Merge pull request #131 from apenney/allow-deny

location_allow and location_deny support.
voxpupuli · Sep 4, 2013 · 2df378e · 2df378e
2 parents 4e7a453 + 39bc3f1
commit 2df378e
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 17 deletions.
diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp
@@ -6,6 +6,8 @@
 #   [*ensure*]               - Enables or disables the specified location (present|absent)
 #   [*vhost*]                - Defines the default vHost for this location entry to include with
 #   [*location*]             - Specifies the URI associated with this location entry
+#   [*location_allow*]      - Array: Locations to allow connections from.
+#   [*location_deny*]       - Array: Locations to deny connections from.
 #   [*www_root*]             - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy
 #   [*index_files*]          - Default index files for NGINX to read when traversing a directory
 #   [*proxy*]                - Proxy server(s) for a location to connect to. Accepts a single value, can be used in conjunction
@@ -82,6 +84,8 @@
   $ssl                  = false,
   $ssl_only             = false,
   $location_alias       = undef,
+  $location_allow       = undef,
+  $location_deny        = undef,
   $option               = undef,
   $stub_status          = undef,
   $location_custom_cfg  = undef,

diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
@@ -7,6 +7,8 @@
 #   [*listen_ip*]           - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
 #   [*listen_port*]         - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
 #   [*listen_options*]      - Extra options for listen directive like 'default' to catchall. Undef by default.
+#   [*location_allow*]      - Array: Locations to allow connections from.
+#   [*location_deny*]       - Array: Locations to deny connections from.
 #   [*ipv6_enable*]         - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
 #                             support exists on your system before enabling.
 #   [*ipv6_listen_ip*]      - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
@@ -64,6 +66,8 @@
   $listen_ip              = '*',
   $listen_port            = '80',
   $listen_options         = undef,
+  $location_allow         = [],
+  $location_deny          = [],
   $ipv6_enable            = false,
   $ipv6_listen_ip         = '::',
   $ipv6_listen_port       = '80',
@@ -101,6 +105,9 @@
   $include_files          = undef
 ) {
 
+  validate_array($location_allow)
+  validate_array($location_deny)
+
   File {
     ensure => $ensure ? {
       'absent' => absent,
@@ -144,23 +151,25 @@
 
   # Create the default location reference for the vHost
   nginx::resource::location {"${name}-default":
-    ensure               => $ensure,
-    vhost                => $name,
-    ssl                  => $ssl,
-    ssl_only             => $ssl_only,
-    location             => '/',
-    proxy                => $proxy,
-    proxy_read_timeout   => $proxy_read_timeout,
-    proxy_cache          => $proxy_cache,
-    proxy_cache_valid    => $proxy_cache_valid,
-    fastcgi              => $fastcgi,
-    fastcgi_params       => $fastcgi_params,
-    fastcgi_script       => $fastcgi_script,
-    try_files            => $try_files,
-    www_root             => $www_root,
-    index_files          => $index_files,
-    location_custom_cfg  => $location_custom_cfg,
-    notify               => Class['nginx::service'],
+    ensure              => $ensure,
+    vhost               => $name,
+    ssl                 => $ssl,
+    ssl_only            => $ssl_only,
+    location            => '/',
+    location_allow      => $location_allow,
+    location_deny       => $location_deny,
+    proxy               => $proxy,
+    proxy_read_timeout  => $proxy_read_timeout,
+    proxy_cache         => $proxy_cache,
+    proxy_cache_valid   => $proxy_cache_valid,
+    fastcgi             => $fastcgi,
+    fastcgi_params      => $fastcgi_params,
+    fastcgi_script      => $fastcgi_script,
+    try_files           => $try_files,
+    www_root            => $www_root,
+    index_files         => $index_files,
+    location_custom_cfg => $location_custom_cfg,
+    notify              => Class['nginx::service'],
   }
 
   # Support location_cfg_prepend and location_cfg_append on default location created by vhost

diff --git a/spec/defines/nginx__resource__vhost_spec.rb b/spec/defines/nginx__resource__vhost_spec.rb
@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe 'nginx::resource::vhost' do
+
+  describe 'applies allow and deny rules' do
+    let (:title) { 'test' }
+    let (:params) {{
+      :www_root       => '/var/www/nginx',
+      :location_allow => ['10.0.0.1', 'host1'],
+      :location_deny  => ['host2', '10.0.0.2']
+    }}
+
+    it 'applies location_allow rules' do
+      should contain_file('/nginx.d/test-500-test-default').with({
+        'content' => /allow 10.0.0.1\n  allow host1/
+      })
+    end
+    it 'applies location_deny rules' do
+      should contain_file('/nginx.d/test-500-test-default').with({
+        'content' => /deny host2\n  deny 10.0.0.2/
+      })
+    end
+  end
+
+end
diff --git a/templates/vhost/vhost_location_directory.erb b/templates/vhost/vhost_location_directory.erb
@@ -1,4 +1,10 @@
   location <%= @location %> {
+<% if @location_allow -%><% @location_allow.each do |allow_rule| -%>
+  allow <%= allow_rule %>
+<% end -%><% end -%>
+<% if @location_deny -%><% @location_deny.each do |deny_rule| -%>
+  deny <%= deny_rule %>
+<% end -%><% end -%>
 <% if @location_cfg_prepend -%><% @location_cfg_prepend.sort_by {|k,v| k}.each do |key,value| -%>
     <%= key %> <%= value %>;
 <% end -%><% end -%>