From fe6245ec3da91aaa3f1193ca4de0aa39a220e468 Mon Sep 17 00:00:00 2001
From: Alexander Fisher
Date: Fri, 4 Mar 2022 15:11:25 +0000
Subject: [PATCH] Add `server_jolokia_metrics_whitelist` parameter
When set, allows listed clients access to the V2 (jolokia) metrics endpoint.
See https://puppet.com/docs/puppet/7/server/metrics-api/v2/metrics_api.html
---
 manifests/init.pp | 4 ++++
 manifests/server.pp | 4 ++++
 manifests/server/puppetserver.pp | 1 +
 spec/classes/puppet_server_puppetserver_spec.rb | 17 +++++++++++++++++
 .../server/puppetserver/conf.d/auth.conf.erb | 15 +++++++++++++++
 5 files changed, 41 insertions(+)
diff --git a/manifests/init.pp b/manifests/init.pp
index 3b242580..71d92a17 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -537,6 +537,9 @@
 # invokes when on static_file_content requests.
 # Defaults to undef
 #
+# $server_jolokia_metrics_whitelist:: The whitelist of clients that
+# can query the jolokia /metrics/v2 endpoint
+#
 # === Usage:
 #
 # * Simple usage:
@@ -732,6 +735,7 @@
 Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
 Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
 Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,
+ Array[String[1]] $server_jolokia_metrics_whitelist = [],
 ) inherits puppet::params {
 contain puppet::config
diff --git a/manifests/server.pp b/manifests/server.pp
index d80ad45e..f7e1b27f 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
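Review bot: The new doc entry at `+# $server_jolokia_metrics_whitelist::` states neither the default nor what an entry is, while the neighbouring entries close with `# Defaults to undef`. The auth.conf template only emits the rule when the list is non-empty and the rule that follows it denies everything else, so an empty list means no client can reach `/metrics/v2`, which is worth saying; and each entry is written verbatim into the rule's `allow:` list, so the reader should be told it is a client identifier as auth.conf `allow` understands it (presumably a certname). Suggest appending `# Each entry is written verbatim into the auth.conf allow list for /metrics/v2.` and `# Defaults to [] (no client is allowed)` to this block. The same gap is in the server.pp hunk for `$jolokia_metrics_whitelist`.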
@@ -331,6 +331,9 @@
 # $versioned_code_content:: Contains the path to an executable script that Puppet Server invokes when an agent makes
 # a static_file_content API request for the contents of a file resource that
 # has a source attribute with a puppet:/// URI value.
+#
+# $jolokia_metrics_whitelist:: The whitelist of clients that
+# can query the jolokia /metrics/v2 endpoint
 class puppet::server(
 Variant[Boolean, Stdlib::Absolutepath] $autosign = $puppet::autosign,
 Array[String] $autosign_entries = $puppet::autosign_entries,
@@ -449,6 +452,7 @@
 Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files,
 Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
 Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,
+ Array[String[1]] $jolokia_metrics_whitelist = $puppet::server_jolokia_metrics_whitelist,
 ) {
 # For Puppetserver, certain configuration parameters are version specific. We
 # assume a particular version here.
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
index a39b3e66..12e5b357 100644
--- a/manifests/server/puppetserver.pp
+++ b/manifests/server/puppetserver.pp
@@ -144,6 +144,7 @@
 $versioned_code_id = $puppet::server::versioned_code_id,
 $versioned_code_content = $puppet::server::versioned_code_content,
 $disable_fips = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8',
+ $jolokia_metrics_whitelist = $puppet::server::jolokia_metrics_whitelist,
 ) {
 include puppet::server
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
index b22ce935..6a4ecc6d 100644
--- a/spec/classes/puppet_server_puppetserver_spec.rb
+++ b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -564,6 +564,23 @@
 }
 end
 end
+
+ describe 'jolokia_metrics_whitelist' do
+ let(:content) { catalogue.resource('file', auth_conf).send(:parameters)[:content] }
+ let(:rules) { Hocon.parse(content)['authorization']['rules'] }
+ let(:rule) { rules.find {|rule| rule['name'] == 'jolokia metrics' } }
+
+ context 'by default' do
+ it { expect(rule).to be_nil }
+ end
+
+ context 'when set' do
+ let(:params) { super().merge(server_jolokia_metrics_whitelist: ['localhost', 'host.example.com']) }
+
+ it { expect(rule['match-request']['path']).to eq('/metrics/v2') }
+ it { expect(rule['allow']).to eq(['localhost', 'host.example.com']) }
+ end
+ end
 end
 end
 end
diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index 275326f1..c1f03369 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -356,6 +356,21 @@ authorization: {
 sort-order: 500
 name: "puppetlabs experimental"
 },
+<%- end -%>
+<%- unless @jolokia_metrics_whitelist.empty? -%>
+ {
+ match-request: {
+ path: "/metrics/v2"
+ type: path
+ }
+ allow: [
+<%- @jolokia_metrics_whitelist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ ]
+ sort-order: 500
+ name: "jolokia metrics"
+ },
 <%- end -%>
 {
 # Deny everything else. This ACL is not strictly
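Review bot: The `when set` context asserts the rule's `path` and `allow` values but not `match-request.type` or `sort-order`, so a template regression from `type: path` to another matcher, or a precedence change, would pass the suite unnoticed. Add `it { expect(rule['match-request']['type']).to eq('path') }` and `it { expect(rule['sort-order']).to eq(500) }` alongside the two existing expectations. The surrounding `describe` blocks that the three trailing `end`s close start outside the hunk.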
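Review bot: Each whitelist entry is interpolated raw inside a double-quoted HOCON string at `"<%= client %>",`, so an entry containing `"` or `\` produces an auth.conf that fails to parse or a rule other than the one intended, and the `Array[String[1]]` type given to the parameter in init.pp and server.pp does not exclude those characters. Since the value lands in an authorization rule, validate it where it enters (for example a `Pattern[...]` type on the parameter that rejects `"` and `\`) or quote it with a JSON-string helper in the template, rather than relying on every caller to supply a clean certname. The `<%- unless @jolokia_metrics_whitelist.empty? -%>` guard correctly keeps the rule out of the file when the list is empty, so the default stays covered by the deny-everything rule that follows; the first `+<%- end -%>` closes a block that begins outside the hunk.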