authorDanilo G. Baio (dbaio) <dbaio@bsd.com.br>2016-05-08 15:41:57 -0300
committerRenato Botelho <garga@FreeBSD.org>2016-07-18 11:00:53 -0300
commit0be12a0ee1540731c2ca52d9d277b94e32b4eae1 (patch)
tree21d0dd2a99e9c6281a03dd47eaf60dd5772f7b4b
parente712a1aaba4c3eb900f5c81667ea8c75b77cdb8a (diff)
downloadFreeBSD-ports-0be12a0ee1540731c2ca52d9d277b94e32b4eae1.zip
FreeBSD-ports-0be12a0ee1540731c2ca52d9d277b94e32b4eae1.tar.gz
zabbix proxy lts - update to 3.0 and add tls options
(cherry picked from commit a19a234ea523b517ecc1136d1b008de453cfb15c)
-rw-r--r--net-mgmt/pfSense-pkg-zabbix-proxy/Makefile4
-rw-r--r--net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc65
-rw-r--r--net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml101
3 files changed, 164 insertions, 6 deletions
diff --git a/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile b/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile
index 5931bcc..873dfbd 100644
--- a/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile
+++ b/net-mgmt/pfSense-pkg-zabbix-proxy/Makefile
@@ -2,7 +2,7 @@
PORTNAME= pfSense-pkg-zabbix-proxy
PORTVERSION= 0.8.9
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= net-mgmt
MASTER_SITES= # empty
DISTFILES= # empty
@@ -13,7 +13,7 @@ COMMENT= pfSense package zabbix-proxy
LICENSE= ESF
-RUN_DEPENDS= ${LOCALBASE}/sbin/zabbix_proxy:net-mgmt/zabbix22-proxy
+RUN_DEPENDS= ${LOCALBASE}/sbin/zabbix_proxy:net-mgmt/zabbix3-proxy
NO_BUILD= yes
NO_MTREE= yes
diff --git a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc
index d3a5138..9bdb87b 100644
--- a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc
+++ b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.inc
@@ -32,11 +32,12 @@ require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
+require_once("certs.inc");
define('ZABBIX_PROXY_BASE', '/usr/local');
function php_deinstall_zabbix_proxy_lts() {
- unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy_lts.conf");
+ unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix3/zabbix_proxy_lts.conf");
unlink_if_exists("/var/log/zabbix-proxy-lts/zabbix_proxy_lts.log");
unlink_if_exists("/var/run/zabbix-proxy-lts/zabbix_proxy_lts.pid");
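Review bot: php_deinstall_zabbix_proxy_lts() still removes only the conf, log and pid files, while the TLS options added in this commit write zabbix_proxy.ca, .crl-verify, .cert, .key and .psk into /usr/local/etc/zabbix3 via zabbix_add_keyfile(), so the proxy's private key and pre-shared key outlive the package. Add to the function `foreach (array("ca", "crl-verify", "cert", "key", "psk") as $d) { unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix3/zabbix_proxy.{$d}"); }`. Separately, the renamed unlink path is zabbix_proxy_lts.conf whereas the sync code in a later hunk writes zabbix3/zabbix_proxy.conf; the mismatch predates this change, but the path edit here was the moment to align them. The function body continues past the hunk.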
@@ -84,6 +85,44 @@ function sync_package_zabbix_proxy_lts() {
if ($zbproxy_config['proxyenabled'] == "on") {
$Mode = (is_numericint($zbproxy_config['proxymode']) ? $zbproxy_config['proxymode'] : 0);
$AdvancedParams = base64_decode($zbproxy_config['advancedparams']);
+ $TLSConnect = $zbproxy_config['tlsconnect'];
+ $TLSAccept = $zbproxy_config['tlsaccept'] ?: "unencrypted";
+
+ if ($zbproxy_config['tlscaso']) {
+ $TlsCAfile = "TLSCAFile=/usr/local/etc/ssl/cert.pem";
+ } else {
+ if ($zbproxy_config['tlscafile'] != "none") {
+ $ca = lookup_ca($zbproxy_config['tlscafile']);
+ zabbix_add_keyfile($ca['crt'], "ca");
+ $TlsCAfile = "TLSCAFile=/usr/local/etc/zabbix3/zabbix_proxy.ca";
+ }
+ }
+
+ if ($zbproxy_config['tlscrlfile'] != "none") {
+ $crl = lookup_crl($zbproxy_config['tlscrlfile']);
+ crl_update($crl);
+ zabbix_add_keyfile($crl['text'], "crl-verify");
+ $TlsCRLfile = "TLSCRLFile=/usr/local/etc/zabbix3/zabbix_proxy.crl-verify";
+ }
+
+ if ($zbproxy_config['tlscertfile'] != "none") {
+ $cert = lookup_cert($zbproxy_config['tlscertfile']);
+
+ zabbix_add_keyfile($cert['crt'], "cert");
+ $TlsCERTfile = "TLSCertFile=/usr/local/etc/zabbix3/zabbix_proxy.cert";
+
+ zabbix_add_keyfile($cert['prv'], "key");
+ $TlsKEYfile = "TLSKeyFile=/usr/local/etc/zabbix3/zabbix_proxy.key";
+ }
+
+ if (! empty($zbproxy_config['tlspskidentity']) ) {
+ $TLSPSKIdentity = "TLSPSKIdentity={$zbproxy_config['tlspskidentity']}";
+ }
+
+ if (! empty($zbproxy_config['tlspskfile']) ) {
+ zabbix_add_keyfile($zbproxy_config['tlspskfile'], "psk");
+ $TLSPSKFile = "TLSPSKFile=/usr/local/etc/zabbix3/zabbix_proxy.psk";
+ }
$zbproxy_conf_file = <<< EOF
Server={$zbproxy_config['server']}
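Review bot: `$TLSConnect = $zbproxy_config['tlsconnect'];` has no fallback, unlike the `$TLSAccept` line directly below it, so on an install upgraded from the zabbix22 package where the new field was never saved the generated conf gets a bare `TLSConnect=`, which Zabbix is likely to reject at startup; use `$TLSConnect = $zbproxy_config['tlsconnect'] ?: "unencrypted";`. The cert branch also assumes `lookup_cert()` resolved the refid and that the entry carries a private key; a certificate imported without one leaves `$cert['prv']` empty and `zabbix_add_keyfile()` then writes an empty zabbix_proxy.key that the proxy is pointed at, so guard with `if ($cert && !empty($cert['prv']))` (and likewise check `$ca` and `$crl` before use) and omit the directive otherwise. The enclosing sync_package_zabbix_proxy_lts() starts before this hunk and continues past it.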
@@ -98,10 +137,18 @@ FpingLocation=/usr/local/sbin/fping
# but if there was, the binary would likely also be in /usr/local/sbin.
Fping6Location=/usr/local/sbin/fping6
ProxyMode={$Mode}
+TLSConnect={$TLSConnect}
+TLSAccept={$TLSAccept}
+{$TlsCAfile}
+{$TlsCRLfile}
+{$TlsCERTfile}
+{$TlsKEYfile}
+{$TLSPSKIdentity}
+{$TLSPSKFile}
{$AdvancedParams}
EOF;
- file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
+ file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix3/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
}
}
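Review bot: None of `$TlsCAfile`, `$TlsCRLfile`, `$TlsCERTfile`, `$TlsKEYfile`, `$TLSPSKIdentity` or `$TLSPSKFile` is initialised before the heredoc, so whenever an option is left at its default the interpolation raises an "Undefined variable" notice and leaves a blank line in zabbix_proxy.conf (only `\r` is stripped before the write). Initialise them ahead of the option handling, `$TlsCAfile = $TlsCRLfile = $TlsCERTfile = $TlsKEYfile = $TLSPSKIdentity = $TLSPSKFile = "";`, or collect the directives in an array and `implode("\n", array_filter($tls_directives))` into a single placeholder. The heredoc and the `if` block around it begin outside this hunk.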
@@ -153,8 +200,8 @@ EOF;
// Check startup script files
// Create a few directories and ensure the sample files are in place
- if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22")) {
- mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22");
+ if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix3")) {
+ mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix3");
}
$dir_checks = <<< EOF
@@ -218,4 +265,14 @@ EOF;
conf_mount_ro();
}
+// Based on openvpn_add_keyfile() function
+function zabbix_add_keyfile(& $data, $directive) {
+
+ $fpath = "/usr/local/etc/zabbix3/zabbix_proxy.{$directive}";
+
+ file_put_contents($fpath, base64_decode($data));
+ @chmod($fpath, 0600);
+ @chown($fpath, "zabbix");
+}
+
?>
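Review bot: `file_put_contents($fpath, base64_decode($data));` creates the key file under the process umask and only afterwards applies `@chmod($fpath, 0600)`, so the decoded private key or PSK is briefly readable by any local account that can list /usr/local/etc/zabbix3 (the exact window depends on pfSense's umask — confirm), and a failed chmod or chown is silenced by the `@`. Wrap the write, `$oldmask = umask(077);` before it and `umask($oldmask);` after, and check the chmod result (log on failure) instead of suppressing it. Taking `$data` by reference buys nothing here, and an empty value (a certificate entry with no private key) silently yields an empty key file; the function should return early when `$data` is empty rather than point the proxy at a zero-length key.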
diff --git a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml
index f6b1621..f33b62f 100644
--- a/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml
+++ b/net-mgmt/pfSense-pkg-zabbix-proxy/files/usr/local/pkg/zabbix-proxy-lts.xml
@@ -127,6 +127,107 @@
<required>true</required>
</field>
<field>
+ <name>TLS-RELATED Parameters</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>TLS Connect</fielddescr>
+ <fieldname>tlsconnect</fieldname>
+ <description>
+ <![CDATA[
+ How the agent should connect to server or proxy. Used for active checks.<br/>
+ Only one value can be specified:<br/>
+ <strong>unencrypted</strong> - connect without encryption<br/>
+ <strong>psk</strong> - connect using TLS and a pre-shared key<br/>
+ <strong>cert</strong> - connect using TLS and a certificate<br/>
+ ]]>
+ </description>
+ <type>select</type>
+ <default_value>unencrypted</default_value>
+ <options>
+ <option><name>unencrypted</name><value>unencrypted</value></option>
+ <option><name>psk</name><value>psk</value></option>
+ <option><name>cert</name><value>cert</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>TLS Accept</fielddescr>
+ <fieldname>tlsaccept</fieldname>
+ <description>
+ <![CDATA[
+ What incoming connections to accept.<br/>
+ Multiple values can be specified:<br/>
+ <strong>unencrypted</strong> - connect without encryption<br/>
+ <strong>psk</strong> - connect using TLS and a pre-shared key<br/>
+ <strong>cert</strong> - connect using TLS and a certificate<br/>
+ ]]>
+ </description>
+ <type>select</type>
+ <default_value>unencrypted</default_value>
+ <options>
+ <option><name>unencrypted</name><value>unencrypted</value></option>
+ <option><name>psk</name><value>psk</value></option>
+ <option><name>cert</name><value>cert</value></option>
+ </options>
+ <multiple/>
+ <size>3</size>
+ </field>
+ <field>
+ <fielddescr>TLS CA</fielddescr>
+ <fieldname>tlscafile</fieldname>
+ <description>Top-level CA certificate for peer certificate verification.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['ca']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
+ </field>
+ <field>
+ <fielddescr>TLS CA System</fielddescr>
+ <fieldname>tlscaso</fieldname>
+ <description>Use the CA certificate list from the operating system. This option overrides prior option.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>TLS CRL</fielddescr>
+ <fieldname>tlscrlfile</fieldname>
+ <description>List of revoked certificates.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['crl']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
+ </field>
+ <field>
+ <fielddescr>TLS Cert</fielddescr>
+ <fieldname>tlscertfile</fieldname>
+ <description>Agent certificate.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['cert']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
+ </field>
+ <field>
+ <fielddescr>TLS PSK Identity</fielddescr>
+ <fieldname>tlspskidentity</fieldname>
+ <description>Unique, case sensitive string used to identify the pre-shared key.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>TLS PSK</fielddescr>
+ <fieldname>tlspskfile</fieldname>
+ <encoding>base64</encoding>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ <description></description>
+ </field>
+ <field>
<fielddescr>Advanced Parameters</fielddescr>
<fieldname>advancedparams</fieldname>
<encoding>base64</encoding>
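Review bot: The `tlscaso` description ("Use the CA certificate list from the operating system. This option overrides prior option.") omits the consequence: with `TLSCAFile=/usr/local/etc/ssl/cert.pem` any certificate chaining to a publicly trusted CA is accepted as the Zabbix server unless issuer/subject are also pinned, and no field for `TLSServerCertIssuer`/`TLSServerCertSubject` is exposed. I would change it to `Use the CA certificate list from the operating system instead of the CA selected above. Any certificate issued by a publicly trusted CA is then accepted; restrict the peer with TLSServerCertIssuer/TLSServerCertSubject in Advanced Parameters.` Several texts were copied from the agent documentation: `tlsconnect` reads "How the agent should connect to server or proxy" and `tlscertfile` reads "Agent certificate.", which for this package should be `How the proxy connects to the Zabbix server (active proxy mode).` and `Proxy certificate.`. The TLS PSK textarea has an empty `<description>`; it should state that the field holds the pre-shared key as a hex string (Zabbix requires an even number of hex digits, at least 32) and that it is written to a mode-0600 file on the firewall.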