zabbix agent lts - update to 3.0 and add tls options

(cherry picked from commit fc8efa6d0fbb29bcf0ededc9074fe95392576257)
author: Danilo G. Baio (dbaio) <dbaio@bsd.com.br> 2016-05-08 15:33:06 -0300
committer: Renato Botelho <garga@FreeBSD.org> 2016-07-18 11:00:56 -0300
commit: 9b6d0cafbcb576f96380029d184219486801e5b0 (patch)
tree: a29b01fd97f68a514becaa4d89fc3b3b9a5bc7dc
parent: 0be12a0ee1540731c2ca52d9d277b94e32b4eae1 (diff)
download: FreeBSD-ports-9b6d0cafbcb576f96380029d184219486801e5b0.zip
FreeBSD-ports-9b6d0cafbcb576f96380029d184219486801e5b0.tar.gz
3 files changed, 165 insertions, 6 deletions
diff --git a/net-mgmt/pfSense-pkg-zabbix-agent/Makefile b/net-mgmt/pfSense-pkg-zabbix-agent/Makefile
index 62ecdd5..e0a2f69 100644
--- a/net-mgmt/pfSense-pkg-zabbix-agent/Makefile
+++ b/net-mgmt/pfSense-pkg-zabbix-agent/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	pfSense-pkg-zabbix-agent
 PORTVERSION=	0.8.9
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	net-mgmt
 MASTER_SITES=	# empty
 DISTFILES=	# empty
@@ -13,7 +13,7 @@ COMMENT=	pfSense package zabbix-agent
 
 LICENSE=	ESF
 
-RUN_DEPENDS=	${LOCALBASE}/sbin/zabbix_agent:net-mgmt/zabbix22-agent
+RUN_DEPENDS=	${LOCALBASE}/sbin/zabbix_agentd:net-mgmt/zabbix3-agent
 
 NO_BUILD=	yes
 NO_MTREE=	yes
diff --git a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc
index a918153..cfd1761 100644
--- a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc
+++ b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.inc
@@ -32,11 +32,12 @@ require_once("util.inc");
 require_once("functions.inc");
 require_once("pkg-utils.inc");
 require_once("globals.inc");
+require_once("certs.inc");
 
 define('ZABBIX_AGENT_BASE', '/usr/local');
 
 function php_deinstall_zabbix_agent_lts() {
-	unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf");
+	unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix3/zabbix_agentd.conf");
 	unlink_if_exists("/var/log/zabbix-agent-lts/zabbix_agentd_lts.log");
 	unlink_if_exists("/var/run/zabbix-agent-lts/zabbix_agentd_lts.pid");
 
@@ -132,6 +133,45 @@ function sync_package_zabbix_agent_lts() {
 			$ListenIp = $zbagent_config['listenip'] ?: "0.0.0.0";
 			$ListenPort = $zbagent_config['listenport'] ?: "10050";
 			$TimeOut = $zbagent_config['timeout'] ?: "3";
+			$TLSConnect = $zbagent_config['tlsconnect'];
+			$TLSAccept = $zbagent_config['tlsaccept'] ?: "unencrypted";
+
+			if ($zbagent_config['tlscaso']) {
+				$TlsCAfile = "TLSCAFile=/usr/local/etc/ssl/cert.pem";
+			} else {
+				if ($zbagent_config['tlscafile'] != "none") {
+					$ca = lookup_ca($zbagent_config['tlscafile']);
+					zabbix_add_keyfile($ca['crt'], "ca");
+					$TlsCAfile = "TLSCAFile=/usr/local/etc/zabbix3/zabbix_agentd.ca";
+				}
+			}
+
+			if ($zbagent_config['tlscrlfile'] != "none") {
+				$crl = lookup_crl($zbagent_config['tlscrlfile']);
+				crl_update($crl);
+				zabbix_add_keyfile($crl['text'], "crl-verify");
+				$TlsCRLfile = "TLSCRLFile=/usr/local/etc/zabbix3/zabbix_agentd.crl-verify";
+			}
+
+			if ($zbagent_config['tlscertfile'] != "none") {
+				$cert = lookup_cert($zbagent_config['tlscertfile']);
+
+				zabbix_add_keyfile($cert['crt'], "cert");
+				$TlsCERTfile = "TLSCertFile=/usr/local/etc/zabbix3/zabbix_agentd.cert";
+
+				zabbix_add_keyfile($cert['prv'], "key");
+				$TlsKEYfile = "TLSKeyFile=/usr/local/etc/zabbix3/zabbix_agentd.key";
+			}
+
+			if (! empty($zbagent_config['tlspskidentity']) ) {
+				$TLSPSKIdentity = "TLSPSKIdentity={$zbagent_config['tlspskidentity']}";
+			}
+
+			if (! empty($zbagent_config['tlspskfile']) ) {
+				zabbix_add_keyfile($zbagent_config['tlspskfile'], "psk");
+				$TLSPSKFile = "TLSPSKFile=/usr/local/etc/zabbix3/zabbix_agentd.psk";
+			}
+
 
 			$zbagent_conf_file = <<< EOF
 Server={$zbagent_config['server']}
@@ -148,10 +188,18 @@ Timeout={$TimeOut}
 BufferSend={$BufferSend}
 BufferSize={$BufferSize}
 StartAgents={$StartAgents}
+TLSConnect={$TLSConnect}
+TLSAccept={$TLSAccept}
+{$TlsCAfile}
+{$TlsCRLfile}
+{$TlsCERTfile}
+{$TlsKEYfile}
+{$TLSPSKIdentity}
+{$TLSPSKFile}
 {$UserParams}
 
 EOF;
-			file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => "")));
+			file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix3/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => "")));
 		}
 	}
 
@@ -203,8 +251,8 @@ EOF;
 
 	// Check startup script files
 	// Create a few directories and ensure the sample files are in place
-	if (!is_dir(ZABBIX_AGENT_BASE . "/etc/zabbix22")) {
-		mwexec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/zabbix22");
+	if (!is_dir(ZABBIX_AGENT_BASE . "/etc/zabbix3")) {
+		mwexec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/zabbix3");
 	}
 
 	$dir_checks = <<< EOF
@@ -250,4 +298,14 @@ EOF;
 	conf_mount_ro();
 }
 
+// Based on openvpn_add_keyfile() function
+function zabbix_add_keyfile(& $data, $directive) {
+
+	$fpath = "/usr/local/etc/zabbix3/zabbix_agentd.{$directive}";
+
+	file_put_contents($fpath, base64_decode($data));
+	@chmod($fpath, 0600);
+	@chown($fpath, "zabbix");
+}
+
 ?>
diff --git a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml
index ff70ae8..acd5970 100644
--- a/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml
+++ b/net-mgmt/pfSense-pkg-zabbix-agent/files/usr/local/pkg/zabbix-agent-lts.xml
@@ -178,6 +178,107 @@
 			</description>
 		</field>
 		<field>
+			<name>TLS-RELATED Parameters</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>TLS Connect</fielddescr>
+			<fieldname>tlsconnect</fieldname>
+			<description>
+				<![CDATA[
+					How the agent should connect to server or proxy. Used for active checks.<br/>
+					Only one value can be specified:<br/>
+					<strong>unencrypted</strong> - connect without encryption<br/>
+					<strong>psk</strong>         - connect using TLS and a pre-shared key<br/>
+					<strong>cert</strong>        - connect using TLS and a certificate<br/>
+				]]>
+			</description>
+			<type>select</type>
+			<default_value>unencrypted</default_value>
+			<options>
+				<option><name>unencrypted</name><value>unencrypted</value></option>
+				<option><name>psk</name><value>psk</value></option>
+				<option><name>cert</name><value>cert</value></option>
+			</options>
+		</field>
+		<field>
+			<fielddescr>TLS Accept</fielddescr>
+			<fieldname>tlsaccept</fieldname>
+			<description>
+				<![CDATA[
+					What incoming connections to accept.<br/>
+					Multiple values can be specified:<br/>
+					<strong>unencrypted</strong> - connect without encryption<br/>
+					<strong>psk</strong>         - connect using TLS and a pre-shared key<br/>
+					<strong>cert</strong>        - connect using TLS and a certificate<br/>
+				]]>
+			</description>
+			<type>select</type>
+			<default_value>unencrypted</default_value>
+			<options>
+				<option><name>unencrypted</name><value>unencrypted</value></option>
+				<option><name>psk</name><value>psk</value></option>
+				<option><name>cert</name><value>cert</value></option>
+			</options>
+			<multiple/>
+			<size>3</size>
+		</field>
+		<field>
+			<fielddescr>TLS CA</fielddescr>
+			<fieldname>tlscafile</fieldname>
+			<description>Top-level CA certificate for peer certificate verification.</description>
+			<type>select_source</type>
+			<source><![CDATA[$config['ca']]]></source>
+			<source_name>descr</source_name>
+			<source_value>refid</source_value>
+			<show_disable_value>none</show_disable_value>
+			<default_value>none</default_value>
+		</field>
+		<field>
+			<fielddescr>TLS CA System</fielddescr>
+			<fieldname>tlscaso</fieldname>
+			<description>Use the CA certificate list from the operating system. This option overrides prior option.</description>
+			<type>checkbox</type>
+		</field>
+		<field>
+			<fielddescr>TLS CRL</fielddescr>
+			<fieldname>tlscrlfile</fieldname>
+			<description>List of revoked certificates.</description>
+			<type>select_source</type>
+			<source><![CDATA[$config['crl']]]></source>
+			<source_name>descr</source_name>
+			<source_value>refid</source_value>
+			<show_disable_value>none</show_disable_value>
+			<default_value>none</default_value>
+		</field>
+		<field>
+			<fielddescr>TLS Cert</fielddescr>
+			<fieldname>tlscertfile</fieldname>
+			<description>Agent certificate.</description>
+			<type>select_source</type>
+			<source><![CDATA[$config['cert']]]></source>
+			<source_name>descr</source_name>
+			<source_value>refid</source_value>
+			<show_disable_value>none</show_disable_value>
+			<default_value>none</default_value>
+		</field>
+		<field>
+			<fielddescr>TLS PSK Identity</fielddescr>
+			<fieldname>tlspskidentity</fieldname>
+			<description>Unique, case sensitive string used to identify the pre-shared key.</description>
+			<type>input</type>
+			<size>60</size>
+		</field>
+		<field>
+			<fielddescr>TLS PSK</fielddescr>
+			<fieldname>tlspskfile</fieldname>
+			<encoding>base64</encoding>
+			<type>textarea</type>
+			<rows>5</rows>
+			<cols>50</cols>
+			<description></description>
+		</field>
+		<field>
 			<fielddescr>User Parameters</fielddescr>
 			<fieldname>userparams</fieldname>
 			<encoding>base64</encoding>
author	Danilo G. Baio (dbaio) <dbaio@bsd.com.br>	2016-05-08 15:33:06 -0300
committer	Renato Botelho <garga@FreeBSD.org>	2016-07-18 11:00:56 -0300
commit	9b6d0cafbcb576f96380029d184219486801e5b0 (patch)
tree	a29b01fd97f68a514becaa4d89fc3b3b9a5bc7dc
parent	0be12a0ee1540731c2ca52d9d277b94e32b4eae1 (diff)
download	FreeBSD-ports-9b6d0cafbcb576f96380029d184219486801e5b0.zip FreeBSD-ports-9b6d0cafbcb576f96380029d184219486801e5b0.tar.gz