Skip to content
Snippets Groups Projects
Commit abbd15e6 authored by Rafael Guterres Jeffman's avatar Rafael Guterres Jeffman
Browse files

Add support for option `name_from_ip` in ipadnszone module.

IPA CLI has an option `name_from_ip` that provide a name for a zone
from the reverse IP address, so that it can be used to, for example,
manage PTR DNS records.

This patch adds a similar attribute to ipadnszone module, where it
will try to find the proper zone name, using DNS resolve, or provide
a sane default, if a the zone name cannot be resolved.

The option `name_from_ip` must be used instead of `name` in playbooks,
and it is a string, and not a list.

A new example playbook was added:

    playbooks/dnszone/dnszone-reverse-from-ip.yml

A new test playbook was added:

    tests/dnszone/test_dnszone_name_from_ip.yml
parent fbb2819d
No related branches found
No related tags found
No related merge requests found
...@@ -163,7 +163,8 @@ Variable | Description | Required ...@@ -163,7 +163,8 @@ Variable | Description | Required
-------- | ----------- | -------- -------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `zone_name` | The zone name string or list of strings. | yes `name` \| `zone_name` | The zone name string or list of strings. | no
`name_from_ip` | Derive zone name from reverse of IP (PTR). | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
  | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes   | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
  | `port` - The custom port that should be used on this server. | no   | `port` - The custom port that should be used on this server. | no
......
---
- name: Playbook to ensure DNS zone exist
hosts: ipaserver
become: true
tasks:
- name: Ensure zone exist, finding zone name from IP address.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 10.1.2.3
...@@ -43,6 +43,10 @@ options: ...@@ -43,6 +43,10 @@ options:
required: true required: true
type: list type: list
alises: ["zone_name"] alises: ["zone_name"]
name_from_ip:
description: Derive zone name from reverse of IP (PTR).
required: false
type: str
forwarders: forwarders:
description: The list of global DNS forwarders. description: The list of global DNS forwarders.
required: false required: false
...@@ -197,6 +201,12 @@ from ansible.module_utils.ansible_freeipa_module import ( ...@@ -197,6 +201,12 @@ from ansible.module_utils.ansible_freeipa_module import (
is_ipv6_addr, is_ipv6_addr,
is_valid_port, is_valid_port,
) # noqa: E402 ) # noqa: E402
import netaddr
import six
if six.PY3:
unicode = str
class DNSZoneModule(FreeIPABaseModule): class DNSZoneModule(FreeIPABaseModule):
...@@ -354,6 +364,31 @@ class DNSZoneModule(FreeIPABaseModule): ...@@ -354,6 +364,31 @@ class DNSZoneModule(FreeIPABaseModule):
if not zone and self.ipa_params.skip_nameserver_check is not None: if not zone and self.ipa_params.skip_nameserver_check is not None:
return self.ipa_params.skip_nameserver_check return self.ipa_params.skip_nameserver_check
def __reverse_zone_name(self, ipaddress):
"""
Infer reverse zone name from an ip address.
This function uses the same heuristics as FreeIPA to infer the zone
name from ip.
"""
try:
ip = netaddr.IPAddress(str(ipaddress))
except (netaddr.AddrFormatError, ValueError):
net = netaddr.IPNetwork(ipaddress)
items = net.ip.reverse_dns.split('.')
prefixlen = net.prefixlen
ip_version = net.version
else:
items = ip.reverse_dns.split('.')
prefixlen = 24 if ip.version == 4 else 64
ip_version = ip.version
if ip_version == 4:
return u'.'.join(items[4 - prefixlen // 8:])
elif ip_version == 6:
return u'.'.join(items[32 - prefixlen // 4:])
else:
self.fail_json(msg="Invalid IP version for reverse zone.")
def get_zone(self, zone_name): def get_zone(self, zone_name):
get_zone_args = {"idnsname": zone_name, "all": True} get_zone_args = {"idnsname": zone_name, "all": True}
response = self.api_command("dnszone_find", args=get_zone_args) response = self.api_command("dnszone_find", args=get_zone_args)
...@@ -368,14 +403,33 @@ class DNSZoneModule(FreeIPABaseModule): ...@@ -368,14 +403,33 @@ class DNSZoneModule(FreeIPABaseModule):
return zone, is_zone_active return zone, is_zone_active
def get_zone_names(self): def get_zone_names(self):
if len(self.ipa_params.name) > 1 and self.ipa_params.state != "absent": zone_names = self.__get_zone_names_from_params()
if len(zone_names) > 1 and self.ipa_params.state != "absent":
self.fail_json( self.fail_json(
msg=("Please provide a single name. Multiple values for 'name'" msg=("Please provide a single name. Multiple values for 'name'"
"can only be supplied for state 'absent'.") "can only be supplied for state 'absent'.")
) )
return zone_names
def __get_zone_names_from_params(self):
if not self.ipa_params.name:
return [self.__reverse_zone_name(self.ipa_params.name_from_ip)]
return self.ipa_params.name return self.ipa_params.name
def check_ipa_params(self):
if not self.ipa_params.name and not self.ipa_params.name_from_ip:
self.fail_json(
msg="Either `name` or `name_from_ip` must be provided."
)
if self.ipa_params.state != "present" and self.ipa_params.name_from_ip:
self.fail_json(
msg=(
"Cannot use argument `name_from_ip` with state `%s`."
% self.ipa_params.state
)
)
def define_ipa_commands(self): def define_ipa_commands(self):
for zone_name in self.get_zone_names(): for zone_name in self.get_zone_names():
# Look for existing zone in IPA # Look for existing zone in IPA
...@@ -434,8 +488,9 @@ def get_argument_spec(): ...@@ -434,8 +488,9 @@ def get_argument_spec():
ipaadmin_principal=dict(type="str", default="admin"), ipaadmin_principal=dict(type="str", default="admin"),
ipaadmin_password=dict(type="str", required=False, no_log=True), ipaadmin_password=dict(type="str", required=False, no_log=True),
name=dict( name=dict(
type="list", default=None, required=True, aliases=["zone_name"] type="list", default=None, required=False, aliases=["zone_name"]
), ),
name_from_ip=dict(type="str", default=None, required=False),
forwarders=dict( forwarders=dict(
type="list", type="list",
default=None, default=None,
...@@ -475,7 +530,11 @@ def get_argument_spec(): ...@@ -475,7 +530,11 @@ def get_argument_spec():
def main(): def main():
DNSZoneModule(argument_spec=get_argument_spec()).ipa_run() DNSZoneModule(
argument_spec=get_argument_spec(),
mutually_exclusive=[["name", "name_from_ip"]],
required_one_of=[["name", "name_from_ip"]],
).ipa_run()
if __name__ == "__main__": if __name__ == "__main__":
......
---
- name: Test dnszone
hosts: ipaserver
become: yes
gather_facts: yes
tasks:
# Setup
- name: Ensure zone is absent.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
with_items:
- 2.0.192.in-addr.arpa.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa.
- 1.0.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa.
# tests
- name: Ensure zone exists for reverse IP.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 192.0.2.3/24
register: ipv4_zone
failed_when: not ipv4_zone.changed or ipv4_zone.failed
- name: Ensure zone exists for reverse IP, again.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 192.0.2.3/24
register: result
failed_when: result.changed or result.failed
- name: Ensure zone exists for reverse IP, given the zone name.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: "{{ ipv4_zone.dnszone.name }}"
register: result
failed_when: result.changed or result.failed
- name: Modify existing zone, using `name_from_ip`.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 192.0.2.3/24
default_ttl: 1234
register: result
failed_when: not result.changed
- name: Modify existing zone, using `name_from_ip`, again.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 192.0.2.3/24
default_ttl: 1234
register: result
failed_when: result.changed or result.failed
- name: Ensure ipv6 zone exists for reverse IPv6.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: fd00::0001
register: ipv6_zone
failed_when: not ipv6_zone.changed or ipv6_zone.failed
# - debug:
# msg: "{{ipv6_zone}}"
- name: Ensure ipv6 zone was created.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: "{{ ipv6_zone.dnszone.name }}"
register: result
failed_when: result.changed or result.failed
- name: Ensure ipv6 zone exists for reverse IPv6, again.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: fd00::0001
register: result
failed_when: result.changed
- name: Ensure second ipv6 zone exists for reverse IPv6.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 2001:db8:cafe:1::1
register: ipv6_sec_zone
failed_when: not ipv6_sec_zone.changed or ipv6_zone.failed
- name: Ensure second ipv6 zone was created.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: "{{ ipv6_sec_zone.dnszone.name }}"
register: result
failed_when: result.changed or result.failed
- name: Ensure second ipv6 zone exists for reverse IPv6, again.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 2001:db8:cafe:1::1
register: result
failed_when: result.changed
# Cleanup
- name: Ensure zone is absent.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: "{{ item }}"
state: absent
with_items:
- "{{ ipv6_zone.dnszone.name }}"
- "{{ ipv6_sec_zone.dnszone.name }}"
- "{{ ipv4_zone.dnszone.name }}"
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment