proxy: add allowed_methods option

REFERENCE.md

@@ -863,6 +863,14 @@ List of the allowed protocols to be used on the egress side of the HTTPS proxy,
 
 Default value: `$thebastion::params::http_proxy_allowed_egress_protocols`
 
+##### `http_proxy_allowed_methods`
+
+Data type: `Array[String]`
+
+List of the allowed HTTP methods that will be forwarded through the proxy, such as GET, POST, PUT, DELETE, ...
+
+Default value: `$thebastion::params::http_proxy_allowed_methods`
+
 ##### `piv_grace_reaper_syslog`
 
 Data type: `Optional[String]`

manifests/addons.pp

@@ -64,6 +64,7 @@
 
   $http_proxy_conf = {
     'allowed_egress_protocols' => $thebastion::http_proxy_allowed_egress_protocols,
+    'allowed_methods'          => $thebastion::http_proxy_allowed_methods,
     'ciphers'                  => $thebastion::http_proxy_ciphers,
     'enabled'                  => $thebastion::http_proxy_enabled,
     'insecure'                 => $thebastion::http_proxy_insecure,

manifests/init.pp

@@ -217,6 +217,8 @@
 #   Timeout delay (in seconds) for the connection between the bastion and the devices
 # @param http_proxy_allowed_egress_protocols
 #   List of the allowed protocols to be used on the egress side of the HTTPS proxy, supported protocols: https, http
+# @param http_proxy_allowed_methods
+#   List of the allowed HTTP methods that will be forwarded through the proxy, such as GET, POST, PUT, DELETE, ...
 # @param piv_grace_reaper_syslog
 #   Syslog facility to log to if defined
 # @param sync_watcher_enabled
@@ -333,6 +335,7 @@
   Optional[String] $encrypt_rsync_signing_key_passphrase                            = $thebastion::params::encrypt_rsync_signing_key_passphrase,
   Optional[String] $encrypt_rsync_syslog_facility                                   = $thebastion::params::encrypt_rsync_syslog_facility,
   Array[String] $http_proxy_allowed_egress_protocols                                = $thebastion::params::http_proxy_allowed_egress_protocols,
+  Array[String] $http_proxy_allowed_methods                                         = $thebastion::params::http_proxy_allowed_methods,
   String $http_proxy_ciphers                                                        = $thebastion::params::http_proxy_ciphers,
   Boolean $http_proxy_enabled                                                       = $thebastion::params::http_proxy_enabled,
   Boolean $http_proxy_insecure                                                      = $thebastion::params::http_proxy_insecure,

manifests/params.pp

@@ -218,6 +218,7 @@
   $encrypt_rsync_signing_key_passphrase     = undef
   $encrypt_rsync_syslog_facility            = undef
   $http_proxy_allowed_egress_protocols      = ['https']
+  $http_proxy_allowed_methods               = ['GET','POST']
   $http_proxy_ciphers                       = ''
   $http_proxy_enabled                       = false
   $http_proxy_insecure                      = false

spec/classes/thebastion_spec.rb

@@ -644,6 +644,7 @@
         let(:params) do
           {
             http_proxy_allowed_egress_protocols: ['http', 'https'],
+            http_proxy_allowed_methods:          ['GET', 'PUT'],
             http_proxy_ciphers:           'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384',
             http_proxy_enabled:           true,
             http_proxy_insecure:          true,
@@ -661,6 +662,7 @@
         it 'tests valid parameters input' do
           parsed = JSON.parse(catalogue.resource('concat::fragment', 'thebastion::addons::osh-http-proxy-conf').send(:parameters)[:content])
           expect(parsed['allowed_egress_protocols']).to contain_exactly('http', 'https')
+          expect(parsed['allowed_methods']).to contain_exactly('GET', 'PUT')
           expect(parsed['ciphers']).to eq('ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384')
           expect(parsed['enabled']).to be true
           expect(parsed['insecure']).to be true