From 9b1cbacee0a61b2bf389489aba1d5969c6b492f3 Mon Sep 17 00:00:00 2001
From: Nate Riffe
Date: Sun, 18 Jan 2015 10:11:24 -0600
Subject: [PATCH] Give bind::key the ability to generate keys

Also, allow them to be placed elsewhere in the filesystem and make it possible to exclude a key from the named configuration.
---
 lib/puppet/parser/functions/hmac_secret.rb | 9 +++++
 manifests/key.pp | 40 +++++++++++++++++-----
 templates/key.conf.erb | 2 +-
 3 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 lib/puppet/parser/functions/hmac_secret.rb

diff --git a/lib/puppet/parser/functions/hmac_secret.rb b/lib/puppet/parser/functions/hmac_secret.rb
new file mode 100644
index 0000000..5f2f5c7
--- /dev/null
+++ b/lib/puppet/parser/functions/hmac_secret.rb
@@ -0,0 +1,9 @@
+# ex: syntax=ruby si sw=2 ts=2 et
+require 'securerandom'
+
+module Puppet::Parser::Functions
+ newfunction(:hmac_secret, :type => :rvalue) do |args|
+ bits = args[0].to_i
+ SecureRandom.base64(bits / 8)
+ end
+end
diff --git a/manifests/key.pp b/manifests/key.pp
index a1c99f2..765b2ea 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
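Review bot: `bits = args[0].to_i` in hmac_secret accepts anything: a missing argument or a non-numeric string becomes 0, and `SecureRandom.base64(0)` then returns an empty string, so the key file would silently be written with `secret "";` and no error. A bit count that is not a multiple of 8 is likewise truncated by `bits / 8`, and anything below 8 also yields an empty secret. Guard before generating: `raise Puppet::ParseError, 'hmac_secret(): expects one argument' unless args.size == 1` and `raise Puppet::ParseError, 'hmac_secret(): bits must be a positive multiple of 8' unless bits > 0 && bits % 8 == 0`. Because this runs at catalog compile time, a fresh secret is produced on every compile; the function deserves a comment above `newfunction` saying so, since callers must rely on `replace => false` (or similar) to keep the first value.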
@@ -1,28 +1,50 @@ # ex: syntax=puppet si ts=4 sw=4 et define bind::key ( - $secret, - $algorithm = 'hmac-sha256', - $owner = 'root', - $group = $bind::params::bind_group, + $secret = undef, + $secret_bits = 256, + $algorithm = 'hmac-sha256', + $owner = 'root', + $group = $bind::params::bind_group, + $keydir = $::bind::keydir::keydir, + $keyfile = undef, + $include = true, ) { - $keydir = $::bind::keydir::keydir - file { "${keydir}/${name}": + # Generate a key of size $secret_bits if no $secret + $secret_actual = $secret ? { + undef => hmac_secret($secret_bits), + default => $secret, + } + + # Keep existing key if the module is generating a key + $replace = $secret ? { + undef => false, + default => true, + } + + # Use key name as key file name if none is supplied + $key_file_name = $keyfile ? { + undef => $name, + default => $keyfile, + } + + file { "${keydir}/${key_file_name}": ensure => present, owner => $owner, group => $group, mode => '0640', + replace => $replace, content => template('bind/key.conf.erb'), } - if (defined(Class['bind'])) { - Package['bind'] -> File["${keydir}/${name}"] ~> Service['bind'] + if $include and defined(Class['bind']) { + Package['bind'] -> File["${keydir}/${key_file_name}"] ~> Service['bind'] concat::fragment { "bind-key-${name}": order => '10', target => "${bind::confdir}/keys.conf", - content => "include \"${bind::confdir}/keys/${name}\";\n", + content => "include \"${keydir}/${key_file_name}\";\n", } } } diff --git a/templates/key.conf.erb b/templates/key.conf.erb index 2db293f..f1fe0bf 100644 --- a/templates/key.conf.erb +++ b/templates/key.conf.erb @@ -1,5 +1,5 @@ key <%= @name %> { algorithm <%= @algorithm %>; - secret "<%= @secret %>"; + secret "<%= @secret_actual %>"; };
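Review bot: The `replace => $replace` line makes generated keys write-once, which is the right call for a random secret, but it also means that once the file exists a later change to `$algorithm`, to the key's `$name` (the `key <name>` stanza in the template), or to the template itself is never applied to that file, and nothing in the define surfaces the secret that was generated. A comment on `$replace` should state this trade-off, e.g. `# Generated keys are written once and never replaced: changing $algorithm or the key name later requires removing the file by hand.` Presumably the intent is that the peer reads the secret from the key file on disk — TSIG needs the same secret on both ends, and since `$secret_actual` is regenerated per compile each node declaring the same key without `$secret` gets its own — so that expectation is worth documenting alongside `$secret_bits`.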