Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for checking if an apt::keyring is up-to-date with checksums #1199

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add support for checking if an apt::keyring is up-to-date with checksums #1199

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
53e717f
issues/1196
NeatNerdPrime Sep 7, 2024
12b7f80
issues/1196
NeatNerdPrime Sep 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 40 additions & 12 deletions manifests/keyring.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,17 @@
# source => 'https://apt.puppetlabs.com/keyring.gpg'
# }
# }
# @example Deploy the apt source and associated keyring file with checksum
# apt::source { 'puppet8-release':
# location => 'http://apt.puppetlabs.com',
# repos => 'puppet8',
# key => {
# name => 'puppetlabs-keyring.gpg',
# source => 'https://apt.puppetlabs.com/keyring.gpg'
# checksum => 'sha256',
# checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
# }
# }
#
# @param dir
# Path to the directory where the keyring will be stored.
Expand All @@ -32,13 +43,28 @@
# @param ensure
# Ensure presence or absence of the resource.
#
# @param checksum
# Checksum type of the keyfile.
# Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
# this parameter. (due to checksum_value parameter).
# Optional, but is useful if the keyfile is from a remote HTTP source that
# does not provide the necessary headers for the file resource to determine if
# content has changed.
#
# @param checksum_value
# The value of the checksum, must be a String.
# Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
# this parameter.
#
define apt::keyring (
Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
String[1] $filename = $name,
Stdlib::Filemode $mode = '0644',
Optional[Stdlib::Filesource] $source = undef,
Optional[String[1]] $content = undef,
Enum['present','absent'] $ensure = 'present',
Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
String[1] $filename = $name,
Stdlib::Filemode $mode = '0644',
Optional[Stdlib::Filesource] $source = undef,
Optional[String[1]] $content = undef,
Enum['present','absent'] $ensure = 'present',
Optional[Enum['md5','sha256','sha224','sha384','sha512']] $checksum = undef,
Optional[String] $checksum_value = undef,
) {
ensure_resource('file', $dir, { ensure => 'directory', mode => '0755', })
if $source and $content {
Expand All @@ -52,12 +78,14 @@
case $ensure {
'present': {
file { $file:
ensure => 'file',
mode => $mode,
owner => 'root',
group => 'root',
source => $source,
content => $content,
ensure => 'file',
mode => $mode,
owner => 'root',
group => 'root',
source => $source,
content => $content,
checksum => $checksum,
checksum_value => $checksum_value,
}
}
'absent': {
Expand Down
36 changes: 26 additions & 10 deletions manifests/source.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,27 @@
# extension. Absence of extension will result in file formation with just name and no extension.
# apt::source { 'puppetlabs':
# location => 'http://apt.puppetlabs.com',
# comment => 'Puppet8',
# repos => 'puppet8'
# comment => 'Puppet 8 release',
# key => {
# 'name' => 'puppetlabs.gpg',
# 'name' => 'puppetlabs-keyring.gpg',
# 'source' => 'https://apt.puppetlabs.com/keyring.gpg',
# },
# }
#
# @example Deploy the apt source and associated keyring file with checksum
# apt::source { 'puppetlabs':
# location => 'http://apt.puppetlabs.com',
# repos => 'puppet8',
# comment => 'Puppet 8 release',
# key => {
# name => 'puppetlabs-keyring.gpg',
# source => 'https://apt.puppetlabs.com/keyring.gpg'
# checksum => 'sha256',
# checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
# }
# }
#
# @param location
# Required, unless ensure is set to 'absent'. Specifies an Apt repository. Valid options: a string containing a repository URL.
#
Expand All @@ -47,7 +61,7 @@
#
# @param key
# Creates an `apt::keyring` in `/etc/apt/keyrings` (or anywhere on disk given `filename`) Valid options:
# * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`
# * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`, `checksum`, `checksum_value`.
#
# The following inputs are valid for the (deprecated) `apt::key` defined type. Valid options:
# * a string to be passed to the `id` parameter of the `apt::key` defined type
Expand Down Expand Up @@ -177,13 +191,15 @@
# Modern apt keyrings
elsif $_key =~ Hash and $_key['name'] {
apt::keyring { $_key['name']:
ensure => $_key_ensure,
content => $_key['content'],
source => $_key['source'],
dir => $_key['dir'],
filename => $_key['filename'],
mode => $_key['mode'],
before => $_before,
ensure => $_key_ensure,
content => $_key['content'],
source => $_key['source'],
dir => $_key['dir'],
filename => $_key['filename'],
mode => $_key['mode'],
checksum => $_key['checksum'],
checksum_value => $_key['checksum_value'],
before => $_before,
}

$_list_keyring = if $_key['dir'] and $_key['filename'] {
Expand Down
12 changes: 12 additions & 0 deletions spec/defines/keyring_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,18 @@
let(:facts) { os_facts }

it { is_expected.to compile }

context 'with checksum verification enabled' do
let (:params) do
{
source: 'https://apt.puppetlabs.com/pubkey.gpg',
checksum: 'sha256',
checksum_value: '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
}
end

it { is_expected.to compile }
end
end
end
end
26 changes: 12 additions & 14 deletions spec/defines/source_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,21 +103,20 @@
release: 'sid',
repos: 'testing',
key: {
'ensure' => 'refreshed',
'id' => id,
'server' => 'pgp.mit.edu',
'content' => 'GPG key content',
'source' => 'http://apt.puppetlabs.com/pubkey.gpg',
'weak_ssl' => true
'name' => 'puppetlabs-keyring.gpg',
'ensure' => 'present',
'source' => 'https://apt.puppetlabs.com/pubkey.gpg',
'checksum' => 'sha256',
'checksum_value' => '050e8c0c43d4b43449ea89ffbea8a1c912a1bb3d008a70ad9623912024933e01',
},
pin: '10',
architecture: 'x86_64',
allow_unsigned: true
allow_insecure: true
}
end

it {
expect(subject).to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 trusted=yes\] http://debian.mirror.iweb.ca/debian/ sid testing\n})
expect(subject).to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 allow-insecure=yes signed-by=/etc/apt/keyrings/puppetlabs-keyring.gpg\] http://debian.mirror.iweb.ca/debian/ sid testing\n})
.without_content(%r{deb-src})
}

Expand All @@ -128,12 +127,11 @@
}

it {
expect(subject).to contain_apt__key("Add key: #{id} from Apt::Source my_source").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'refreshed',
id: id,
server: 'pgp.mit.edu',
content: 'GPG key content',
source: 'http://apt.puppetlabs.com/pubkey.gpg',
weak_ssl: true)
expect(subject).to contain_apt__keyring("puppetlabs-keyring.gpg").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present',
name: 'puppetlabs-keyring.gpg',
source: 'https://apt.puppetlabs.com/pubkey.gpg',
checksum: 'sha256',
checksum_value: '050e8c0c43d4b43449ea89ffbea8a1c912a1bb3d008a70ad9623912024933e01')
}
end
end
Expand Down