Merge branch '4-inventory-restricted-access' into 'development'

feat(inventory): restrict access to endpoints

See merge request nofusscomputing/projects/docker-glpi!3

.gitlab-ci.yml

@@ -7,7 +7,7 @@ variables:
   DOCKER_IMAGE_PUBLISH_NAME: 'docker-glpi'
   DOCKER_IMAGE_PUBLISH_REGISTRY: docker.io/nofusscomputing
   DOCKER_IMAGE_PUBLISH_URL: https://hub.docker.com/r/nofusscomputing/$DOCKER_IMAGE_PUBLISH_NAME
-  PAGES_ENVIRONMENT_PATH: projects/docker_glpi/
+  PAGES_ENVIRONMENT_PATH: projects/glpi/
 
 include:
   - project: nofusscomputing/projects/gitlab-ci

.gitmodules

@@ -2,3 +2,7 @@
 	path = gitlab-ci
 	url = https://gitlab.com/nofusscomputing/projects/gitlab-ci.git
 	branch = development
+[submodule "website-template"]
+	path = website-template
+	url = https://gitlab.com/nofusscomputing/infrastructure/website-template.git
+	branch = development

dockerfile

@@ -88,11 +88,15 @@ COPY --from=prepare /tmp/glpi /var/www/html
 
 
 RUN chown www-data:www-data -R /var/www; \
-  ln -s /var/www/html/bin/console /bin/console;
+  ln -s /var/www/html/bin/console /bin/console; \
+  touch /apache-passwd-glpi-inventory; \
+  chown www-data:www-data /apache-passwd-glpi-inventory; \
+  chmod 740 /apache-passwd-glpi-inventory;
 
 
 VOLUME /var/www/html/config
 VOLUME /var/www/html/data
+VOLUME /var/www/html/files
 VOLUME /var/www/html/plugins
 VOLUME /var/www/html/marketplacey
 VOLUME /var/log

docs/projects/glpi/index.md

@@ -0,0 +1,181 @@
+---
+title: Dockerized GLPI
+description: How to use No Fuss Computings docker container GLPI.
+date: 2023-08-29
+template: project.html
+about: https://gitlab.com/nofusscomputing/projects/ansible/docker-glpi
+---
+
+This docker container contains GLPI and is intended to be production ready and requires minimal configuration to use.
+
+!!! info
+    **TLDR** The docker container is available on dockerhub. `docker pull nofusscomputing/docker-glpi:dev`
+
+This container is designed to be ephemeral with all data residing within docker volumes. Outside of this container, the only reqirements is hard disk space and a MySQL/MariaDB database.
+
+
+## Features
+
+To see a full list of changes/features see the [changelog](https://gitlab.com/nofusscomputing/projects/docker-glpi/-/blob/development/CHANGELOG.md).
+
+- Data Volumes for _(relative paths are for glpi www root, `/var/www/html`)_
+
+    - `config/`
+
+    - `data/`
+
+    - `files/`
+
+    - `plugins/`
+
+    - `marketplace/`
+
+    - `/var/log/`
+
+- Inventory endpoints only available with use of feature flag
+
+- Container health check reports for all services (apache, cron, supervisord)
+
+- GLPI cron script scheduled within container cron. _See notes below._
+
+- GLPI WWW root setup under `public/`
+
+
+## Cron
+
+Cron is installed as part of the image and runs automagically on container start. GLPI cron script is also scheduled to run every minute. However for GLPI to use the CLI cron, you must configure it.
+
+Once GLPI has been setup and configured: 
+
+1. navigate to `Setup -> Automatic Actions`
+
+1. select all items in the list
+
+1. click the `Actions` button
+
+1. select `Update`
+
+1. select `Run Mode`
+
+1. select `CLI`
+
+1. click `Submit`
+
+Now GLPI will use the CLI cron script to run automagic actions.
+
+
+## Inventory
+
+It is posssible to use the inventory features available within GLPI, however by default access to the endpoints is disabled and behind a feature flag.The image by default will return HTTP/404 for the following paths:
+
+- `plugins/fusioninventory/` fusioninventory
+
+- `front/inventory.php` Native (non-GlpiInventory plugin)
+
+- `marketplace/glpiinventory/` GlpiInventory plugin (Marketplace installed)
+
+- `plugins/glpiinventory/` GlpiInventory plugin (plugin folder installed)
+
+To enable an inventory endpoint, using the values above, set environmental variable `GLPI_INVENTORY_PATH` when launching the container. i.e. to use GLPI native inventory `GLPI_INVENTORY_PATH=front/inventory.php`. on launching the container with this variable set, that endpoint is available for use for the inventory feature of GLPI.
+
+!!! tip
+    when using either `marketplace/glpiinventory/` or `plugins/glpiinventory/` as the inventory path you are required to prepend `index.php` to the end of the `server` directive in `agent.cfg`. i.e. `server = https://my-glpi-server/plugins/glpiinventory/index.php`
+
+!!! warning
+    It is strongly advised that when using the inventory features of GLPI, that the endpoints be configured for client authentication.
+
+
+### Client Authentication
+
+Due to the limitations of the inventory agents, mTLS is not available so HTTP Basic Authentication is configurable. by default, when you set the environmental variable `GLPI_INVENTORY_PATH` HTTP basic auth is enabled by default. To configure the users follow these steps:
+
+1. run command from within the container `htpasswd -c /apache-passwd-glpi-inventory {Username to create}`
+
+1. enter the password and confirm when prompted
+
+1. configure the `user` and `password` entries in the `agent.cfg` file.
+
+!!! tip
+    Ensure you limit the permissions on the `agent.cfg` file as it contains a password in clear text. Only the user the agent is run as requires access and you are encouraged to limit to that user only.
+
+!!! warning
+    HTTP Basic authentication is inherently insecure. to overcome this shortfall, ONLY use HTTP Basic Auth over a secure connection _(https)_. 
+
+
+## Running the container
+
+To quickly setup a container the following `docker-compose.yaml` file could be used.
+
+``` yaml title="docker-compose.yaml" linenums="1"
+version: "3.2"
+
+services:
+
+
+  mariadb:
+    image: mariadb:latest
+    container_name: mariadb
+    hostname: mariadb
+    volumes:
+      - /opt/mysql/mysql:/var/lib/mysql
+    environment:
+      - MARIADB_ROOT_PASSWORD=********
+      - MARIADB_DATABASE=glpi
+      - MARIADB_USER=********
+      - MARIADB_PASSWORD=********
+    restart: always
+
+
+  ingress:
+    image: nginx:latest-alpine
+    container_name : ingress
+    hostname: ingress
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/ingress/conf.d:/etc/nginx/conf.d:ro
+      - /opt/ingress/http:/http:ro
+      - /opt/ingress/ssl:/ssl:ro
+    environment:
+      - TIMEZONE=UTC
+    restart: always
+    networks:
+      - ingress
+      - default
+
+
+  glpi:
+    image: nofusscomputing/docker-glpi:dev
+    container_name : glpi
+    hostname: glpi
+    ports:
+      - "80:80"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/glpi/plugins:/var/www/html/plugins
+      - /opt/glpi/files:/var/www/html/files
+      - /opt/glpi/config:/var/www/html/config
+      - /opt/glpi/marketplace:/var/www/html/marketplace
+    environment:
+      - TIMEZONE=UTC
+      - GLPI_INVENTORY_PATH=/plugins/glpiinventory/
+    restart: always
+    networks:
+      - default
+
+
+volumes:
+  data_mysql:
+
+
+networks:
+  default:
+    external: no
+  ingress:
+    external: yes
+
+```

docs/task-doc-template.md

@@ -0,0 +1,87 @@
+
+
+short summary of the task file
+
+## {Task Name}
+
+- **Name**: 
+
+- **Description**: 
+
+- **Module**: 
+
+- **Arguments**:
+
+  - 
+
+- **Conditional**: 
+
+- **Tags**: 
+
+  - 
+
+## {Task Name}
+
+- **Name**: 
+
+- **Description**: 
+
+- **Module**: 
+
+- **Arguments**:
+
+  - 
+
+- **Registers**: 
+
+- **Conditional**: 
+
+- **Tags**: 
+
+  - 
+
+
+## Variables
+
+The following variables can be customized in this task file:
+
+```yaml
+variable_name: "default_value"
+```
+
+- `variable_name`: Description of the variable.
+
+## Tags
+
+The tasks in this task file are tagged with the following tags:
+
+- 
+
+## Usage
+
+To use this Ansible task file, you can include it in your playbook or role and provide values for the required variables. Here's an example of how you can use this task file:
+
+1. Create a playbook (e.g., `your_playbook.yaml`) and define the necessary variables:
+
+```yaml
+---
+
+- hosts: your_hosts
+  vars:
+    variable_name: "value"
+  
+  tasks:
+    - include_tasks: path/to/task_file.yaml
+```
+
+2. Create a separate file for the task file (e.g., `task_file.yaml`) and copy the content of the task file into it.
+
+3. Run the playbook:
+
+```shell
+ansible-playbook your_playbook.yaml
+```
+
+Make sure to replace the placeholder values (`variable_name`, `value`) with the appropriate values for your setup.
+
+Note: You may need to adjust the playbook structure and additional tasks based on your specific requirements and the tasks you want to execute.

includes/etc/apache2/sites-available/000-default.conf

@@ -1,15 +1,62 @@
 <VirtualHost *:80>
   DocumentRoot /var/www/html/public
 
+  <Location "/plugins/glpiinventory/index.php">
+
+    <If "%{ENV:GLPI_INVENTORY_PATH} != ''">
+
+      <If "%{ENV:GLPI_INVENTORY_AUTH} == ''">
+
+        AuthType Basic
+        AuthName "Restricted Access"
+        AuthUserFile /apache-passwd-glpi-inventory
+        Require valid-user
+
+      </If>
+
+    </If>
+
+  </Location>
+
+
   <Directory /var/www/html/public>
+
     Require all granted
     RewriteEngine On
+
+    # Paths:
+    #  Reference: https://glpi-agent.readthedocs.io/en/latest/configuration.html
+    #  - fusioninventory:                                  /plugins/fusioninventory/
+    #  - Native (non-GlpiInventory plugin):                /front/inventory.php
+    #  - GlpiInventory plugin (Marketplace installed):     /marketplace/glpiinventory/
+    #  - GlpiInventory plugin (plugin folder installed):   /plugins/glpiinventory/
+    #    NOTE: for glpi inventory index.php must be prepended to path so that GUI can still be accessed.
+
+    # Don't provide access to inventory on these paths
+    # ToDo: add inventory path for /plugins/fusioninventory/
+
+    RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/front/inventory.php
+      RewriteCond %{REQUEST_URI} ^/front/inventory.php$
+    RewriteRule ^(.*)$ - [R=404,NC]
+
+    RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/plugins/glpiinventory/
+      RewriteCond %{REQUEST_URI} /plugins/glpiinventory
+      RewriteCond %{REQUEST_URI} !/plugins/glpiinventory/front/
+    RewriteRule ^(.*)$ - [R=404,NC]
+
+    RewriteCond %{ENV:GLPI_INVENTORY_PATH} !/marketplace/glpiinventory/
+      RewriteCond %{REQUEST_URI} /marketplace/glpiinventory
+      RewriteCond %{REQUEST_URI} !/marketplace/glpiinventory/front/
+    RewriteRule ^(.*)$ - [R=404,NC]
+
+
     RewriteCond %{REQUEST_FILENAME} !-f
-  
     RewriteRule ^(.*)$ index.php [QSA,L]
+
   </Directory>
 
   ErrorLog /var/log/apache2/error-glpi.log
   LogLevel warn
   CustomLog /var/log/apache2/access-glpi.log combined
+
 </VirtualHost>

mkdocs.yml

@@ -0,0 +1,30 @@
+INHERIT: website-template/mkdocs.yml
+
+docs_dir: 'docs'
+
+repo_name: Docker GLPI
+repo_url: https://gitlab.com/nofusscomputing/projects/docker-glpi
+edit_uri: '/-/ide/project/nofusscomputing/projects/docker-glpi/edit/development/-/docs/'
+
+nav:
+- Home: index.md
+
+- Articles: 
+
+  - articles/index.md
+
+- Projects: 
+
+  - projects/index.md
+
+  - GLPI Docker:
+
+    - projects/glpi/index.md
+
+
+- Operations: 
+
+  - operations/index.md
+
+- Contact Us: contact.md
+