enh: http proxy: add allowed_egress_protocols config option

ovh · Feb 24, 2025 · 3357084 · 3357084
1 parent 7128bc5
commit 3357084
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 11 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -831,6 +831,14 @@ Timeout delay (in seconds) for the connection between the bastion and the device
 
 Default value: `$thebastion::params::http_proxy_timeout`
 
+##### `http_proxy_allowed_egress_protocols`
+
+Data type: `Array[String]`
+
+List of the allowed protocols to be used on the egress side of the HTTPS proxy, supported protocols: https, http
+
+Default value: `$thebastion::params::http_proxy_allowed_egress_protocols`
+
 ##### `piv_grace_reaper_syslog`
 
 Data type: `Optional[String]`

diff --git a/manifests/addons.pp b/manifests/addons.pp
@@ -63,17 +63,18 @@
   # HTTP Proxy
 
   $http_proxy_conf = {
-    'ciphers'           => $thebastion::http_proxy_ciphers,
-    'enabled'           => $thebastion::http_proxy_enabled,
-    'insecure'          => $thebastion::http_proxy_insecure,
-    'min_servers'       => $thebastion::http_proxy_min_servers,
-    'min_spare_servers' => $thebastion::http_proxy_min_spare_servers,
-    'max_servers'       => $thebastion::http_proxy_max_servers,
-    'max_spare_servers' => $thebastion::http_proxy_max_spare_servers,
-    'port'              => $thebastion::http_proxy_port,
-    'ssl_certificate'   => $thebastion::http_proxy_ssl_certificate,
-    'ssl_key'           => $thebastion::http_proxy_ssl_key,
-    'timeout'           => $thebastion::http_proxy_timeout,
+    'ciphers'                  => $thebastion::http_proxy_ciphers,
+    'enabled'                  => $thebastion::http_proxy_enabled,
+    'insecure'                 => $thebastion::http_proxy_insecure,
+    'min_servers'              => $thebastion::http_proxy_min_servers,
+    'min_spare_servers'        => $thebastion::http_proxy_min_spare_servers,
+    'max_servers'              => $thebastion::http_proxy_max_servers,
+    'max_spare_servers'        => $thebastion::http_proxy_max_spare_servers,
+    'port'                     => $thebastion::http_proxy_port,
+    'ssl_certificate'          => $thebastion::http_proxy_ssl_certificate,
+    'ssl_key'                  => $thebastion::http_proxy_ssl_key,
+    'timeout'                  => $thebastion::http_proxy_timeout,
+    'allowed_egress_protocols' => $thebastion::http_proxy_allowed_egress_protocols,
   }
 
   concat { '/etc/bastion/osh-http-proxy.conf':

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -209,6 +209,8 @@
 #   File that contains the server SSL key in PEM format
 # @param http_proxy_timeout
 #   Timeout delay (in seconds) for the connection between the bastion and the devices
+# @param http_proxy_allowed_egress_protocols
+#   List of the allowed protocols to be used on the egress side of the HTTPS proxy, supported protocols: https, http
 # @param piv_grace_reaper_syslog
 #   Syslog facility to log to if defined
 # @param sync_watcher_enabled
@@ -332,6 +334,7 @@
   Stdlib::AbsolutePath $http_proxy_ssl_certificate                                  = $thebastion::params::http_proxy_ssl_certificate,
   Stdlib::AbsolutePath $http_proxy_ssl_key                                          = $thebastion::params::http_proxy_ssl_key,
   Integer $http_proxy_timeout                                                       = $thebastion::params::http_proxy_timeout,
+  Array[String] $http_proxy_allowed_egress_protocols                                = $thebastion::params::http_proxy_allowed_egress_protocols,
   Optional[String] $piv_grace_reaper_syslog                                         = $thebastion::params::piv_grace_reaper_syslog,
   Boolean $sync_watcher_enabled                                                     = $thebastion::params::sync_watcher_enabled,
   Optional[Stdlib::AbsolutePath] $sync_watcher_logdir                               = $thebastion::params::sync_watcher_logdir,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -225,6 +225,7 @@
   $http_proxy_ssl_certificate               = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
   $http_proxy_ssl_key                       = '/etc/ssl/private/ssl-cert-snakeoil.key'
   $http_proxy_timeout                       = 120
+  $http_proxy_allowed_egress_protocols      = ['https']
   $piv_grace_reaper_syslog                  = undef
   $sync_watcher_enabled                     = false
   $sync_watcher_logdir                      = undef

diff --git a/spec/classes/thebastion_spec.rb b/spec/classes/thebastion_spec.rb
@@ -648,6 +648,7 @@
             http_proxy_ssl_certificate:   '/tmp/certs/mycert',
             http_proxy_ssl_key:           '/tmp/certs/mykey',
             http_proxy_timeout:           85,
+            http_proxy_allowed_egress_protocols: ['https', 'http']
           }
         end
 
@@ -664,6 +665,7 @@
           expect(parsed['ssl_certificate']).to eq('/tmp/certs/mycert')
           expect(parsed['ssl_key']).to eq('/tmp/certs/mykey')
           expect(parsed['timeout']).to eq(85)
+          expect(parsed['allowed_egress_protocols']).to contain_exactly(['https', 'http'])
         end
       end