feat: add userlist

CHANGELOG.md

@@ -7,6 +7,7 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
 
 ### Added
 
+- add userlist
 - can specify the haproxy repository
 - add resolvers configuration
 - add debian11 support

README.md

@@ -138,6 +138,16 @@ Install and configure haproxy
     - 8.8.8.8
 ```
 
+- `haproxy_userlists` - hash with the userlist for basic auth
+
+```
+  restricted:
+    group:
+      - admin
+    user:
+      - admin password 84375611a53741f7e94b09eb49127f41 groups admin
+```
+
 - `haproxy_ssl_certificates` - hash with ssl certificates to copy
 
 ```

defaults/main.yml

@@ -61,3 +61,4 @@ haproxy_backends: {}
 haproxy_ssl_certificates: {}
 haproxy_ips_lists: {}
 haproxy_resolvers: {}
+haproxy_userlists: {}

molecule/default/converge.yml

@@ -15,6 +15,12 @@
     haproxy_resolvers:
       dns:
         nameserver: dns1 127.0.0.1:53
+    haproxy_userlists:
+      restricted:
+        group:
+          - admin
+        user:
+          - admin insecure-password password groups admin
     haproxy_frontends:
       main:
         bind:
@@ -37,6 +43,11 @@
           - acl_test1-https hdr(host) test1.example.net
           - acl_test2-https hdr(host) test2.example.net
           - acl_blacklist src -f /etc/haproxy/blacklist.list
+          - acl_auth_path path -i /auth/
+          - acl_auth http_auth(restricted)
+        http-request:
+          - auth realm restricted if acl_auth_path !acl_auth
+          - return status 200 content-type "text/plain" string "Good" if acl_auth_path
         use_backend:
           - backend-test-https if acl_test1-https
           - backend-test-resolver if acl_test2-https

molecule/default/tests/test_default.py

@@ -41,3 +41,11 @@ def test_sockets(host):
   for port in [80, 5000]:
     socket = host.socket('tcp://0.0.0.0:%d' % (port))
     assert socket.is_listening
+
+def test_auth(host):
+  cmd = host.run('curl -v -u admin:password http://127.0.0.1/auth/')
+  assert cmd.succeeded
+  assert cmd.stdout == 'Good'
+  cmd = host.run('curl -v -u admin:badpassword http://127.0.0.1/auth/')
+  assert cmd.succeeded
+  assert '401 Unauthorized' in cmd.stdout

templates/haproxy.cfg.j2

@@ -52,11 +52,24 @@ resolvers {{ resolver }}
 	{{ key }} {{ value }}
 {% endif %}
 {% endfor %}
+
+{% endfor %}
+{% for userlist, config in haproxy_userlists.items() %}
+userlist {{ userlist }}
+{% for key, value in config.items() %}
+{% if value is iterable and value is not string %}
+{% for option in value %}
+       {{ key }} {{ option }}
+{% endfor %}
+{% else %}
+       {{ key }} {{ value }}
+{% endif %}
 {% endfor %}
 
+{% endfor %}
 {% for frontend, config in haproxy_frontends.items() %}
 frontend {{ frontend }}
-{% for key, value in config.items()|sort if key != 'acl' and key != 'use_backend' %}
+{% for key, value in config.items() %}
 {% if key == "bind" %}
 	bind {{ value["ip"] }}:{{ value["port"] }}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {{ value["ssl"]["crt"] }}{% endif %}
 {% endif %}
@@ -69,16 +82,6 @@ frontend {{ frontend }}
 	{{ key }} {{ value }}
 {% endif %}
 {% endfor %}
-{% if 'acl' in config %}
-{% for option in config['acl'] %}
-	acl {{ option }}
-{% endfor %}
-{% endif %}
-{% if 'use_backend' in config %}
-{% for option in config['use_backend'] %}
-	use_backend {{ option }}
-{% endfor %}
-{% endif %}
 
 {% endfor %}