Merge pull request #856 from teluq-pbrideau/feat/restrict_api

root-expert · web-flow · commit 99bf82cc7667 · 2023-02-13T20:41:38.000+02:00
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -74,6 +74,7 @@
 # @param ldap_reqcert Specifies what checks to perform on a server certificate
 # @param zabbix_api_user Name of the user which the api should connect to. Default: Admin
 # @param zabbix_api_pass Password of the user which connects to the api. Default: zabbix
+# @param zabbix_api_access Which host has access to the api. Default: no restriction
 # @param listenport Listen port for the zabbix-server. Default: 10051
 # @param sourceip Source ip address for outgoing connections.
 # @param logfile Name of log file.
@@ -250,6 +251,7 @@
   Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert     = $zabbix::params::ldap_reqcert,
   $zabbix_api_user                                                            = $zabbix::params::server_api_user,
   $zabbix_api_pass                                                            = $zabbix::params::server_api_pass,
+  Optional[Array[Stdlib::Host,1]] $zabbix_api_access                          = $zabbix::params::server_api_access,
   $listenport                                                                 = $zabbix::params::server_listenport,
   $sourceip                                                                   = $zabbix::params::server_sourceip,
   Enum['console', 'file', 'system'] $logtype                                  = $zabbix::params::server_logtype,
@@ -364,6 +366,7 @@
     apache_listenport_ssl                    => $apache_listenport_ssl,
     zabbix_api_user                          => $zabbix_api_user,
     zabbix_api_pass                          => $zabbix_api_pass,
+    zabbix_api_access                        => $zabbix_api_access,
     database_host                            => $database_host,
     database_name                            => $database_name,
     database_schema                          => $database_schema,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -184,6 +184,7 @@
   $ldap_reqcert                             = undef
   $server_api_pass                          = 'zabbix'
   $server_api_user                          = 'Admin'
+  $server_api_access                        = undef
   $server_database_double_ieee754           = false
   $saml_sp_key                              = undef
   $saml_sp_cert                             = undef
diff --git a/manifests/web.pp b/manifests/web.pp
@@ -42,6 +42,7 @@
 # @param apache_listenport_ssl The port for the apache SSL vhost.
 # @param zabbix_api_user Name of the user which the api should connect to. Default: Admin
 # @param zabbix_api_pass Password of the user which connects to the api. Default: zabbix
+# @param zabbix_api_access Which host has access to the api. Default: no restriction
 # @param database_host Database host name.
 # @param database_name Database name.
 # @param database_schema Schema name. used for ibm db2.
@@ -114,6 +115,7 @@
   Variant[Array[Stdlib::Port], Stdlib::Port] $apache_listenport_ssl   = $zabbix::params::apache_listenport_ssl,
   $zabbix_api_user                                                    = $zabbix::params::server_api_user,
   $zabbix_api_pass                                                    = $zabbix::params::server_api_pass,
+  Optional[Array[Stdlib::Host,1]] $zabbix_api_access                  = $zabbix::params::server_api_access,
   $database_host                                                      = $zabbix::params::server_database_host,
   $database_name                                                      = $zabbix::params::server_database_name,
   $database_schema                                                    = $zabbix::params::server_database_schema,
@@ -391,9 +393,10 @@
       $apache_listen_port = $apache_listenport
     }
 
-    # Apache >= 2.4
-    $directory_allow = { 'require' => 'all granted', }
-    $directory_deny = { 'require' => 'all denied', }
+    $location_api_access = $zabbix_api_access ? {
+      undef   => 'all granted',
+      default => $zabbix_api_access.map |$host| { "host ${host}" },
+    }
 
     apache::vhost { $zabbix_url:
       docroot         => '/usr/share/zabbix',
@@ -402,29 +405,37 @@
       default_vhost   => $default_vhost,
       add_listen      => true,
       directories     => [
-        merge(
-          merge({
-              path     => '/usr/share/zabbix',
-              provider => 'directory',
-          }, $directory_allow),
-          $fcgi_filematch
-        ),
-        merge({
-            path     => '/usr/share/zabbix/conf',
-            provider => 'directory',
-        }, $directory_deny),
-        merge({
-            path     => '/usr/share/zabbix/api',
-            provider => 'directory',
-        }, $directory_deny),
-        merge({
-            path     => '/usr/share/zabbix/include',
-            provider => 'directory',
-        }, $directory_deny),
         merge({
-            path     => '/usr/share/zabbix/include/classes',
+            path     => '/usr/share/zabbix',
             provider => 'directory',
-        }, $directory_deny),
+            require  => 'all granted',
+          }, $fcgi_filematch
+        ),
+        {
+          path     => '/usr/share/zabbix/conf',
+          provider => 'directory',
+          require  => 'all denied',
+        },
+        {
+          path     => '/usr/share/zabbix/api',
+          provider => 'directory',
+          require  => 'all denied',
+        },
+        {
+          path     => '/usr/share/zabbix/include',
+          provider => 'directory',
+          require  => 'all denied',
+        },
+        {
+          path     => '/usr/share/zabbix/include/classes',
+          provider => 'directory',
+          require  => 'all denied',
+        },
+        {
+          path     => '/api_jsonrpc.php',
+          provider => 'location',
+          require  => $location_api_access,
+        },
       ],
       custom_fragment => $apache_vhost_custom_fragment,
       rewrites        => [
diff --git a/spec/classes/web_spec.rb b/spec/classes/web_spec.rb
@@ -235,6 +235,20 @@
           it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['IDP_CERT'\] = '/etc/zabbix/web/idp.cert'}) }
           it { is_expected.to contain_file('/etc/zabbix/web/zabbix.conf.php').with_content(%r{^\$SSO\['SETTINGS'\] = \[ \n  "strict" => true,\n  "baseurl" => "http://example.com/sp/",\n  "security" => \[\n    "signatureAlgorithm" => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",\n    "digestAlgorithm" => "http://www.w3.org/2001/04/xmldsig-more#sha384",\n    "singleLogoutService" => \[\n      "responseUrl" => ""\n    \]\n  \]\n\];}) }
         end
+
+        describe 'with restriction to api access' do
+          let :params do
+            super().merge(
+              zabbix_api_access: ['127.0.0.1']
+            )
+          end
+
+          it {
+            is_expected.to contain_concat__fragment('zabbix.example.com-directories').with(
+              content: %r{^\s+Require host 127\.0\.0\.1$}
+            )
+          }
+        end
       end
     end
   end
