From 0800a3d4fd1c0874090d72fe5022e14d8de086a9 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud <dbd@ehtrace.com>
Date: Mon, 21 Mar 2022 17:00:07 +0100
Subject: [PATCH] Update to 2022-03-21 17:00
---
 roles/zabbix_server/defaults/main.yml | 23 +++++++++++++++++
 roles/zabbix_server/tasks/conf.yml | 25 +++++++++++++++++++
 roles/zabbix_server/tasks/directories.yml | 4 +++
 .../templates/saml_metadata.xml.j2 | 24 ++++++++++++++++++
 .../templates/zabbix.conf.php.j2 | 4 +++
 5 files changed, 80 insertions(+)
 create mode 100644 roles/zabbix_server/templates/saml_metadata.xml.j2
diff --git a/roles/zabbix_server/defaults/main.yml b/roles/zabbix_server/defaults/main.yml
index a7c9e81..a069e98 100644
--- a/roles/zabbix_server/defaults/main.yml
+++ b/roles/zabbix_server/defaults/main.yml
@@ -63,3 +63,26 @@ zabbix_server_backup_hooks: True
 # so its web monitoring can be direct
 # This will only have an effect if system_proxy is defined
 zabbix_server_uses_system_proxy: True
+
+# If using SAML auth, you have to configure the certificate of the IDP
+# zabbix_server_saml_idp_cert: |
+# -----BEGIN CERTIFICATE-----
+# MIICsDCCAZigAwIBAgIEY42IsjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9z
+# c28uZWh0cmFjZS5jb20wHhcNMjEwNDI5MTAyNDE1WhcNNDEwNDI0MTAyNDE1WjAa
+# MRgwFgYDVQQDDA9zc28uZWh0cmFjZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+# DwAwggEKAoIBAQCnkJTXog/iNhNGBWuwKFGurhwHJGQfAsOc0LfDcJC4MHCkaRdW
+# f5nM2txxuDn2iCN6bhsPL9Q0XR9MOGfwc9cb0WNCpg91rFLG7FLxbevp81m2thRe
+# gTwdBpJoUJkm/MoMa7+oU8/PYuG/XFTrlq9/TznE/7BcvNqUJQYT4k9LAnkusIBA
+# yRj9mF3ZHNZKe9YcqD9e2kwOfA8uGFBAMw4UR2m158vyNmng2AMzHdgnKrIKwYjJ
+# e1f8B+GQRc+C/o06jF+wRYpVTYitcJzaadNjDgUWsUwjaYeKB2Z2E0FUE5ybTkoh
+# rfL0HQzCFC5beQkfq0vjHrMCInOvGGkaEDQBAgMBAAEwDQYJKoZIhvcNAQELBQAD
+# ggEBACIWuRwpF6FYmlw224n9Pc14iOTazgWr41hJEw36cpQFEiN/ZYU2C8a2W7SV
+# OBK2bzCMkELUlewuuzrodjflBdh55ZIDx3RKB8Db70hvw/fAe/US33oeSnngBQxm
+# FazCQq5ijajSH76xuoUw9AkH2KPP+tm/Y8ReV2xj6JxMpPArJsQ9ITuaiC9Bt4bI
+# LwXXqa+rnDtReBZBDjt8eyV0L5u5XvkfKlQoG/+UOdsfXavyJR6by2m6vv7/zGS+
+# fGpPuqtTWh0G4A3JEMJ5i0bajftWyYn7XGXOi2DIX5LGP1dhEml55m/NxLkPxTw8
+# vGPDSdbhHJZxQkilQsrPXNQqK38=
+# -----END CERTIFICATE-----
+
+# When using SAML, you should also set the public URL so SAML metadata are correctly generated
+# zabbix_server_public_url: https://monitoring.example.org
diff --git a/roles/zabbix_server/tasks/conf.yml b/roles/zabbix_server/tasks/conf.yml
index f01267b..d1d7fa4 100644
--- a/roles/zabbix_server/tasks/conf.yml
+++ b/roles/zabbix_server/tasks/conf.yml
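Review bot: The commented example for `zabbix_server_saml_idp_cert` is a complete, real-looking certificate (the base64 appears to encode a subject of sso.ehtrace.com) rather than a placeholder, so an operator who uncomments the block as-is ends up trusting a third party's IdP signing key for every SAML login. Replace the PEM body with an obvious placeholder such as `# <PEM-encoded SAML signing certificate of your IdP>` between the BEGIN/END markers. The preceding comment should also say that this must be the IdP's signing certificate in PEM form, since it is presumably what the frontend verifies assertion signatures against.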
@@ -1,5 +1,30 @@
 ---
 
+- name: Create a selfsigned cert for SAML auth
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/zabbix/ssl/sp.crt
+    - cert_key_path: /etc/zabbix/ssl/sp.key
+    - cert_key_group: apache
+    - cert_key_mode: '640'
+  tags: zabbix
+
+- name: Read SAML certificate
+  shell: cat /etc/zabbix/ssl/sp.crt | perl -e 'my $out; while (<STDIN>){ next if /^\-\-\-\-\-(END|BEGIN) CERTIFICATE/; chomp; $out .= $_; }; print $out'
+  changed_when: False
+  register: zabbix_server_saml_sp_cert
+  tags: zabbix
+
+- name: Deploy SAML IDP certificate
+  copy: content={{ zabbix_server_saml_idp_cert }} dest=/etc/zabbix/ssl/idp.crt mode=644
+  when: zabbix_server_saml_idp_cert is defined
+  tags: zabbix
+
+- name: Deploy SAML metadata
+  template: src=saml_metadata.xml.j2 dest=/usr/share/zabbix/saml-metadata.xml
+  when: zabbix_server_public_url is defined
+  tags: zabbix
+
 - name: Deploy patrix configuration file
   template: src=patrixrc.j2 dest=/var/lib/zabbix/.patrixrc owner=zabbix group=zabbix mode=600
   when: (zabbix_server_matrix_user is defined and zabbix_server_matrix_pass is defined) or zabbix_server_matrix_access_token is defined
diff --git a/roles/zabbix_server/tasks/directories.yml b/roles/zabbix_server/tasks/directories.yml
index 4582d26..b672708 100644
--- a/roles/zabbix_server/tasks/directories.yml
+++ b/roles/zabbix_server/tasks/directories.yml
@@ -10,6 +10,10 @@
     owner: apache
     group: apache
     mode: 700
+  - dir: /etc/zabbix/ssl
+    owner: root
+    group: apache
+    mode: 750
   tags: zabbix
 
 #- name: Ensure proper permission on the web config dir
diff --git a/roles/zabbix_server/templates/saml_metadata.xml.j2 b/roles/zabbix_server/templates/saml_metadata.xml.j2
new file mode 100644
index 0000000..5d90f3e
--- /dev/null
+++ b/roles/zabbix_server/templates/saml_metadata.xml.j2
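Review bot: The `Deploy SAML IDP certificate` task only ever writes `/etc/zabbix/ssl/idp.crt`; once `zabbix_server_saml_idp_cert` is later undefined (IdP decommissioned, or its signing key rotated and the variable dropped) a previously deployed file stays in place and is still the trust anchor the frontend config points at, so the removal never takes effect. Add a companion task that deletes the file when the variable is absent, as below. Separately, the `Read SAML certificate` step shells out to `cat | perl` only to strip the PEM armour; `slurp` with `b64decode | regex_replace` in the template would do the same without a shell, though that is a style point.
```yaml
# … unchanged: create_selfsigned_cert, Read SAML certificate, Deploy SAML IDP certificate …
- name: Remove stale SAML IDP certificate
  file: path=/etc/zabbix/ssl/idp.crt state=absent
  when: zabbix_server_saml_idp_cert is not defined
  tags: zabbix
# … unchanged: Deploy SAML metadata …
```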
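Review bot: `mode: 750` on the new `/etc/zabbix/ssl` entry is an unquoted YAML integer; Ansible's file module treats a bare integer mode as decimal, and 750 decimal is 0o1356 (sticky bit, owner -wx, group r-x, other rw-), which would leave the directory holding the SP private key readable by everyone and unreadable by root. Whether the value actually reaches the module as an integer depends on how the surrounding loop passes `item.mode`, which is outside this hunk, but quoting removes the ambiguity: `mode: '0750'`. The pre-existing `mode: 700` line above has the same shape and deserves the same treatment.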
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<EntityDescriptor entityID="{{ zabbix_server_public_url }}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ zabbix_server_public_url | regex_replace('/$', '') }}/index_sso.php?acs" index="0" />
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ zabbix_server_public_url | regex_replace('/$', '') }}/index_sso.php?sls" />
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>{{ zabbix_server_saml_sp_cert.stdout }}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+  </SPSSODescriptor>
+  <Organization>
+    <OrganizationName xml:lang="en">{{ ansible_domain }}</OrganizationName>
+    <OrganizationDisplayName xml:lang="en">Zabbix {{ ansible_domain }}</OrganizationDisplayName>
+    <OrganizationURL xml:lang="en">{{ zabbix_server_public_url }}</OrganizationURL>
+  </Organization>
+  <ContactPerson contactType="administrative">
+    <GivenName>System Administrator</GivenName>
+    <EmailAddress>{{ system_admin_email | default('admin@' ~ ansible_domain) }}</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>
diff --git a/roles/zabbix_server/templates/zabbix.conf.php.j2 b/roles/zabbix_server/templates/zabbix.conf.php.j2
index 174ec1a..0e94dce 100644
--- a/roles/zabbix_server/templates/zabbix.conf.php.j2
+++ b/roles/zabbix_server/templates/zabbix.conf.php.j2
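Review bot: `<ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">` declares the default namespace, not the `ds` prefix, so `ds:KeyInfo`, `ds:X509Data` and `ds:X509Certificate` carry an unbound prefix and a namespace-aware parser on the IdP side will reject the metadata as not well-formed; the attribute should read `<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">`. The `SPSSODescriptor` also says nothing about signing — no `AuthnRequestsSigned` or `WantAssertionsSigned` attribute — so if the Zabbix frontend is configured to require signed assertions the IdP is never told; adding `WantAssertionsSigned="true"` would keep the two sides consistent. Note as well that `entityID` is rendered unnormalised while the ACS and SLS locations strip a trailing slash; the value has to match whatever SP entity ID is configured in the frontend, which is not visible here.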
@@ -12,4 +12,8 @@ $IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;
 {% if zabbix_server_version.stdout is version('5.0', '>=') %}
 $DB['DOUBLE_IEEE754'] = 'true';
 {% endif %}
+$SSO['SP_KEY'] = '/etc/zabbix/ssl/sp.key';
+$SSO['SP_CERT'] = '/etc/zabbix/ssl/sp.crt';
+$SSO['IDP_CERT'] = '/etc/zabbix/ssl/idp.crt';
+
 ?>
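Review bot: `$SSO['IDP_CERT']` is emitted unconditionally, but `/etc/zabbix/ssl/idp.crt` is only deployed when `zabbix_server_saml_idp_cert` is defined, so hosts without that variable get a frontend config pointing at a file that does not exist. Guard it the same way the task does: `{% if zabbix_server_saml_idp_cert is defined %}` / `$SSO['IDP_CERT'] = '/etc/zabbix/ssl/idp.crt';` / `{% endif %}`. A short comment above the three `$SSO` lines noting that `sp.key` is deployed group `apache`, mode 640 and must stay that way (the web server needs to read it, nobody else should) would also help the next maintainer.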