CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [5.2.0](https://github.com/theforeman/puppet-dns/tree/5.2.0) (2018-05-21)
+
+[Full Changelog](https://github.com/theforeman/puppet-dns/compare/5.1.0...5.2.0)
+
+**Implemented enhancements:**
+
+- Adds control keys and specifying update policy [\#108](https://github.com/theforeman/puppet-dns/pull/108) ([zyronix](https://github.com/zyronix))
+
+**Closed issues:**
+
+- Fails with puppetlabs/concat 4.1.1 [\#107](https://github.com/theforeman/puppet-dns/issues/107)
+- Add support for adding keys for nsupdate [\#94](https://github.com/theforeman/puppet-dns/issues/94)
+
 ## 5.1.0
 
 * Stop shipping development code in releases

Gemfile

@@ -7,6 +7,7 @@ gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 4
 
 gem 'rake'
 gem 'rspec', '~> 3.0'
+gem 'rdoc', '~> 5.1.0', {"platforms"=>["ruby_21"]}
 gem 'rspec-puppet', '~> 2.3'
 gem 'rspec-puppet-facts', '>= 1.7'
 gem 'puppetlabs_spec_helper', '>= 2.1.1'
@@ -25,7 +26,7 @@ gem 'puppet-lint-unquoted_string-check'
 gem 'puppet-lint-variable_contains_upcase'
 gem 'puppet-lint-version_comparison-check'
 gem 'simplecov'
-gem 'puppet-blacksmith', '>= 3.1.0', {"groups"=>["development"]}
+gem 'puppet-blacksmith', '>= 4.1.0', {"groups"=>["development"]}
 gem 'beaker', '>= 3.9.0', {"groups"=>["system_tests"]}
 gem 'beaker-rspec', {"groups"=>["system_tests"]}
 gem 'beaker-module_install_helper', {"groups"=>["system_tests"]}

README.md

@@ -19,6 +19,10 @@ Zones can be created with the `dns::zone` resource:
 
     dns::zone { 'example.com': }
 
+Keys can be created with the `dns::key` resource:
+
+    dns::key {'dns-key':}
+
 Slaves can also be configured by setting `allow_transfer` in the master's zone
 and setting `zonetype => 'slave'` in the slave's zone.
 

Rakefile

@@ -9,6 +9,8 @@ begin
   require 'puppet_blacksmith/rake_tasks'
   Blacksmith::RakeTask.new do |t|
     t.tag_pattern = "%s"
+    t.tag_message_pattern = "Version %s"
+    t.tag_sign = true
   end
 rescue LoadError
 end

manifests/key.pp

@@ -0,0 +1,42 @@
+# Generate a new key for the dns
+#
+# === Parameters:
+#
+# $secret::                     This is the secret to be place inside the keyfile, if left empty the key will be generated
+#    
+define dns::key(
+  String               $algorithm    = 'hmac-md5',
+  String               $filename     = "${name}.key",
+  Optional[String]     $secret       = undef,
+  Stdlib::Absolutepath $keydir       = $::dns::dnsdir,
+  Integer              $keysize      = 512,
+) {
+  $keyfilename = "${keydir}/${filename}"
+
+  if $secret {
+    file {$keyfilename:
+      ensure  => file,
+      owner   => $dns::user,
+      group   => $dns::group,
+      mode    => '0640',
+      content => template('dns/key.erb'),
+      notify  => Service[$::dns::namedservicename],
+    }
+  } else {
+    exec { "create-${filename}":
+      command => "${dns::rndcconfgen} -r /dev/urandom -a -c ${keyfilename} -b ${keysize} -k ${name}",
+      creates => $keyfilename,
+      notify  => Service[$::dns::namedservicename],
+    }-> file { $keyfilename:
+      owner => 'root',
+      group => $dns::params::group,
+      mode  => '0640',
+    }
+  }
+
+  concat::fragment { "named.conf+20-key-${name}.dns":
+    target  => $::dns::namedconf_path,
+    content => "include \"${keyfilename}\";\n",
+    order   => '20',
+  }
+}

manifests/zone.pp

@@ -6,31 +6,37 @@
 #
 # $manage_file_name::           Whether to set the file parameter in the zone file.
 #
+# $update_policy_rules::        This can be used to specifiy additional update policy rules in the following format
+#                               { '<KEY_NAME' => {'matchtype' => '<VALUE>', 'tname' => '<VALUE>', 'rr' => 'VALUE' } }
+#                               Example {'foreman_key' => {'matchtype' => 'zonesub', 'rr' => 'ANY'}}
+#                               tname and rr are optional
+#
 define dns::zone (
-  Array[String] $target_views                         = [],
-  String $zonetype                                    = 'master',
-  String $soa                                         = $::fqdn,
-  Boolean $reverse                                    = false,
-  String $ttl                                         = '10800',
-  Stdlib::Compat::Ip_address $soaip                   = $::ipaddress,
-  Integer $refresh                                    = 86400,
-  Integer $update_retry                               = 3600,
-  Integer $expire                                     = 604800,
-  Integer $negttl                                     = 3600,
-  Integer $serial                                     = 1,
-  Array $masters                                      = [],
-  Array $allow_transfer                               = [],
-  Array $allow_query                                  = [],
-  Array $also_notify                                  = [],
-  String $zone                                        = $title,
-  Optional[String] $contact                           = undef,
-  Stdlib::Absolutepath $zonefilepath                  = $::dns::zonefilepath,
-  String $filename                                    = "db.${title}",
-  Boolean $manage_file                                = true,
-  Boolean $manage_file_name                           = false,
-  Enum['first', 'only'] $forward                      = 'first',
-  Array $forwarders                                   = [],
-  Optional[Enum['yes', 'no', 'explicit']] $dns_notify = undef,
+  Array[String] $target_views                           = [],
+  String $zonetype                                      = 'master',
+  String $soa                                           = $::fqdn,
+  Boolean $reverse                                      = false,
+  String $ttl                                           = '10800',
+  Stdlib::Compat::Ip_address $soaip                     = $::ipaddress,
+  Integer $refresh                                      = 86400,
+  Integer $update_retry                                 = 3600,
+  Integer $expire                                       = 604800,
+  Integer $negttl                                       = 3600,
+  Integer $serial                                       = 1,
+  Array $masters                                        = [],
+  Array $allow_transfer                                 = [],
+  Array $allow_query                                    = [],
+  Array $also_notify                                    = [],
+  String $zone                                          = $title,
+  Optional[String] $contact                             = undef,
+  Stdlib::Absolutepath $zonefilepath                    = $::dns::zonefilepath,
+  String $filename                                      = "db.${title}",
+  Boolean $manage_file                                  = true,
+  Boolean $manage_file_name                             = false,
+  Enum['first', 'only'] $forward                        = 'first',
+  Array $forwarders                                     = [],
+  Optional[Enum['yes', 'no', 'explicit']] $dns_notify   = undef,
+  Hash[String, Hash[String, Data]] $update_policy_rules = {},
 ) {
 
   $_contact = pick($contact, "root.${zone}.")

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-dns",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "author": "theforeman",
   "summary": "Manage the ISC BIND daemon",
   "license": "Apache-2.0",

spec/defines/dns_key_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe 'dns::key' do
+  let(:facts) do
+    {
+      :clientcert     => 'puppetmaster.example.com',
+      :concat_basedir => '/doesnotexist',
+      :fqdn           => 'puppetmaster.example.com',
+      :ipaddress      => '192.168.1.1',
+      :osfamily       => 'RedHat',
+    }
+  end
+
+  let(:title) { 'foreman_key' }
+
+  let :pre_condition do
+    'include dns'
+  end
+
+  it { is_expected.to compile }
+  it { is_expected.to contain_exec('create-foreman_key.key') }
+
+  context 'secret set' do
+    let(:params) do
+      {
+        :secret => 'top_secret',
+      }
+    end
+    it 'should contain a file with the secret in it' do
+      is_expected.to contain_file('/etc/foreman_key.key')
+      verify_contents(catalogue, '/etc/foreman_key.key', [
+        'key "foreman_key" {',
+        '    algorithm hmac-md5;',
+        '    secret "top_secret";',
+        '};',
+      ])
+      verify_concat_fragment_exact_contents(catalogue, 'named.conf+20-key-foreman_key.dns', [
+        'include "/etc/foreman_key.key";',
+      ])
+
+    end
+  end
+end

spec/defines/dns_zone_spec.rb

@@ -263,4 +263,20 @@
 
   end
 
+  context 'update_policy_rules is set' do
+    let(:params) { {
+      :update_policy_rules => {
+        'foreman_key' => {
+          'matchtype' => 'zonesub',
+          'tname' => '*',
+          'rr' => 'ANY'
+        }
+      }
+    } }
+
+    it "should have valid slave zone configuration" do
+      is_expected.to compile
+    end
+  end
+
 end

templates/key.erb

@@ -0,0 +1,4 @@
+key "<%= @name %>" {
+    algorithm <%= @algorithm %>;
+    secret "<%= @secret %>";
+};

templates/named.zone.erb

@@ -12,6 +12,9 @@ zone "<%= @zone %>" {
 <% if @zonetype == 'master' -%>
     update-policy {
             grant rndc-key zonesub ANY;
+            <%- @update_policy_rules.sort_by {|k, v| k}.each do |key, key_hash| -%>
+            grant <%= key %> <%= key_hash['matchtype'] %> <% if key_hash['tname'] %><%= key_hash['tname'] %> <% end %><% if key_hash['rr'] %><%= key_hash['rr'] %><% end %>;
+            <%- end -%>
     };
 <% end -%>
 <% unless @allow_transfer.empty? -%>