Update to 2022-03-21 17:00

2022-03-21 17:00:07 +01:00 · 2022-03-21 17:00:07 +01:00 · 0800a3d4fd
parent 6d26fe917b
commit 0800a3d4fd
5 changed files with 80 additions and 0 deletions
--- a/roles/zabbix_server/defaults/main.yml
+++ b/roles/zabbix_server/defaults/main.yml
@ -63,3 +63,26 @@ zabbix_server_backup_hooks: True
 # so its web monitoring can be direct
 # This will only have an effect if system_proxy is defined
 zabbix_server_uses_system_proxy: True
+
+# If using SAML auth, you have to configure the certificate of the IDP
+# zabbix_server_saml_idp_cert: |
+#   -----BEGIN CERTIFICATE-----
+#   MIICsDCCAZigAwIBAgIEY42IsjANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9z
+#   c28uZWh0cmFjZS5jb20wHhcNMjEwNDI5MTAyNDE1WhcNNDEwNDI0MTAyNDE1WjAa
+#   MRgwFgYDVQQDDA9zc28uZWh0cmFjZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+#   DwAwggEKAoIBAQCnkJTXog/iNhNGBWuwKFGurhwHJGQfAsOc0LfDcJC4MHCkaRdW
+#   f5nM2txxuDn2iCN6bhsPL9Q0XR9MOGfwc9cb0WNCpg91rFLG7FLxbevp81m2thRe
+#   gTwdBpJoUJkm/MoMa7+oU8/PYuG/XFTrlq9/TznE/7BcvNqUJQYT4k9LAnkusIBA
+#   yRj9mF3ZHNZKe9YcqD9e2kwOfA8uGFBAMw4UR2m158vyNmng2AMzHdgnKrIKwYjJ
+#   e1f8B+GQRc+C/o06jF+wRYpVTYitcJzaadNjDgUWsUwjaYeKB2Z2E0FUE5ybTkoh
+#   rfL0HQzCFC5beQkfq0vjHrMCInOvGGkaEDQBAgMBAAEwDQYJKoZIhvcNAQELBQAD
+#   ggEBACIWuRwpF6FYmlw224n9Pc14iOTazgWr41hJEw36cpQFEiN/ZYU2C8a2W7SV
+#   OBK2bzCMkELUlewuuzrodjflBdh55ZIDx3RKB8Db70hvw/fAe/US33oeSnngBQxm
+#   FazCQq5ijajSH76xuoUw9AkH2KPP+tm/Y8ReV2xj6JxMpPArJsQ9ITuaiC9Bt4bI
+#   LwXXqa+rnDtReBZBDjt8eyV0L5u5XvkfKlQoG/+UOdsfXavyJR6by2m6vv7/zGS+
+#   fGpPuqtTWh0G4A3JEMJ5i0bajftWyYn7XGXOi2DIX5LGP1dhEml55m/NxLkPxTw8
+#   vGPDSdbhHJZxQkilQsrPXNQqK38=
+#   -----END CERTIFICATE-----
+
+# When using SAML, you should also set the public URL so SAML metadata are correctly generated
+# zabbix_server_public_url: https://monitoring.example.org
--- a/roles/zabbix_server/tasks/conf.yml
+++ b/roles/zabbix_server/tasks/conf.yml
@ -1,5 +1,30 @@
 ---

+- name: Create a selfsigned cert for SAML auth
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/zabbix/ssl/sp.crt
+    - cert_key_path: /etc/zabbix/ssl/sp.key
+    - cert_key_group: apache
+    - cert_key_mode: '640'
+  tags: zabbix
+
+- name: Read SAML certificate
+  shell: cat /etc/zabbix/ssl/sp.crt | perl -e 'my $out; while (<STDIN>){ next if /^\-\-\-\-\-(END|BEGIN) CERTIFICATE/; chomp; $out .= $_; }; print $out'
+  changed_when: False
+  register: zabbix_server_saml_sp_cert
+  tags: zabbix
+
+- name: Deploy SAML IDP certificate
+  copy: content={{ zabbix_server_saml_idp_cert }} dest=/etc/zabbix/ssl/idp.crt mode=644
+  when: zabbix_server_saml_idp_cert is defined
+  tags: zabbix
+
+- name: Deploy SAML metadata
+  template: src=saml_metadata.xml.j2 dest=/usr/share/zabbix/saml-metadata.xml
+  when: zabbix_server_public_url is defined
+  tags: zabbix
+
 - name: Deploy patrix configuration file
  template: src=patrixrc.j2 dest=/var/lib/zabbix/.patrixrc owner=zabbix group=zabbix mode=600
  when: (zabbix_server_matrix_user is defined and zabbix_server_matrix_pass is defined) or zabbix_server_matrix_access_token is defined
--- a/roles/zabbix_server/tasks/directories.yml
+++ b/roles/zabbix_server/tasks/directories.yml
@ -10,6 +10,10 @@
      owner: apache
      group: apache
      mode: 700
+    - dir: /etc/zabbix/ssl
+      owner: root
+      group: apache
+      mode: 750
  tags: zabbix

  #- name: Ensure proper permission on the web config dir
--- a/roles/zabbix_server/templates/saml_metadata.xml.j2
+++ b/roles/zabbix_server/templates/saml_metadata.xml.j2
@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<EntityDescriptor entityID="{{ zabbix_server_public_url }}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{ zabbix_server_public_url | regex_replace('/$', '') }}/index_sso.php?acs" index="0" />
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{ zabbix_server_public_url | regex_replace('/$', '') }}/index_sso.php?sls" />
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>{{ zabbix_server_saml_sp_cert.stdout }}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+  </SPSSODescriptor>
+  <Organization>
+    <OrganizationName xml:lang="en">{{ ansible_domain }}</OrganizationName>
+    <OrganizationDisplayName xml:lang="en">Zabbix {{ ansible_domain }}</OrganizationDisplayName>
+    <OrganizationURL xml:lang="en">{{ zabbix_server_public_url }}</OrganizationURL>
+  </Organization>
+  <ContactPerson contactType="administrative">
+    <GivenName>System Administrator</GivenName>
+    <EmailAddress>{{ system_admin_email | default('admin@' ~ ansible_domain) }}</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>
--- a/roles/zabbix_server/templates/zabbix.conf.php.j2
+++ b/roles/zabbix_server/templates/zabbix.conf.php.j2
@ -12,4 +12,8 @@ $IMAGE_FORMAT_DEFAULT   = IMAGE_FORMAT_PNG;
 {% if zabbix_server_version.stdout is version('5.0', '>=') %}
 $DB['DOUBLE_IEEE754'] = 'true';
 {% endif %}
+$SSO['SP_KEY']          = '/etc/zabbix/ssl/sp.key';
+$SSO['SP_CERT']         = '/etc/zabbix/ssl/sp.crt';
+$SSO['IDP_CERT']        = '/etc/zabbix/ssl/idp.crt';
+
 ?>