Add API restrictions

2.9.2/conf/ocsinventory-restapi-restricted.conf

@@ -0,0 +1,28 @@
+PerlOptions +Parent
+
+<Perl>
+  $ENV{PLACK_ENV} = 'production';
+  $ENV{MOJO_HOME} = 'REST_API_PATH';
+  $ENV{MOJO_MODE} = 'deployment';
+  $ENV{OCS_DB_HOST} = 'DATABASE_SERVER';
+  $ENV{OCS_DB_PORT} = 'DATABASE_PORT';
+  $ENV{OCS_DB_LOCAL} = 'DATABASE_NAME';
+  $ENV{OCS_DB_USER} = 'DATABASE_USER';
+  $ENV{OCS_DB_PWD} = 'DATABASE_PASSWD';
+  $ENV{OCS_DB_SSL_ENABLED} = OCS_SSL_ENABLED;
+#  $ENV{OCS_DB_SSL_CLIENT_KEY} = '';
+#  $ENV{OCS_DB_SSL_CLIENT_CERT} = '';
+#  $ENV{OCS_DB_SSL_CA_CERT} = '';
+  $ENV{OCS_DB_SSL_MODE} = 'SSL_MODE_PREFERRED';
+</Perl>
+
+<Location /ocsapi>
+  SetHandler perl-script
+  PerlResponseHandler Plack::Handler::Apache2
+  PerlSetVar psgi_app 'REST_API_LOADER_PATH'
+  # API access security
+  AuthType Basic
+  AuthName "OCS API Access"
+  AuthUserFile /etc/apache2/conf-available/.htaccess
+  Require valid-user
+</Location>

2.9.2/docker-compose.yml

@@ -13,6 +13,7 @@ services:
       - "ocsreportsdata:/usr/share/ocsinventory-reports/ocsreports/extensions"
       - "varlibdata:/var/lib/ocsinventory-reports"
       - "httpdconfdata:/etc/apache2/conf-available"
+      - "ssldata:/un/path/a/mettre"
     environment:
       OCS_DB_SERVER: ocsinventory-db
       OCS_DB_USER: ocsuser
@@ -20,6 +21,10 @@ services:
       OCS_DB_NAME: ocsweb
       # See documentation to set up SSL for MySQL
       OCS_SSL_ENABLED: 0
+      # Uncomment to restrict API Access
+      OCS_API_RESTRICTED: ENABLED
+      OCS_API_USER: ocsapi
+      OCS_API_PASS: ocsapi
     links:
       - ocsdb
     networks:
@@ -52,5 +57,6 @@ volumes:
   ocsreportsdata:
   varlibdata:
   httpdconfdata:
+  ssldata:
   sqldata:
   

2.9.2/scripts/docker-entrypoint.sh

@@ -85,15 +85,20 @@ fi
 
 # Configure zz-ocsinventory-restapi file
 if [ ! -f ${API_CONF_FILE} ] && [ -z ${OCS_DISABLE_API_MODE+x} ]; then
-    cp /tmp/conf/ocsinventory-restapi.conf ${API_CONF_FILE}
+	if [ -z ${OCS_API_RESTRICTED+x} ]; then
-       sed -i 's/DATABASE_SERVER/'"$OCS_DB_SERVER"'/g' ${API_CONF_FILE}
+		cp /tmp/conf/ocsinventory-restapi.conf ${API_CONF_FILE}
-       sed -i 's/DATABASE_PORT/'"$OCS_DB_PORT"'/g' ${API_CONF_FILE}
+	else
-       sed -i 's/DATABASE_NAME/'"$OCS_DB_NAME"'/g' ${API_CONF_FILE}
+		cp /tmp/conf/ocsinventory-restapi-restricted.conf ${API_CONF_FILE}
-       sed -i 's/DATABASE_USER/'"$OCS_DB_USER"'/g' ${API_CONF_FILE}
+		htpasswd -cb /etc/apache2/conf-available/.htaccess ${OCS_API_USER} ${OCS_API_PASS}
-       sed -i 's/DATABASE_PASSWD/'"$OCS_DB_PASS"'/g' ${API_CONF_FILE}
+	fi
-       sed -i 's/OCS_SSL_ENABLED/'"$OCS_SSL_ENABLED"'/g' ${API_CONF_FILE}
+	sed -i 's/DATABASE_SERVER/'"$OCS_DB_SERVER"'/g' ${API_CONF_FILE}
-       sed -i 's/REST_API_PATH/'"${API_ROUTE//\//\\/}"'/g' ${API_CONF_FILE}
+	sed -i 's/DATABASE_PORT/'"$OCS_DB_PORT"'/g' ${API_CONF_FILE}
-       sed -i 's/REST_API_LOADER_PATH/'"${API_ROUTE_LOADER//\//\\/}"'/g' ${API_CONF_FILE}
+	sed -i 's/DATABASE_NAME/'"$OCS_DB_NAME"'/g' ${API_CONF_FILE}
+	sed -i 's/DATABASE_USER/'"$OCS_DB_USER"'/g' ${API_CONF_FILE}
+	sed -i 's/DATABASE_PASSWD/'"$OCS_DB_PASS"'/g' ${API_CONF_FILE}
+	sed -i 's/OCS_SSL_ENABLED/'"$OCS_SSL_ENABLED"'/g' ${API_CONF_FILE}
+	sed -i 's/REST_API_PATH/'"${API_ROUTE//\//\\/}"'/g' ${API_CONF_FILE}
+	sed -i 's/REST_API_LOADER_PATH/'"${API_ROUTE_LOADER//\//\\/}"'/g' ${API_CONF_FILE}
 fi
 
 # Replace Variables
@@ -125,6 +130,7 @@ fi
 
 # Generate dbconfig.inc.php
 if [ ! -f ${DB_CONFIG_INC_FILE} ] && [ -z ${OCS_DISABLE_WEB_MODE+x} ]; then
+
 	cp /tmp/conf/dbconfig.inc.php $OCS_WEBCONSOLE_DIR/ocsreports
 	sed -i 's/OCS_DB_NAME/'"$OCS_DB_NAME"'/g' ${DB_CONFIG_INC_FILE}
 	sed -i 's/OCS_READ_NAME/'"$OCS_DB_SERVER"'/g' ${DB_CONFIG_INC_FILE}