Add option to restrict API access to specific hosts #856
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
root-expert
reviewed
Dec 14, 2022
alexjfisher
requested changes
Dec 14, 2022
teluq-pbrideau
force-pushed
the
feat/restrict_api
branch
from
acd6816
to
a484974
Compare
bastelfreak
reviewed
Dec 14, 2022
teluq-pbrideau
force-pushed
the
feat/restrict_api
branch
2 times, most recently
from
b2bdbdd
to
ec4ddc5
Compare
|
I’ve banged my head to try to write a test but I cannot find the right syntax… Would someone have a pointer about it? describe 'with restriction to api access' do
let :params do
super().merge(
zabbix_api_access: [ '127.0.0.1' ],
)
end
it { is_expected.to contain_apache__vhost('zabbix.example.com').with_directories(
including(
{"path"=>"/api_jsonrpc.php", "provider"=>"location", "require"=>["host 127.0.0.1"]}
)
)}
endI’ve tried The closer I got it to run is by defining the entire array: it { is_expected.to contain_apache__vhost('zabbix.example.com').with_directories([
{"path"=>"/usr/share/zabbix", "provider"=>"directory", "require"=>"all granted"},
{"path"=>"/usr/share/zabbix/conf", "provider"=>"directory", "require"=>"all denied"},
{"path"=>"/usr/share/zabbix/api", "provider"=>"directory", "require"=>"all denied"},
{"path"=>"/usr/share/zabbix/include", "provider"=>"directory", "require"=>"all denied"},
{"path"=>"/usr/share/zabbix/include/classes", "provider"=>"directory", "require"=>"all denied"},
{"path"=>"/api_jsonrpc.php", "provider"=>"location", "require"=>["host 127.0.0.1"]}
])}But this does not work in every tests because there is conditions : if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') >= 0 and versioncmp($zabbix_version, '5') >= 0 {
if versioncmp($facts['os']['release']['major'], '7') == 0 {
$fpm_service = 'rh-php72-php-fpm'
# PHP parameters are moved to /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf per package zabbix-web-deps-scl
$fpm_scl_prefix = '/opt/rh/rh-php72'
} else {
$fpm_service = 'php-fpm'
$fpm_scl_prefix = ''
}
$fcgi_filematch = {
path => '/usr/share/zabbix',
provider => 'directory',
addhandlers => [
{
extensions => [
'php',
'phar',
],
handler => "proxy:unix:/var${fpm_scl_prefix}/run/php-fpm/zabbix.sock|fcgi://localhost",
},
],
} apache::vhost { $zabbix_url:
directories => [
merge( {
path => '/usr/share/zabbix',
provider => 'directory',
require => 'all granted',
}, $fcgi_filematch
),
[...]It feels wrong to me to duplicate all this logic inside the test, is it the way to go? |
|
Or should I make a less precise test like what is done in it {
is_expected.to contain_concat__fragment('zabbix.example.com-directories').with(
content: %r{^\s+Require host 127.0.0.1$},
)
} |
Although the first option is better that's also okay for me. Probably you need something like this though: it {
is_expected.to contain_concat__fragment('zabbix.example.com-directories').with(
content: %r{^\s*Require host 127\.0\.0.\1$},
)
}Dot matches everything except new lines, so you need to escape it 😄 |
teluq-pbrideau
force-pushed
the
feat/restrict_api
branch
2 times, most recently
from
9a14521
to
c6fa640
Compare
This comment was marked as outdated.
This comment was marked as outdated.
root-expert
approved these changes
Dec 21, 2022
|
@teluq-pbrideau Can you please rebase with our master branch one last time before merging this? |
Co-authored-by: Alexander Fisher <alex@linfratech.co.uk>
teluq-pbrideau
force-pushed
the
feat/restrict_api
branch
from
4321018
to
3961a00
Compare
root-expert
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request (PR) description
By default, the api is open to everyone. I would like to restrict it to only the zabbix server.
I’m not sure if it should be included in this module like I suggest, or if I should manage my own apache config by disabling this module apache management
manage_vhost => falseinweb.pp, but I think the changes are simple enough to include in this moduleMy suggestion in this PR allow to add restriction to the api like so:
class { 'zabbix::web' : [...] zabbix_api_access => [$facts['networking']['fqdn']], }This creates this
locationentry in apache config (or equivalent in apache 2.2):This Pull Request (PR) fixes the following issues