diff --git a/manifests/keyring.pp b/manifests/keyring.pp
index d42f4e3c21..ef7fa2e4e4 100644
--- a/manifests/keyring.pp
+++ b/manifests/keyring.pp
@@ -13,6 +13,17 @@
 # source => 'https://apt.puppetlabs.com/keyring.gpg'
 # }
 # }
+# @example Deploy the apt source and associated keyring file with checksum
+# apt::source { 'puppet8-release':
+# location => 'http://apt.puppetlabs.com',
+# repos => 'puppet8',
+# key => {
+# name => 'puppetlabs-keyring.gpg',
+# source => 'https://apt.puppetlabs.com/keyring.gpg'
+# checksum => 'sha256',
+# checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+# }
+# }
 #
 # @param dir
 # Path to the directory where the keyring will be stored.
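Review bot: The new `@example` does not parse as Puppet: inside `key => { ... }` the entry `source => 'https://apt.puppetlabs.com/keyring.gpg'` has no trailing comma before `checksum => 'sha256',`, so anyone pasting the example gets a syntax error. The fix is the one line `source => 'https://apt.puppetlabs.com/keyring.gpg',`. Since this example is the first place readers see `checksum`/`checksum_value`, it would also help to say in the example title that the value is the sha256 of the keyring file as fetched, e.g. `@example Deploy the apt source and a keyring file whose sha256 is pinned`.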
@@ -32,13 +43,28 @@
 # @param ensure
 # Ensure presence or absence of the resource.
 #
+# @param checksum
+# Checksum type of the keyfile.
+# Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
+# this parameter. (due to checksum_value parameter).
+# Optional, but is useful if the keyfile is from a remote HTTP source that
+# does not provide the necessary headers for the file resource to determine if
+# content has changed.
+#
+# @param checksum_value
+# The value of the checksum, must be a String.
+# Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
+# this parameter.
+#
 define apt::keyring (
- Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
- String[1] $filename = $name,
- Stdlib::Filemode $mode = '0644',
- Optional[Stdlib::Filesource] $source = undef,
- Optional[String[1]] $content = undef,
- Enum['present','absent'] $ensure = 'present',
+ Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
+ String[1] $filename = $name,
+ Stdlib::Filemode $mode = '0644',
+ Optional[Stdlib::Filesource] $source = undef,
+ Optional[String[1]] $content = undef,
+ Enum['present','absent'] $ensure = 'present',
+ Optional[Enum['md5','sha256','sha224','sha384','sha512']] $checksum = undef,
+ Optional[String] $checksum_value = undef,
 ) {
 ensure_resource('file', $dir, { ensure => 'directory', mode => '0755', })
 if $source and $content {
@@ -52,12 +78,14 @@
 case $ensure {
 'present': {
 file { $file:
- ensure => 'file',
- mode => $mode,
- owner => 'root',
- group => 'root',
- source => $source,
- content => $content,
+ ensure => 'file',
+ mode => $mode,
+ owner => 'root',
+ group => 'root',
+ source => $source,
+ content => $content,
+ checksum => $checksum,
+ checksum_value => $checksum_value,
 }
 }
 'absent': {
diff --git a/manifests/source.pp b/manifests/source.pp
index 776c5f7a43..1be5ef3f7b 100644
--- a/manifests/source.pp
+++ b/manifests/source.pp
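Review bot: The new parameters are accepted independently of each other — `$checksum_value` can be set with `$checksum` left `undef`, and `Optional[String]` also admits an empty string — even though the `@param` text added here says the value "must be a String" and only has meaning together with a checksum type; both are then handed straight to `file` in the next hunk, so a mismatch presumably only shows up at apply time as a checksum failure rather than as a clear catalog error. I would tighten the type to `Optional[String[1]] $checksum_value = undef,` and add, next to the existing `if $source and $content {` check, `if $checksum_value and !$checksum { fail('apt::keyring: checksum_value requires checksum to be set') }`. The `@param checksum` doc could also note that `md5` in the allowed enum is only useful for change detection, not for verifying that a key fetched over HTTP has not been altered, so `sha256` or stronger is the sensible choice when `checksum_value` is used for that purpose.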
@@ -14,13 +14,27 @@
 # extension. Absence of extension will result in file formation with just name and no extension.
 # apt::source { 'puppetlabs':
 # location => 'http://apt.puppetlabs.com',
-# comment => 'Puppet8',
+# repos => 'puppet8'
+# comment => 'Puppet 8 release',
 # key => {
-# 'name' => 'puppetlabs.gpg',
+# 'name' => 'puppetlabs-keyring.gpg',
 # 'source' => 'https://apt.puppetlabs.com/keyring.gpg',
 # },
 # }
 #
+# @example Deploy the apt source and associated keyring file with checksum
+# apt::source { 'puppetlabs':
+# location => 'http://apt.puppetlabs.com',
+# repos => 'puppet8',
+# comment => 'Puppet 8 release',
+# key => {
+# name => 'puppetlabs-keyring.gpg',
+# source => 'https://apt.puppetlabs.com/keyring.gpg'
+# checksum => 'sha256',
+# checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+# }
+# }
+#
 # @param location
 # Required, unless ensure is set to 'absent'. Specifies an Apt repository. Valid options: a string containing a repository URL.
 #
@@ -47,7 +61,7 @@
 #
 # @param key
 # Creates an `apt::keyring` in `/etc/apt/keyrings` (or anywhere on disk given `filename`) Valid options:
-# * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`
+# * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`, `checksum`, `checksum_value`.
 #
 # The following inputs are valid for the (deprecated) `apt::key` defined type. Valid options:
 # * a string to be passed to the `id` parameter of the `apt::key` defined type
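Review bot: Both examples in the first hunk are missing a comma and will not parse if copied: the added `repos => 'puppet8'` in the first example needs to be `repos => 'puppet8',` before `comment`, and in the second example `source => 'https://apt.puppetlabs.com/keyring.gpg'` needs to be `source => 'https://apt.puppetlabs.com/keyring.gpg',` before `checksum`. In the second hunk the `@param key` list now names `checksum` and `checksum_value` but still omits `dir` and `mode`, which the `apt::keyring` declaration further down in source.pp also reads from the hash; listing them here keeps the documented and accepted keys in step. The same line also says the pairs are "passed to `file`" while the code passes them to `apt::keyring` — "passed to `apt::keyring`" would be more accurate.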
@@ -177,13 +191,15 @@
 # Modern apt keyrings
 elsif $_key =~ Hash and $_key['name'] {
 apt::keyring { $_key['name']:
- ensure => $_key_ensure,
- content => $_key['content'],
- source => $_key['source'],
- dir => $_key['dir'],
- filename => $_key['filename'],
- mode => $_key['mode'],
- before => $_before,
+ ensure => $_key_ensure,
+ content => $_key['content'],
+ source => $_key['source'],
+ dir => $_key['dir'],
+ filename => $_key['filename'],
+ mode => $_key['mode'],
+ checksum => $_key['checksum'],
+ checksum_value => $_key['checksum_value'],
+ before => $_before,
 }
 $_list_keyring = if $_key['dir'] and $_key['filename'] {
diff --git a/spec/defines/keyring_spec.rb b/spec/defines/keyring_spec.rb
index 6b3c65e1ef..34ac26fa8a 100644
--- a/spec/defines/keyring_spec.rb
+++ b/spec/defines/keyring_spec.rb
@@ -15,6 +15,18 @@
 let(:facts) { os_facts }
 it { is_expected.to compile }
+
+ context 'with checksum verification enabled' do
+ let (:params) do
+ {
+ source: 'https://apt.puppetlabs.com/pubkey.gpg',
+ checksum: 'sha256',
+ checksum_value: '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+ }
+ end
+
+ it { is_expected.to compile }
+ end
 end
 end
 end
diff --git a/spec/defines/source_spec.rb b/spec/defines/source_spec.rb
index 5268c03a04..1805bb5a78 100644
--- a/spec/defines/source_spec.rb
+++ b/spec/defines/source_spec.rb
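Review bot: The new keyring_spec context only asserts `is_expected.to compile`, so it would still pass if `checksum`/`checksum_value` were silently dropped before reaching the managed file; an expectation on the `file` resource that apt::keyring declares (presumably `/etc/apt/keyrings/<title>` with the defaults, the path is built outside this hunk) is what actually pins the feature, e.g. `it { is_expected.to contain_file('/etc/apt/keyrings/<title>').with(checksum: 'sha256', checksum_value: '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771') }` with the title substituted. `let (:params) do` has a space before the parenthesis, which RuboCop flags (Lint/ParenthesesAsGroupedExpression) and which differs from the surrounding `let(:facts)`; write `let(:params) do`. A sibling context that passes `checksum_value` without `checksum` would document whatever behaviour the define is meant to have for that half-specified case.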
@@ -103,21 +103,20 @@
 release: 'sid',
 repos: 'testing',
 key: {
- 'ensure' => 'refreshed',
- 'id' => id,
- 'server' => 'pgp.mit.edu',
- 'content' => 'GPG key content',
- 'source' => 'http://apt.puppetlabs.com/pubkey.gpg',
- 'weak_ssl' => true
+ 'name' => 'puppetlabs-keyring.gpg',
+ 'ensure' => 'present',
+ 'source' => 'https://apt.puppetlabs.com/pubkey.gpg',
+ 'checksum' => 'sha256',
+ 'checksum_value' => '050e8c0c43d4b43449ea89ffbea8a1c912a1bb3d008a70ad9623912024933e01',
 },
 pin: '10',
 architecture: 'x86_64',
- allow_unsigned: true
+ allow_insecure: true
 }
 end
 it {
- expect(subject).to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 trusted=yes\] http://debian.mirror.iweb.ca/debian/ sid testing\n})
+ expect(subject).to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 allow-insecure=yes signed-by=/etc/apt/keyrings/puppetlabs-keyring.gpg\] http://debian.mirror.iweb.ca/debian/ sid testing\n})
 .without_content(%r{deb-src})
 }
@@ -128,12 +127,11 @@
 }
 it {
- expect(subject).to contain_apt__key("Add key: #{id} from Apt::Source my_source").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'refreshed',
- id: id,
- server: 'pgp.mit.edu',
- content: 'GPG key content',
- source: 'http://apt.puppetlabs.com/pubkey.gpg',
- weak_ssl: true)
+ expect(subject).to contain_apt__keyring("puppetlabs-keyring.gpg").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present',
+ name: 'puppetlabs-keyring.gpg',
+ source: 'https://apt.puppetlabs.com/pubkey.gpg',
+ checksum: 'sha256',
+ checksum_value: '050e8c0c43d4b43449ea89ffbea8a1c912a1bb3d008a70ad9623912024933e01')
 }
 end
 end
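Review bot: Rewriting this fixture in place drops the only coverage in the file for the deprecated `apt::key` hash form (`id`/`server`/`weak_ssl`, with its `Add key: ... from Apt::Source my_source` title) and for `allow_unsigned` producing `trusted=yes`, both of which source.pp still accepts according to the doc hunk in this same commit; a new `context 'with a keyring and checksum'` alongside the old one keeps that behaviour tested. The new fixture also pairs `allow_insecure: true` with a `signed-by=` keyring, and the expected list line `allow-insecure=yes signed-by=/etc/apt/keyrings/puppetlabs-keyring.gpg` is a combination that relaxes apt-secure checks for exactly the source whose key is being pinned; nothing in the assertions needs it, so dropping `allow_insecure: true` makes the expected line `deb \[arch=x86_64 signed-by=/etc/apt/keyrings/puppetlabs-keyring.gpg\] ...` and keeps the test about the keyring. The second hunk's `contain_apt__keyring("puppetlabs-keyring.gpg")` uses double quotes where the rest of the file uses single quotes for plain strings.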