Merge pull request #152 from gcmalloc/allow-query-zone

Allow query zone
ajjahn · Jan 9, 2016 · bab4287 · bab4287
2 parents c0b68ff + 4425894
commit bab4287
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 1 deletion.
diff --git a/manifests/zone.pp b/manifests/zone.pp
@@ -54,6 +54,10 @@
 #   '192.168.100.102 port 1234' ]`.  Defaults to an empty array, which
 #   means no forwarding will be done.
 #
+# [*allow_query*]
+#   An array of IP addresses from which queries should be allowed
+#  Defaults to an empty array, which allows all ip to query the zone
+#
 # [*also_notify*]
 #   This is an array of IP addresses and optional port numbers to
 #   which this DNS server will send notifies when the master DNS server
@@ -144,6 +148,7 @@
   $zone_type = 'master',
   $allow_transfer = [],
   $allow_forwarder = [],
+  $allow_query =[],
   $forward_policy = 'first',
   $slave_masters = undef,
   $zone_notify = undef,
@@ -158,6 +163,7 @@
   if !member(['first', 'only'], $forward_policy) {
     error('The forward policy can only be set to either first or only')
   }
+  validate_array($allow_query)
 
   validate_array($also_notify)
   $valid_zone_notify = ['yes', 'no', 'explicit', 'master-only']

diff --git a/spec/defines/dns__zone_spec.rb b/spec/defines/dns__zone_spec.rb
@@ -5,6 +5,28 @@
   let(:title) { 'test.com' }
   let(:facts) {{ :osfamily => 'Debian', :concat_basedir => '/mock_dir' }}
 
+  describe 'passing something other than an array to $allow_query ' do
+      let(:params) {{ :allow_query => '127.0.0.1' }}
+      it { should raise_error(Puppet::Error, /is not an Array/) }
+  end
+
+  describe 'passing an array to $allow_query' do 
+      let(:params) {{ :allow_query => ['192.0.2.0', '2001:db8::/32'] }}
+      it { should_not raise_error }
+      it {
+          should contain_concat__fragment('named.conf.local.test.com.include').
+          with_content(/allow-query/)
+      }
+      it {
+          should contain_concat__fragment('named.conf.local.test.com.include').
+          with_content(/192\.0\.2\.0;/)
+      }
+      it {
+          should contain_concat__fragment('named.conf.local.test.com.include').
+          with_content(/2001:db8::\/32/)
+      }
+  end
+
   describe 'passing something other than an array to $allow_transfer' do
       let(:params) {{ :allow_transfer => '127.0.0.1' }}
       it { should raise_error(Puppet::Error, /is not an Array/) }

diff --git a/templates/zone.erb b/templates/zone.erb
@@ -36,5 +36,12 @@ type <%= @zone_type %>;
     <% end -%>
     };
 <% end -%>
+    <% if @allow_query.size != 0 %>
+        allow-query {
+        <% @allow_query.each do |ip| -%>
+            <%= ip %>;
+        <% end -%>
+        };
+    <% end -%>
 
 };
diff --git a/tests/init.pp b/tests/init.pp
@@ -10,7 +10,8 @@
   soa            => 'ns1.example.com',
   soa_email      => 'admin.example.com',
   nameservers    => [ 'ns1' ],
-  allow_transfer => [ '192.0.2.0', '2001:db8::/32' ]
+  allow_transfer => [ '192.0.2.0', '2001:db8::/32' ],
+  allow_query    => [ '192.168.0.0/16' ],
 }
 
 dns::zone { '56.168.192.IN-ADDR.ARPA':