F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

RFE: Mask Constants values in returned declarations #806

Open amolari opened 4 months ago

amolari commented 4 months ago

Is your feature request related to a problem? Please describe.

We are using Constants (a sensitive value, as it's an API credential) in our AS3 declarations that are run through git pipelines. That constant is referred to in the declaration for all the URIs of referenced objects (WAF policy JSON files, iRule files, etc.). When posting the declaration, we see the constant value "as-is" in the returned payload. That is problematic for us and will lead to security alerts from the tooling which parses our repositories for revealed secrets. There is today the possibility to encrypt (ciphertext), but it's not very practical for us.

Describe the solution you'd like

Possibility (using an optional key in Constants or creating a Constants-secret class) to have the constants values always masked in the returned declaration (whatever the declaration controls are, and whether the declaration POST was successful or not). For reference, here is what we're using today:

```json
  "TEST": {
    "class": "Tenant",
    "apim": {
      "class": "Application",
      "template": "shared",
      "constants": {
        "class": "Constants",
        "authkey": "<sensitive value>"
      },
```

We refer to this constant in the following way in the uri attribute: `&private_token==/@/apim/constants/authkey`

We would expect to see in the returned declaration:

```json
{
  "results": [
    {
      "code": 200,
      "message": "success",
      "lineCount": 19,
      "host": "localhost",
      "tenant": "TEST",
      "runTime": 12891,
      "declarationId": "commit-1-xxx111"
    }
  ],
  "declaration": {
    "TEST": {
      "class": "Tenant",
      "apim": {
        "class": "Application",
        "template": "shared",
        "constants": {
          "class": "Constants",
          "authkey": "***********"
        },
```

Describe alternatives you've considered

Additional context

Another F5 project exists where a possibility is offered (although it's based on a list of specific keys, which is not what we're asking here): f5-bigip-runtime-init (ref: https://github.com/F5Networks/f5-bigip-runtime-init?tab=readme-ov-file#security---masking-secrets).

amolari commented 4 months ago

Additional comment: if the controls logLevel of the declaration is set to debug, then the declaration is logged in restnoded.log on the BIG-IP. It would be good if the masking were applied there too.
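One way the requested behaviour could be implemented as a post-processing step, covering both the echoed declaration in the POST response and the debug log line from the comment above. This is an added example, not code from the AS3 extension; `mask_constants`, `mask_response` and `debug_log_line` are hypothetical names, and the sample declaration is constructed here after the one in the issue.

```python
import json
from typing import Any

MASK = "***********"


def mask_constants(node: Any) -> Any:
    """Return a copy of an AS3 declaration in which every value under an object
    whose "class" is "Constants" is replaced by MASK (only "class" is kept).
    The input is not mutated, so the unmasked declaration can still be deployed."""
    if isinstance(node, dict):
        if node.get("class") == "Constants":
            return {k: (v if k == "class" else MASK) for k, v in node.items()}
        return {k: mask_constants(v) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_constants(v) for v in node]
    return node


def mask_response(response: dict) -> dict:
    """Mask the declaration echoed in an AS3 POST response; "results" is untouched."""
    out = dict(response)
    if "declaration" in out:
        out["declaration"] = mask_constants(out["declaration"])
    return out


def debug_log_line(declaration: dict) -> str:
    """Build a restnoded-style debug line with Constants masked before it is written."""
    return "declaration: " + json.dumps(mask_constants(declaration), sort_keys=True)


# Constructed sample modelled on the declaration in the issue (values are made up).
SAMPLE_RESPONSE = {
    "results": [{"code": 200, "message": "success", "tenant": "TEST"}],
    "declaration": {
        "class": "ADC", "schemaVersion": "3.0.0",
        "TEST": {"class": "Tenant",
            "apim": {"class": "Application", "template": "shared",
                "constants": {"class": "Constants", "authkey": "s3cr3t-token"},
                "policy": {"class": "WAF_Policy",
                    "url": "https://git.example/raw/policy.json?private_token=/@/apim/constants/authkey"}}}}}

if __name__ == "__main__":
    print(json.dumps(mask_response(SAMPLE_RESPONSE), indent=2))
    print(debug_log_line(SAMPLE_RESPONSE["declaration"]))
```

The `/@/apim/constants/authkey` pointer in the URL is a reference, not the secret, so it survives masking unchanged.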

sunitharonan commented 4 months ago

Thanks for reaching out; we have created an internal backlog item AUTOTOOL-4260. In order to prioritize this issue, please reach out to us at automation_toolchain_pm@f5.com