enh(apps::monitoring::zscaler::zdx::api): adapt to OneAPI authentication (#6094)

Co-authored-by: Sylvain Cresto <scresto@centreon.com>
Refs: CTOR-2251

Author: omercier

.github/docker/unit-tests/Dockerfile.unit-tests-alma10

@@ -3,7 +3,6 @@ ARG REGISTRY_URL=docker.io
 FROM ${REGISTRY_URL}/almalinux:10
 
 RUN bash -e <<EOF
-
 dnf install -y 'dnf-command(config-manager)' epel-release zstd jq
 dnf config-manager --set-enabled crb
 
@@ -12,25 +11,25 @@ cat > /etc/yum.repos.d/centreon-plugins.repo <<'REPOEOF'
 [centreon-plugins-stable]
 name=centreon plugins stable x86_64
 baseurl=https://packages.centreon.com/rpm-plugins/el10/stable/x86_64
-enabled=0
+enabled=1
 gpgcheck=1
 gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES
 [centreon-plugins-stable-noarch]
 name=centreon plugins stable noarch
 baseurl=https://packages.centreon.com/rpm-plugins/el10/stable/noarch
-enabled=0
+enabled=1
 gpgcheck=1
 gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES
 [centreon-plugins-testing]
 name=centreon plugins testing x86_64
 baseurl=https://packages.centreon.com/rpm-plugins/el10/testing/x86_64
-enabled=0
+enabled=1
 gpgcheck=1
 gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES
 [centreon-plugins-testing-noarch]
 name=centreon plugins testing noarch
 baseurl=https://packages.centreon.com/rpm-plugins/el10/testing/noarch
-enabled=0
+enabled=1
 gpgcheck=1
 gpgkey=https://yum-gpg.centreon.com/RPM-GPG-KEY-CES
 [centreon-plugins-unstable]

.github/docker/unit-tests/Dockerfile.unit-tests-trixie

@@ -18,9 +18,9 @@ ENV LANG=en_US.utf8
 
 RUN bash -e <<EOF
 # Add Centreon plugins repositories
-#echo "deb https://packages.centreon.com/apt-plugins-stable/ trixie main" | tee /etc/apt/sources.list.d/centreon-plugins.list
-#echo "deb https://packages.centreon.com/apt-plugins-testing/ trixie main" | tee -a /etc/apt/sources.list.d/centreon-plugins.list
-#echo "deb https://packages.centreon.com/apt-plugins-unstable/ trixie main" | tee -a /etc/apt/sources.list.d/centreon-plugins.list
+echo "deb https://packages.centreon.com/apt-plugins-stable/ trixie main" | tee /etc/apt/sources.list.d/centreon-plugins.list
+echo "deb https://packages.centreon.com/apt-plugins-testing/ trixie main" | tee -a /etc/apt/sources.list.d/centreon-plugins.list
+echo "deb https://packages.centreon.com/apt-plugins-unstable/ trixie main" | tee -a /etc/apt/sources.list.d/centreon-plugins.list
 echo "deb https://packages.centreon.com/apt-plugins-unstable/ trixie main" | tee a /etc/apt/sources.list.d/centreon-plugins.list
 wget -O- https://apt-key.centreon.com | gpg --dearmor | tee /etc/apt/trusted.gpg.d/centreon.gpg > /dev/null 2>&1
 apt-get update

.github/packaging/centreon-plugin.yaml.template

@@ -55,6 +55,7 @@ overrides:
       perl(lib),
       perl(sort),
       perl(String::ShellQuote),
+      perl(Digest::SHA),
       tzdata,
       @RPM_DEPENDENCIES@
     ]
@@ -84,6 +85,7 @@ overrides:
       libdatetime-perl,
       libxml-libxml-perl,
       libstring-shellquote-perl,
+      libdigest-sha-perl,
       tzdata,
       @DEB_DEPENDENCIES@
     ]

packaging/centreon-plugin-Applications-Monitoring-Zscaler-Zdx-Api/rpm.json

@@ -1,5 +1,6 @@
 {
     "dependencies": [
-        "perl(DateTime)"
+        "perl(DateTime)",
+        "perl(URI::Escape)"
     ]
 }

src/apps/monitoring/zscaler/zdx/api/custom/api.pm

@@ -25,12 +25,13 @@ use warnings;
 use centreon::plugins::http;
 use centreon::plugins::statefile;
 use DateTime;
-use Digest::MD5 qw(md5_hex);
+use URI::Escape;
+use Digest::SHA qw(sha256_hex);
 use centreon::plugins::misc qw(json_decode is_empty value_of is_excluded);
 
 sub new {
     my ($class, %options) = @_;
-    my $self  = {};
+    my $self = {};
     bless $self, $class;
 
     if (!defined($options{output})) {
@@ -41,23 +42,24 @@ sub new {
         $options{output}->add_option_msg(short_msg => "Class Custom: Need to specify 'options' argument.");
         $options{output}->option_exit();
     }
-    
+
     if (!defined($options{noptions})) {
         $options{options}->add_options(arguments => {
-            'key-id:s'     => { name => 'key_id', default => '' },
-            'key-secret:s' => { name => 'key_secret', default => '' },
-            'api-path:s'   => { name => 'api_path', default => '/v1' },
-            'hostname:s'   => { name => 'hostname', default => 'api.zdxcloud.net' },
-            'port:s'       => { name => 'port', default => 443 },
-            'proto:s'      => { name => 'proto', default => 'https' },
-            'timeout:s'    => { name => 'timeout', default => 10 }
+            'auth-url:s'      => { name => 'auth_url', default => '' },
+            'client-id:s'     => { name => 'client_id', default => '' },
+            'client-secret:s' => { name => 'client_secret', default => '' },
+            'api-path:s'      => { name => 'api_path', default => '/zdx/v1' },
+            'hostname:s'      => { name => 'hostname', default => 'api.zsapi.net' },
+            'port:s'          => { name => 'port', default => 443 },
+            'proto:s'         => { name => 'proto', default => 'https' },
+            'timeout:s'       => { name => 'timeout', default => 10 }
         });
     }
     $options{options}->add_help(package => __PACKAGE__, sections => 'REST API OPTIONS', once => 1);
 
     $self->{output} = $options{output};
-    $self->{http} = centreon::plugins::http->new(%options, default_backend => 'curl');
-    $self->{cache} = centreon::plugins::statefile->new(%options);
+    $self->{http}   = centreon::plugins::http->new(%options, default_backend => 'curl');
+    $self->{cache}  = centreon::plugins::statefile->new(%options);
 
     return $self;
 }
@@ -70,14 +72,13 @@ sub get_token {
     $self->settings();
 
     my $has_cache_file = $self->{cache}->read(
-            statefile => 'zdx_token_' . md5_hex(
-                    $self->{hostname}
-                    . ':' . $self->{port}
-                    . '_' . $self->{key_id})
+        statefile => 'zdx_token_' . sha256_hex(
+            $self->{auth_url}
+                . '_' . $self->{client_id})
     );
     # return token stored in cache if exists after checking it is still valid
     if ($has_cache_file) {
-        my $expiration      = $self->{cache}->get(name => 'expiration');
+        my $expiration = $self->{cache}->get(name => 'expiration');
         if (defined($expiration) && $expiration > time() + 60) {
             $self->{token}      = $self->{cache}->get(name => 'token');
             $self->{token_type} = $self->{cache}->get(name => 'token_type');
@@ -89,17 +90,22 @@ sub get_token {
     # if we do not have a token or if it has to be renewed
     my $content = $self->{http}->request(
         method          => 'POST',
-        url_path        => '/v1/oauth/token',
-        query_form_post => '{"key_id": "' . $self->{key_id} . '", "key_secret": "' . $self->{key_secret} . '"}',
-
+        full_url        => $self->{auth_url},
+        header          => [ 'Content-Type: application/x-www-form-urlencoded' ],
+        query_form_post => "grant_type=client_credentials&client_id=" . uri_escape($self->{client_id})
+            . "&client_secret=" . uri_escape($self->{client_secret}),
     );
     my $decoded_content = json_decode($content, output => $self->{output});
 
-    $self->{output}->option_exit(short_msg => "No token found in '$content'") unless ($decoded_content->{token});
-    $self->{token} = $decoded_content->{token};
-    $self->{token_type} = $decoded_content->{token_type};
+    $self->{output}->option_exit(short_msg => "No token found in '$content'")
+        unless ($decoded_content->{access_token} || $decoded_content->{token});
+    # store in $self for further requests
+    $self->{token}      = $decoded_content->{access_token} // $decoded_content->{token};
+    $self->{token_type} = $decoded_content->{token_type} // 'Bearer';
+    # store in cache for further executions
     $self->{http}->add_header(key => 'Authorization', value => $self->{token_type} . ' ' . $self->{token});
-    $self->{cache}->write(data => { token => $decoded_content->{token}, token_type => $decoded_content->{token_type}, expiration => ($decoded_content->{expires_in} + time()) });
+    $self->{cache}->write(data => { token => $self->{token}, token_type => $self->{token_type}, expiration => ($decoded_content->{expires_in} + time()) });
+
     return $self->{token};
 }
 
@@ -120,7 +126,7 @@ sub build_location_filters {
     # if location filters are provided, get the list of location ids
     my $locations = $self->get_locations(%options);
     # $locations points to an array of {id, name}
-    return { loc => [map { $_->{id}} @$locations] };
+    return { loc => [ map {$_->{id}} @$locations ] };
 }
 
 sub get_unique_app {
@@ -129,24 +135,26 @@ sub get_unique_app {
     my $content = $self->{http}->request(
         method     => 'GET',
         get_params => $self->{get_params},
+        unknown_status => "%{http_code} < 200 or %{http_code} > 404",
         url_path   => $self->{option_results}->{api_path} . '/apps/' . $options{application_id}
     );
     my $app = json_decode($content, output => $self->{output});
+
     return {
-        id          => $app->{id},
-        name        => $app->{name},
-        score       => $app->{score},
-        total_users => $app->{stats}->{active_users}
+        id          => $app->{id} // $options{application_id},
+        name        => $app->{name} // "not found",
+        score       => $app->{score} // -1,
+        total_users => $app->{stats}->{active_users} // 0
     }
 }
 
 sub get_unique_app_metrics {
     my ($self, %options) = @_;
 
-    my $to = time();
-    my $get_params = { %{ $self->{get_params}} };
+    my $to              = time();
+    my $get_params      = { %{$self->{get_params}} };
     $get_params->{from} = $to - 60 * ($options{max_metrics_age} // 20);
-    $get_params->{to} = $to;
+    $get_params->{to}   = $to;
 
     my $content = $self->{http}->request(
         method     => 'GET',
@@ -183,6 +191,7 @@ sub get_unique_app_metrics {
         }
     }
 
+
     return $data;
 }
 
@@ -221,6 +230,12 @@ sub get_apps {
             total_users => $app->{total_users}
         };
     }
+    push @stats, {
+            id          => $options{application_id} // -1,
+            name        => $options{include_application_name} //"not found",
+            score       => -1,
+            total_users => 0
+        } unless @stats;
 
     return \@stats;
 }
@@ -232,8 +247,8 @@ sub get_locations {
 
     # get all locations and check which ones match the filters
     my $locations_json = $self->{http}->request(
-        method     => 'GET',
-        url_path   => $self->{option_results}->{api_path} . '/administration/locations/'
+        method   => 'GET',
+        url_path => $self->{option_results}->{api_path} . '/administration/locations/'
     );
     my $locations = json_decode($locations_json, output => $self->{output});
 
@@ -246,8 +261,8 @@ sub get_locations {
             $options{exclude_location_name});
 
         push @result, {
-            id          => $loc->{id},
-            name        => $loc->{name},
+            id   => $loc->{id},
+            name => $loc->{name},
         };
     }
 
@@ -256,13 +271,28 @@ sub get_locations {
 
 sub set_defaults {}
 
+sub from_fqdn_to_url {
+    my $input = shift;
+    # remove trailing /
+    $input =~ s/\/$//;
+    # if url is already complete, return
+    return $input if $input =~ /^https?:\/\/[\w\.:]+\/.+$/;
+    # add default auth path if nothing after fqdn
+    $input .= "/oauth2/v1/token" if $input =~ /^(https?:\/\/)?[\w\.:]+$/;
+    # add default auth proto if no proto given
+    $input = "https://" . $input if $input !~ /^https?:\/\//;
+    return $input;
+}
+
 sub check_options {
     my ($self, %options) = @_;
 
-    $self->{$_} = $self->{option_results}->{$_} foreach qw(hostname port proto api_path timeout key_id key_secret );
+    $self->{$_} = $self->{option_results}->{$_} foreach qw(hostname port proto timeout auth_url api_path client_id client_secret);
+    $self->{output}->option_exit(short_msg => "Mandatory option 'auth-url' is missing for OneAPI authentication.") if ($self->{auth_url} eq '');
 
-    foreach (qw(key_id key_secret)) {
-        $self->{output}->option_exit(short_msg => "Mandatory option '$_' is missing.") if ($self->{$_} eq '');
+    $self->{auth_url} = from_fqdn_to_url($self->{auth_url});
+    foreach (qw(client_id client_secret)) {
+        $self->{output}->option_exit(short_msg => "Mandatory option '$_' is missing for OneAPI authentication.") if ($self->{$_} eq '');
         $self->{output}->option_exit(short_msg => "Option '$_' contains illegal characters.") if ($self->{$_} =~ /([\b\f\n\r\t\"\\]+)/);
     }
 
@@ -274,9 +304,7 @@ sub check_options {
 sub settings {
     my ($self, %options) = @_;
 
-    #$self->build_options_for_httplib();
     $self->{http}->add_header(key => 'Accept', value => 'application/json');
-    $self->{http}->add_header(key => 'Content-Type', value => 'application/json');
     $self->{http}->set_options(%{$self->{option_results}});
 }
 
@@ -298,29 +326,37 @@ Zscaler Digital Experience (ZDX) Rest API
 
 =over 8
 
+=item B<--auth-url>
+
+Authentication URL (or FQDN) to get a token from (mandatory).
+
+Depends on your Zscaler customer name.
+
+Example: C<https://company-name.zslogin.net/oauth2/v1/token> or C<company-name.zslogin.net>.
+
 =item B<--hostname>
 
-ZDX API hostname (default: C<api.zdxcloud.net>)
+API URL (default: C<api.zsapi.net>). You should not need to change it.
 
 =item B<--port>
 
-API port (default: 443)
+API port (default: 443).
 
 =item B<--proto>
 
-Specify http if needed (default: 'https')
+Specify http if needed (default: 'https').
 
 =item B<--api-path>
 
-API URL path (default: '/api')
+API URL path (default: '/zdx/v1')
 
-=item B<--key-id>
+=item B<--client-id>
 
-Key ID (see L<here|https://help.zscaler.com/zdx/managing-zdx-api-keys> for more details).
+Client ID for OneAPI authentication (see https://help.zscaler.com/zidentity/understanding-oneapi-authentication for more details).
 
-=item B<--key-secret>
+=item B<--client-secret>
 
-Key secret (see L<here|https://help.zscaler.com/zdx/managing-zdx-api-keys> for more details).
+Client secret for OneAPI authentication (see https://help.zscaler.com/zidentity/understanding-oneapi-authentication for more details).
 
 =item B<--timeout>
 

src/apps/monitoring/zscaler/zdx/api/plugin.pm

@@ -31,9 +31,9 @@ sub new {
 
     $self->{version} = '0.1';
     $self->{modes} = {
-        'application' => 'apps::monitoring::zscaler::zdx::api::mode::application',
-        'discovery'   => 'apps::monitoring::zscaler::zdx::api::mode::discovery',
-        'list-locations'    => 'apps::monitoring::zscaler::zdx::api::mode::listlocations',
+        'application'    => 'apps::monitoring::zscaler::zdx::api::mode::application',
+        'discovery'      => 'apps::monitoring::zscaler::zdx::api::mode::discovery',
+        'list-locations' => 'apps::monitoring::zscaler::zdx::api::mode::listlocations',
     };
     $self->{custom_modes}->{api} = 'apps::monitoring::zscaler::zdx::api::custom::api';
     return $self;

tests/apps/monitoring/zscaler/zdx/api/application.robot

@@ -11,13 +11,14 @@ Test Timeout        120s
 *** Variables ***
 ${MOCKOON_JSON}     ${CURDIR}${/}mockoon.json
 ${CMD}              ${CENTREON_PLUGINS}
-...         --plugin=apps::monitoring::zscaler::zdx::api::plugin
-...         --mode=application
-...         --hostname=${HOSTNAME}
-...         --port=${APIPORT}
-...         --proto=http
-...         --key-id=1
-...         --key-secret=1
+...                 --plugin=apps::monitoring::zscaler::zdx::api::plugin
+...                 --mode=application
+...                 --hostname=${HOSTNAME}
+...                 --port=${APIPORT}
+...                 --proto=http
+...                 --client-id=1
+...                 --client-secret=1
+...                 --auth-url=http://${HOSTNAME}:${APIPORT}/oauth2/v1/token
 
 
 *** Test Cases ***