August | 2017 | Fijiaaron

Working with a client recently and needed to check connectivity to a web service. I wanted to make a few HTTP requests. Normally I’d fire up curl and paste a URL with basic auth credentials:

curl -u $USERNAME:$PASSWORD -k https://api.example.com/some/endpoint

But… they were on Windows. No problem, fire up chocolately and install curl

choco install curl

Ah… this server is locked down and no way they’re going to fill out the paperwork (in triplicate) to install . Someone said that PowerShell has curl installed. But wait a minute…

Screen Shot 2017-08-18 at 3.21.40 PM

Someone has played a nasty trick on me.

I can’t use curl, but PowerShell has something not quite, but almost entirely unlike curl. Let’s see what we can do with Invoke-WebRequest.

Ok, so you can call a URL with:

Invoke-WebRequest -Uri https://api.example.com/some/endpoint

It turns out that passing Basic Authentication credentials is trickier. But wait! stackoverflow comes to the rescue(-ish).

You have a -Credential flag, but all that does is open up a Windows dialog to enter them. Not very automatable. (automatible? odd-tomato-bull?)

Basic authentication is really just an HTTP header:

GET /some/endpoint HTTP/1.1
Authorization: Basic SSBsb3ZlIEtlbHNleSBGb3g=

And the credentials are just a base64 encoded string containing text in the format

username:password

One last thing though, you need to escape the colon in your credentials. Apparently backtick is the escape character in Powershell:

$credentials = "$username`:$password"

And you can pass an array of headers with Invoke-WebRequest. (backtick also allows continuation on the next line)

Invoke-WebRequest `
-Uri https://api.example.com/some/endpoint `
-Headers @{ Authorization = "Basic $encodedCredentials" }

So now I’m getting somewhere.

The only step left is to figure out how to Base64Encode with PowerShell. I’m not sure where I found it, but this will do the trick:

$encodedCredentials = `
[System.Convert]::ToBase64String( `
[System.Text.Encoding]::ASCII.GetBytes($credentials))

Remember folks, only you can prevent github from sharing your credentials. Use an environment variable, and don’t put your password in powershell your script:

Here’s how you get an environment variable in Powershell

Get-ChildItem Env:USERNAME

Finally, here is my full script:

$username = $(Get-ChildItem Env:USERNAME).value
$password = $(Get-ChildItem Env:PASSWORD).value

$credentials = "$username`:$password"
$encodedCredentials = `
[System.Convert]::ToBase64String( `
[System.Text.Encoding]::ASCII.GetBytes($credentials))

Invoke-WebRequest `
-Uri https://api.example.com/some/endpoint `
-Headers @{ Authorization = "Basic $encodedCredentials" }

But wait, there’s more!

Now that I’ve got my response I can actually use Powershell to parse the JSON response and access it using ConvertFrom-Json.:

Given the following JSON

[{ "contact": { "name": "Aaron Evans", "website": { "url": "http://one-shore.com" }, "blog": { "url": "https://fijiaaron.wordpress.com" } }}]

I could parse it like this:

$response = $(Invoke-WebRequest -Uri "$endpoint" -Headers $headers)
$contacts = $(ConvertFrom-Json -InputObject $response.Content)

Invoke-WebRequest -Uri  $contacts[0].contact.blog.url

Please don’t flood my blog with hits. I haven’t monetized it yet.

See the whole thing with this gist:

$username = $(Get-ChildItem Env:USERNAME).value

$password = $(Get-ChildItem Env:PASSWORD).value

$credentials = "$username`:$password"

$encodedCredentials = `

[System.Convert]::ToBase64String( `

[System.Text.Encoding]::ASCII.GetBytes($credentials))

Invoke-WebRequest `

–Uri https://api.example.com/some/endpoint `

–Headers @{ Authorization = "Basic $encodedCredentials" }

$response = $(Invoke-WebRequest –Uri "$endpoint" –Headers $headers)

$data = $(ConvertFrom-Json –InputObject $response.Content)

view raw

powershell_rest_request_example_with_basic_auth.ps1

hosted with ❤ by GitHub

Here’s the problem:

You have a site that you’d like to write automated tests for. But when you attempt to login with Internet Explorer, it has a Windows Authentication dialog popup. Because this is a native UI element, Selenium can’t touch it.

If you have control of the machine (and the Windows ADFS domain controller), you can add the user and the popup will go away. But if you don’t have control — like if you’re running your tests on a virtual machine in the cloud with Sauce Labs — you need to find a way to get around it.

I recently ran into this problem. It only affected Internet Explorer. Chrome and Firefox were directed to a web login form — which could be automated with Selenium. The options were to either A) figure out how to authenticate with Windows, or B) bypass Windows Authentication so it doesn’t have the native popup, and it doesn’t block tests.

I think I’ve found a solution.

You can disable Integrated Windows Authentication under “Internet Options” for Internet Explorer. Under the “Advanced” tab, scroll down to “Security” and uncheck “Enable Integrated Windows Authentication”. That should do it.

Uncheck Enable Integrated Windows Authentication

But there was still the task of automating this step. I thought of trying a macro tool like AutoIt, but that just didn’t feel right. Plus, it can be tricky to actually use AutoIt. I don’t want to learn their language, and the recorder has been removed from AutoIt.

Click here to see how to get an older version of AutoIt that still has a working recorder:

https://www.autoitscript.com/forum/topic/176009-where-is-au3recordexe/

I knew there must be some way to do this without resorting to UI automation. So, after a little poking around, I found this old blog post:

https://laxmanchip.wordpress.com/2011/12/16/enabledisable-integrated-windows-authentication-vbscript/

Thanks Tom!

A little more searching taught me all I need to know about using Powershell to edit registry keys:

https://blogs.technet.microsoft.com/heyscriptingguy/2015/04/02/update-or-add-registry-key-value-with-powershell/

Combining the two gave me this nice little script:

Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -name EnableNegotiate -value 0
Get-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" –name EnableNegotiate –value 0

Get-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

view raw

disable-windows-authentication.ps1

hosted with ❤ by GitHub

And now I can execute that on a remote computer before running my Selenium automation!

Sauce Labs has the following in their wiki about using AutoIt as a pre-run executable:

https://wiki.saucelabs.com/display/DOCS/Running+an+AutoIt+Script+as+a+Pre-run+Executable+to+Handle+Windows+Security+Authentication+Dialogs

And some general information about specifying a pre-run executable in your Desired Capabilities.

Thanks Sauce Labs!

And thanks to the team that set up this challenge — you know who you are ;)

Fijiaaron

Monthly Archives: August 2017

RESTful Web Services with Powershell

Disable Integrated Windows Authentication (IWA) for Selenium

	$username = $(Get-ChildItem Env:USERNAME).value
	$password = $(Get-ChildItem Env:PASSWORD).value

	$credentials = "$username`:$password"
	$encodedCredentials = `
	[System.Convert]::ToBase64String( `
	[System.Text.Encoding]::ASCII.GetBytes($credentials))

	Invoke-WebRequest `
	–Uri https://api.example.com/some/endpoint `
	–Headers @{ Authorization = "Basic $encodedCredentials" }

	$response = $(Invoke-WebRequest –Uri "$endpoint" –Headers $headers)
	$data = $(ConvertFrom-Json –InputObject $response.Content)

	Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" –name EnableNegotiate –value 0
	Get-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Share this:

Like this:

Share this:

Like this: