samples(http): publish proxmox-ve-http ticket-cookie/CSRF sample with full README

Author: petrsnd

docs/agent-reference/samples-index.md

@@ -27,6 +27,7 @@ CI runs the same script with `-CheckOnly` and fails the build if the committed c
 | http | — | CheckSystem, CheckPassword, ChangePassword | — | [`samples/http/forgerock-openam/Forgerock_OpenAM.json`](../../samples/http/forgerock-openam/Forgerock_OpenAM.json) | [README](../../samples/http/forgerock-openam/README.md) |
 | http | — | CheckSystem, CheckPassword, ChangePassword, EnableAccount, DisableAccount, DiscoverAccounts | — | [`samples/http/okta-discovery/Okta_WithDiscoveryAndGroupMembershipRestore.json`](../../samples/http/okta-discovery/Okta_WithDiscoveryAndGroupMembershipRestore.json) | [README](../../samples/http/okta-discovery/README.md) |
 | http | Basic+Bearer | CheckSystem, ChangePassword, EnableAccount, DisableAccount, ElevateAccount, DemoteAccount | — | [`samples/http/onelogin-jit/OneLogin_GRC_JIT_addon.json`](../../samples/http/onelogin-jit/OneLogin_GRC_JIT_addon.json) | [README](../../samples/http/onelogin-jit/README.md) |
+| http | — | CheckSystem, CheckPassword, ChangePassword | — | [`samples/http/proxmox-ve-http/ProxmoxVE-HTTP.json`](../../samples/http/proxmox-ve-http/ProxmoxVE-HTTP.json) | [README](../../samples/http/proxmox-ve-http/README.md) |
 | http | Form | CheckPassword, ChangePassword | — | [`samples/http/twitter/CustomTwitter.json`](../../samples/http/twitter/CustomTwitter.json) | [README](../../samples/http/twitter/README.md) |
 | http | Basic | CheckSystem, CheckPassword, ChangePassword | — | [`samples/http/wordpress/WordPressHttp.json`](../../samples/http/wordpress/WordPressHttp.json) | [README](../../samples/http/wordpress/README.md) |
 | ssh | Interactive | CheckSystem, CheckPassword, ChangePassword, DiscoverSshHostKey, ChangeSshKey, CheckSshKey, DiscoverAuthorizedKeys | — | [`samples/ssh/generic-linux-ssh-keys/GenericLinuxWithSSHKeySupport.json`](../../samples/ssh/generic-linux-ssh-keys/GenericLinuxWithSSHKeySupport.json) | [README](../../samples/ssh/generic-linux-ssh-keys/README.md) |

docs/agent-reference/strategy-decision-tree.md

@@ -77,7 +77,7 @@ Pick a bucket, then a specific scheme. The bucket determines whether the script
 | Vendor docs or probe evidence show `Authorization: Bearer …` on operation calls. | Script-managed header | `Bearer` | `Headers.AddHeaders` with `Authorization: Bearer %Token%`. See `samples/http/onelogin-jit/`. |
 | Vendor docs show a custom `Authorization` scheme such as `PVEAPIToken=…` (Proxmox token-auth path), `Token …`, or other vendor-specific prefix. | Script-managed header | Custom `Authorization` scheme | Same as Bearer but with the vendor's scheme name. Treat as Bearer-shaped for authoring purposes. |
 | Vendor docs describe a static API key passed in a custom header (e.g., `X-API-Key`, `X-Vault-Token`, `X-Auth-Token`). | Script-managed header | Custom-header API key | `Headers.AddHeaders` with the named header. Pair with [`docs/guides/api-key-management.md`](../guides/api-key-management.md) when the same script must rotate the key. |
-| Vendor docs describe a session-cookie auth flow: a login endpoint returns an opaque session token that is then sent back as a `Cookie:` header on every subsequent call (often paired with a secondary CSRF/XSRF header on write verbs). The Proxmox VE **ticket-cookie** path is canonical — `POST /access/ticket` returns `data.ticket` and `data.CSRFPreventionToken`; subsequent calls send `Cookie: PVEAuthCookie=<ticket>` and write calls additionally send `CSRFPreventionToken: <token>`. | Script-managed header | Session cookie (+ CSRF header on writes) | Two-step by definition (the cookie is fetched, not pre-held). `Headers.AddHeaders` with `Cookie: <name>=%Token%` on every call; add the CSRF header on writes only. Form bodies for the login post **must** use `SetFormValue` + `Request.Content.ContentObjectName` — pre-built body strings via `Request.Content.Value` re-encode unpredictably (see `failure-patterns.md`). Beware native-cookie-jar interactions: if you also set `PersistCookies: true` (default), the engine may inject a session cookie from a prior call alongside the script-set `Cookie` header — pick one mechanism and stick to it. |
+| Vendor docs describe a session-cookie auth flow: a login endpoint returns an opaque session token that is then sent back as a `Cookie:` header on every subsequent call (often paired with a secondary CSRF/XSRF header on write verbs). The Proxmox VE **ticket-cookie** path is canonical — `POST /access/ticket` returns `data.ticket` and `data.CSRFPreventionToken`; subsequent calls send `Cookie: PVEAuthCookie=<ticket>` and write calls additionally send `CSRFPreventionToken: <token>`. See [`samples/http/proxmox-ve-http/`](../../samples/http/proxmox-ve-http/). | Script-managed header | Session cookie (+ CSRF header on writes) | Two-step by definition (the cookie is fetched, not pre-held). `Headers.AddHeaders` with `Cookie: <name>=%Token%` on every call; add the CSRF header on writes only. Form bodies for the login post **must** use `SetFormValue` + `Request.Content.ContentObjectName` — pre-built body strings via `Request.Content.Value` re-encode unpredictably (see `failure-patterns.md`). Beware native-cookie-jar interactions: if you also set `PersistCookies: true` (default), the engine may inject a session cookie from a prior call alongside the script-set `Cookie` header — pick one mechanism and stick to it. |
 
 ### `http-api` one-step vs two-step
 

samples/http/README.md

@@ -11,6 +11,7 @@ Tested custom platform scripts for managing systems over HTTP/REST APIs. These s
 | [forgerock-openam](forgerock-openam/) | ⭐⭐ | ForgeRock AM 7.5 REST API |
 | [okta-discovery](okta-discovery/) | ⭐⭐⭐ | Okta with account discovery and group membership |
 | [onelogin-jit](onelogin-jit/) | ⭐⭐⭐ | OneLogin JIT elevation and account activation |
+| [proxmox-ve-http](proxmox-ve-http/) | ⭐⭐⭐ | Proxmox VE 7.x/8.x REST API (ticket-cookie + CSRF) |
 | [wordpress](wordpress/) | ⭐⭐ | WordPress REST API with Basic Auth |
 
 ## Choosing a Sample
@@ -20,6 +21,7 @@ Tested custom platform scripts for managing systems over HTTP/REST APIs. These s
 - **Need account discovery?** See [okta-discovery](okta-discovery/).
 - **JIT elevation workflow?** Try [onelogin-jit](onelogin-jit/).
 - **Browser-form login (not a REST API)?** See [facebook](facebook/) or [twitter](twitter/).
+- **Cookie-based session auth with CSRF tokens?** See [proxmox-ve-http](proxmox-ve-http/).
 
 ## Related Docs
 

samples/http/proxmox-ve-http/ProxmoxVE-HTTP.json

@@ -0,0 +1,306 @@
+{
+  "Id": "ProxmoxVE",
+  "BackEnd": "Scriptable",
+  "Meta": {
+    "Description": "Proxmox VE password rotation via the ticket-cookie REST API (HTTP variant). Manages users in the @pve realm only — @pam-realm users are OS-PAM-backed and require root-on-host (use the SSH variant instead). Service-account model: a privileged @pve user (FuncUserName) rotates the managed @pve user's (AccountUserName) password via PUT /access/password. Two-step token fetch — POST /access/ticket returns a session ticket plus a CSRFPreventionToken; subsequent calls send Cookie: PVEAuthCookie=<ticket> and (on writes) CSRFPreventionToken: <token>. Cross-user password changes additionally require the caller's own password as the confirmation-password form field."
+  },
+  "CheckSystem": {
+    "Parameters": [
+      { "Address": { "Type": "String", "Required": true } },
+      { "Port": { "Type": "Integer", "Required": false, "DefaultValue": 8006 } },
+      { "Timeout": { "Type": "Integer", "Required": false, "DefaultValue": 30 } },
+      { "SkipServerCertValidation": { "Type": "Boolean", "Required": false, "DefaultValue": false } },
+      { "FuncUserName": { "Type": "String", "Required": true } },
+      { "FuncPassword": { "Type": "Secret", "Required": true } }
+    ],
+    "Do": [
+      {
+        "Try": {
+          "Do": [
+            {
+              "Function": {
+                "Name": "AuthenticateClient",
+                "Parameters": [
+                  "%Address%",
+                  "%{Port}%",
+                  "%{Timeout}%",
+                  "%{SkipServerCertValidation}%",
+                  "%FuncUserName%",
+                  "%FuncPassword%"
+                ],
+                "ResultVariable": "AuthenticateClientResult"
+              }
+            },
+            { "NewHttpRequest": { "ObjectName": "SystemRequest" } },
+            {
+              "Headers": {
+                "RequestObjectName": "SystemRequest",
+                "AddHeaders": {
+                  "Accept": "application/json",
+                  "Cookie": "PVEAuthCookie=%Ticket%"
+                }
+              }
+            },
+            {
+              "Request": {
+                "RequestObjectName": "SystemRequest",
+                "ResponseObjectName": "SystemResponse",
+                "Verb": "GET",
+                "Url": "/api2/json/version",
+                "IgnoreServerCertAuthentication": "%{SkipServerCertValidation}%"
+              }
+            },
+            {
+              "Condition": {
+                "If": "SystemResponse.StatusCode == 200",
+                "Then": { "Do": [ { "Return": { "Value": true } } ] },
+                "Else": { "Do": [ { "Throw": { "Value": "CheckSystem failed with HTTP %{SystemResponse.StatusCode}%" } } ] }
+              }
+            }
+          ],
+          "Catch": [ { "Return": { "Value": false } } ]
+        }
+      }
+    ]
+  },
+  "CheckPassword": {
+    "Parameters": [
+      { "Address": { "Type": "String", "Required": true } },
+      { "Port": { "Type": "Integer", "Required": false, "DefaultValue": 8006 } },
+      { "Timeout": { "Type": "Integer", "Required": false, "DefaultValue": 30 } },
+      { "SkipServerCertValidation": { "Type": "Boolean", "Required": false, "DefaultValue": false } },
+      { "FuncUserName": { "Type": "String", "Required": true } },
+      { "FuncPassword": { "Type": "Secret", "Required": true } },
+      { "AccountUserName": { "Type": "String", "Required": true } },
+      { "AccountPassword": { "Type": "Secret", "Required": true } }
+    ],
+    "Do": [
+      {
+        "Try": {
+          "Do": [
+            {
+              "Function": {
+                "Name": "SetBaseAddress",
+                "Parameters": [ "%Address%", "%{Port}%" ],
+                "ResultVariable": "SetBaseAddressResult"
+              }
+            },
+            { "SetFormValue": { "FormObjectName": "CheckPasswordForm", "InputName": "username", "Value": "%AccountUserName%" } },
+            { "SetFormValue": { "FormObjectName": "CheckPasswordForm", "InputName": "password", "Value": "%AccountPassword%", "IsSecret": true } },
+            { "NewHttpRequest": { "ObjectName": "CheckPasswordRequest" } },
+            {
+              "Headers": {
+                "RequestObjectName": "CheckPasswordRequest",
+                "AddHeaders": { "Accept": "application/json" }
+              }
+            },
+            {
+              "Request": {
+                "RequestObjectName": "CheckPasswordRequest",
+                "ResponseObjectName": "CheckPasswordResponse",
+                "Verb": "POST",
+                "Url": "/api2/json/access/ticket",
+                "Content": {
+                  "ContentObjectName": "CheckPasswordForm",
+                  "ContentType": "application/x-www-form-urlencoded"
+                },
+                "IgnoreServerCertAuthentication": "%{SkipServerCertValidation}%"
+              }
+            },
+            {
+              "Condition": {
+                "If": "CheckPasswordResponse.StatusCode == 200",
+                "Then": { "Do": [ { "Return": { "Value": true } } ] },
+                "Else": {
+                  "Do": [
+                    {
+                      "Condition": {
+                        "If": "CheckPasswordResponse.StatusCode == 401",
+                        "Then": { "Do": [ { "Return": { "Value": false } } ] },
+                        "Else": { "Do": [ { "Throw": { "Value": "CheckPassword returned HTTP %{CheckPasswordResponse.StatusCode}%" } } ] }
+                      }
+                    }
+                  ]
+                }
+              }
+            }
+          ],
+          "Catch": [ { "Return": { "Value": false } } ]
+        }
+      }
+    ]
+  },
+  "ChangePassword": {
+    "Parameters": [
+      { "Address": { "Type": "String", "Required": true } },
+      { "Port": { "Type": "Integer", "Required": false, "DefaultValue": 8006 } },
+      { "Timeout": { "Type": "Integer", "Required": false, "DefaultValue": 30 } },
+      { "SkipServerCertValidation": { "Type": "Boolean", "Required": false, "DefaultValue": false } },
+      { "FuncUserName": { "Type": "String", "Required": true } },
+      { "FuncPassword": { "Type": "Secret", "Required": true } },
+      { "AccountUserName": { "Type": "String", "Required": true } },
+      { "AccountPassword": { "Type": "Secret", "Required": true } },
+      { "NewPassword": { "Type": "Secret", "Required": true } }
+    ],
+    "Do": [
+      {
+        "Try": {
+          "Do": [
+            {
+              "Condition": {
+                "If": "AccountPassword.Equals(NewPassword)",
+                "Then": { "Do": [ { "Return": { "Value": false } } ] }
+              }
+            },
+            {
+              "Function": {
+                "Name": "AuthenticateClient",
+                "Parameters": [
+                  "%Address%",
+                  "%{Port}%",
+                  "%{Timeout}%",
+                  "%{SkipServerCertValidation}%",
+                  "%FuncUserName%",
+                  "%FuncPassword%"
+                ],
+                "ResultVariable": "AuthenticateClientResult"
+              }
+            },
+            { "SetFormValue": { "FormObjectName": "ChangePasswordForm", "InputName": "userid", "Value": "%AccountUserName%" } },
+            { "SetFormValue": { "FormObjectName": "ChangePasswordForm", "InputName": "password", "Value": "%NewPassword%", "IsSecret": true } },
+            { "SetFormValue": { "FormObjectName": "ChangePasswordForm", "InputName": "confirmation-password", "Value": "%FuncPassword%", "IsSecret": true } },
+            { "NewHttpRequest": { "ObjectName": "ChangePasswordRequest" } },
+            {
+              "Headers": {
+                "RequestObjectName": "ChangePasswordRequest",
+                "AddHeaders": {
+                  "Accept": "application/json",
+                  "Cookie": "PVEAuthCookie=%Ticket%",
+                  "CSRFPreventionToken": "%CsrfToken%"
+                }
+              }
+            },
+            {
+              "Request": {
+                "RequestObjectName": "ChangePasswordRequest",
+                "ResponseObjectName": "ChangePasswordResponse",
+                "Verb": "PUT",
+                "Url": "/api2/json/access/password",
+                "Content": {
+                  "ContentObjectName": "ChangePasswordForm",
+                  "ContentType": "application/x-www-form-urlencoded"
+                },
+                "IgnoreServerCertAuthentication": "%{SkipServerCertValidation}%"
+              }
+            },
+            {
+              "Condition": {
+                "If": "ChangePasswordResponse.StatusCode == 200",
+                "Then": { "Do": [ { "Return": { "Value": true } } ] },
+                "Else": { "Do": [ { "Throw": { "Value": "ChangePassword failed with HTTP %{ChangePasswordResponse.StatusCode}%" } } ] }
+              }
+            }
+          ],
+          "Catch": [ { "Throw": { "Value": "%Exception%" } } ]
+        }
+      }
+    ]
+  },
+  "Functions": [
+    {
+      "Name": "SetBaseAddress",
+      "Parameters": [
+        { "Address": { "Type": "String", "Required": true } },
+        { "Port": { "Type": "Integer", "Required": false, "DefaultValue": 8006 } }
+      ],
+      "Do": [
+        { "BaseAddress": { "Address": "https://%Address%:%{Port}%" } },
+        { "Return": { "Value": true } }
+      ]
+    },
+    {
+      "Name": "AuthenticateClient",
+      "Parameters": [
+        { "Address": { "Type": "String", "Required": true } },
+        { "Port": { "Type": "Integer", "Required": false, "DefaultValue": 8006 } },
+        { "Timeout": { "Type": "Integer", "Required": false, "DefaultValue": 30 } },
+        { "SkipServerCertValidation": { "Type": "Boolean", "Required": false, "DefaultValue": false } },
+        { "FuncUserName": { "Type": "String", "Required": true } },
+        { "FuncPassword": { "Type": "Secret", "Required": true } }
+      ],
+      "Do": [
+        {
+          "Function": {
+            "Name": "SetBaseAddress",
+            "Parameters": [ "%Address%", "%{Port}%" ],
+            "ResultVariable": "SetBaseAddressResult"
+          }
+        },
+        { "SetFormValue": { "FormObjectName": "TicketForm", "InputName": "username", "Value": "%FuncUserName%" } },
+        { "SetFormValue": { "FormObjectName": "TicketForm", "InputName": "password", "Value": "%FuncPassword%", "IsSecret": true } },
+        { "NewHttpRequest": { "ObjectName": "TicketRequest" } },
+        {
+          "Headers": {
+            "RequestObjectName": "TicketRequest",
+            "AddHeaders": { "Accept": "application/json" }
+          }
+        },
+        {
+          "Request": {
+            "RequestObjectName": "TicketRequest",
+            "ResponseObjectName": "TicketResponse",
+            "Verb": "POST",
+            "Url": "/api2/json/access/ticket",
+            "Content": {
+              "ContentObjectName": "TicketForm",
+              "ContentType": "application/x-www-form-urlencoded"
+            },
+            "IgnoreServerCertAuthentication": "%{SkipServerCertValidation}%"
+          }
+        },
+        {
+          "Condition": {
+            "If": "TicketResponse.StatusCode == 200",
+            "Then": {
+              "Do": [
+                {
+                  "ExtractJsonObject": {
+                    "JsonObjectName": "TicketResponse",
+                    "Name": "TicketResponseJson",
+                    "ContainsSecret": true
+                  }
+                },
+                {
+                  "Condition": {
+                    "If": "TicketResponseJson.data != null && TicketResponseJson.data.ticket != null && !string.IsNullOrWhiteSpace(TicketResponseJson.data.ticket.ToString())",
+                    "Then": {
+                      "Do": [
+                        {
+                          "SetItem": {
+                            "Name": "Global:Ticket",
+                            "Value": "%{TicketResponseJson.data.ticket.ToString()}%",
+                            "IsSecret": true
+                          }
+                        },
+                        {
+                          "SetItem": {
+                            "Name": "Global:CsrfToken",
+                            "Value": "%{TicketResponseJson.data.CSRFPreventionToken.ToString()}%",
+                            "IsSecret": true
+                          }
+                        },
+                        { "Return": { "Value": true } }
+                      ]
+                    },
+                    "Else": { "Do": [ { "Throw": { "Value": "Ticket response did not include data.ticket." } } ] }
+                  }
+                }
+              ]
+            },
+            "Else": { "Do": [ { "Throw": { "Value": "Service-account authentication failed with HTTP %{TicketResponse.StatusCode}%" } } ] }
+          }
+        }
+      ]
+    }
+  ]
+}