opuppet/module-puppetlabs-apt
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #459 from tphoney/modules-1675_check_gpg_version

Browse source 
initial commit for apt_key checking
This commit is contained in:
Morgan Haskel 2015-03-13 14:40:43 -07:00
commit 97f70034c9
4 changed files with 51 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -8,7 +8,7 @@ The apt module provides a simple interface for managing Apt source, key, and def
The apt module automates obtaining and installing software packages on \*nix systems. The apt module automates obtaining and installing software packages on \*nix systems.
**Note**: While this module allows the use of short keys, **we urge you NOT to use short keys**, as they pose a serious security issue by opening you up to collision attacks. **Note**: While this module allows the use of short keys, **warnings are thrown if a full fingerprint is not used**, as they pose a serious security issue by opening you up to collision attacks.
## Setup ## Setup

13
lib/puppet/provider/apt_key/apt_key.rb
View file

@ -16,6 +16,7 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
confine :osfamily => :debian confine :osfamily => :debian
defaultfor :osfamily => :debian defaultfor :osfamily => :debian
commands :apt_key => 'apt-key' commands :apt_key => 'apt-key'
commands :gpg => '/usr/bin/gpg'
def self.instances def self.instances
cli_args = ['adv','--list-keys', '--with-colons', '--fingerprint'] cli_args = ['adv','--list-keys', '--with-colons', '--fingerprint']
@ -136,6 +137,18 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
file = Tempfile.new('apt_key') file = Tempfile.new('apt_key')
file.write content file.write content
file.close file.close
#confirm that the fingerprint from the file, matches the long key that is in the manifest
if name.size == 40
if File.executable? command(:gpg)
extracted_key = execute(["#{command(:gpg)} --with-fingerprint --with-colons #{file.path} | awk -F: '/^fpr:/ { print $10 }'"], :failonfail => false)
extracted_key = extracted_key.chomp
if extracted_key != name
fail ("The id in your manifest #{resource[:name]} and the fingerprint from content/source do not match. Please check there is not an error in the id or check the content/source is legitimate.")
end
else
warning ('/usr/bin/gpg cannot be found for verification of the id.')
end
end
file.path file.path
end end

3
lib/puppet/type/apt_key.rb
View file

@ -23,6 +23,9 @@ Puppet::Type.newtype(:apt_key) do
if self[:content] and self[:source] if self[:content] and self[:source]
fail('The properties content and source are mutually exclusive.') fail('The properties content and source are mutually exclusive.')
end end
if self[:id].length < 40
warning('The id should be a full fingerprint (40 characters), see README.')
end
end end
newparam(:id, :namevar => true) do newparam(:id, :namevar => true) do

34
spec/acceptance/apt_key_provider_spec.rb
View file

@ -520,4 +520,38 @@ ugVIB2pi+8u84f+an4Hml4xlyijgYu05pqNvnLRyJDLd61hviLC8GYU=
end end
end end
end end
describe 'fingerprint validation against source/content' do
context 'fingerprint in id matches fingerprint from remote key' do
it 'works' do
pp = <<-EOS
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}',
ensure => 'present',
source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
}
EOS
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_failures => true)
end
end
context 'fingerprint in id does NOT match fingerprint from remote key' do
it 'works' do
pp = <<-EOS
apt_key { 'puppetlabs':
id => '47B320EB4C7C375AA9DAE1A01054B7A24BD6E666',
ensure => 'present',
source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
}
EOS
apply_manifest(pp, :expect_failures => true) do |r|
expect(r.stderr).to match(/do not match/)
end
end
end
end
end end