From 2716643b0ec739de581b6d49a4c52826c8f07785 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 30 Jan 2024 12:29:23 +0100
Subject: [PATCH] Fixes #37121 - Automatically secure the DHCP OMAPI interface

The tsig-keygen command can be used to generate a TSIG key to secure the OMAPI communication.
---
 .fixtures.yml          |  4 +++-
 manifests/init.pp      |  4 ++--
 manifests/proxydhcp.pp | 32 +++++++++++++++++++++++---------
 3 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/.fixtures.yml b/.fixtures.yml
index d2486dfb..5871b07c 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -7,7 +7,9 @@ fixtures:
   cron_core: "https://github.com/puppetlabs/puppetlabs-cron_core"
   datacat: 'https://github.com/richardc/puppet-datacat'
   dhcp: 'https://github.com/theforeman/puppet-dhcp'
-  dns: 'https://github.com/theforeman/puppet-dns'
+  dns:
+    repo: 'https://github.com/ekohl/puppet-dns'
+    branch: add-tsig-keygen
   extlib: 'https://github.com/voxpupuli/puppet-extlib'
   foreman: 'https://github.com/theforeman/puppet-foreman'
   puppet: 'https://github.com/theforeman/puppet-puppet'
diff --git a/manifests/init.pp b/manifests/init.pp
index 3d31dbf0..edf6e544 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -163,7 +163,7 @@
 #
 # $dhcp_key_name:: DHCP key name
 #
-# $dhcp_key_secret:: DHCP password
+# $dhcp_key_secret:: DHCP key secret
 #
 # $dhcp_omapi_port:: DHCP server OMAPI port
 #
@@ -363,7 +363,7 @@
   String $dhcp_server = '127.0.0.1',
   Stdlib::Absolutepath $dhcp_config = $foreman_proxy::params::dhcp_config,
   Stdlib::Absolutepath $dhcp_leases = $foreman_proxy::params::dhcp_leases,
-  Optional[String] $dhcp_key_name = undef,
+  String[1] $dhcp_key_name = 'omapi_key',
   Optional[String] $dhcp_key_secret = undef,
   Stdlib::Port $dhcp_omapi_port = 7911,
   Optional[String] $dhcp_peer_address = undef,
diff --git a/manifests/proxydhcp.pp b/manifests/proxydhcp.pp
index 4dfb5f24..31a1df3b 100644
--- a/manifests/proxydhcp.pp
+++ b/manifests/proxydhcp.pp
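Review bot: The `dns` fixture now resolves to a personal fork on a mutable branch, `repo: 'https://github.com/ekohl/puppet-dns'` / `branch: add-tsig-keygen`, so the test suite picks up `dns::tsig_keygen` from whatever that branch contains at run time rather than from the upstream module. That is reasonable while the companion change is in flight, but it should not be merged as-is: once the function lands upstream, restore `dns: 'https://github.com/theforeman/puppet-dns'`, or at minimum pin the fork with a `ref` to a specific commit so fixture resolution is reproducible. The diffstat shows only three files changed, so the module's dependency metadata is not updated to require a puppet-dns release that actually ships `dns::tsig_keygen`; that bound is needed before release or consumers on an older puppet-dns will fail at compile time.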
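Review bot: The reworded description `# $dhcp_key_secret:: DHCP key secret` does not tell the user what happens when the parameter is left at its `undef` default, which is exactly the case this patch changes: proxydhcp.pp then calls `dns::tsig_keygen` and stores the result through `extlib::cache_data`, so the secret is generated and kept on the Puppet server rather than chosen by the operator. I would write `# $dhcp_key_secret:: DHCP OMAPI key secret. When undef, a key is generated with tsig-keygen at catalog compile time and cached on the Puppet server so it stays stable across runs.` and extend `$dhcp_key_name` with a note that it is also the TSIG key name written into the dhcpd and proxy configuration and may not be empty now that the parameter is `String[1]`. A sentence in the module README about where the cached key lives would help operators who need to rotate it.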
@@ -62,16 +62,30 @@
     $_dhcp_ipxefilename = undef
   }
 
+  # TODO parametrize
+  $dhcp_key_algorithm = 'hmac-sha256'
+  if $foreman_proxy::dhcp_key_name {
+    if $foreman_proxy::dhcp_key_secret {
+      $dhcp_key_secret = $foreman_proxy::dhcp_key_secret
+    } else {
+      $tsig_key = extlib::cache_data('theforeman', 'dhcp_omapi', dns::tsig_keygen($foreman_proxy::dhcp_key_name, $dhcp_key_algorithm))
+      $dhcp_key_secret = $tsig_key['secret']
+    }
+  } else {
+    $dhcp_key_secret = $foreman_proxy::dhcp_key_secret
+  }
+
   class { 'dhcp':
-    dnsdomain     => $foreman_proxy::dhcp_option_domain,
-    nameservers   => $nameservers,
-    interfaces    => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
-    pxeserver     => $ip,
-    pxefilename   => $foreman_proxy::dhcp_pxefilename,
-    ipxe_filename => $_dhcp_ipxefilename,
-    omapi_name    => $foreman_proxy::dhcp_key_name,
-    omapi_key     => $foreman_proxy::dhcp_key_secret,
-    conf_dir_mode => $conf_dir_mode,
+    dnsdomain       => $foreman_proxy::dhcp_option_domain,
+    nameservers     => $nameservers,
+    interfaces      => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
+    pxeserver       => $ip,
+    pxefilename     => $foreman_proxy::dhcp_pxefilename,
+    ipxe_filename   => $_dhcp_ipxefilename,
+    omapi_name      => $foreman_proxy::dhcp_key_name,
+    omapi_key       => $dhcp_key_secret,
+    omapi_algorithm => $dhcp_key_algorithm,
+    conf_dir_mode   => $conf_dir_mode,
   }
 
   dhcp::pool { $facts['networking']['domain']:
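Review bot: The generated secret is cached under a name with no per-node component, `extlib::cache_data('theforeman', 'dhcp_omapi', …)`, so as far as I can tell every smart proxy whose catalog is compiled by the same Puppet server receives the identical OMAPI TSIG key, because cache_data keeps one entry per namespace/name on the compile host rather than per node. OMAPI grants lease and host manipulation on the DHCP server, so one compromised proxy would then hold a valid key for all of them; scoping the entry, e.g. `extlib::cache_data('theforeman', "dhcp_omapi_${trusted['certname']}", dns::tsig_keygen($foreman_proxy::dhcp_key_name, $dhcp_key_algorithm))`, keeps the keys distinct per host. Note also that the `dns::tsig_keygen(...)` argument is evaluated on every compile (Puppet evaluates function arguments eagerly) even when the cached value is what gets used, and that with `$dhcp_key_name` now typed `String[1]` in init.pp the outer `else` branch, `$dhcp_key_secret = $foreman_proxy::dhcp_key_secret`, is unreachable and can be dropped along with the outer `if`. Since the cache file now holds key material, it is worth confirming the permissions extlib creates it with on the Puppet server. The enclosing class body starts and ends outside this hunk.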