From 45a5fb765149e868155113edb7989154174d375e Mon Sep 17 00:00:00 2001 From: Gardouille Date: Fri, 9 Jan 2015 18:14:43 +0100 Subject: [PATCH] * (#4) Add an access control list for PveProxy (like Apache2). --- CHANGELOG.md | 1 + README.md | 7 ++++++- manifests/hypervisor.pp | 5 +++++ manifests/hypervisor/config.pp | 13 +++++++++++++ manifests/params.pp | 7 +++++++ templates/hypervisor/pveproxy_default.erb | 8 ++++++++ 6 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 templates/hypervisor/pveproxy_default.erb diff --git a/CHANGELOG.md b/CHANGELOG.md index d7aa88d..37dfc0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ ##### Changes * Add a variable to choose to keep PVE enterprise repo for the subscribers. +* (#4) Add an access control list for PveProxy. --------------------------------------- diff --git a/README.md b/README.md index 1503e59..cd65f53 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ class { 'proxmox::hypervisor': } ``` -**Note**: The module will automatically reboot the system on the PVE Kernel. You will need to start again the puppet agent. +**Note**: The module will automatically reboot the system on the PVE Kernel. You will need to start again the puppet agent. ### VM 
@@ -63,6 +63,11 @@ class { 'proxmox::hypervisor': * `old_pkg_ensure`: What to set useless packages (non recommended, previous kernel, ...). Can be 'present' or 'absent'. Defaults to 'absent'. * `old_pkg_name`: The list of useless packages. Can be an array [ 'acpid', 'linux-image-amd64', 'linux-base', 'linux-image-3.2.0-4-amd64' ]. * `pve_enterprise_repo_ensure`: Choose to keep the PVE enterprise repository. Can be 'present' or 'absent'. Defaults to 'absent'. +* `pveproxy_default_path`: Path of the configuration file read by the PveProxy service. Defaults to '/etc/default/pveproxy'. +* `pveproxy_default_content`: Template file use to generate the previous configuration file. Default to 'proxmox/hypervisor/pveproxy_default.erb'. +* `pveproxy_allow`: Can be ip addresses, range or network; separated by a comma (example: '192.168.0.0/24,10.10.0.1-10.10.0.5'). Defaults to '127.0.0.1'. +* `pveproxy_deny`: Unauthorized IP addresses. Can be 'all' or ip addresses, range or network; separated by a comma. Defaults to 'all'. +* `pveproxy_policy`: The policy access. Can be 'allow' or 'deny'. Defaults to 'deny'. Limitations ----------- diff --git a/manifests/hypervisor.pp b/manifests/hypervisor.pp index 35f681d..be504d6 100644 --- a/manifests/hypervisor.pp +++ b/manifests/hypervisor.pp @@ -45,6 +45,11 @@ class proxmox::hypervisor ( $old_pkg_ensure = $proxmox::params::old_pkg_ensure, $old_pkg_name = $proxmox::params::old_pkg_name, $pve_enterprise_repo_ensure = $proxmox::params::pve_enterprise_repo_ensure, + $pveproxy_default_path = $proxmox::params::pveproxy_default_path, + $pveproxy_default_content = $proxmox::params::pveproxy_default_content, + $pveproxy_allow = $proxmox::params::pveproxy_allow, + $pveproxy_deny = $proxmox::params::pveproxy_deny, + $pveproxy_policy = $proxmox::params::pveproxy_policy, ) inherits proxmox::params { include '::proxmox::hypervisor::preconfig' diff --git a/manifests/hypervisor/config.pp b/manifests/hypervisor/config.pp index 2efdc2c..8c76de2 100644 
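Review bot: The five new parameters added to `proxmox::hypervisor` are accepted without any validation, so a typo such as `pveproxy_policy => 'denied'` or a stray double quote inside `pveproxy_allow` is interpolated verbatim into the generated /etc/default/pveproxy and only shows up when the pveproxy service reads that file. A check at the top of the class body would fail the catalog at compile time instead, e.g. `validate_re($pveproxy_policy, '^(allow|deny)$', 'pveproxy_policy must be allow or deny')` from puppetlabs-stdlib, assuming the module already depends on stdlib; otherwise a plain `if $pveproxy_policy !~ /^(allow|deny)$/ { fail(...) }` does the same job. The class body continues outside the hunk.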
--- a/manifests/hypervisor/config.pp +++ b/manifests/hypervisor/config.pp @@ -4,6 +4,12 @@ # class proxmox::hypervisor::config { + File { + owner => root, + group => root, + mode => 644, + } + Exec { path => [ '/bin', '/sbin', '/usr/bin', '/usr/sbin' ], logoutput => 'on_failure', @@ -12,6 +18,13 @@ class proxmox::hypervisor::config { if $::is_proxmox == 'true' { + # Pveproxy access control list + file { "${proxmox::hypervisor::pveproxy_default_path}": + ensure => present, + content => template("${proxmox::hypervisor::pveproxy_default_content}"), + } + -> + # Remove the Subscription message exec { 'remove_subscription_message': command => 'rm -f /usr/share/pve-manager/ext4/pvemanagerlib.js.bak; sed -i".bak" -r -e "s/if \(data.status !== \'Active\'\) \{/if (false) {/" /usr/share/pve-manager/ext4/pvemanagerlib.js', diff --git a/manifests/params.pp b/manifests/params.pp index 49195ae..f2ef54c 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -22,6 +22,13 @@ class proxmox::params { # $pve_enterprise_repo_ensure = 'absent' + + # Pveproxy access restriction + $pveproxy_default_path = '/etc/default/pveproxy' + $pveproxy_default_content = 'proxmox/hypervisor/pveproxy_default.erb' + $pveproxy_allow = '127.0.0.1' + $pveproxy_deny = 'all' + $pveproxy_policy = 'deny' } } default: { diff --git a/templates/hypervisor/pveproxy_default.erb b/templates/hypervisor/pveproxy_default.erb new file mode 100644 index 0000000..b1c7fcd --- /dev/null +++ b/templates/hypervisor/pveproxy_default.erb @@ -0,0 +1,8 @@ +#file generated by puppet +#Don't edit, please see https://forge.puppetlabs.com/gardouille/proxmox + +# Access control list (Apache2 like) +ALLOW_FROM="<%= scope.lookupvar('proxmox::hypervisor::pveproxy_allow') %>" +DENY_FROM="<%= scope.lookupvar('proxmox::hypervisor::pveproxy_deny') %>" +POLICY="<%= scope.lookupvar('proxmox::hypervisor::pveproxy_policy') %>" +
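Review bot: The new `file { "${proxmox::hypervisor::pveproxy_default_path}": ... }` resource is only chained with `->` before the subscription-message exec; nothing notifies the pveproxy service, so an ACL change is written to disk but the running daemon keeps serving with the old ALLOW_FROM/DENY_FROM until it is restarted by hand. Unless a `service { 'pveproxy': }` is declared elsewhere in the module, declare one and add `notify => Service['pveproxy'],` to the file resource so the access list actually takes effect on the run that changes it. In the first hunk, the resource default `File { mode => 644, }` should be written as a quoted four-digit octal string, `mode => '0644',` — puppet-lint flags the bare number and Puppet 4 and later reject a non-string mode; note also that this default applies to every file resource in the class's scope, not just the pveproxy file. The exec resource continues outside the second hunk.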
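Review bot: With the shipped defaults (`$pveproxy_allow = '127.0.0.1'`, `$pveproxy_deny = 'all'`, `$pveproxy_policy = 'deny'`) every remote client is refused by pveproxy as soon as this class is applied, which is a change from the previous behaviour (no ACL) and, if the proxy ACL also applies to node-to-node API proxying as I believe it does, will break cluster GUI access between nodes too. Either state this next to the defaults, e.g. `# Default denies everything except localhost; set pveproxy_allow to the admin networks before applying`, or keep the pre-change behaviour by default (`$pveproxy_policy = 'allow'`) so that enabling the restriction is an explicit choice of the operator.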