f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

Add support for username and passwords/passphrases in input #43

Closed makagonr closed 3 years ago

makagonr commented 3 years ago

Is your feature request related to a problem? Please describe.

Inside a UCS/config file, there might be passwords and passphrases. The AS3 schema also allows them.

Example for password

ltm monitor https /Common/test_monitor_password {
    adaptive disabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    password $M$OC$bN53XhCrVMTvO2+ZlApH7A==       <========== password
    recv none 
    recv-disable none 
    send "GET /\r\n"
    time-until-up 0
    timeout 16
    username test         <======= username
}

Example for passphrase

sys file ssl-key /Common/f5_api_com.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_62549_1
    passphrase $M$ar$kSub6Kj+2ZgPVwjyu+1JcVQpqQXjUl/qz+y83S25DopF5Seq0QyAFOD9TjD9SnmQZ/GN1HSIBZCA/eI/kJHvJuvV2I0jJQZu8bbykERsfPU=
    revision 1
    source-path file:///config/ssl/ssl.key/f5_api_com.key
}

Describe the solution you'd like

The passwords/passphrases are added to output objects according to the AS3 schema:

        "monitorLDAP_nonDefault1": {
          "class": "Monitor",
          "username": "Adm-nM+nkey",   <===== username
          "passphrase": {
            "ciphertext": "ZjVmNQ==",      <===== password
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",     <======= see below
            "ignoreChanges": true
          },
          "base": "dc=bigip-test,dc=org",
          "filter": "objectClass=employee"
        },
        "webcert1": {
          "class": "Certificate",
          "remark": "replace these with real certificates and keys",
          "certificate": "...",
          "chainCA": "...",
          "privateKey": "...",
          "passphrase": {
            "ciphertext": "ZjVmNQ==",      <===== password
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"  <======= see below
          }
        },

According to: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#monitor-radius-passphrase "protected" field description:

So as I understand it: if there is a "$M$" prefix inside the password content, which indicates that SecureVault is used to encrypt the value, then "protected"="eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0", else "protected"="eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0".

Regards

frslater commented 3 years ago

The "protected" strings are base64, so if you forget which is which, just decode them. One is {"alg":"dir","enc":"f5sv"} and the other is {"alg":"dir","enc":"none"}.
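
The "$M$" prefix rule from the issue and the decoding tip in the reply above, combined into an added example (not code from the converter project) that also flags passphrase objects whose header says `"enc":"none"`. The function names are hypothetical, and it is an assumption that the ciphertext for a "$M$" value is the base64 of the tmsh value exactly as it appears in the config.

```javascript
// Added example, not the converter's source. Function names are hypothetical.
const PROTECTED_F5SV = 'eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0'; // value from the issue
const PROTECTED_NONE = 'eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0'; // value from the issue

// Decode a "protected" header (unpadded base64url JSON), as the reply suggests.
function decodeProtected(b64) {
  const std = b64.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(std, 'base64').toString('utf8'));
}

// Map a tmsh password/passphrase value to an AS3 passphrase object using the
// "$M$" prefix rule from the issue. Assumption: ciphertext is the base64 of
// the tmsh value exactly as written in the config.
function toAs3Passphrase(tmshValue) {
  const isSecureVault = tmshValue.startsWith('$M$');
  return {
    ciphertext: Buffer.from(tmshValue, 'utf8').toString('base64'),
    protected: isSecureVault ? PROTECTED_F5SV : PROTECTED_NONE,
    ignoreChanges: true
  };
}

// Walk a declaration and report every passphrase object whose header says
// "enc":"none": its ciphertext is only base64-encoded, so the secret is
// readable by anyone who can read the declaration.
function findUnencryptedSecrets(node, path = '') {
  const hits = [];
  if (node === null || typeof node !== 'object') return hits;
  if (typeof node.ciphertext === 'string' && typeof node.protected === 'string') {
    if (decodeProtected(node.protected).enc === 'none') hits.push(path);
    return hits;
  }
  for (const [key, value] of Object.entries(node)) {
    hits.push(...findUnencryptedSecrets(value, path ? `${path}.${key}` : key));
  }
  return hits;
}

// Constructed sample: the monitor value from the issue plus one plain value.
const declaration = {
  test_monitor_password: {
    class: 'Monitor',
    username: 'test',
    passphrase: toAs3Passphrase('$M$OC$bN53XhCrVMTvO2+ZlApH7A==')
  },
  webcert1: { class: 'Certificate', passphrase: toAs3Passphrase('f5f5') }
};
console.log(findUnencryptedSecrets(declaration)); // [ 'webcert1.passphrase' ]
```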

mdditt2000 commented 3 years ago

Discussing on the DEV call this Thursday.

mdditt2000 commented 3 years ago

https://github.com/mdditt2000/f5-appsvcs-acc/tree/master/Github/43

mdditt2000 commented 3 years ago

Created Jira CHARON-404 for PM tracking

mdditt2000 commented 3 years ago

@makagonr issue is resolved in a Pre-release. Please get the image from the link in the Jira CHARON-404. Closing this out.