f5-appsvcs-extension

RFE: Mask Constants values in returned declarations

Open amolari opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe.

We are using Constants (a sensitive value, as it's an API credential) in our AS3 declarations that are run through git pipelines. That constant is referred to in the declaration for all the URIs of referenced objects (these can be WAF policy JSON files, iRule files, etc.). When posting the declaration, we see the constant value "as-is" in the returned payload. That is problematic for us and will lead to security alerts from the tooling which parses our repositories for revealed secrets. There is today the possibility to encrypt (ciphertext), but it's not very practicable for us.

Describe the solution you'd like

Possibility (using an optional key in Constants or creating a Constants-secret class) to have the constants values always masked in the returned declaration (whatever the declaration controls are, and whether the declaration post was successful or not). For reference, here is what we're using today:

```json
  "TEST": {
    "class": "Tenant",
    "apim": {
      "class": "Application",
      "template": "shared",
      "constants": {
        "class": "Constants",
        "authkey": "<sensitive value>"
      },
```

We refer to this constant in the following way in the uri attribute: `&private_token==/@/apim/constants/authkey`

We would expect to see in the returned declaration:

```json
{
  "results": [
    {
      "code": 200,
      "message": "success",
      "lineCount": 19,
      "host": "localhost",
      "tenant": "TEST",
      "runTime": 12891,
      "declarationId": "commit-1-xxx111"
    }
  ],
  "declaration": {
    "TEST": {
      "class": "Tenant",
      "apim": {
        "class": "Application",
        "template": "shared",
        "constants": {
          "class": "Constants",
          "authkey": "***********"
        },
```

Describe alternatives you've considered

Additional context

Another F5 project exists where a possibility is offered (although it's based on a list of specific keys, which is not what we're asking here): f5-bigip-runtime-init (ref: https://github.com/F5Networks/f5-bigip-runtime-init?tab=readme-ov-file#security---masking-secrets).

amolari, Feb 17 '24 12:02
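A pipeline-side mitigation while the request is open, added here as an example and not code from the issue author or the AS3 project: a Python filter that masks every member of a `Constants` object in a returned declaration, and also scrubs the same value out of any other string in the response (for example a URI into which the token was already substituted) before the payload is logged or committed. `SAMPLE_RESPONSE` is a constructed sample shaped like the response quoted above, and the `url` member is an assumed shape for illustration.

```python
import copy

MASK = "***********"

# Constructed sample shaped like the AS3 response quoted in the issue (not a real capture);
# the "url" member is an assumed shape showing a Constants value substituted into a URI.
SAMPLE_RESPONSE = {
    "results": [{"code": 200, "message": "success", "tenant": "TEST"}],
    "declaration": {"TEST": {"class": "Tenant", "apim": {
        "class": "Application", "template": "shared",
        "constants": {"class": "Constants", "authkey": "s3cr3t-token-value"},
        "policy": {"class": "WAF_Policy",
                   "url": "https://git.example/p.json?private_token=s3cr3t-token-value"},
    }}},
}

def constant_values(node, found=None):
    # Collect every member other than "class" of any object whose class is "Constants".
    found = set() if found is None else found
    if isinstance(node, dict):
        if node.get("class") == "Constants":
            found.update(str(v) for k, v in node.items() if k != "class" and v != "")
        for value in node.values():
            constant_values(value, found)
    elif isinstance(node, list):
        for item in node:
            constant_values(item, found)
    return found

def mask_constants(response):
    # Masked deep copy: Constants members become MASK; other strings embedding a value are scrubbed.
    masked = copy.deepcopy(response)
    secrets = sorted(constant_values(masked), key=len, reverse=True)  # longest first

    def scrub(text):
        for secret in secrets:
            text = text.replace(secret, MASK)
        return text

    def walk(node):
        in_constants = isinstance(node, dict) and node.get("class") == "Constants"
        pairs = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in list(pairs):
            if in_constants and key != "class":
                node[key] = MASK
            elif isinstance(value, str):
                node[key] = scrub(value)
            elif isinstance(value, (dict, list)):
                walk(value)
    walk(masked)
    return masked
```

The original response object is left untouched, so the unmasked copy can still be used in-process while only the masked copy reaches logs or the repository.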