Add support for checking if an apt::keyring is up-to-date with checksums #1199
wants to merge 2 commits into
base: main
52 changes: 40 additions & 12 deletions manifests/keyring.pp
Expand Up @@ -13,6 +13,17 @@
# source => 'https://apt.puppetlabs.com/keyring.gpg'
# }
# }
# @example Deploy the apt source and associated keyring file with checksum
# apt::source { 'puppet8-release':
# location => 'http://apt.puppetlabs.com',
# repos => 'puppet8',
# key => {
# name => 'puppetlabs-keyring.gpg',
# source => 'https://apt.puppetlabs.com/keyring.gpg'
# checksum => 'sha256',
# checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
# }
# }
#
# @param dir
# Path to the directory where the keyring will be stored.
Expand All @@ -32,13 +43,28 @@
# @param ensure
# Ensure presence or absence of the resource.
#
# @param checksum
# Checksum type of the keyfile.
# Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
# this parameter. (due to checksum_value parameter).
# Optional, but is useful if the keyfile is from a remote HTTP source that
# does not provide the necessary headers for the file resource to determine if
# content has changed.
#
# @param checksum_value
# The value of the checksum, must be a String.
# Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
# this parameter.
#
define apt::keyring (
Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
String[1] $filename = $name,
Stdlib::Filemode $mode = '0644',
Optional[Stdlib::Filesource] $source = undef,
Optional[String[1]] $content = undef,
Enum['present','absent'] $ensure = 'present',
Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
String[1] $filename = $name,
Stdlib::Filemode $mode = '0644',
Optional[Stdlib::Filesource] $source = undef,
Optional[String[1]] $content = undef,
Enum['present','absent'] $ensure = 'present',
Optional[Enum['md5','sha256','sha224','sha384','sha512']] $checksum = undef,
Optional[String] $checksum_value = undef,
) {
ensure_resource('file', $dir, { ensure => 'directory', mode => '0755', })
if $source and $content {
Expand All @@ -52,12 +78,14 @@
case $ensure {
'present': {
file { $file:
ensure => 'file',
mode => $mode,
owner => 'root',
group => 'root',
source => $source,
content => $content,
ensure => 'file',
mode => $mode,
owner => 'root',
group => 'root',
source => $source,
content => $content,
checksum => $checksum,
checksum_value => $checksum_value,
}
}
'absent': {
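Review bot: In the parameter list of the second hunk, `checksum_value` can be given without `checksum`; nothing in the define ties the two together, so a pinned digest is presumably interpreted against whatever digest type the underlying `file` resource defaults to rather than the one the caller computed. The existing source/content guard is the natural place for a companion check such as `if $checksum_value and !$checksum { fail('apt::keyring: checksum must be set when checksum_value is given') }`. `Optional[String] $checksum_value` also admits an empty string; `Optional[String[1]]` matches the "must be a String" wording and the other string parameters of the define. The `@param checksum_value` text repeats the digest-type sentence from `@param checksum`, which only applies to `checksum`, and could simply say that the value must match the digest selected by `checksum`. The define's body continues past the third hunk.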
36 changes: 26 additions & 10 deletions manifests/source.pp
Expand Up @@ -14,13 +14,27 @@
# extension. Absence of extension will result in file formation with just name and no extension.
# apt::source { 'puppetlabs':
# location => 'http://apt.puppetlabs.com',
# comment => 'Puppet8',
# repos => 'puppet8'
# comment => 'Puppet 8 release',
# key => {
# 'name' => 'puppetlabs.gpg',
# 'name' => 'puppetlabs-keyring.gpg',
# 'source' => 'https://apt.puppetlabs.com/keyring.gpg',
# },
# }
#
# @example Deploy the apt source and associated keyring file with checksum
# apt::source { 'puppetlabs':
# location => 'http://apt.puppetlabs.com',
# repos => 'puppet8',
# comment => 'Puppet 8 release',
# key => {
# name => 'puppetlabs-keyring.gpg',
# source => 'https://apt.puppetlabs.com/keyring.gpg'
# checksum => 'sha256',
# checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
# }
# }
#
# @param location
# Required, unless ensure is set to 'absent'. Specifies an Apt repository. Valid options: a string containing a repository URL.
#
Expand All @@ -47,7 +61,7 @@
#
# @param key
# Creates an `apt::keyring` in `/etc/apt/keyrings` (or anywhere on disk given `filename`) Valid options:
# * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`
# * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`, `checksum`, `checksum_value`.
#
# The following inputs are valid for the (deprecated) `apt::key` defined type. Valid options:
# * a string to be passed to the `id` parameter of the `apt::key` defined type
Expand Down Expand Up @@ -177,13 +191,15 @@
# Modern apt keyrings
elsif $_key =~ Hash and $_key['name'] {
apt::keyring { $_key['name']:
ensure => $_key_ensure,
content => $_key['content'],
source => $_key['source'],
dir => $_key['dir'],
filename => $_key['filename'],
mode => $_key['mode'],
before => $_before,
ensure => $_key_ensure,
content => $_key['content'],
source => $_key['source'],
dir => $_key['dir'],
filename => $_key['filename'],
mode => $_key['mode'],
checksum => $_key['checksum'],
checksum_value => $_key['checksum_value'],
before => $_before,
}

$_list_keyring = if $_key['dir'] and $_key['filename'] {
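Review bot: The new `@example` in the first hunk is missing a comma after the `source` value (`source => 'https://apt.puppetlabs.com/keyring.gpg'` is followed directly by `checksum => 'sha256',`), so the example is not valid Puppet; the matching example added to manifests/keyring.pp has the same gap. The updated `@param key` line still says the hash pairs are "passed to `file`", whereas the third hunk hands them to `apt::keyring`; `passed to `apt::keyring`` reads correctly. In the third hunk `$_key['checksum']` and `$_key['checksum_value']` are forwarded as-is; whether the `key` parameter's declared type accepts these two hash keys is not visible here, so that is worth confirming. The enclosing `apt::source` define starts and ends outside the hunks.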
12 changes: 12 additions & 0 deletions spec/defines/keyring_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,18 @@
let(:facts) { os_facts }

it { is_expected.to compile }

context 'with checksum verification enabled' do
let (:params) do
{
source: 'https://apt.puppetlabs.com/pubkey.gpg',
checksum: 'sha256',
checksum_value: '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
}
end

it { is_expected.to compile }
end
end
end
end
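Review bot: The new context only asserts `is_expected.to compile`, which passes even if the two new parameters never reach the `file` resource; a catalogue assertion such as `it { is_expected.to contain_file(<keyring path>).with(checksum: 'sha256', checksum_value: params[:checksum_value]) }` would pin the behaviour the change adds (the keyring path comes from the define's `$dir`/`$filename` defaults and the title, which are outside this hunk). `let (:params)` has a space before the parenthesis that RuboCop flags; `let(:params)` matches the surrounding specs. The enclosing describe/context blocks start outside the hunk.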
26 changes: 12 additions & 14 deletions spec/defines/source_spec.rb
Expand Up @@ -103,21 +103,20 @@
release: 'sid',
repos: 'testing',
key: {
'ensure' => 'refreshed',
'id' => id,
'server' => 'pgp.mit.edu',
'content' => 'GPG key content',
'source' => 'http://apt.puppetlabs.com/pubkey.gpg',
'weak_ssl' => true
'name' => 'puppetlabs-keyring.gpg',
'ensure' => 'present',
'source' => 'https://apt.puppetlabs.com/pubkey.gpg',
'checksum' => 'sha256',
'checksum_value' => '050e8c0c43d4b43449ea89ffbea8a1c912a1bb3d008a70ad9623912024933e01',
},
pin: '10',
architecture: 'x86_64',
allow_unsigned: true
allow_insecure: true
}
end

it {
expect(subject).to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 trusted=yes\] http://debian.mirror.iweb.ca/debian/ sid testing\n})
expect(subject).to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 allow-insecure=yes signed-by=/etc/apt/keyrings/puppetlabs-keyring.gpg\] http://debian.mirror.iweb.ca/debian/ sid testing\n})
.without_content(%r{deb-src})
}

Expand All @@ -128,12 +127,11 @@
}

it {
expect(subject).to contain_apt__key("Add key: #{id} from Apt::Source my_source").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'refreshed',
id: id,
server: 'pgp.mit.edu',
content: 'GPG key content',
source: 'http://apt.puppetlabs.com/pubkey.gpg',
weak_ssl: true)
expect(subject).to contain_apt__keyring("puppetlabs-keyring.gpg").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present',
name: 'puppetlabs-keyring.gpg',
source: 'https://apt.puppetlabs.com/pubkey.gpg',
checksum: 'sha256',
checksum_value: '050e8c0c43d4b43449ea89ffbea8a1c912a1bb3d008a70ad9623912024933e01')
}
end
end
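Review bot: The checksum case replaces the only spec exercising the legacy `apt::key` hash inputs (`id`, `server`, `weak_ssl`, `ensure => 'refreshed'`) instead of sitting alongside it, so the deprecated path that manifests/source.pp still documents loses its coverage; keeping the original context and adding the keyring/checksum hash as a new context would cover both. `contain_apt__keyring("puppetlabs-keyring.gpg")` uses double quotes where the rest of the file uses single quotes for plain strings. The description of the surrounding context is outside the hunk and may still name `apt::key`, which would be worth rewording to match the new expectation.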