
feat: add f5__awaf — F5 Advanced WAF IP management and policy control (iControl REST) #264

Open: qiqi-chen wants to merge 2 commits into chaitin:main from qiqi-chen:feat/add-f5-awaf

@qiqi-chen qiqi-chen commented Jun 25, 2026

Summary

New OctoBus service package for F5 Advanced WAF (AWAF) — exposes 7 RPCs via the iControl REST API.

Closes / references #34.

RPCs

| RPC | Capability | Category |
| --- | --- | --- |
| Login | Authenticate, obtain session token | read |
| BlockIP | Add IPs to ASM policy exception list (blockRequests=always) | write |
| UnblockIP | Remove IPs from ASM policy exception list | write |
| AllowIP | Whitelist IPs in ASM policy exception list (blockRequests=never) | write |
| SetEnforcementMode | Switch policy between blocking / transparent | write |
| ListPolicies | Enumerate all ASM policies with enforcement mode | read |
| Logout | Invalidate session token | read |

Auth Pattern

Session-based (Option A from the submission spec): explicit Login → token passed as field in every subsequent RPC → Logout.

Implementation Notes

  • TLS: verify_ssl defaults to false (F5 uses self-signed certs); set true in production with a trusted CA
  • Idempotency: BlockIP/AllowIP PATCH existing exceptions; UnblockIP treats already-removed IPs as success
  • Apply-policy: all write operations trigger POST /mgmt/tm/asm/tasks/apply-policy (best-effort, non-fatal)
  • No real device needed: 39 tests pass against a local mock HTTP server that faithfully simulates the iControl REST endpoints

Files

services/f5__awaf/
  proto/f5_awaf_v1.proto     # protobuf definitions (7 RPCs)
  src/f5-awaf.js             # handler implementations
  service.json               # OctoBus manifest + 7 CLI commands
  config.schema.json         # host/port/verify_ssl/default_policy_name
  secret.schema.json         # username/password
  test/f5-awaf.test.js       # 39 unit + integration tests
  test/mock_upstream.js      # mock iControl REST server
  README.md                  # full RPC documentation

Test Plan

  • node --test test/*.test.js: 39 passed, 0 failed (no real F5 device required)
  • Unit tests: mock globalThis.fetch per suite, validate error mapping and request shape
  • Integration tests: real HTTP against mock_upstream.js, covers full Login→BlockIP→Logout flow
  • Real-device smoke test (pending access to F5 BIG-IP hardware — runbook in README)
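
As an added example (not part of this PR or the OctoBus code base), the idempotency rules in the implementation notes can be written as a pure planning function that decides which iControl REST call each IP still needs. The `whitelist-ips` path, the `id`/`ipAddress` field names, the apply-policy body, and the names `planExceptionChanges`, `listPath` and `sampleExisting` are assumptions; the PR text does not show them.

```javascript
const net = require('node:net');

// Assumed endpoint and field names (not stated in the PR): exceptions are
// entries {id, ipAddress, blockRequests} in the policy's whitelist-ips list.
const listPath = (policyId) =>
  `/mgmt/tm/asm/policies/${encodeURIComponent(policyId)}/whitelist-ips`;

// action: 'block' | 'allow' | 'unblock'. `existing` is the current exception
// list as fetched from the device. Returns the HTTP calls still needed.
function planExceptionChanges(policyId, existing, ips, action) {
  const modes = { block: 'always', allow: 'never', unblock: null };
  if (!Object.hasOwn(modes, action)) throw new Error(`unknown action: ${action}`);
  const desired = modes[action];
  const byIp = new Map(existing.map((e) => [e.ipAddress, e]));
  const requests = [];
  const unchanged = [];

  for (const ip of new Set(ips)) {
    // Reject anything that is not a literal IP before it reaches a URL or body.
    if (net.isIP(ip) === 0) throw new Error(`not an IP address: ${ip}`);
    const current = byIp.get(ip);
    const itemPath = current && `${listPath(policyId)}/${encodeURIComponent(current.id)}`;
    if (action === 'unblock') {
      if (current) requests.push({ method: 'DELETE', path: itemPath });
      else unchanged.push(ip); // already removed counts as success
    } else if (!current) {
      requests.push({ method: 'POST', path: listPath(policyId),
        body: { ipAddress: ip, blockRequests: desired } });
    } else if (current.blockRequests !== desired) {
      requests.push({ method: 'PATCH', path: itemPath, body: { blockRequests: desired } });
    } else {
      unchanged.push(ip); // already in the desired state (this example skips the PATCH)
    }
  }
  // One apply-policy task after any write; best-effort, so a failure is non-fatal.
  if (requests.length > 0) {
    requests.push({ method: 'POST', path: '/mgmt/tm/asm/tasks/apply-policy',
      bestEffort: true, // assumed body shape below
      body: { policyReference: { link: `https://localhost/mgmt/tm/asm/policies/${policyId}` } } });
  }
  return { requests, unchanged };
}

// Constructed sample state: one blocked and one allowed address.
const sampleExisting = [
  { id: 'ex1', ipAddress: '203.0.113.7', blockRequests: 'always' },
  { id: 'ex2', ipAddress: '198.51.100.9', blockRequests: 'never' },
];
```

Calling it with `'allow'` for an address that is currently blocked yields a single PATCH from `always` to `never`, which is the transition worth logging and reviewing on a production policy.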

qiqi-chen and others added 2 commits June 25, 2026 18:45
…olicies

Add three new capabilities on top of the existing Login/BlockIP/UnblockIP/Logout:

- AllowIP: whitelist IPs with blockRequests=never (mirrors BlockIP logic)
- SetEnforcementMode: toggle ASM policy between blocking and transparent via
  PATCH /mgmt/tm/asm/policies/{id}, triggers apply-policy afterwards
- ListPolicies: enumerate all ASM policies with enforcement mode and active
  status via GET /mgmt/tm/asm/policies?$select=id,name,enforcementMode,active

Update proto (7 RPCs + new message types), service.json (3 new CLI commands),
README (new RPC docs + expanded capset table), mock_upstream (PATCH policy
endpoint + enforcementMode field in state), and tests (8 new cases, 39 total).

Refs: chaitin#34
@qiqi-chen qiqi-chen changed the title from "feat: add f5__awaf — F5 Advanced WAF IP block/unblock (iControl REST)" to "feat: add f5__awaf — F5 Advanced WAF IP management and policy control (iControl REST)" Jun 25, 2026