21 changes: 19 additions & 2 deletions adapters/rest_generic/README.md
Expand Up @@ -9,9 +9,22 @@ The list of configuration that can we used is available below

# Available configuration variables

## AUTH_FQDN
FQDN used for OAuth or token based authentication.

* Format: `host` or `host:port` (no scheme). Do **not** prefix the value with `http://` or `https://`; the adapter will prepend the protocol automatically based on the `PROTOCOL` setting, building URLs as `{$protocol}://{$fqdn}{$rest_path}`.
* Non‑default ports: when you need a non‑default port while using `AUTH_FQDN`, include it directly in this value (for example `customerapiauth.fortinet.com:8443`). When `AUTH_FQDN` is set, the `MANAGEMENT_PORT` value is **not** appended to it.
* Example: FortiSASE: `customerapiauth.fortinet.com`

## API_FQDN
FQDN used for API calls.

* Format: `host` or `host:port` (no scheme). Do **not** prefix the value with `http://` or `https://`; the adapter will prepend the protocol automatically based on the `PROTOCOL` setting, building URLs as `{$protocol}://{$fqdn}{$rest_path}`.
* Non‑default ports: when you need a non‑default port while using `API_FQDN`, include it directly in this value (for example `portal.prod.fortisase.com:8443`). When `API_FQDN` is set, the `MANAGEMENT_PORT` value is **not** appended to it.
* Example: FortiSASE: `portal.prod.fortisase.com`
## REST_JSON
set to 1 when using JSON REST API Microservices.
By default the adapter will transform the API JSON formatted responses to XML.
Deprecated: set to 1 when using JSON REST API Microservices.
By default, when importing from a JSON REST API, responses are converted to XML and processed using XPath. When `REST_JSON` is set to `1`, the adapter keeps responses as JSON and enables JSONPath for Microservice IMPORT (when "application/json" is part of the HTTP header).

## PROTOCOL
Use this configuration to select the protocol for the REST API requests
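
Review bot: The `## REST_JSON` entry now opens with "Deprecated:" but goes on to explain that setting it to `1` enables JSONPath, without saying what replaces it or whether new configurations should still set it. Name the replacement or drop the word, so a reader knows which path to follow. The `## REST_JSON` heading also follows the `API_FQDN` example bullet with no blank line, unlike the other headings in this file; add one so it renders as a heading everywhere.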
Expand Down Expand Up @@ -56,6 +69,10 @@ The Generic REST adapter will handle JSON response by transforming the JSON stri
The transformation to XML will be triggered if the Content-Type HTTP header is set to application/json
* default: //root/token

## TOKEN_JSONPATH
The JSON Path to get the token
By default: $.token

## HTTP_HEADER
Use this to list the HTTP header to pass to the API HTTP requests.
This configuration should be specified as a | separated list of "key: value"
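
Review bot: The new `TOKEN_JSONPATH` entry does not say when it is used instead of `TOKEN_XPATH`. The entry just above it still describes the XML transformation with `* default: //root/token`, so a reader cannot tell which of the two paths is evaluated for a given response. State which setting selects JSONPath token extraction, and write the default in the same bullet form as the neighbouring entry, with `$.token` in backticks.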
31 changes: 25 additions & 6 deletions adapters/rest_generic/rest_generic_connect.php
Expand Up @@ -16,7 +16,8 @@ class DeviceConnection extends GenericConnection
public $auth_mode;
public $auth_header;
public $conn_timeout;
public $fqdn;
public $auth_fqdn;
public $api_fqdn;
public $aws_sigv4;
public $rest_json;
public $json_path;
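
Review bot: Replacing `public $fqdn;` with `public $auth_fqdn;` and `public $api_fqdn;` removes a public property from `DeviceConnection`, so any code outside this file that still reads or sets `->fqdn` will stop routing to the configured host without raising an error. Confirm that nothing else references it, or keep `$fqdn` for a release as a deprecated alias of `$auth_fqdn`. A one-line comment on each new property saying which requests it routes would also help.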
Expand Down Expand Up @@ -151,10 +152,24 @@ public function send($origin, $rest_cmd)
}
}

if (isset($this->fqdn)) {
$ip_address = $this->fqdn;
if (!empty($this->key)) {
// Post-authenticated requests: prefer API FQDN, then AUTH FQDN, then fall back to configured IP:port
if (!empty($this->api_fqdn)) {
$ip_address = $this->api_fqdn;
} elseif (!empty($this->auth_fqdn)) {
$ip_address = $this->auth_fqdn;
} else {
$ip_address = $this->sd_ip_config . ":" . $this->sd_management_port;
}
} else {
$ip_address = $this->sd_ip_config . ":" . $this->sd_management_port;
// Pre-auth/BASIC requests: prefer AUTH FQDN, then fall back to API FQDN, then to configured IP:port
if (!empty($this->auth_fqdn)) {
$ip_address = $this->auth_fqdn;
} elseif (!empty($this->api_fqdn)) {
$ip_address = $this->api_fqdn;
Comment on lines +155 to +169

Copilot AI Mar 27, 2026

The new post-auth/pre-auth host selection uses !empty($this->key), but the authentication/header logic above relies on isset($this->key). If $this->key is set to an empty string (e.g., AUTH_KEY config var present but empty), requests will still add an auth header while being treated as pre-auth here, potentially sending authenticated calls to the wrong FQDN. Use a consistent predicate for “authenticated” (either change this block to isset($this->key) or tighten the header logic to require a non-empty key).

Member Author

@copilot apply changes based on this feedback

Contributor

Changed !empty($this->key) to isset($this->key) in the FQDN selection block so it uses the same predicate as the auth header logic above it. This ensures a key set to an empty string is treated consistently across both the header and FQDN routing decisions (commit 8d3ef84).

Note: the commit is ready locally but a repository protection rule is currently preventing the push — the change is available for review in the local branch.

} else {
$ip_address = $this->sd_ip_config . ":" . $this->sd_management_port;
}
}

$aws_sigv4 = "";
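
Review bot: In the pre-auth branch, `elseif (!empty($this->api_fqdn))` routes the login request, and the credentials it carries, to the API host whenever `AUTH_FQDN` is unset, rather than to the configured `sd_ip_config` and `sd_management_port`. If that cross-fallback is intended, document the precedence for both branches in the README; if not, let the pre-auth branch fall through directly to the IP and port. The `$this->sd_ip_config . ":" . $this->sd_management_port` fallback is also repeated in both branches; computing it once before the `if` would keep the two from drifting apart.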
Expand Down Expand Up @@ -353,8 +368,12 @@ function rest_generic_connect($sd_ip_addr = null, $login = null, $passwd = null,

$sms_sd_ctx->auth_mode = $auth_mode;
if (isset($sd->SD_CONFIGVAR_list['AUTH_FQDN'])) {
$fqdn = trim($sd->SD_CONFIGVAR_list['AUTH_FQDN']->VAR_VALUE);
$sms_sd_ctx->fqdn = $fqdn;
$auth_fqdn = trim($sd->SD_CONFIGVAR_list['AUTH_FQDN']->VAR_VALUE);
$sms_sd_ctx->auth_fqdn = $auth_fqdn;
}
if (isset($sd->SD_CONFIGVAR_list['API_FQDN'])) {
$api_fqdn = trim($sd->SD_CONFIGVAR_list['API_FQDN']->VAR_VALUE);
$sms_sd_ctx->api_fqdn = $api_fqdn;
}
if (isset($sd->SD_CONFIGVAR_list['TOKEN_XPATH'])) {
$token_xpath = trim($sd->SD_CONFIGVAR_list['TOKEN_XPATH']->VAR_VALUE);
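
Review bot: `AUTH_FQDN` and `API_FQDN` are stored after `trim()` only, although the README in this change requires `host` or `host:port` with no scheme. A value such as `https://portal.prod.fortisase.com` would get the protocol prepended a second time and yield a malformed URL, and since these hosts receive credentials and tokens, a mistyped value should fail loudly rather than at request time. Check the trimmed value here (reject or log anything containing `://` or `/`) before assigning it to `$sms_sd_ctx`. The `$auth_fqdn` and `$api_fqdn` locals are each used once and can be inlined.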