ACL support for http2nagios

Signed-off-by: Sven Velt <sven@velt.de>

diff --git a/nagixsc_http2nagios.py b/nagixsc_http2nagios.py
index b8e39b84aaa9a3216fc947a10843cb604b1f083c..e8646cc3b66cd7859d4942e694881220492eb066 100755 (executable)
--- a/nagixsc_http2nagios.py
+++ b/nagixsc_http2nagios.py
@@ -43,7 +43,8 @@ config = {
                        'ssl': False,
                        'sslcert': None,
                        'conf_dir': '',
-                       'pidfile': '/var/run/nagixsc_conf2http.pid'
+                       'pidfile': '/var/run/nagixsc_conf2http.pid',
+                       'acl': False,
                }
 
 if 'ip' in cfgread.options('server'):
@@ -61,7 +62,7 @@ if 'ssl' in cfgread.options('server'):
        try:
                config['ssl'] = cfgread.getboolean('server', 'ssl')
        except ValueError:
-               print 'Value for "ssl" ("%s") not boolean!' % config['ssl']
+               print 'Value for "ssl" ("%s") not boolean!' % cfgread.get('server', 'ssl')
                sys.exit(127)
 
 if config['ssl']:
@@ -103,6 +104,21 @@ else:
        print 'Mode "%s" is neither "checkresult" nor "passive"!'
        sys.exit(127)
 
+acls = { 'a_hl':{}, 'a_hr':{}, }
+if 'acl' in cfgread.options('server'):
+       try:
+               config['acl'] = cfgread.getboolean('server', 'acl')
+       except ValueError:
+               print 'Value for "acl" ("%s") not boolean!' % cfgread.get('server', 'acl')
+               sys.exit(127)
+if config['acl']:
+       if cfgread.has_section('acl_allowed_hosts_list'):
+               for user in cfgread.options('acl_allowed_hosts_list'):
+                       acls['a_hl'][user] = [ah.lstrip().rstrip() for ah in cfgread.get('acl_allowed_hosts_list',user).split(',')]
+       if cfgread.has_section('acl_allowed_hosts_re'):
+               for user in cfgread.options('acl_allowed_hosts_re'):
+                       acls['a_hr'][user] = re.compile(cfgread.get('acl_allowed_hosts_re',user))
+
 
 
 users = {}
@@ -158,6 +174,19 @@ class HTTP2NagiosHandler(MyHTTPRequestHandler):
                        doc = read_xml_from_string(xmltext)
                        checks = xml_to_dict(doc)
 
+                       if config['acl']:
+                               new_checks = []
+                               for check in checks:
+                                       if authdata[0] in acls['a_hl'] and check['host_name'] in acls['a_hl'][authdata[0]]:
+                                               new_checks.append(check)
+                                       elif authdata[0] in acls['a_hr'] and (acls['a_hr'][authdata[0]]).search(check['host_name']):
+                                               new_checks.append(check)
+
+                               count_acl_failed = len(checks) - len(new_checks)
+                               checks = new_checks
+                       else:
+                               count_acl_failed = None
+
                        if config['mode'] == 'checkresult':
                                (count_services, count_failed, list_failed) = dict2out_checkresult(checks, xml_get_timestamp(doc), config['checkresultdir'])
 
@@ -165,7 +194,10 @@ class HTTP2NagiosHandler(MyHTTPRequestHandler):
                                        self.send_response(200)
                                        self.send_header('Content-Type', 'text/plain')
                                        self.end_headers()
-                                       self.wfile.write('Wrote %s check results, %s failed' % (count_services, count_failed))
+                                       statusmsg = 'Wrote %s check results, %s failed' % (count_services, count_failed)
+                                       if count_acl_failed != None:
+                                               statusmsg += ' - %s check results failed ACL check' % count_acl_failed
+                                       self.wfile.write(statusmsg)
                                        return
                                else:
                                        self.http_error(501, 'Could not write all %s check results' % count_services)

diff --git a/sample-configs/http2nagios.cfg b/sample-configs/http2nagios.cfg
index f5b4c8d83ecfe0f48892301640e66005e81dea29..7c10a954455eb78584f8ceb30a361a03ccc5fb11 100644 (file)
--- a/sample-configs/http2nagios.cfg
+++ b/sample-configs/http2nagios.cfg
@@ -26,6 +26,11 @@
 ; write passive checks to command file ("passive")
 mode: checkresult
 
+; ### acl (false) ###
+; Use ACLs to check if the user is allowed to submit check results for this
+; host
+#acl: false
+
 [mode_passive]
 ; ### pipe ###
 ; File and path of Nagios command pipe
@@ -47,3 +52,25 @@ dir: /tmp/cr
 ; echo -n "Password" | md5sum -
 nagixsc: 019b0966d98fb71d1a4bc4ca0c81d5cc ; PW: nagixsc
 
+[acl_allowed_hosts_list]
+; (List of) allowed host(s) per user
+; Option "acl" in section "server" must be set to "true"!
+;
+; Format: <username>: <hostname1> [, <hostname2> [, <hostname3> [...]]]
+;
+; Example (allow only "host1" for "nagixsc"):
+;nagixsc: host1 ; "host2.foo.bar" of sample config not allowed
+
+[acl_allowed_hosts_re]
+; Regular Expression of allowed host(s) per user
+; Option "acl" in section "server" must be set to "true"!
+;
+; ATTENTION!
+; - Needs more testing!
+; - Python Regular Expressions, see http://docs.python.org/library/re.html
+;
+; Format: <username>: <regexp>
+;
+; Example (allow only "host1" for "nagixsc", same as above in "acl_allowed_hosts_list"):
+;nagixsc: ^host1$
+