From 7c868c4e493ecf61e76ca997ef94e1ab724b828f Mon Sep 17 00:00:00 2001
From: Robert Wolf
Date: Fri, 17 May 2024 12:53:20 +0200
Subject: [PATCH] tlsaccept for agent and proxy accepts string value or array (of string values)
---
 REFERENCE.md | 4 ++--
 manifests/agent.pp | 2 +-
 manifests/proxy.pp | 2 +-
 spec/classes/agent_spec.rb | 24 ++++++++++++++++++++++++
 spec/classes/proxy_spec.rb | 31 +++++++++++++++++++++++++++++++
 templates/zabbix_agentd.conf.erb | 2 +-
 templates/zabbix_proxy.conf.erb | 2 +-
 7 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index d54cdaebc..92e260d75 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1860,7 +1860,7 @@ Default value: `$zabbix::params::agent_timeout`
 ##### `tlsaccept`
-Data type: `Optional[Enum['unencrypted','psk','cert']]`
+Data type: `Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]]`
 What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
@@ -3279,7 +3279,7 @@ Default value: `$zabbix::params::proxy_timeout`
 ##### `tlsaccept`
-Data type: `Any`
+Data type: `Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]]`
 What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy.
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 858042755..9db33a8ea 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -203,7 +203,7 @@
 $userparameter = $zabbix::params::agent_userparameter,
 Optional[String[1]] $loadmodulepath = $zabbix::params::agent_loadmodulepath,
 $loadmodule = $zabbix::params::agent_loadmodule,
- Optional[Enum['unencrypted','psk','cert']] $tlsaccept = $zabbix::params::agent_tlsaccept,
+ Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]] $tlsaccept = $zabbix::params::agent_tlsaccept,
 $tlscafile = $zabbix::params::agent_tlscafile,
 $tlscertfile = $zabbix::params::agent_tlscertfile,
 Optional[String[1]] $tlscertissuer = undef,
diff --git a/manifests/proxy.pp b/manifests/proxy.pp
index 6fe3285f3..f01169989 100755
--- a/manifests/proxy.pp
+++ b/manifests/proxy.pp
@@ -269,7 +269,7 @@
 $historyindexcachesize = $zabbix::params::proxy_historyindexcachesize,
 $historytextcachesize = $zabbix::params::proxy_historytextcachesize,
 $timeout = $zabbix::params::proxy_timeout,
- $tlsaccept = $zabbix::params::proxy_tlsaccept,
+ Optional[Variant[Array[Enum['unencrypted','psk','cert']],Enum['unencrypted','psk','cert']]] $tlsaccept = $zabbix::params::proxy_tlsaccept,
 $tlscafile = $zabbix::params::proxy_tlscafile,
 $tlscertfile = $zabbix::params::proxy_tlscertfile,
 $tlsconnect = $zabbix::params::proxy_tlsconnect,
diff --git a/spec/classes/agent_spec.rb b/spec/classes/agent_spec.rb
index e2e825667..856c3c954 100644
--- a/spec/classes/agent_spec.rb
+++ b/spec/classes/agent_spec.rb
@@ -352,6 +352,30 @@
 end
 end
+ context 'tlsaccept with one value array' do
+ if facts[:kernel] == 'Linux'
+ let :params do
+ {
+ tlsaccept: %w[cert]
+ }
+ end
+
+ it { is_expected.to contain_file(config_path).with_content %r{^TLSAccept=cert$} }
+ end
+ end
+
+ context 'tlsaccept with two value array' do
+ if facts[:kernel] == 'Linux'
+ let :params do
+ {
+ tlsaccept: %w[unencrypted cert]
+ }
+ end
+
+ it { is_expected.to contain_file(config_path).with_content %r{^TLSAccept=unencrypted,cert$} }
+ end
+ end
+
 context 'without ListenIP' do
 let :params do
 {
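Review bot: The `Array[Enum['unencrypted','psk','cert']]` branch of the new `$tlsaccept` type in manifests/agent.pp also admits an empty array, and the template guard `<% if @tlsaccept %>` is true for `[]` in Ruby, so `tlsaccept => []` would render a bare `TLSAccept=` line. How the daemon treats an empty value is not visible here, but a TLS setting should not be left to that; a minimum length closes the gap: `Array[Enum['unencrypted','psk','cert'], 1]`. The same type expression is added in manifests/proxy.pp and both templates use the same guard, so the change applies there too. The parameter list starts and ends outside the hunk.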
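Review bot: On the `$tlsaccept` line of manifests/proxy.pp the parameter goes from untyped (REFERENCE.md listed it as `Any`) to a strict Enum-or-Array type, a tightening the subject line does not mention. An existing caller that passed a pre-joined string such as `'psk,cert'`, which the old template rendered verbatim, would presumably now fail catalog compilation. That is the safer end state for a setting that decides whether unencrypted connections are accepted, but it is worth a sentence in the commit message so the failure on upgrade is expected. Since the type expression is now identical in both manifests, a shared type alias would keep the two from drifting apart.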
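Review bot: Both contexts added to spec/classes/agent_spec.rb, and the three added to spec/classes/proxy_spec.rb, assert only accepted values, so nothing pins the rejecting side of the new type, which is what keeps arbitrary text out of the rendered `TLSAccept=` line. A negative example would cover it, for instance a context with the constructed value `tlsaccept: %w[cert bogus]` and `it { is_expected.to compile.and_raise_error(%r{tlsaccept}) }`; the exact error text is assumed and should be checked against a real run. The agent spec also gains no single-string case to match the proxy spec's 'tlsaccept with one string value', unless one already exists outside the hunk.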
diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb
index 6b38bf58e..711d8e354 100644
--- a/spec/classes/proxy_spec.rb
+++ b/spec/classes/proxy_spec.rb
@@ -415,6 +415,37 @@
 it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^LogFileSize=10$} }
 end
 end
+
+ context 'tlsaccept with one string value' do
+ let :params do
+ {
+ tlsaccept: 'cert'
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^TLSAccept=cert$} }
+ end
+
+ context 'tlsaccept with one value array' do
+ let :params do
+ {
+ tlsaccept: %w[cert]
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^TLSAccept=cert$} }
+ end
+
+ context 'tlsaccept with two value array' do
+ let :params do
+ {
+ tlsaccept: %w[unencrypted cert]
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^TLSAccept=unencrypted,cert$} }
+ end
+ end
 end
 end
diff --git a/templates/zabbix_agentd.conf.erb b/templates/zabbix_agentd.conf.erb
index 7684ef37a..e2e7361b4 100644
--- a/templates/zabbix_agentd.conf.erb
+++ b/templates/zabbix_agentd.conf.erb
@@ -310,7 +310,7 @@ LoadModulePath=<%= @loadmodulepath %>
 # Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
 # Default:
 # TLSAccept=unencrypted
-<% if @tlsaccept %>TLSAccept=<%= @tlsaccept %><% end %>
+<% if @tlsaccept %>TLSAccept=<%= [@tlsaccept].flatten.join(',') %><% end %>
 ### Option: TLSCAFile
 # Full pathname of a file containing the top-level CA(s) certificates for
diff --git a/templates/zabbix_proxy.conf.erb b/templates/zabbix_proxy.conf.erb
index b405c4ad0..f70e06a0c 100755
--- a/templates/zabbix_proxy.conf.erb
+++ b/templates/zabbix_proxy.conf.erb
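Review bot: Every value joined into the `TLSAccept=` line in templates/zabbix_agentd.conf.erb is an accepted connection type, so a `tlsaccept` array that still contains `unencrypted` leaves plaintext connections accepted next to `cert` or `psk`, and neither the template nor the `tlsaccept` text shown for REFERENCE.md says so. I would state it where the parameter is documented, e.g. `May be a single value or an array; every listed type is accepted, so include 'unencrypted' only while migrating.` As a style point, `Array(@tlsaccept).join(',')` reads more directly than `[@tlsaccept].flatten.join(',')` and renders the same for a string or a flat array. The identical line is changed in templates/zabbix_proxy.conf.erb.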
@@ -511,7 +511,7 @@ LoadModulePath=<%= @loadmodulepath %>
 # Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
 # Default:
 # TLSAccept=unencrypted
-<% if @tlsaccept %>TLSAccept=<%= @tlsaccept %><% end %>
+<% if @tlsaccept %>TLSAccept=<%= [@tlsaccept].flatten.join(',') %><% end %>
 ### Option: TLSCAFile
 # Full pathname of a file containing the top-level CA(s) certificates for