From 89ee6bf742f69dcd4b9ba302df46f2596c717fcc Mon Sep 17 00:00:00 2001
From: Jon
Date: Sat, 24 Feb 2024 15:37:04 +0930
Subject: [PATCH] feat(scanner): ability to confirm server identity

!11 closes #1
---
 .../ansible/collection/phpipam_scan_agent/scanner.md | 7 ++++++-
 playbooks/tasks/scan_subnet.yaml | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/projects/ansible/collection/phpipam_scan_agent/scanner.md b/docs/projects/ansible/collection/phpipam_scan_agent/scanner.md
index 12e1063..a4be9d7 100644
--- a/docs/projects/ansible/collection/phpipam_scan_agent/scanner.md
+++ b/docs/projects/ansible/collection/phpipam_scan_agent/scanner.md
@@ -38,7 +38,7 @@ nofusscomputing_phpipam_scan_agent:
 http_port: 5000 # Optional, Integer. http port to connect to the server.
 http_server: http://127.0.0.1 # Optional, Integer. url with protocol of the Scan Server to connect to.
- auth_token: # Optional, String. The Scan-Agent server authentication token.
+ ca_path: # Optional, String. PEM formatted file that contains a CA certificate to be used for validation
 cache_expire_time: 1800 # Optional, Integer. Time in seconds to expire the phpIPAM cache.
 epoch_time_offset: 0 # optional, int. Value in seconds to offset the time
@@ -100,5 +100,10 @@ The scanner component has the following workflow:
 Once the [server component](server.md#remote%20network%20scannning) has been setup, the client can be installed/used from any network. Even a network that is isolated from the server. Only caveat is that the client can communicate with the server. To ensure that the client can connect to the server set the `auth_token` to match that of the server.
+Confirmation of the servers identity is done by validating the certificate that the server is using for TLS. Set variable `ca_path` to the path of a PEM formated certificate, and the CA certificate that was used to sign the servers TLS certificate.
+
+!!! tip
+ Whilst it's possible to use a certificate from a provider, letsencrypt for example. Using a self signed certificate is advised for communication between the server and scanner components. By doing so only you can authorize a certificate for the server. You should assess what is the best course of action within your threat model.
+
 !!! danger "Security"
 Failing to secure the server component communication with TLS will allow anyone with direct access to the line of communication to view the `auth_token`. Anyone who has the `auth_token` will be able to upload data to the server.
diff --git a/playbooks/tasks/scan_subnet.yaml b/playbooks/tasks/scan_subnet.yaml
index a73e3c5..88a2f44 100644
--- a/playbooks/tasks/scan_subnet.yaml
+++ b/playbooks/tasks/scan_subnet.yaml
@@ -67,6 +67,7 @@
 - name: Upload Scan Results - {{ subnet.address }}
 ansible.builtin.uri:
+ ca_path: "{{ nofusscomputing_phpipam_scan_agent.ca_path | default(omit) }}"
 headers:
 Authorization: "Bearer {{ nofusscomputing_phpipam_scan_agent.auth_token | default('no-token-set') }}"
 url: "{{