Give bind::key the ability to generate keys

Also, allow them to be placed elsewhere in the filesystem and make it possible to exclude a key from the named configuration.
2015-01-18 10:11:24 -06:00 · 2015-01-18 10:11:24 -06:00 · 9b1cbacee0
commit 9b1cbacee0
parent a981de576e
3 changed files with 41 additions and 10 deletions
--- a/lib/puppet/parser/functions/hmac_secret.rb
+++ b/lib/puppet/parser/functions/hmac_secret.rb
@ -0,0 +1,9 @@
+# ex: syntax=ruby si sw=2 ts=2 et
+require 'securerandom'
+
+module Puppet::Parser::Functions
+  newfunction(:hmac_secret, :type => :rvalue) do |args|
+    bits = args[0].to_i
+    SecureRandom.base64(bits / 8)
+  end
+end
--- a/manifests/key.pp
+++ b/manifests/key.pp
@ -1,28 +1,50 @@
 # ex: syntax=puppet si ts=4 sw=4 et

 define bind::key (
-    $secret,
-    $algorithm = 'hmac-sha256',
-    $owner     = 'root',
-    $group     = $bind::params::bind_group,
+    $secret      = undef,
+    $secret_bits = 256,
+    $algorithm   = 'hmac-sha256',
+    $owner       = 'root',
+    $group       = $bind::params::bind_group,
+    $keydir      = $::bind::keydir::keydir,
+    $keyfile     = undef,
+    $include     = true,
 ) {
-    $keydir = $::bind::keydir::keydir

-    file { "${keydir}/${name}":
+    # Generate a key of size $secret_bits if no $secret
+    $secret_actual = $secret ? {
+        undef   => hmac_secret($secret_bits),
+        default => $secret,
+    }
+
+    # Keep existing key if the module is generating a key
+    $replace = $secret ? {
+        undef   => false,
+        default => true,
+    }
+
+    # Use key name as key file name if none is supplied
+    $key_file_name = $keyfile ? {
+        undef   => $name,
+        default => $keyfile,
+    }
+
+    file { "${keydir}/${key_file_name}":
        ensure  => present,
        owner   => $owner,
        group   => $group,
        mode    => '0640',
+        replace => $replace,
        content => template('bind/key.conf.erb'),
    }

-    if (defined(Class['bind'])) {
-        Package['bind'] -> File["${keydir}/${name}"] ~> Service['bind']
+    if $include and defined(Class['bind']) {
+        Package['bind'] -> File["${keydir}/${key_file_name}"] ~> Service['bind']

        concat::fragment { "bind-key-${name}":
            order   => '10',
            target  => "${bind::confdir}/keys.conf",
-            content => "include \"${bind::confdir}/keys/${name}\";\n",
+            content => "include \"${keydir}/${key_file_name}\";\n",
        }
    }
 }
--- a/templates/key.conf.erb
+++ b/templates/key.conf.erb
@ -1,5 +1,5 @@

 key <%= @name %> {
 	algorithm <%= @algorithm %>;
-	secret "<%= @secret %>";
+	secret "<%= @secret_actual %>";
 };