Merge remote-tracking branch 'upstream/master'

README.md

@@ -84,16 +84,18 @@ unbound::stub { "0.0.10.in-addr.arpa.":
   insecure => true,
 }
 
-# address can be an array.
+# address can be an array along with nameservers.
 # in the following case, generated conf would be as follows:
 #
-#   stub-host: ns1.example.com
+#   stub-addr: 10.0.0.53
 #   stub-addr: 10.0.0.10@10053
+#   stub-host: ns1.example.com
 #   stub-host: ns2.example.com
 #
 # note that conf will be generated in the same order provided.
 unbound::stub { "10.0.10.in-addr.arpa.":
-  address => [ 'ns1.example.com', '10.0.0.10@10053', 'ns2.example.com' ],
+  address    => [ 10.0.0.53', '10.0.0.10@10053'],
+  namservers => [ 'ns1.example.com', 'ns2.example.com' ],
 }
 ```
 
@@ -103,8 +105,10 @@ Or, using hiera
 unbound::stub:
   '10.0.10.in-addr.arpa.':
     address:
-      - 'ns1.example.com'
+      - '10.0.0.53
       - '10.0.0.10@10053'
+    nameserveres:
+      - 'ns1.example.com'
       - 'ns2.example.com'
 ```
 

data/os/Archlinux.yaml

@@ -0,0 +1,2 @@
+unbound::fetch_client: 'curl --silent --output'
+unbound::owner: 'root'

manifests/init.pp

@@ -211,6 +211,7 @@
   Stdlib::Absolutepath                          $unbound_conf_d                  = "${confdir}/unbound.conf.d",
   Unbound::Hints_file                           $hints_file                      = "${confdir}/root.hints",
   Optional[String[1]]                           $hints_file_content              = undef,
+  Hash[String[1], Unbound::Rpz]                 $rpzs                            = {},
 ) {
   $_base_dirs = [$confdir, $conf_d, $keys_d, $runtime_dir]
   $_piddir = if $pidfile { dirname($pidfile) } else { undef }

manifests/record.pp

@@ -23,28 +23,30 @@
 #   (optional) name of configuration file
 #
 define unbound::record (
-  String $content,
+  Variant[Array[String[1]], String[1]] $content,
   $ttl         = '14400',
   $type        = 'A',
   $reverse     = false,
   $entry       = $name,
   $config_file = $unbound::config_file,
 ) {
-  if $type != 'TXT' {
-    $local_data     = "  local-data: \"${entry} ${ttl} IN ${type} ${content}\"\n"
-  } else {
-    # Long TXT records must be broken into strings of 255 characters as per RFC 4408
-    $real_content = $content.slice(255)
-    .reduce('') |String $record, Array $s| {
-      "${record}\"${s.join()}\""
+  $local_data = [$content].flatten.map |$_content| {
+    if $type != 'TXT' {
+      "  local-data: \"${entry} ${ttl} IN ${type} ${_content}\""
+    } else {
+      # Long TXT records must be broken into strings of 255 characters as per RFC 4408
+      $real_content = $_content.slice(255)
+      .reduce('') |String $record, Array $s| {
+        "${record}\"${s.join()}\""
+      }
+      "  local-data: '${entry} ${ttl} IN ${type} ${real_content}'"
     }
-    $local_data     = "  local-data: '${entry} ${ttl} IN ${type} ${real_content}'\n"
-  }
-  $local_data_ptr = "  local-data-ptr: \"${content} ${entry}\"\n"
+  }.join("\n")
+  $local_data_ptr = "  local-data-ptr: \"${content} ${entry}\""
 
-  $config = $reverse? {
-    true    => "${local_data}${local_data_ptr}",
-    default => $local_data,
+  $config = $reverse ? {
+    true    => "${local_data}\n${local_data_ptr}\n",
+    default => "${local_data}\n",
   }
 
   concat::fragment { "unbound-stub-${title}-local-record":

manifests/stub.pp

@@ -9,6 +9,9 @@
 #   array or a single value. To use a nondefault port for DNS communication
 #   append  '@' with the port number.
 #
+# [*nameservers*]
+#   (optional) Name of stub zone nameserver. Is itself resolved before it is used.
+#
 # [*insecure*]
 #   (optional) Defaults to false. Sets domain name to be insecure, DNSSEC chain
 #   of trust is ignored towards the domain name.  So a trust anchor  above the
@@ -30,6 +33,7 @@
 #
 define unbound::stub (
   Variant[Array[Unbound::Address], Unbound::Address] $address,
+  Array[Stdlib::Host]                                 $nameservers = [],
   # lint:ignore:quoted_booleans
   Variant[Boolean, Enum['true', 'false']]            $insecure    = false,
   Variant[Boolean, Enum['true', 'false']]            $no_cache    = false,

spec/acceptance/unbound_spec.rb

@@ -21,8 +21,14 @@
       expect(apply_manifest(pp, catch_failures: true).exit_code).to eq 0
     end
 
-    describe command('service unbound restart') do
-      its(:exit_status) { is_expected.to eq 0 }
+    if fact('osfamily') == 'Archlinux'
+      describe command('systemctl restart unbound') do
+        its(:exit_status) { is_expected.to eq 0 }
+      end
+    else
+      describe command('service unbound restart') do
+        its(:exit_status) { is_expected.to eq 0 }
+      end
     end
 
     describe service('unbound') do

spec/classes/init_spec.rb

@@ -1074,6 +1074,83 @@
 
         it { is_expected.to compile.with_all_deps }
       end
+
+      context 'RPZs config' do
+        let(:params) do
+          {
+            module_config: ['respip'],
+            rpzs: {
+              'test1' => {
+                'primary' => ['192.0.1.2', 'primary.example.org'],
+              },
+              'test2' => {
+                'url' => ['https://primary.example.org/zone'],
+                'allow_notify' => ['192.0.1.2', '2001:db8::'],
+                'zonefile' => '/foo/bar',
+                'rpz_action_override' => 'drop',
+                'rpz_log' => true,
+                'rpz_log_name' => 'foobar',
+                'tags' => %w[foo bar],
+              },
+              'test3' => {
+                'url' => ['https://primary.example.org/zone'],
+                'allow_notify' => ['192.0.1.2', '2001:db8::'],
+                'zonefile' => '/foo/bar',
+                'rpz_action_override' => 'cname',
+                'rpz_cname_override' => 'cname.example.org',
+                'rpz_log' => true,
+                'rpz_log_name' => 'foobar',
+                'tags' => %w[foo bar],
+              },
+            }
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+
+        it do
+          is_expected.to contain_concat__fragment('unbound-modules').
+            with_content(
+              %r{
+                rpz:
+                \s+name:\stest1
+                \s+primary:\s"192\.0\.1\.2"
+                \s+primary:\s"primary\.example\.org"
+              }x
+            ).
+            with_content(
+              %r{
+                rpz:
+                \s+name:\stest2
+                \s+url:\s"https://primary\.example\.org/zone"
+                \s+allow-notify:\s"192\.0\.1\.2"
+                \s+allow-notify:\s"2001:db8::"
+                \s+zonefile:\s"/foo/bar"
+                \s+rpz-action-overrude:\s"drop"
+                \s+rpz-log:\syes
+                \s+rpz-log-name:\s"foobar"
+                \s+tags:\s"foo"
+                \s+tags:\s"bar"
+              }x
+            ).
+            with_content(
+              %r{
+                rpz:
+                \s+name:\stest3
+                \s+url:\s"https://primary\.example\.org/zone"
+                \s+allow-notify:\s"192\.0\.1\.2"
+                \s+allow-notify:\s"2001:db8::"
+                \s+zonefile:\s"/foo/bar"
+                \s+rpz-action-overrude:\s"cname"
+                \s+rpz-cname-override:\s"cname\.example\.org"
+                \s+rpz-log:\syes
+                \s+rpz-log-name:\s"foobar"
+                \s+tags:\s"foo"
+                \s+tags:\s"bar"
+              }x
+            )
+        end
+      end
     end
   end
   # rubocop:enable RSpec/MultipleMemoizedHelpers

spec/defines/record_spec.rb

@@ -47,6 +47,27 @@
           )
         }
       end
+
+      context 'Multiple contents (answers)' do
+        let(:params) do
+          {
+            content: ['192.0.2.53', '192.0.2.42'],
+            reverse: false,
+          }
+        end
+
+        it { is_expected.to contain_unbound__record('record.example.com') }
+
+        it do
+          is_expected.to contain_concat__fragment('unbound-stub-record.example.com-local-record').
+            with_content(
+              %r{
+                  \s+local-data:\s"record.example.com\s14400\sIN\sA\s192.0.2.53"
+                  \s+local-data:\s"record.example.com\s14400\sIN\sA\s192.0.2.42"
+                }x
+            )
+        end
+      end
     end
   end
 end

spec/defines/stub_spec.rb

@@ -30,6 +30,30 @@
         }
       end
 
+      context 'unbound::address' do
+        let(:params) do
+          {
+            address: '10.0.0.10@10053',
+            nameservers: ['ns1.example.com', 'ns2.example.com'],
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_unbound__stub('lab.example.com') }
+
+        it {
+          expect(subject).to contain_concat__fragment('unbound-stub-lab.example.com').with(
+            content: <<~ZONE
+              stub-zone:
+                name: "lab.example.com"
+                stub-addr: 10.0.0.10@10053
+                stub-host: ns1.example.com
+                stub-host: ns2.example.com
+            ZONE
+          )
+        }
+      end
+
       context 'with no_cache set' do
         let(:params) do
           {

spec/type_aliases/rpz_spec.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Unbound::Rpz' do
+  describe 'valid modes' do
+    values = [
+      {
+        'primary' => ['primary.example.org'],
+        'master' => ['mastr.example.org'],
+        'url' => ['http://rpz.example.org/zone'],
+        'allow_notify' => ['192.0.2.1'],
+        'zonefile' => '/foo/zone',
+        'rpz_action_override' => 'passthru',
+        'rpz_cname_override' => 'cname.example.org',
+        'rpz_log' => true,
+        'rpz_log_name' => 'rpzlog',
+        'tags' => %w[foo bar]
+      },
+      {
+        'primary' => ['primary.example.org'],
+      },
+      {
+        'master' => ['mastr.example.org'],
+      },
+      {
+        'url' => ['http://rpz.example.org/zone'],
+      },
+      {
+        'allow_notify' => ['192.0.2.1'],
+      },
+      {
+        'zonefile' => '/foo/zone',
+      },
+      {
+        'rpz_action_override' => 'passthru',
+      },
+      {
+        'rpz_cname_override' => 'cname.example.org',
+      },
+      {
+        'rpz_log' => true,
+      },
+      {
+        'rpz_log_name' => 'rpzlog',
+      },
+      {
+        'tags' => %w[foo bar]
+      }
+    ]
+    values.each do |value|
+      describe value.inspect do
+        it { is_expected.to allow_value(value) }
+      end
+    end
+  end
+end

templates/stub.erb

@@ -3,6 +3,9 @@ stub-zone:
 <% [@address].flatten.each do |addr| -%>
   stub-addr: <%= addr %>
 <% end -%>
+<% @nameservers.each do |host| -%>
+  stub-host: <%= host %>
+<% end -%>
 <% if @no_cache == 'true' or @no_cache == true -%>
   stub-no-cache: yes
 <% end -%>

templates/unbound.conf.erb

@@ -147,7 +147,9 @@ server:
 <%= print_config('hide-version', @hide_version) -%>
 <%= print_config('version', @version) -%>
 <%= print_config('hide-trustanchor', @hide_trustanchor, '1.6.2') -%>
-<%= print_config('target-fetch-policy', @target_fetch_policy) -%>
+<%- unless @target_fetch_policy.empty? -%>
+<%= print_config('target-fetch-policy', @target_fetch_policy.join(' ')) -%>
+<%- end -%>
 <%= print_config('harden-short-bufsize', @harden_short_bufsize) -%>
 <%= print_config('harden-large-queries', @harden_large_queries) -%>
 <%= print_config('harden-glue', @harden_glue) -%>

templates/unbound.modules.conf.erb

@@ -7,7 +7,7 @@
   end
   def print_config(name, value, version=false )
     if version and scope.call_function('versioncmp', [unbound_version, version]) < 0
-       return 
+       return
     end
     if value.is_a?(TrueClass)
       return "  #{name}: yes\n"
@@ -65,3 +65,19 @@ cachedb:
 <%= print_config('redis-timeout', @redis_timeout) -%>
   <%- end -%>
 <%- end -%>
+<%- if @module_config and @module_config.include?('respip') -%>
+  <%- @rpzs.each_pair do |name, rpz| -%>
+rpz:
+  name: <%= name %>
+<%= print_config('primary', rpz['primary']) -%>
+<%= print_config('primary', rpz['master']) -%>
+<%= print_config('url', rpz['url']) -%>
+<%= print_config('allow-notify', rpz['allow_notify']) -%>
+<%= print_config('zonefile', rpz['zonefile']) -%>
+<%= print_config('rpz-action-overrude', rpz['rpz_action_override']) -%>
+<%= print_config('rpz-cname-override', rpz['rpz_cname_override']) -%>
+<%= print_config('rpz-log', rpz['rpz_log']) -%>
+<%= print_config('rpz-log-name', rpz['rpz_log_name']) -%>
+<%= print_config('tags', rpz['tags']) -%>
+  <%- end -%>
+<%- end -%>

types/module.pp

@@ -1,3 +1,4 @@
+# @summary list of valid modules
 type Unbound::Module = Enum[
   'validator',
   'iterator',
@@ -6,4 +7,5 @@
   'subnetcache',
   'ipsecmod',
   'cachedb',
+  'respip',
 ]