Refactor and enhance Zabbix API interaction. (#1111)

* Handle Zabbix API exceptions and improve error reporting.

Add explicit handling for ZabbixAPIException by re-raising it when necessary. Additionally, improve error handling throughout by capturing exceptions, processing them with the `error()` method, and returning a well-structured Result object to ensure robustness and better debugging.

* Add support for bearer token authentication in Zabbix server

This update introduces a check for the authentication type, adding support for bearer token authentication alongside basic authentication. An exception is raised for invalid authentication methods, ensuring better error handling and robustness.

* Ensure Zabbix API URL is correctly formatted.

Added a conditional check to append '/api_jsonrpc.php' to the server URL only if it's not already included. This ensures compatibility with servers using preformatted URLs and avoids redundant suffixes.

* Add bearer token authentication support to Zabbix API

Refactors `login`, `test_login`, and `logged_in` methods to handle bearer tokens as an alternative authentication method. This improves flexibility and extends the API to support token-based authentication in addition to traditional user/password schemes. Also includes minor fixes like correcting a typo in exceptions.

* Refactor Zabbix API request handling for better clarity

Enhanced error handling, modularized header preparation and URL opener creation, and improved method documentation. This ensures more robust and maintainable interactions with the Zabbix API.

* Add authentication property initialization in Zabbix server

This change introduces the initialization of the `authentication` property using the server configuration. It ensures the Zabbix server object has the necessary authentication data available for further operations.

* Add new event actions and error handling for Zabbix API

Expanded event actions to include suppression and rank changes. Introduced error handling for blocked or incorrect credentials in the `event.acknowledge` API call to improve robustness.

* Fix error handling in Zabbix server login and acknowledgment

Enhanced error handling during login by catching exceptions and logging errors. Prevent execution continuation if login fails and ensure proper response for authentication issues.

---------

Co-authored-by: Kimmig, Simon - D0242573 <simon.kimmig@dm.de>

Author: Simkimdm

Nagstamon/Servers/Zabbix.py

@@ -49,6 +49,7 @@ def __init__(self, **kwds):
         GenericServer.__init__(self, **kwds)
 
         # Prepare all urls needed by nagstamon -
+        self.authentication = conf.servers[self.get_name()].authentication
         self.urls = {}
         # self.statemap = {}
         self.statemap = {
@@ -89,11 +90,16 @@ def _login(self):
                 self.zapi = ZabbixAPI(server=self.monitor_url, path="", log_level=self.log_level,
                                       validate_certs=self.validate_certs, timeout=self.timeout)
             # login if not yet logged in, or if login was refused previously
-            if not self.zapi.logged_in():
-                self.zapi.login(self.username, self.password)
-        except ZabbixAPIException:
-            result, error = self.error(sys.exc_info())
-            return Result(result=result, error=error)
+            if self.authentication == 'bearer':
+                if not self.zapi.logged_in(bearer=True):
+                    self.zapi.login(self.username, self.password, bearer=True)
+            elif self.authentication == 'basic':
+                if not self.zapi.logged_in():
+                    self.zapi.login(self.username, self.password)
+            else:
+                raise Exception("Invalid authentication method")
+        except ZabbixAPIException as e:
+            raise e
 
     def getLastApp(self, this_item):
         if len(this_item) > 0:
@@ -127,7 +133,11 @@ def _get_status(self):
         nagitems = {"services": [], "hosts": []}
 
         # Create URLs for the configured filters
-        self._login()
+        try:
+            self._login()
+        except Exception:
+            result, error = self.error(sys.exc_info())
+            return Result(result=result, error=error)
         # print(self.name)
         # =========================================
         # Service
@@ -153,6 +163,8 @@ def _get_status(self):
         # Don't really care if this fails, just means we won't exclude any downtimed services
         except Exception:
             print(sys.exc_info())
+            result, error = self.error(sys.exc_info())
+            return Result(result=result, error=error)
 
         try:
             try:
@@ -212,7 +224,9 @@ def _get_status(self):
                     service = e.result.content
                     ret = e.result
             except Exception:
+                result, error = self.error(sys.exc_info())
                 print(sys.exc_info())
+                return Result(result=result, error=error)
 
             hosts = []
             # get just involved Hosts.
@@ -457,7 +471,11 @@ def _set_acknowledge(self, host, service, author, comment, sticky, notify, persi
             self.debug(server=self.get_name(),
                        debug="Set Acknowledge Host: " + host + " Service: " + service + " Sticky: " + str(
                            sticky) + " persistent:" + str(persistent) + " All services: " + str(all_services))
-        self._login()
+        try:
+            self._login()
+        except Exception:
+            self.error(sys.exc_info())
+            return
         eventids = set()
         unclosable_events = set()
         if all_services is None:
@@ -486,6 +504,11 @@ def _set_acknowledge(self, host, service, author, comment, sticky, notify, persi
             # 4 - add message
             # 8 - change severity
             # 16 - unacknowledge event
+            # 32 - suppress event;
+            # 64 - unsuppress event;
+            # 128 - change event rank to cause;
+            # 256 - change event rank to symptom.
+            # sticky = close problem  # TODO: make visible in GUI
             actions = 2
             if comment:
                 actions |= 4
@@ -501,8 +524,14 @@ def _set_acknowledge(self, host, service, author, comment, sticky, notify, persi
             else:
                 if sticky:
                     actions |= 1
-                # print("Events to acknowledge: " + str(eventids) + " Close: " + str(actions))
-                self.zapi.event.acknowledge({'eventids': list(eventids), 'message': comment, 'action': actions})
+                try:
+                    self.zapi.event.acknowledge({'eventids': list(eventids), 'message': comment, 'action': actions})
+                except ZabbixAPIException as e:
+                    if "Incorrect user name or password or account is temporarily blocked" in str(e):
+                        self.error(str(e))
+                        return
+                    else:
+                        raise e
 
     def _set_downtime(self, hostname, service, author, comment, fixed, start_time, end_time, hours, minutes):
         # Check if there is an associated Application tag with this trigger/item

Nagstamon/thirdparty/zabbix_api.py

@@ -95,7 +95,6 @@ class Already_Exists(ZabbixAPIException):
 
 
 class InvalidProtoError(ZabbixAPIException):
-
     """ Recived an invalid proto """
     pass
 
@@ -139,7 +138,10 @@ def __init__(self, server='http://localhost/zabbix', user=httpuser, passwd=httpp
         self._setuplogging()
         self.set_log_level(log_level)
         self.server = server
-        self.url = server + '/api_jsonrpc.php'
+        if "/api_jsonrpc.php" not in server:
+            self.url = server + '/api_jsonrpc.php'
+        else:
+            self.url = server
         self.proto = self.server.split("://")[0]
         # self.proto=proto
         self.httpuser = user
@@ -189,7 +191,10 @@ def json_obj(self, method, params={}, auth=True):
 
         return json.dumps(obj)
 
-    def login(self, user='', password='', save=True):
+    def login(self, user='', password='', bearer=False, save=True):
+        if bearer:
+            self.auth = password
+            return
         if user != '':
             l_user = user
             l_password = password
@@ -217,33 +222,94 @@ def login(self, user='', password='', save=True):
         result = self.do_request(obj)
         self.auth = result['result']
 
-    def test_login(self):
-        if self.auth != '':
+    def test_login(self, bearer=False):
+        if bearer:
+            obj = self.json_obj('user.checkAuthentication', {'token': self.auth})
+        else:
             obj = self.json_obj('user.checkAuthentication', {'sessionid': self.auth})
-            result = self.do_request(obj)
+        result = self.do_request(obj, auth_header=False)
+        if not result['result']:
+            self.auth = ''
+            return False  # auth hash bad
+        return True  # auth hash good
 
-            if not result['result']:
-                self.auth = ''
-                return False  # auth hash bad
-            return True  # auth hash good
-        else:
-            return False
-
-    def do_request(self, json_obj):
-        headers = {'Content-Type': 'application/json-rpc',
-                   'User-Agent': 'python/zabbix_api'}
-
-        if self.api_version > '6.4':
-            headers['Authorization'] = 'Bearer ' + self.auth
-        if self.httpuser and "Authorization" not in headers.keys():
-            self.debug(logging.INFO, "HTTP Auth enabled")
-            auth = 'Basic ' + string.strip(base64.encodestring(self.httpuser + ':' + self.httppasswd))
-            headers['Authorization'] = auth
+    def do_request(self, json_obj, auth_header=True):
+        """
+        Send a request to the Zabbix API and handle the response.
+
+        Args:
+            json_obj: The JSON object to send
+            auth_header: Whether to include authentication headers
+
+        Returns:
+            dict: The JSON response from the API
+
+        Raises:
+            ZabbixAPIException: For various API and connection errors
+            APITimeout: When the request times out
+        """
+        headers = self._prepare_headers(auth_header)
         self.r_query.append(str(json_obj))
         self.debug(logging.INFO, "Sending: " + str(json_obj))
         self.debug(logging.DEBUG, "Sending headers: " + str(headers))
 
         request = urllib2.Request(url=self.url, data=json_obj.encode('utf-8'), headers=headers)
+        opener = self._create_url_opener()
+        urllib2.install_opener(opener)
+
+        try:
+            response = opener.open(request, timeout=self.timeout)
+        except ssl.SSLError as e:
+            error_message = e.message if hasattr(e, 'message') else str(e)
+            raise ZabbixAPIException(f"ssl.SSLError - {error_message}")
+        except socket.timeout:
+            raise APITimeout("HTTP read timeout")
+        except urllib2.URLError as e:
+            error_message = e.message if hasattr(e, 'message') else str(e)
+            raise ZabbixAPIException(f"urllib2.URLError - {error_message}")
+
+        self.debug(logging.INFO, f"Response Code: {response.code}")
+
+        if response.code != 200:
+            raise ZabbixAPIException(f"HTTP ERROR {response.status}: {response.reason}")
+
+        response_data = response.read()
+        if len(response_data) == 0:
+            raise ZabbixAPIException("Received zero answer")
+
+        try:
+            json_response = json.loads(response_data.decode('utf-8'))
+        except ValueError:
+            self.debug(logging.ERROR, f"Unable to decode response: {response_data}")
+            raise ZabbixAPIException("Unable to decode answer")
+
+        self.debug(logging.DEBUG, f"Response Body: {json_response}")
+        self.id += 1
+
+        if 'error' in json_response:
+            self._handle_api_error(json_response, json_obj)
+
+        return json_response
+
+    def _prepare_headers(self, auth_header):
+        """Prepare request headers including authentication if needed."""
+        headers = {
+            'Content-Type': 'application/json-rpc',
+            'User-Agent': 'python/zabbix_api'
+        }
+
+        if auth_header:
+            if self.api_version > '6.4':
+                headers['Authorization'] = f'Bearer {self.auth}'
+            elif self.httpuser and "Authorization" not in headers:
+                self.debug(logging.INFO, "HTTP Auth enabled")
+                auth_string = base64.encodestring(f"{self.httpuser}:{self.httppasswd}").strip()
+                headers['Authorization'] = f'Basic {auth_string}'
+
+        return headers
+
+    def _create_url_opener(self):
+        """Create and return the appropriate URL opener based on protocol."""
         if self.proto == "https":
             if HAS_SSLCONTEXT and not self.validate_certs:
                 ssl._create_default_https_context = ssl._create_unverified_context
@@ -258,52 +324,29 @@ def do_request(self, json_obj):
             http_handler = urllib2.HTTPHandler(debuglevel=0)
             opener = urllib2.build_opener(http_handler)
         else:
-            raise ZabbixAPIException("Unknow protocol %s" % self.proto)
+            raise ZabbixAPIException(f"Unknown protocol {self.proto}")
 
-        urllib2.install_opener(opener)
-        try:
-            response = opener.open(request, timeout=self.timeout)
-        except ssl.SSLError as e:
-            if hasattr(e, 'message'):
-                e = e.message
-            raise ZabbixAPIException("ssl.SSLError - %s" % e)
-        except socket.timeout as e:
-            raise APITimeout("HTTP read timeout",)
-        except urllib2.URLError as e:
-            if hasattr(e, 'message'):
-                e = e.message
-            raise ZabbixAPIException("urllib2.URLError - %s" % e)
-        self.debug(logging.INFO, "Response Code: " + str(response.code))
+        return opener
 
-        # NOTE: Getting a 412 response code means the headers are not in the
-        # list of allowed headers.
-        if response.code != 200:
-            raise ZabbixAPIException("HTTP ERROR %s: %s"
-                    % (response.status, response.reason))
-        reads = response.read()
-        if len(reads) == 0:
-            raise ZabbixAPIException("Received zero answer")
-        try:
-            jobj = json.loads(reads.decode('utf-8'))
-        except ValueError as msg:
-            print ("unable to decode. returned string: %s" % reads)
-            raise ZabbixAPIException("Unable to decode answer")
-        self.debug(logging.DEBUG, "Response Body: " + str(jobj))
+    def _handle_api_error(self, json_response, json_obj):
+        """Handle API error responses and raise appropriate exceptions."""
+        error = json_response['error']
 
-        self.id += 1
+        # Special handling for authentication failures to prevent sensitive data exposure
+        if error['code'] == -32500:
+            raise ZabbixAPIException("Incorrect user name or password or account is temporarily blocked.")
 
-        if 'error' in jobj:  # some exception
-            msg = 'Error %s: %s, %s while sending %s' % (jobj['error']['code'],
-                    jobj['error']['message'], jobj['error']['data'], str(json_obj))
-            if re.search(r'.*already\sexists.*', jobj['error']['data'], re.I):  # already exists
-                raise Already_Exists(msg, jobj['error']['code'])
-            else:
-                raise ZabbixAPIException(msg, jobj['error']['code'])
-        return jobj
+        error_msg = f"Error {error['code']}: {error['message']}, {error['data']} while sending {json_obj}"
+
+        if re.search(r'.*already\sexists.*', error['data'], re.I):
+            raise Already_Exists(error_msg, error['code'])
+        else:
+            raise ZabbixAPIException(error_msg, error['code'])
 
-    def logged_in(self):
+    def logged_in(self, bearer=False):
         if self.auth != '':
-            return True
+            if self.test_login(bearer):
+                return True
         return False
 
     def get_api_version(self, **options):