Update an ASM Policy Template via REST-API - the reverse engineering way
I always want to automate as many tasks as possible. I have already a pipeline to import ASM policy templates. Today I had the demand to update this base policies. Simply overwriting the template with the import tasks does not work. I got the error message "The policy template ax-f5-waf-jump-start-template already exists.".
Ok, I need an overwrite tasks. Searching around does not provide me a solution, not even a solution that does not work. Simply nothing, my google-foo have deserted me. Quick chat with an AI, gives me a solution that was hallucinated. The AI answer would be funny if it weren't so sad. I had no hope that AI could solve this problem for me and it was confirmed, again.
I was configuring Linux systems before the internet was widely available. Let's dig us in the internals of the F5 REST API implementation and solve the problem on my own.
- I took a valid payload and removed a required parameter, "name" in this case. The error response changes, this is always a good signal in this stage of experimenting. The error response was "Failed Required Fields: Must have at least 1 of (title, name, policyTemplate)".
- There is also a valid field named "policyTemplate". My first thought: This could be a reference for an existing template to update.
- I added the "policyTemplate" parameter and assigned it an existing template id. The error message has changed again. It now throws "Can't use string (\"ox91NUGR6mFXBDG4FnQSpQ\") as a HASH ref while \"strict refs\" in use at /usr/local/share/perl5/F5/ASMConfig/Entity/Base.pm line 888.". An perl error that is readable and the perl file is in plain text available.
- Looking at the file at line 888: The Perl code looks for an "id" field as property of the "policyTemplate" parameter. Changing the payload again and added the id property. And wow that was easy, it works and the template was updated.
Final the payload for people who do not want to do reverse engineering.
Update
POST following payload to /mgmt/tm/asm/tasks/import-policy-template to update an ASM policy template:
{
"filename": "<username>~<filename>",
"policyTemplate": {
"id": "ox91NUGR6mFXBDG4FnQSpQ"
}
}Create
POST following payload /mgmt/tm/asm/tasks/import-policy-template to create an ASM policy template:
{
"name": "<name>",
"filename": "<username>~<filename>"
}Hint: You must upload the template before to /var/config/rest/downloads/<username>~<filename>".
Conclusion
Documentation is sometimes overrated if you can read Perl. Missed I the API documentation for this endpoint and it was just a exercise for me?
