Zabbix authconfig provider

Author: DEFERME Bert

lib/puppet/provider/zabbix_authcfg/ruby.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require_relative '../zabbix'
+Puppet::Type.type(:zabbix_authcfg).provide(:ruby, parent: Puppet::Provider::Zabbix) do
+  confine feature: :zabbixapi
+
+  def initialize(value = {})
+    super(value)
+    @property_flush = {}
+  end
+
+  def get_auth_by_id(id)
+    api_auth = zbx.query(
+      method: 'authentication.get',
+      params: {
+        output: 'extend',
+      },
+      id: id
+    )
+    if api_auth.empty?
+      nil
+    else
+      {
+        authentication_type: api_auth['authentication_type'],
+        ldap_configured: api_auth['ldap_configured'],
+        ldap_host: api_auth['ldap_host'],
+        ldap_port: api_auth['ldap_port'],
+        ldap_base_dn: api_auth['ldap_base_dn'],
+        ldap_search_attribute: api_auth['ldap_search_attribute'],
+        ldap_bind_dn: api_auth['ldap_bind_dn'],
+        ldap_case_sensitive: api_auth['ldap_case_sensitive'],
+        ldap_bind_password: api_auth['ldap_bind_password'],
+      }
+    end
+  end
+
+  def auth
+    @auth ||= get_auth_by_id(resource[:id])
+  end
+
+  attr_writer :auth
+
+  def authentication_type
+    auth[:authentication_type]
+  end
+
+  def authentication_type=(int)
+    @property_flush[:authentication_type] = int
+  end
+
+  def ldap_configured
+    auth[:ldap_configured]
+  end
+
+  def ldap_configured=(int)
+    @property_flush[:ldap_configured] = int
+  end
+
+  def ldap_host
+    auth[:ldap_host]
+  end
+
+  def ldap_host=(value)
+    @property_flush[:ldap_host] = value
+  end
+
+  def ldap_port
+    auth[:ldap_port]
+  end
+
+  def ldap_port=(value)
+    @property_flush[:ldap_port] = value
+  end
+
+  def ldap_base_dn
+    auth[:ldap_base_dn]
+  end
+
+  def ldap_base_dn=(value)
+    @property_flush[:ldap_base_dn] = value
+  end
+
+  def ldap_search_attribute
+    auth[:ldap_search_attribute]
+  end
+
+  def ldap_search_attribute=(value)
+    @property_flush[:ldap_search_attribute] = value
+  end
+
+  def ldap_bind_dn
+    auth[:ldap_bind_dn]
+  end
+
+  def ldap_bind_dn=(value)
+    @property_flush[:ldap_bind_dn] = value
+  end
+
+  def ldap_case_sensitive
+    auth[:ldap_case_sensitive]
+  end
+
+  def ldap_case_sensitive=(int)
+    @property_flush[:ldap_case_sensitive] = int
+  end
+
+  def ldap_bind_password
+    auth[:ldap_bind_password]
+  end
+
+  def ldap_bind_password=(value)
+    @property_flush[:ldap_bind_password] = value
+  end
+
+  def flush
+    # ensure => absent is unsupported
+    return if @property_flush[:ensure] == :absent
+
+    return if @property_flush.empty?
+
+    update_auth
+  end
+
+  def update_auth
+    zbx.query(
+      method: 'authentication.update',
+      id: @resource[:id],
+      params: @property_flush
+    )
+  end
+
+  # Unsupported/not needed since authentication with id: 1 is created by installing zabbix
+  def create
+    nil
+  end
+
+  def exists?
+    auth
+  end
+
+  # Unused/absent is unsupported
+  def destroy
+    nil
+  end
+end

lib/puppet/type/zabbix_authcfg.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require 'uri'
+
+Puppet::Type.newtype(:zabbix_authcfg) do
+  @doc = %q("Manage zabbix authentication configuration
+
+      zabbix_authcfg { '1':
+        ensure                => present,
+        ldap_configured       => true,
+        ldap_host             => 'ldap://host.name',
+        ldap_port             => '389',
+        ldap_base_dn          => 'dc=example,dc=com',
+        ldap_search_attribute => 'uid',
+        ldap_bind_dn          => 'cn=Manager',
+        ldap_bind_password    => Sensitive('password'),
+        ldap_case_sensitive   => true,
+      }")
+
+  ensurable do
+    # We should not be able to delete the authentication settings
+    newvalues(:present)
+    defaultto :present
+  end
+
+  newparam(:id, namevar: true) do
+    # Zabbix 5, 6 only support updating the default authentication settings (id: 1)
+    desc 'authentication settings id'
+    newvalues(1)
+  end
+
+  newproperty(:authentication_type) do
+    desc 'authentication type'
+    newvalues('internal', 'LDAP')
+    defaultto 'internal'
+    munge do |value|
+      value == 'internal' ? 0 : 1
+    end
+  end
+
+  newproperty(:ldap_configured, boolean: true) do
+    desc 'Enable LDAP authentication'
+    newvalues(true, false)
+    defaultto true
+    munge do |value|
+      value ? 1 : 0
+    end
+  end
+
+  newproperty(:ldap_host) do
+    desc 'LDAP host'
+    validate do |value|
+      raise ArgumentError, "ldap_host must be a valid ldap uri, \"#{value}\" is not" unless value =~ URI::DEFAULT_PARSER.make_regexp
+    end
+  end
+
+  newproperty(:ldap_port) do
+    desc 'LDAP port'
+    validate do |value|
+      raise ArgumentError, "ldap_port must be an Integer, not #{value}" unless value.is_a?(Integer)
+    end
+  end
+
+  newproperty(:ldap_base_dn) do
+    desc 'LDAP base DN'
+    validate do |value|
+      raise ArgumentError, "ldap_base_dn must be a valid DN, not #{value}" unless %r{^((dc|ou|cn)=.+,*)+$}i.match?(value)
+    end
+  end
+
+  newproperty(:ldap_search_attribute) do
+    desc 'LDAP search attribute'
+    newvalues('uid', 'sAMAccountName')
+  end
+
+  newproperty(:ldap_bind_dn) do
+    desc 'LDAP bind DN'
+    validate do |value|
+      raise ArgumentError, "ldap_bind_dn must be a valid DN, not #{value}" unless %r{^((dc|ou|cn)=.+,*)+$}i.match?(value)
+    end
+  end
+
+  newproperty(:ldap_case_sensitive, boolean: true) do
+    desc 'LDAP case sensitive login'
+    newvalues(true, false)
+    defaultto true
+    munge do |value|
+      value ? 1 : 0
+    end
+  end
+
+  newproperty(:ldap_bind_password) do
+    desc 'LDAP bind password'
+    validate do |value|
+      raise ArgumentError, "ldap_bind_password must be an String, not #{value}" unless value.is_a?(String)
+    end
+  end
+
+  def set_sensitive_parameters(sensitive_parameters) # rubocop:disable Naming/AccessorMethodName
+    parameter(:ldap_bind_password).sensitive = true if parameter(:ldap_bind_password)
+    super(sensitive_parameters)
+  end
+
+  autorequire(:file) { '/etc/zabbix/api.conf' }
+end