Merge pull request #848 from teluq-pbrideau/feat/auth-with-cert

root-expert · web-flow · commit 752589352ae6 · 2022-12-20T13:00:01.000+02:00
diff --git a/lib/puppet/provider/zabbix_host/ruby.rb b/lib/puppet/provider/zabbix_host/ruby.rb
@@ -13,7 +13,7 @@ def self.instances
         selectInterfaces: %w[interfaceid type main ip port useip details],
         selectGroups: ['name'],
         selectMacros: %w[macro value],
-        output: %w[host proxy_hostid]
+        output: %w[host proxy_hostid tls_accept tls_connect tls_issuer tls_subject]
       }
     )
 
@@ -38,7 +38,11 @@ def self.instances
         macros: h['macros'].map { |macro| { macro['macro'] => macro['value'] } },
         proxy: proxy_select,
         interfacetype: interface['type'].to_i,
-        interfacedetails: interface['details']
+        interfacedetails: interface['details'],
+        tls_accept: h['tls_accept'].to_i,
+        tls_connect: h['tls_connect'].to_i,
+        tls_issuer: h['tls_issuer'].to_s,
+        tls_subject: h['tls_subject'].to_s
       )
     end
   end
@@ -60,6 +64,9 @@ def create
 
     proxy_hostid = @resource[:proxy].nil? || @resource[:proxy].empty? ? nil : zbx.proxies.get_id(host: @resource[:proxy])
 
+    tls_accept = @resource[:tls_accept].nil? ? 1 : @resource[:tls_accept]
+    tls_connect = @resource[:tls_connect].nil? ? 1 : @resource[:tls_connect]
+
     # Now we create the host
     zbx.hosts.create(
       host: @resource[:hostname],
@@ -76,7 +83,11 @@ def create
         }
       ],
       templates: templates,
-      groups: groups
+      groups: groups,
+      tls_connect: tls_connect,
+      tls_accept: tls_accept,
+      tls_issuer: @resource[:tls_issuer].nil? ? '' : @resource[:tls_issuer],
+      tls_subject: @resource[:tls_subject].nil? ? '' : @resource[:tls_subject]
     )
   end
 
@@ -224,4 +235,37 @@ def proxy=(string)
       proxy_hostid: zbx.proxies.get_id(host: string)
     )
   end
+
+  def tls_connect=(int)
+    @property_hash[:tls_connect] = int
+    zbx.hosts.create_or_update(
+      host: @resource[:hostname],
+      tls_connect: @property_hash[:tls_connect].nil? ? 1 : @property_hash[:tls_connect]
+    )
+  end
+
+  def tls_accept=(int)
+    @property_hash[:tls_accept] = int
+
+    zbx.hosts.create_or_update(
+      host: @resource[:hostname],
+      tls_accept: @property_hash[:tls_accept].nil? ? 1 : @property_hash[:tls_accept]
+    )
+  end
+
+  def tls_issuer=(string)
+    @property_hash[:tls_issuer] = string
+    zbx.hosts.create_or_update(
+      host: @resource[:hostname],
+      tls_issuer: @property_hash[:tls_issuer].nil? ? '' : @property_hash[:tls_issuer]
+    )
+  end
+
+  def tls_subject=(string)
+    @property_hash[:tls_subject] = string
+    zbx.hosts.create_or_update(
+      host: @resource[:hostname],
+      tls_subject: @property_hash[:tls_subject].nil? ? '' : @property_hash[:tls_subject]
+    )
+  end
 end
diff --git a/lib/puppet/type/zabbix_host.rb b/lib/puppet/type/zabbix_host.rb
@@ -27,6 +27,19 @@ def munge_boolean(value)
     end
   end
 
+  def munge_encryption(value)
+    case value
+    when 1, 'unencrypted', :unencrypted
+      1
+    when 2, 'psk', :psk
+      2
+    when 4, 'cert', :cert
+      4
+    else
+      raise(Puppet::Error, 'munge_encryption only takes unencrypted, psk or cert')
+    end
+  end
+
   newparam(:hostname, namevar: true) do
     desc 'FQDN of the machine.'
   end
@@ -123,6 +136,36 @@ def insync?(is)
     desc 'Whether it is monitored by an proxy or not.'
   end
 
+  newproperty(:tls_connect) do
+    desc 'How the server connect to the client (unencrypted, psk or cert)'
+    def insync?(is)
+      is.to_i == should.to_i
+    end
+
+    munge do |value|
+      @resource.munge_encryption(value)
+    end
+  end
+
+  newproperty(:tls_accept) do
+    desc 'How the client connect to the server (unencrypted, psk or cert)'
+    def insync?(is)
+      is.to_i == should.to_i
+    end
+
+    munge do |value|
+      @resource.munge_encryption(value)
+    end
+  end
+
+  newproperty(:tls_issuer) do
+    desc 'Certificate issuer.'
+  end
+
+  newproperty(:tls_subject) do
+    desc 'Certificate subject.'
+  end
+
   autorequire(:file) { '/etc/zabbix/api.conf' }
 
   validate do
diff --git a/manifests/agent.pp b/manifests/agent.pp
@@ -79,6 +79,8 @@
 # @param tlsaccept What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
 # @param tlscafile Full pathname of a file containing the top-level CA(s) certificates for peer certificate verification.
 # @param tlscertfile Full pathname of a file containing the proxy certificate or certificate chain.
+# @param tlscertissuer Issuer of the certificate that is allowed to talk with the serve
+# @param tlscertsubject Subject of the certificate that is allowed to talk with the server
 # @param tlsconnect How the proxy should connect to Zabbix server. Used for an active proxy, ignored on a passive proxy.
 # @param tlscrlfile Full pathname of a file containing revoked certificates.
 # @param tlskeyfile Full pathname of a file containing the proxy private key.
@@ -192,16 +194,18 @@
   $userparameter                                       = $zabbix::params::agent_userparameter,
   Optional[String[1]] $loadmodulepath                  = $zabbix::params::agent_loadmodulepath,
   $loadmodule                                          = $zabbix::params::agent_loadmodule,
-  $tlsaccept                                           = $zabbix::params::agent_tlsaccept,
+  Optional[Enum['unencrypted','psk','cert']] $tlsaccept = $zabbix::params::agent_tlsaccept,
   $tlscafile                                           = $zabbix::params::agent_tlscafile,
   $tlscertfile                                         = $zabbix::params::agent_tlscertfile,
+  Optional[String[1]] $tlscertissuer                   = undef,
+  Optional[String[1]] $tlscertsubject                  = undef,
   Optional[String[1]] $tlscipherall                    = $zabbix::params::agent_tlscipherall,
   Optional[String[1]] $tlscipherall13                  = $zabbix::params::agent_tlscipherall13,
   Optional[String[1]] $tlsciphercert                   = $zabbix::params::agent_tlsciphercert,
   Optional[String[1]] $tlsciphercert13                 = $zabbix::params::agent_tlsciphercert13,
   Optional[String[1]] $tlscipherpsk                    = $zabbix::params::agent_tlscipherpsk,
   Optional[String[1]] $tlscipherpsk13                  = $zabbix::params::agent_tlscipherpsk13,
-  $tlsconnect                                          = $zabbix::params::agent_tlsconnect,
+  Optional[Enum['unencrypted','psk','cert']] $tlsconnect = $zabbix::params::agent_tlsconnect,
   $tlscrlfile                                          = $zabbix::params::agent_tlscrlfile,
   $tlskeyfile                                          = $zabbix::params::agent_tlskeyfile,
   $tlspskfile                                          = $zabbix::params::agent_tlspskfile,
@@ -273,6 +277,10 @@
       interfacetype    => $zbx_interface_type,
       interfacedetails => $zbx_interface_details,
       proxy            => $use_proxy,
+      tls_accept       => $tlsaccept,
+      tls_connect      => $tlsconnect,
+      tls_issuer       => $tlscertissuer,
+      tls_subject      => $tlscertsubject,
     }
   }
 
diff --git a/manifests/resources/agent.pp b/manifests/resources/agent.pp
@@ -11,6 +11,10 @@
 # @param proxy Whether it is monitored by an proxy or not.
 # @param interfacetype Internally used identifier for the host interface.
 # @param interfacedetails Hash with interface details for SNMP when interface type is 2.
+# @param tls_connect How the server must connect to the agent
+# @param tls_accept How the agent can connect to the server
+# @param tls_issuer Issuer of the certificate that is allowed to talk with the serve
+# @param tls_subject Subject of the certificate that is allowed to talk with the server
 class zabbix::resources::agent (
   $hostname                           = undef,
   $ipaddress                          = undef,
@@ -24,6 +28,10 @@
   $proxy                              = undef,
   $interfacetype                      = 1,
   Variant[Array, Hash] $interfacedetails = [],
+  Optional[Enum['unencrypted','psk','cert']] $tls_connect = undef,
+  Optional[Enum['unencrypted','psk','cert']] $tls_accept  = undef,
+  Optional[String[1]] $tls_issuer                         = undef,
+  Optional[String[1]] $tls_subject                        = undef,
 ) {
   if $group and $groups {
     fail("Got group and groups. This isn't support! Please use groups only.")
@@ -47,5 +55,9 @@
     proxy            => $proxy,
     interfacetype    => $interfacetype,
     interfacedetails => $interfacedetails,
+    tls_connect      => $tls_connect,
+    tls_accept       => $tls_accept,
+    tls_issuer       => $tls_issuer,
+    tls_subject      => $tls_subject,
   }
 }
diff --git a/spec/acceptance/zabbix_host_spec.rb b/spec/acceptance/zabbix_host_spec.rb
@@ -132,8 +132,36 @@ class { 'zabbix':
         end
       end
 
+      it_behaves_like 'an idempotent resource' do
+        let(:manifest) do
+          <<-EOS
+          zabbix_host { 'test5.example.com':
+            ipaddress   => '127.0.0.5',
+            use_ip      => false,
+            port        => 1051,
+            groups      => ['Virtual machines'],
+            templates   => #{template},
+            macros      => [],
+            tls_accept  => 'cert',
+            tls_connect => 'cert',
+            tls_issuer  => 'Zabbix.com',
+            tls_subject => 'MyClientCertificate',
+          }
+          EOS
+        end
+      end
+
       let(:result_hosts) do
-        zabbixapi('localhost', 'Admin', 'zabbix', 'host.get', selectParentTemplates: ['host'], selectInterfaces: %w[dns ip main port type useip details], selectGroups: ['name'], output: ['host', '']).result
+        zabbixapi(
+          'localhost',
+          'Admin',
+          'zabbix',
+          'host.get',
+          selectParentTemplates: ['host'],
+          selectInterfaces: %w[dns ip main port type useip details],
+          selectGroups: ['name'],
+          output: ['host', 'tls_accept', 'tls_connect', 'tls_issuer', 'tls_subject', '']
+        ).result
       end
 
       context 'test1.example.com' do
@@ -308,6 +336,30 @@ class { 'zabbix':
         end
 
       end
+
+      context 'test5.example.com' do
+        let(:test5) { result_hosts.select { |h| h['host'] == 'test5.example.com' }.first }
+
+        it 'is created' do
+          expect(test5['host']).to eq('test5.example.com')
+        end
+
+        it 'has a correct tls_accept configured' do
+          expect(test5['tls_accept']).to eq('4')
+        end
+
+        it 'has a correct tls_connect configured' do
+          expect(test5['tls_connect']).to eq('4')
+        end
+
+        it 'has a correct tls_issuer configured' do
+          expect(test5['tls_issuer']).to eq('Zabbix.com')
+        end
+
+        it 'has a correct tls_subject configured' do
+          expect(test5['tls_subject']).to eq('MyClientCertificate')
+        end
+      end
     end
   end
 end
