@trasherdk
Forked from dalen/authproxy.erb
Created October 28, 2021 04:08
PuppetDB filtering proxy. Requires jq 1.3+ and mod_ext_filter in Apache.
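# PuppetDB filtering reverse proxy (ERB template: @fqdn is filled in by Puppet).
# Terminates TLS with the Puppet host certificate, authenticates callers by their
# Puppet-CA-issued client certificate, proxies a read-only allowlist of PuppetDB
# endpoints to the plain-HTTP backend, and rewrites JSON responses with
# mod_ext_filter + jq so a node cannot read other nodes' resource parameters or
# per-node records. Every path not listed below is denied.
# Requires mod_ssl, mod_proxy/mod_proxy_http, mod_ext_filter and jq 1.3+.
# NOTE(review): the backend (ProxyPass below) and this listener both use port
# 8080; they must be bound to different addresses -- confirm against the
# PuppetDB configuration.
Listen 8080
# Deprecated and ignored (with a warning) on httpd 2.4; still needed on 2.2.
NameVirtualHost *:8080
<VirtualHost *:8080>
  ServerName <%= @fqdn %>:8080

  SSLEngine on
  # SSLv2 and SSLv3 are broken (DROWN, POODLE). "all -..." keeps every TLS
  # version the running mod_ssl supports instead of pinning SSLv3+TLSv1 only.
  SSLProtocol all -SSLv2 -SSLv3
  # !aNULL drops every anonymous suite (the former !ADH left anonymous ECDH
  # enabled); no NULL, RC4, RC2, LOW or export ciphers. MEDIUM is kept so
  # older Puppet agents can still connect.
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!LOW:!EXP:!RC2
  # Use the server's preference order rather than the client's.
  SSLHonorCipherOrder on
  # Puppet's own PKI: host key/cert, the Puppet CA as trust anchor, and its CRL.
  SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
  SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
  SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
  # Revoked agent certificates must be rejected. On httpd 2.4 this file is only
  # consulted when SSLCARevocationCheck is also set (its default is "none").
  SSLCARevocationFile /var/lib/puppet/ssl/crl.pem
  # +StdEnvVars exports SSL_CLIENT_S_DN_CN (the agent's certname), which the
  # jq filters below rely on. +FakeBasicAuth only has an effect if Basic auth
  # is configured, which it is not here.
  SSLOptions +StdEnvVars +FakeBasicAuth
  # Vhost-wide default: ask for a client certificate but do not insist. Each
  # endpoint below that must be node-authenticated overrides this with "require".
  SSLVerifyClient optional

  # Reverse proxy only: never act as a forward (open) proxy. Off is the
  # default; stated explicitly so the intent survives later edits.
  ProxyRequests Off
  <Proxy *>
    Order Allow,Deny
    Allow from all
  </Proxy>
  ProxyPreserveHost On

  # Default-deny: a request is refused unless a more specific <Location> below
  # allows it; allowed requests are proxied to the plain-HTTP PuppetDB backend.
  # (Order/Allow/Deny need mod_access_compat on httpd 2.4.)
  <Location "/">
    # Log the filter programs' stderr so a failing jq shows up in the error log.
    ExtFilterOptions LogStderr
    ProxyPass http://localhost:8080/
    ProxyPassReverse http://localhost:8080/
    Deny from all
  </Location>

  # Response filters (mod_ext_filter + jq). Each runs only on application/json
  # bodies: if the backend answers with another Content-Type the body passes
  # through unfiltered, so intype must match what PuppetDB actually sends.
  # NOTE(review): confirm what mod_ext_filter does when jq exits non-zero or
  # cannot start; the proxy should fail closed (empty body), not pass data
  # through.

  # Strip parameters from every resource. (Defined; not applied below.)
  ExtFilterDefine resources-remove-parameters mode=output \
    intype=application/json outtype=application/json \
    cmd="/usr/bin/jq map(.parameters={})"
  # Strip parameters from resources that are not exported; exported resources
  # are meant to be collected by other nodes, so their parameters stay visible.
  ExtFilterDefine resources-remove-parameters-nonexported mode=output \
    intype=application/json outtype=application/json \
    cmd="/usr/bin/jq map(if\ .exported\ then\ .\ else\ .parameters={}\ end)"
  # Drop resources that are not exported. The previous program was a copy of
  # resources-remove-parameters and only emptied the parameters instead of
  # removing the records. (Defined; not applied below.)
  ExtFilterDefine resources-remove-nonexported mode=output \
    intype=application/json outtype=application/json \
    cmd="/usr/bin/jq map(select(.exported))"
  # Keep a catalog only if its .data.name is the requesting node's certname.
  # The certname comes from SSL_CLIENT_S_DN_CN via /bin/sh, hence the "sh -c"
  # wrapper. The CN is spliced into the jq program text, so a CN containing a
  # double quote would alter the program; the Puppet CA controls certnames,
  # but passing the value with `jq --arg` would remove that dependency.
  # NOTE(review): httpd 2.4 attempts ${VAR} substitution at config-parse time;
  # verify that the literal "${SSL_CLIENT_S_DN_CN}" reaches the shell unchanged.
  # (Defined; not applied below -- see the catalogs endpoint.)
  ExtFilterDefine catalog-remove-nonself mode=output \
    intype=application/json outtype=application/json \
    cmd="/bin/sh -c /usr/bin/jq\ \"select(.data.name==\\\"${SSL_CLIENT_S_DN_CN}\\\")\""
  # Strip parameters from every resource inside a catalog record.
  ExtFilterDefine catalog-remove-resource-parameters mode=output \
    intype=application/json outtype=application/json \
    cmd="/usr/bin/jq .data.resources=(.data.resources|map(.parameters={}))"
  # Keep only array records whose certname is the requesting node (reports,
  # events). Same CN-interpolation caveat as catalog-remove-nonself.
  ExtFilterDefine remove-nonself mode=output \
    intype=application/json outtype=application/json \
    cmd="/bin/sh -c /usr/bin/jq\ \"map(select(.certname==\\\"${SSL_CLIENT_S_DN_CN}\\\"))\""

  # Endpoint allowlist. Every regex is anchored at the start of the path. The
  # originals were substring matches, and the "/$" alternative of the dashboard
  # section matched any path ending in "/": <Location> sections merge in file
  # order with later ones overriding earlier ones, so that last section
  # downgraded e.g. /v3/server-time/ and /v3/event-counts/ from
  # "SSLVerifyClient require" to "optional".

  # Resource endpoints: any authenticated node may query, but only exported
  # resources keep their parameters.
  <Location ~ "^/(resources|v\d+/resources|v\d+/nodes/.*/resources)">
    SetOutputFilter resources-remove-parameters-nonexported
    SSLVerifyClient require
    Allow from all
  </Location>
  # Node endpoints (node list and per-node sub-resources; the resource and fact
  # sections add their own filters where they also match).
  <Location ~ "^/(nodes|v\d+/nodes)">
    SSLVerifyClient require
    Allow from all
  </Location>
  # Fact endpoints. Facts of every node are readable by any authenticated node.
  <Location ~ "^/(facts|v\d+/nodes/.*/facts)">
    SSLVerifyClient require
    Allow from all
  </Location>
  # Catalog endpoints: resource parameters are stripped, but any authenticated
  # node may fetch any node's catalog. Apply catalog-remove-nonself here as
  # well if catalogs should be limited to the requesting node.
  <Location ~ "^/(catalogs|v\d+/catalogs/)">
    SetOutputFilter catalog-remove-resource-parameters
    SSLVerifyClient require
    Allow from all
  </Location>
  # Report endpoints: only the requesting node's own reports are returned.
  <Location ~ "^/(experimental/reports|v\d+/reports)">
    SetOutputFilter remove-nonself
    SSLVerifyClient require
    Allow from all
  </Location>
  # Event endpoints: only the requesting node's own events are returned.
  <Location ~ "^/(experimental/events|v\d+/events)">
    SetOutputFilter remove-nonself
    SSLVerifyClient require
    Allow from all
  </Location>
  # Event-count endpoints (no per-node filtering is applied).
  <Location ~ "^/v\d+/event-counts/">
    SSLVerifyClient require
    Allow from all
  </Location>
  # Aggregate event-count endpoints (no per-node filtering is applied).
  <Location ~ "^/v\d+/aggregate-event-counts/">
    SSLVerifyClient require
    Allow from all
  </Location>
  # Server time endpoints.
  <Location ~ "^/v\d+/server-time/">
    SSLVerifyClient require
    Allow from all
  </Location>
  # Metrics endpoints: reachable without a client certificate, i.e. by anyone
  # who can reach port 8080. Tighten to "require" if anonymous access is not
  # needed (the dashboard may depend on it -- check before changing).
  <Location ~ "^/(metrics/|v\d+/metrics/)">
    SSLVerifyClient optional
    Allow from all
  </Location>
  # Dashboard, favicon, root and version: anonymous. "^/$" matches the root
  # path only.
  <Location ~ "^/($|dashboard/|favicon\.ico$|v\d+/version)">
    SSLVerifyClient optional
    Allow from all
  </Location>
</VirtualHost>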