F5 AWAF/ASM support for wildcard url and parameter names with a swagger/openapi file
Hello to everyone,
I have a project where I am trying to make use of the F5 wildcard options for parameter names and url paths by importing a swagger/openapi file, but I do not know if F5 have exposed those options, like custom non-RFC options, when importing API definitions. In the future I may try to import it in the F5 XC Distributed Cloud API protection feature, but for now I am trying to make it work on normal BIG-IP AWAF/ASM.
By playing with the pet store test API app swagger file, I managed to do the code below for wildcard url by using positional parameters of type string, but for wildcard parameter names I am still figuring out the options. 😅
Any ideas will be helpful, as this is a nice subject to think about.
{
  "swagger": "2.0",
  "info": {
    "version": "1.0.0",
    "title": "Swagger Petstore",
    "description": "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification",
    "termsOfService": "http://swagger.io/terms/",
    "contact": {
      "name": "Swagger API Team"
    },
    "license": {
      "name": "MIT"
    }
  },
  "host": "petstore.swagger.io",
  "basePath": "/",
  "schemes": [
    "http"
  ],
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "paths": {
    "/{path}": {
      "get": {
        "description": "Returns a user based on a single ID, if the user does not have access to the pet",
        "operationId": "findPetById",
        "produces": [
          "application/json",
          "application/xml",
          "text/xml",
          "text/html"
        ],
        "parameters": [
          {
            "name": "path",
            "in": "path",
            "description": "wildcard path",
            "required": true,
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "pet response",
            "schema": {
              "$ref": "#/definitions/Pet"
            }
          },
          "default": {
            "description": "unexpected error",
            "schema": {
              "$ref": "#/definitions/ErrorModel"
            }
          }
        }
      }
    }
  }
}
Edit:
I found that "/{path=**}": { triggers the url to be wildcard and not positional parameter, and this is great, but for wildcard parameter names still no luck. I also wonder if there is a way to define global parameters (not url based) and to use any request method or any location for a parameter, as for each POST, GET etc. I need to add a column. These are not in the OpenAPI spec, but maybe F5 have made some custom stuff, and if someone knows anything it will be great!
I also found this https://github.com/OAI/OpenAPI-Specification/issues/2622 for free form parameters and tested it, and as of now it seems the only solution for wildcard parameter names, but maybe in F5 BIG-IP there is a way to trigger the wildcard checkmark for parameter names with a Swagger or openapi, so still hoping that someone will know a way 🙂
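Added example, not part of the original post and not F5 code: a small pre-import audit that lists every place in an API definition where a wildcard URL key such as "/{path=**}" or a free-form query parameter would accept arbitrary URLs or parameter names, so those entries can be reviewed before the policy is built. The sample spec is constructed and trimmed to the fields the audit reads; the function name audit_wildcards, the parameter name "params", and the assumption that the free-form parameter takes the OpenAPI 3.0 form (object schema with additionalProperties, style form, explode true) are illustrative.

```python
import re

# Constructed sample spec (not from the post): OpenAPI 3.0 with the "/{path=**}"
# key and an assumed free-form query parameter named "params".
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/{path=**}": {"get": {"parameters": [
            {"name": "path", "in": "path", "required": True,
             "schema": {"type": "string"}},
            {"name": "params", "in": "query", "style": "form", "explode": True,
             "schema": {"type": "object",
                        "additionalProperties": {"type": "string"}}},
        ]}},
        "/pets/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "required": True,
             "schema": {"type": "integer"}},
        ]}},
    },
}

METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
WILDCARD_SEGMENT = re.compile(r"\{[^{}=]+=\*\*\}")  # e.g. {path=**}


def audit_wildcards(spec):
    """Return (path, method, finding) tuples for every wildcard construct."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        if WILDCARD_SEGMENT.search(path):
            findings.append((path, "*", "wildcard-url"))
        shared = item.get("parameters", [])  # path-level parameters apply to all methods
        for method, op in item.items():
            if method not in METHODS:
                continue
            for param in shared + op.get("parameters", []):
                schema = param.get("schema", {})
                extra = schema.get("additionalProperties")
                # Object schema that explicitly admits undeclared keys = any parameter name.
                if (param.get("in") == "query" and schema.get("type") == "object"
                        and extra is not None and extra is not False):
                    findings.append((path, method.upper(),
                                     "free-form-parameter:" + param["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit_wildcards(SAMPLE_SPEC):
        print(finding)
```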