From bcaca80c5a290525a5fdf3e1b9520a2e47c08674 Mon Sep 17 00:00:00 2001
From: James Paton-Smith
Date: Tue, 20 Jun 2023 11:08:41 +0100
Subject: [PATCH 1/3] Add apt::keyring defined type
---
 README.md | 17 ++++++++++
 manifests/init.pp | 8 +++++
 manifests/keyring.pp | 65 ++++++++++++++++++++++++++++++++++++
 manifests/params.pp | 1 +
 spec/defines/keyring_spec.rb | 18 ++++++++++
 5 files changed, 109 insertions(+)
 create mode 100644 manifests/keyring.pp
 create mode 100644 spec/defines/keyring_spec.rb
diff --git a/README.md b/README.md
index c37101f07b..73fd3c319c 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,23 @@ include apt
 ### Add GPG keys
+You can fetch GPG keys via HTTP, Puppet URI, or local filesystem. The key must be in binary format for apt to read it properly.
+
+#### Fetch via HTTP
+```puppet
+apt::keyring {'puppetlabs-keyring.gpg':
+ source => 'https://apt.puppetlabs.com/keyring.gpg',
+}
+```
+#### Fetch via Puppet URI
+```puppet
+apt::keyring {'puppetlabs-keyring.gpg':
+ source => 'puppet:///modules/my_module/local_puppetlabs-keyring.gpg',
+}
+```
+Alternatively `apt::key` can be used.
+
+**Warning** `apt::key` is deprecated in the latest Debian and Ubuntu releases. Please use apt::keyring instead.
 **Warning:** Using short key IDs presents a serious security issue, potentially leaving you open to collision attacks. We recommend you always use full fingerprints to identify your GPG keys. This module allows short keys, but issues a security warning if you use them.
diff --git a/manifests/init.pp b/manifests/init.pp
index b30b418d72..eaa63f9e25 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -88,6 +88,9 @@
 # @param keys
 # Creates new `apt::key` resources. Valid options: a hash to be passed to the create_resources function linked above.
 #
+# @param keyrings
+# Creates new `apt::keyring` resources. Valid options: a hash to be passed to the create_resources function linked above.
+#
 # @param ppas
 # Creates new `apt::ppa` resources. Valid options: a hash to be passed to the create_resources function linked above.
 #
@@ -159,6 +162,7 @@
 Apt::Proxy $proxy = $apt::params::proxy,
 Hash $sources = $apt::params::sources,
 Hash $keys = $apt::params::keys,
+ Hash $keyrings = $apt::params::keyrings,
 Hash $ppas = $apt::params::ppas,
 Hash $pins = $apt::params::pins,
 Hash $settings = $apt::params::settings,
@@ -347,6 +351,10 @@
 if $keys {
 create_resources('apt::key', $keys)
 }
+ # manage keyrings if present
+ if $keyrings {
+ create_resources('apt::keyring', $keyrings)
+ }
 # manage ppas if present
 if $ppas {
 create_resources('apt::ppa', $ppas)
diff --git a/manifests/keyring.pp b/manifests/keyring.pp
new file mode 100644
index 0000000000..59771343c4
--- /dev/null
+++ b/manifests/keyring.pp
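Review bot: The guard `if $keyrings {` in the third hunk can never be false: the parameter is typed `Hash` with default `$apt::params::keyrings` (an empty hash), and Puppet treats an empty hash as truthy, so the branch always runs and `create_resources` on an empty hash is already a no-op. It mirrors the existing `if $keys {` and `if $ppas {` guards, so keeping it is a defensible consistency choice, but if the intent is "skip when nothing is configured" the condition should say so, e.g. `unless $keyrings.empty {`. The `create_resources('apt::keyring', $keyrings)` call is the only place the new type is wired in, so whatever ordering the module applies between key material and its update class is not visible in this hunk and is worth confirming for keyrings as well.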
@@ -0,0 +1,65 @@
+# @summary Manage GPG keyrings for apt repositories
+#
+# @example Install the puppetlabs apt source with keyring.
+# apt::source { 'puppet7-release':
+# location => 'http://apt.puppetlabs.com',
+# repos => 'main',
+# keyring => '/etc/apt/keyrings/puppetlabs-keyring.gpg',
+# }
+# apt::keyring {'puppetlabs-keyring.gpg':
+# source => 'https://apt.puppetlabs.com/keyring.gpg',
+# }
+#
+# @param keyring_dir
+# Path to the directory where the keyring will be stored.
+#
+# @param keyring_filename
+# Optional filename for the keyring.
+#
+# @param keyring_file
+# File path of the keyring.
+#
+# @param keyring_file_mode
+# File permissions of the keyring.
+#
+# @param source
+# Source of the keyring file. Mutually exclusive with 'content'.
+#
+# @param content
+# Content of the keyring file. Mutually exclusive with 'source'.
+#
+# @param ensure
+# Ensure presence or absence of the resource.
+#
+define apt::keyring (
+ Stdlib::Absolutepath $keyring_dir = '/etc/apt/keyrings',
+ Optional[String] $keyring_filename = $name,
+ Stdlib::Absolutepath $keyring_file = "${keyring_dir}/${keyring_filename}",
+ String $keyring_file_mode = '0644',
+ Optional[Stdlib::Filesource] $source = undef,
+ Optional[String] $content = undef,
+ Enum['present','absent'] $ensure = 'present',
+) {
+ ensure_resource('file', $keyring_dir, { ensure => 'directory', mode => '0755', })
+ if $source and $content {
+ fail("Parameters \'source\' and \'content\' are mutualy exclusive")
+ }
+ case $ensure {
+ 'present': {
+ file { $keyring_file:
+ ensure => 'file',
+ mode => $keyring_file_mode,
+ source => $source,
+ content => $content,
+ }
+ }
+ 'absent': {
+ file { $keyring_file:
+ ensure => $ensure,
+ }
+ }
+ default: {
+ fail("Invalid \'ensure\' value \'${ensure}\' for apt::keyring")
+ }
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index 3ce8f48640..a89862410b 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
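Review bot: The keyring written by `file { $keyring_file: ... }` in the `'present'` arm is the trust anchor for every repository whose `Signed-By` points at it, yet the resource installs whatever `$source` returns with no integrity check, and `Stdlib::Filesource` accepts plain `http://` URLs as well as `https://` and `puppet:///`. Let callers pin the key by adding `Optional[String[1]] $checksum_value = undef,` to the parameter list and `checksum => 'sha256', checksum_value => $checksum_value,` to the file resource, and state in `@param source` that an `https://` or `puppet:///` source is expected. `Optional[String] $content` does not match the README's "must be in binary format" requirement; `Optional[Variant[String, Binary]] $content` is what the `file` type's `content` attribute accepts and lets a binary keyring pass through unmangled. `$keyring_filename` is interpolated straight into `$keyring_file`, so a title containing `/` would resolve outside `$keyring_dir`; constraining it to a single path component (e.g. `Pattern[/\A[^\/]+\z/]`) keeps every keyring inside the directory the module manages. The `default:` arm is unreachable given `Enum['present','absent'] $ensure`, and unlike `apt::key` nothing here orders the file before the module's update class, which I cannot see from this hunk and is worth confirming.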
@@ -25,6 +25,7 @@
 $proxy = {}
 $sources = {}
 $keys = {}
+ $keyrings = {}
 $ppas = {}
 $pins = {}
 $settings = {}
diff --git a/spec/defines/keyring_spec.rb b/spec/defines/keyring_spec.rb
new file mode 100644
index 0000000000..adef7aeb6d
--- /dev/null
+++ b/spec/defines/keyring_spec.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'apt::keyring' do
+ let(:title) { 'namevar' }
+ let(:params) do
+ {}
+ end
+
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
From 6f9a63a42d5925b0f284c7af744777bf7a30ed4f Mon Sep 17 00:00:00 2001
From: jamesps-ebi <83767764+jamesps-ebi@users.noreply.github.com>
Date: Tue, 5 Sep 2023 08:14:24 +0100
Subject: [PATCH 2/3] Fix syntax and typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Applying suggestions from code review
Co-authored-by: Romain Tartière
---
 manifests/keyring.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/keyring.pp b/manifests/keyring.pp
index 59771343c4..92447bc22c 100644
--- a/manifests/keyring.pp
+++ b/manifests/keyring.pp
@@ -42,7 +42,7 @@
 ) {
 ensure_resource('file', $keyring_dir, { ensure => 'directory', mode => '0755', })
 if $source and $content {
- fail("Parameters \'source\' and \'content\' are mutualy exclusive")
+ fail("Parameters 'source' and 'content' are mutually exclusive")
 }
 case $ensure {
 'present': {
@@ -59,7 +59,7 @@
 }
 }
 default: {
- fail("Invalid \'ensure\' value \'${ensure}\' for apt::keyring")
+ fail("Invalid 'ensure' value '${ensure}' for apt::keyring")
 }
 }
 }
From 6bfe101219338b7b472c184efd81cf36ce5de69c Mon Sep 17 00:00:00 2001
From: James Paton-Smith
Date: Tue, 5 Sep 2023 10:49:53 +0100
Subject: [PATCH 3/3] Add logic Fail when no source or content parameters are supplied.
---
 manifests/keyring.pp | 2 ++
 1 file changed, 2 insertions(+)
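Review bot: The spec compiles `apt::keyring` with `let(:params) do {} end`, but PATCH 3/3 in this same series makes the define `fail` when neither `source` nor `content` is supplied, so this only example stops compiling once the series is applied. Give the example a source, e.g. `let(:params) { { source: 'puppet:///modules/my_module/local_puppetlabs-keyring.gpg' } }` (the URI the README hunk already uses). The branches the define actually adds — both parameters set, neither set, and `ensure => 'absent'` — are untested here; one `is_expected.to compile.and_raise_error(/mutually exclusive/)` example and one checking `contain_file('/etc/apt/keyrings/namevar').with_ensure('absent')` would pin them.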
diff --git a/manifests/keyring.pp b/manifests/keyring.pp
index 92447bc22c..c9be193e1f 100644
--- a/manifests/keyring.pp
+++ b/manifests/keyring.pp
@@ -43,6 +43,8 @@
 ensure_resource('file', $keyring_dir, { ensure => 'directory', mode => '0755', })
 if $source and $content {
 fail("Parameters 'source' and 'content' are mutually exclusive")
+ } elsif ! $source and ! $content {
+ fail("One of 'source' or 'content' parameters are required")
 }
 case $ensure {
 'present': {
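Review bot: The new `elsif ! $source and ! $content` check fires regardless of `$ensure`, so `apt::keyring { 'x': ensure => 'absent' }` now fails even though the `'absent'` arm below never reads `source` or `content`; removing a keyring would require passing a dummy source. Scope the check to the present case, `} elsif $ensure == 'present' and ! $source and ! $content {`, or move it inside the `'present'` arm next to the file resource. The message should also read `is required` rather than `are required`. The enclosing define continues outside the hunk.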