Fixes #37604 - Validate DNS forwarders
A user can input an invalid value and the service will refuse to start
up. We can catch this in data types, preventing service downtime.
ekohl committed Jul 5, 2024
1 parent 42d8038 commit 3f53f46
Showing 5 changed files with 36 additions and 3 deletions.
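--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -155,7 +155,7 @@
 Variant[Enum['unmanaged'], Stdlib::Absolutepath] $localzonepath = $dns::params::localzonepath,
 Variant[Enum['unmanaged'], Stdlib::Absolutepath] $defaultzonepath = $dns::params::defaultzonepath,
 Optional[Enum['only', 'first']] $forward = undef,
-Array[String] $forwarders = [],
+Array[Dns::Forwarder] $forwarders = [],
 Variant[String, Boolean] $listen_on_v6 = 'any',
 Enum['yes', 'no'] $recursion = 'yes',
 Array[String] $allow_recursion = ['localnets', 'localhost'],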
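Review bot: The `@param forwarders` documentation for this class sits above the hunk and, as far as this view shows, is not updated to state the only form the new type accepts, an IPv4/IPv6 literal optionally followed by `port <n>`; a line such as `# @param forwarders Upstream resolvers as `<ip> [port <n>]` strings; hostnames are not accepted` would make the new compile-time failure self-explanatory. Tightening `Array[String]` to `Array[Dns::Forwarder]` is a breaking change for any catalog that currently passes other BIND qualifiers on the same entry (for example a `dscp` suffix, which some BIND 9 releases accept after the address; verify against the targeted versions), so this deserves a mention in the changelog or release notes. The class parameter list continues outside the hunk.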
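--- a/manifests/view.pp
+++ b/manifests/view.pp
@@ -48,7 +48,7 @@
 Array[String] $allow_query = [],
 Array[String] $allow_query_cache = [],
 Array[String] $also_notify = [],
-Array[String] $forwarders = [],
+Array[Dns::Forwarder] $forwarders = [],
 Optional[Enum['only','first']] $forward = undef,
 Optional[Enum['yes','no']] $recursion = undef,
 Optional[Enum['yes','no']] $dnssec_enable = undef,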
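--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -94,7 +94,7 @@
 Boolean $replace_file = false,
 Enum['first', 'only'] $forward = 'first',
 Boolean $master_empty_forwarders_enable = false,
-Array $forwarders = [],
+Array[Dns::Forwarder] $forwarders = [],
 Optional[Enum['yes', 'no', 'explicit']] $dns_notify = undef,
 Optional[Enum['yes', 'no']] $zone_statistics = undef,
 Optional[Dns::UpdatePolicy] $update_policy = undef,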
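Review bot: Of the three call sites this is the one most likely to break existing catalogs, because the previous type was a bare `Array` that accepted any element (integers, hashes, arbitrary strings) and the template presumably interpolated whatever it was given; it now accepts only validated address strings. That is the right direction, since untyped strings here end up inside `named.conf` and a stray `;` or `}` in one could alter the rest of the configuration, but the define's `@param forwarders` docstring above the hunk should say so: `# @param forwarders IP literals, optionally with `port <n>`; validated as Dns::Forwarder at compile time`. The define's parameter list continues outside the hunk.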
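--- /dev/null
+++ b/spec/type_aliases/forwarder_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe 'Dns::Forwarder' do
+it { is_expected.not_to allow_value(nil) }
+it { is_expected.not_to allow_value('') }
+
+describe 'IPv4' do
+it { is_expected.to allow_value('192.0.2.1') }
+it { is_expected.to allow_value('192.0.2.1 port 5353') }
+it { is_expected.to allow_value('192.168.254.254 port 5353') }
+it { is_expected.to allow_value('192.168.254.254 port 65534') }
+end
+
+describe 'IPv6' do
+it { is_expected.to allow_value('::1') }
+it { is_expected.to allow_value('::1 port 5353') }
+it { is_expected.to allow_value('2001:db8:1234:5678:9ABC:DEF::1') }
+it { is_expected.to allow_value('2001:db8:1234:5678:9ABC:DEF::1 port 5353') }
+it { is_expected.to allow_value('2001:0db8:1234:5678:9ABC:0DEF:0000:0001') }
+it { is_expected.to allow_value('2001:0db8:1234:5678:9ABC:0DEF:0000:0001 port 65534') }
+end
+end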
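Review bot: The only rejected values are `nil` and `''`, so this spec cannot tell a working validator from `Array[String]`: there is no malformed address, no out-of-range octet, and no string carrying `named.conf` syntax, which is precisely what a forwarder type exists to keep out of the rendered config. Add a negative group alongside the positive ones, for example `it { is_expected.not_to allow_value('256.0.2.1') }`, `it { is_expected.not_to allow_value('example.com') }` and `it { is_expected.not_to allow_value('192.0.2.1; include "/etc/passwd"') }`, all of which the current patterns already reject. A `not_to allow_value('192.0.2.1 port 65536')` case would be the natural boundary test next to the existing `port 65534` one, but it will only pass once the type's five-digit port match is tightened.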
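--- /dev/null
+++ b/types/forwarder.pp
@@ -0,0 +1,11 @@
+# @summary a DNS forwarder entry
+#
+# A forwarder is an IP address (v4 or v6) with optionally followed a port.
+# Since we can't compose patterns, this copies stdlib's implementation for v4.
+# For v6 it uses the default type and grossly simplifies the port check for simplicity.
+type Dns::Forwarder = Variant[
+Pattern[/\A([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])){3}(\s+port\s+[0-9]{1,5})?\z/],
+Stdlib::IP::Address::V6::Nosubnet,
+# This is a really gross simplification of IPv6
+Pattern[/(\A(:{0,2}[[:xdigit:]]{1,4}){1,8}\s+port\s[0-9]{1,5}\Z)/],
+]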
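Review bot: The IPv6-with-port pattern on the last `Pattern[...]` line anchors with `\Z` where the IPv4 pattern uses `\z`; in Ruby regex semantics, which Puppet's `Pattern` type uses, `\Z` also matches before a trailing newline, so `"::1 port 53\n"` passes validation and the newline lands in the rendered config. Change it to `\z`, and for consistency with the v4 branch use `\s+` rather than a single `\s` after `port`. Both branches also accept any one-to-five-digit port, so `port 99999` compiles fine yet is expected to be rejected by named as out of range at start-up, which is the very failure this commit sets out to catch; replacing `[0-9]{1,5}` with `([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])` pins the port to 1–65535. Finally, the simplified v6 branch matches a bare hex group such as `1234 port 53` with no colon at all, which the header comment should state explicitly, e.g. `# NOTE: this branch only checks shape, not a valid IPv6 address; bare hex groups pass`.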
