How to update data-group using iRules LX
I created the following code with iRules LX.
The code does not work properly.
The log output stops after "console.log('getDataGroup start');".
Does anyone know how to check if icontrol is successfully connecting to BIG-IP?
The iControl list() call doesn't seem to work properly.
iRule
---------------------------------------------
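# On the "add_user" policy agent event, pass the user's name and OTP secret to
# the iRules LX extension (method addUser) and log the reply.
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
....
....
        "add_user" {
            set ilx_handle [ILX::init "f5_mfa_plugin" "f5_mfa_extension"]
            set user [ACCESS::session data get session.logon.last.username]
            set sec [ACCESS::session data get session.custom.otp.secret]
            # Log the user name only. The OTP secret is a credential; writing it
            # to the log would expose it to everyone who can read the log files.
            log local0.info "INFO: f5_mfa.tcl - user:$user"
            # catch returns non-zero when ILX::call fails (for example on
            # timeout) and leaves the error text in $result.
            if {[catch {set result [ILX::call $ilx_handle -timeout 10000 addUser $user $sec]} result]} {
                log local0.error "ERROR: f5_mfa.tcl - Client - [IP::client_addr], ILX failure: $result"
                return
            }
            # $result is whatever the addUser method replied.
            log local0.info "user:$result"
        }
    }
}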
iRuleLX: index.js
---------------------------------------------
var f5 = require('f5-nodejs');
var User = require('./f5_user').User;
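var ilx = new f5.ILXServer();
ilx.listen();

/**
 * RPC method "addUser", called from the iRule through ILX::call.
 * The first parameter is the user name, the second the OTP secret.
 * Replies with whatever User#add passes to its callback.
 */
ilx.addMethod('addUser', function (req, res) {
  var params = req.params();
  // Log the user name only: the second parameter is the OTP secret and must
  // not end up in the extension's log output.
  console.log('START: addMethod', params[0]);
  var user = new User(params[0]);
  user.secret = params[1];
  user.add(function (response) {
    res.reply(response);
  });
});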
iRuleLX: user.js
---------------------------------------------
var dg = require('./f5_data_group');
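/**
 * User record stored in the data group.
 *
 * @param {String} name user name, used as the data-group record key
 */
exports.User = function (name) {
  var self = this;
  self.name = name;
  self.enrolled = false;
  self.secret = "";
  this.methods = {};

  /**
   * add a user to the data group
   *
   * @param {Function} callback called once with true when dg.put reported
   *   success and false otherwise
   */
  this.add = function (callback) {
    console.log('user.add start');
    // `typeof x === undefined` can never be true (typeof yields a string) and
    // the secret defaults to "", so test for a missing or empty value.
    if (!self.secret) {
      console.error('you have to set a secret before calling add');
      callback(false);
      // Stop here: otherwise an empty secret would be written and the
      // callback would fire a second time.
      return;
    }
    // The secret is deliberately left out of the log.
    console.log(self.name);
    dg.put(self.name, self.secret, function (status) {
      if (status) {
        self.enrolled = true;
      }
      // Report the outcome of the write instead of an unconditional true.
      callback(Boolean(status));
    });
  };
};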
iRuleLX: f5_data_group.js
---------------------------------------------
var iControl = require('icontrol');
var util = require('util');
// set API connection and authentication
// NOTE(review): the account name and password are hard-coded (admin/admin), so
// anyone who can read this file can read them, and every request this
// extension sends runs with that account's rights. Prefer a dedicated,
// least-privileged account whose credential is kept out of the source.
var bigip = new iControl({
  // NOTE(review): a reply in this thread reports that the loopback address is
  // not reachable from iRules LX since BIG-IP 13.x.
  host: '127.0.0.1',
  proto: 'https',
  port: '443',
  username: 'admin',
  pass: 'admin',
  // A string, not a boolean; overwritten by `bigip.strict = false` below.
  strict: 'true',
  // A string, not a boolean. NOTE(review): confirm that the package's debug
  // output does not include the credentials or request bodies.
  debug: 'true'
});
// REST path of the internal data group that put() reads and rewrites.
var dgPath = '/ltm/data-group/internal/~Common~token_keys';
var exports = module.exports = {};
//ignore self signed certificate
// NOTE(review): this environment variable switches off certificate
// verification for every TLS connection made by this Node.js process, not only
// for the iControl client, so a peer presenting any certificate is accepted.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
// Presumably relaxes the icontrol client's own certificate check; confirm
// against the package documentation.
bigip.strict = false;
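/**
 * return data group
 *
 * @param {Function} callback called with (res, err); res is whatever
 *   bigip.list returned and err is set when the request failed
 */
exports.getDataGroup = function (callback) {
  console.log('getDataGroup start');
  bigip.list(dgPath, function (err, res) {
    if (err) {
      // Make a failed REST request visible in the log instead of dropping the
      // error. Only the message is logged, not the whole error object.
      console.error('getDataGroup failed:', err && err.message ? err.message : String(err));
    } else {
      console.log('getDataGroup done');
    }
    // err is passed as an extra argument so existing one-argument callers
    // keep working.
    callback(res, err);
  });
};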
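/**
 * add key:data pair to the data group
 *
 * Reads the current record list, updates the record named `key` or appends a
 * new one, then writes the whole list back. Because the list is read, edited
 * and rewritten as a whole, two calls running at the same time can overwrite
 * each other's change.
 *
 * @param {String} key
 * @param {String} data
 * @param {Function} callback called with `data` after a successful write and
 *   with false when the read or the write failed
 */
exports.put = function (key, data, callback) {
  // `data` is the OTP secret here, so only the key is logged.
  console.log('put data-group key:', key);
  exports.getDataGroup(function (res) {
    // No response means the read failed; writing now would replace the data
    // group with a single record.
    if (!res) {
      console.error('put data-group: could not read the data group, nothing written');
      callback(false);
      return;
    }
    // An empty data group has no records property; start from an empty list.
    var records = Array.isArray(res.records) ? res.records : [];
    var isset = false;
    for (var i = 0; i < records.length; i++) {
      if (records[i].name === key) {
        // user exists, update secret
        records[i].data = data;
        isset = true;
        break;
      }
    }
    if (!isset) {
      // user doesn't exist, add them
      records.push({"name": key, "data": data});
    }
    // populate the arguments for the http request (declared locally; the
    // original assignment created an implicit global)
    var args = {
      data: { records: records },
      header: { "Content-Type": "application/json" }
    };
    bigip.modify(dgPath, args, function (err) {
      if (err) {
        console.error('put data-group: modify failed:', err && err.message ? err.message : String(err));
        callback(false);
        return;
      }
      callback(data);
    });
  });
};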
- Satoshi_Toyosa1Ret. Employee
In f5_data_group.js, you hard-coded the loopback address (127.0.0.1), which is no longer accessible from iRules LX (Node.js) for security reasons (since BIG-IP 13.x).
/var/log/restjavad-audit.*.log shows the iControl REST accesses that modify the BIG-IP configurations. GET requests are not recorded by default but can be included by increasing the verbosity of restjavad.
I presume the code came from F5-FMA and iControl npm package came from icontrol. How about contacting the authors (they are 3 and 5 years old respectively, hence they might not be compatible with the current BIG-IPs)?
- yamashin55Cirrus
Thank you for the information!!
Well.... I can't get in touch with codygreen....
I will check by raising the log level in /etc/restjavad.log.conf.
I'll check it out a little more. If you have any information, please let me know.
- yamashin55Cirrus
iControl REST calls from iRules LX could not connect to F5 Mgmt.
Instead, I used a SIDEBAND iRule.