feat: add option to restrict api access

teluq-pbrideau · teluq-pbrideau · commit 78d507ad7a62 · 2023-02-13T09:21:08.000-05:00
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -74,6 +74,7 @@
 # @param ldap_reqcert Specifies what checks to perform on a server certificate
 # @param zabbix_api_user Name of the user which the api should connect to. Default: Admin
 # @param zabbix_api_pass Password of the user which connects to the api. Default: zabbix
+# @param zabbix_api_access Which host has access to the api. Default: no restriction
 # @param listenport Listen port for the zabbix-server. Default: 10051
 # @param sourceip Source ip address for outgoing connections.
 # @param logfile Name of log file.
@@ -250,6 +251,7 @@
   Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert     = $zabbix::params::ldap_reqcert,
   $zabbix_api_user                                                            = $zabbix::params::server_api_user,
   $zabbix_api_pass                                                            = $zabbix::params::server_api_pass,
+  Optional[Array[Stdlib::Fqdn]] $zabbix_api_access                            = $zabbix::params::server_api_acces,
   $listenport                                                                 = $zabbix::params::server_listenport,
   $sourceip                                                                   = $zabbix::params::server_sourceip,
   Enum['console', 'file', 'system'] $logtype                                  = $zabbix::params::server_logtype,
@@ -364,6 +366,7 @@
     apache_listenport_ssl                    => $apache_listenport_ssl,
     zabbix_api_user                          => $zabbix_api_user,
     zabbix_api_pass                          => $zabbix_api_pass,
+    zabbix_api_access                        => $zabbix_api_access,
     database_host                            => $database_host,
     database_name                            => $database_name,
     database_schema                          => $database_schema,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -184,6 +184,7 @@
   $ldap_reqcert                             = undef
   $server_api_pass                          = 'zabbix'
   $server_api_user                          = 'Admin'
+  $server_api_access                        = undef
   $server_database_double_ieee754           = false
   $saml_sp_key                              = undef
   $saml_sp_cert                             = undef
diff --git a/manifests/web.pp b/manifests/web.pp
@@ -42,6 +42,7 @@
 # @param apache_listenport_ssl The port for the apache SSL vhost.
 # @param zabbix_api_user Name of the user which the api should connect to. Default: Admin
 # @param zabbix_api_pass Password of the user which connects to the api. Default: zabbix
+# @param zabbix_api_access Which host has access to the api. Default: no restriction
 # @param database_host Database host name.
 # @param database_name Database name.
 # @param database_schema Schema name. used for ibm db2.
@@ -114,6 +115,7 @@
   Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl   = $zabbix::params::apache_listenport_ssl,
   $zabbix_api_user                                                    = $zabbix::params::server_api_user,
   $zabbix_api_pass                                                    = $zabbix::params::server_api_pass,
+  Optional[Array[Stdlib::Fqdn]] $zabbix_api_access                    = $zabbix::params::server_api_access,
   $database_host                                                      = $zabbix::params::server_database_host,
   $database_name                                                      = $zabbix::params::server_database_name,
   $database_schema                                                    = $zabbix::params::server_database_schema,
@@ -395,6 +397,15 @@
     $directory_allow = { 'require' => 'all granted', }
     $directory_deny = { 'require' => 'all denied', }
 
+    $location_api_access = $zabbix_api_access ? {
+      undef   => $directory_allow,
+      default => if versioncmp($apache::apache_version, '2.4') >= 0 {
+        { 'require' => $zabbix_api_access.map |$host| { "host ${host}" }, }
+      } else {
+        { 'allow' => $zabbix_api_access, 'order' => 'Allow,Deny' }
+      }
+    }
+
     apache::vhost { $zabbix_url:
       docroot         => '/usr/share/zabbix',
       ip              => $apache_listen_ip,
@@ -425,6 +436,10 @@
             path     => '/usr/share/zabbix/include/classes',
             provider => 'directory',
         }, $directory_deny),
+        merge({
+            path     => '/api_jsonrpc.php',
+            provider => 'location',
+        }, $location_api_access),
       ],
       custom_fragment => $apache_vhost_custom_fragment,
       rewrites        => [
