opuppet/module-puppetlabs-apt
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into merge_master_to_next

Browse source
This commit is contained in:
Morgan Haskel 2015-03-25 18:32:09 -04:00
commit dc746734f1
12 changed files with 223 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
CHANGELOG.md
View file

@ -1,3 +1,37 @@
##2015-03-17 - Supported Release 1.8.0
###Summary
This is the last planned feature release of the 1.x series of this module. All new features will be evaluated for puppetlabs-apt 2.x.
This release includes many important features, including support for full fingerprints, and fixes issues where `apt_key` was not supporting user/password and `apt_has_updates` was not properly parsing the `apt-check` output.
####Changes to default behavior
- The apt module will now throw warnings if you don't use full fingerprints for `apt_key`s
####Features
- Use gpg to check keys to work around https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1409117 (MODULES-1675)
- Add 'oldstable' to the default update origins for wheezy
- Add utopic, vivid, and cumulus compatibility
- Add support for full fingerprints
- New parameter for `apt::source`
- `trusted_source`
- New parameters for `apt::ppa`
- `package_name`
- `package_manage`
- New parameter for `apt::unattended_upgrades`
- `legacy_origin`
- Separate `apt::pin` from `apt::backports` to allow pin by release instead of origin
####Bugfixes
- Cleanup lint and future parser issues
- Fix to support username and passwords again for `apt_key` (MODULES-1119)
- Fix issue where `apt::force` `$install_check` didn't work with non-English locales (MODULES-1231)
- Allow 5 digit ports in `apt_key`
- Fix for `ensure => absent` in `apt_key` (MODULES-1661)
- Fix `apt_has_updates` not parsing `apt-check` output correctly
- Fix inconsistent headers across files (MODULES-1200)
- Clean up formatting for 50unattended-upgrades.erb
##2014-10-28 - Supported Release 1.7.0
###Summary

21
Gemfile
View file

@ -1,5 +1,15 @@
source ENV['GEM_SOURCE'] || "https://rubygems.org"
def location_for(place, fake_version = nil)
if place =~ /^(git:[^#]*)#(.*)/
[fake_version, { :git => $1, :branch => $2, :require => false }].compact
elsif place =~ /^file:\/\/(.*)/
['>= 0', { :path => File.expand_path($1), :require => false }]
else
[place, { :require => false }]
end
end
group :development, :unit_tests do
gem 'rake', :require => false
gem 'rspec-core', '3.1.7', :require => false
@ -11,8 +21,17 @@ group :development, :unit_tests do
gem 'json', :require => false
end
beaker_version = ENV['BEAKER_VERSION']
beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION']
group :system_tests do
gem 'beaker-rspec', :require => false
if beaker_version
gem 'beaker', *location_for(beaker_version)
end
if beaker_rspec_version
gem 'beaker-rspec', *location_for(beaker_rspec_version)
else
gem 'beaker-rspec', :require => false
end
gem 'serverspec', :require => false
end

58
README.md
View file

@ -8,7 +8,7 @@ The apt module provides a simple interface for managing Apt source, key, and def
The apt module automates obtaining and installing software packages on \*nix systems.
**Note**: While this module allows the use of short keys, **we urge you NOT to use short keys**, as they pose a serious security issue by opening you up to collision attacks.
**Note**: While this module allows the use of short keys, **warnings are thrown if a full fingerprint is not used**, as they pose a serious security issue by opening you up to collision attacks.
## Setup
@ -54,7 +54,7 @@ class { 'apt': }
```puppet
apt_key { 'puppetlabs':
ensure => 'present',
id => '1054B7A24BD6EC30',
id => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
}
```
@ -69,16 +69,16 @@ class { 'apt': }
* `apt::conf`: Specifies a custom configuration file. The priority defaults to 50, but you can set the priority parameter to load the file earlier or later. The content parameter passes specified content, if any, into the file resource.
* `apt::key`: Adds a key to the list of keys used by Apt to authenticate packages. This type uses the aforementioned `apt_key` native type. As such, it no longer requires the `wget` command on which the old implementation depended.
* `apt::key`: Adds a key to the list of keys used by Apt to authenticate packages. This type uses the aforementioned `apt\_key` native type. As such, it no longer requires the `wget` command on which the old implementation depended.
```puppet
apt::key { 'puppetlabs':
id => '1054B7A24BD6EC30',
id => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
server => 'pgp.mit.edu',
}
apt::key { 'jenkins':
id => '9B7D32F2D50582E6',
id => '150FDE3F7787E7D11EF4E12A9B7D32F2D50582E6',
source => 'http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key',
}
```
@ -119,7 +119,7 @@ class { 'apt': }
repos => 'main contrib non-free',
pin => '-10',
key => {
'id' => '8B48AD6246925553',
'id' => 'A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553',
'server' => 'subkeys.pgp.net',
},
include => {
@ -136,7 +136,7 @@ class { 'apt': }
location => 'http://apt.puppetlabs.com',
repos => 'main',
key => {
'id' => '1054B7A24BD6EC30',
'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
'server' => 'pgp.mit.edu',
},
```
@ -145,10 +145,10 @@ class { 'apt': }
The apt module includes a few facts to describe the state of the Apt system:
* `apt_updates`: The number of updates available on the system
* `apt_security_updates`: The number of updates which are security updates
* `apt_package_updates`: The package names that are available for update. In Facter 2.0 and later, this will be a list type; in earlier versions, it is a comma-delimited string.
* `apt_update_last_success`: The date, in epochtime, of the most recent successful `apt-get update` run. This is determined by reading the mtime of /var/lib/apt/periodic/update-success-stamp.
* `apt\_updates`: The number of updates available on the system
* `apt\_security\_updates`: The number of updates which are security updates
* `apt\_package\_updates`: The package names that are available for update. In Facter 2.0 and later, this will be a list type; in earlier versions, it is a comma-delimited string.
* `apt\_update\_last\_success`: The date, in epochtime, of the most recent successful `apt-get update` run. This is determined by reading the mtime of /var/lib/apt/periodic/update-success-stamp.
**Note:** The facts depend on 'update-notifier' being installed on your system. Though this is a GNOME daemon only the support files are needed so the package 'update-notifier-common' is enough to enable this functionality.
@ -172,7 +172,7 @@ apt::sources:
location: 'http://apt.puppetlabs.com'
repos: 'main'
key:
id:'1054B7A24BD6EC30'
id: '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30'
server: 'pgp.mit.edu'
```
@ -183,9 +183,9 @@ apt::sources:
* `update`: Hash to configure various update settings. Valid keys are:
* 'frequency': The run frequency for `apt-get update`. Defaults to 'reluctantly'. Accepts the following values:
* 'always': Runs update at every Puppet run.
* 'daily': Runs update daily; that is, `apt-get update` runs if the value of `apt_update_last_success` is less than current epoch time - 86400. If the exec resource `apt_update` is notified, `apt-get update` runs regardless of this value.
* 'weekly': Runs update weekly; that is, `apt-get update` runs if the value of `apt_update_last_success` is less than current epoch time - 604800. If the exec resource `apt_update` is notified, `apt-get update` runs regardless of this value.
* 'reluctantly': Only runs `apt-get update` if the exec resource `apt_update` is notified. This is the default setting.
* 'daily': Runs update daily; that is, `apt-get update` runs if the value of `apt\_update\_last\_success` is less than current epoch time - 86400. If the exec resource `apt\_update` is notified, `apt-get update` runs regardless of this value.
* 'weekly': Runs update weekly; that is, `apt-get update` runs if the value of `apt\_update\_last\_success` is less than current epoch time - 604800. If the exec resource `apt\_update` is notified, `apt-get update` runs regardless of this value.
* 'reluctantly': Only runs `apt-get update` if the exec resource `apt\_update` is notified. This is the default setting.
* 'timeout': Overrides the exec timeout in seconds for `apt-get update`. Defaults to exec default (300).
* 'tries': Sets how many times to attempt running `apt-get update`. Use this to work around transient DNS and HTTP errors. By default, the command runs only once.
* `purge`: Hash to configure various purge settings. Valid keys are:
@ -197,10 +197,10 @@ apt::sources:
* 'host': Configures a proxy host and stores the configuration in /etc/apt/apt.conf.d/01proxy.
* 'port': Configures a proxy port and stores the configuration in /etc/apt/apt.conf.d/01proxy.
* 'https': Boolean to configure whether or not to enable https proxies. Defaults to false.
* `keys`: Passes a hash to create_resource to make new `apt::key` resources.
* `ppas`: Passes a hash to create_resource to make new `apt::ppa` resources.
* `settings`: Passes a hash to create_resource to make new `apt::setting` resources.
* `sources`: Passes a hash to create_resource to make new `apt::source` resources.
* `keys`: Passes a hash to `create\_resource` to make new `apt::key` resources.
* `ppas`: Passes a hash to `create\_resource` to make new `apt::ppa` resources.
* `settings`: Passes a hash to `create\_resource` to make new `apt::setting` resources.
* `sources`: Passes a hash to `create\_resource` to make new `apt::source` resources.
####apt::conf
@ -220,7 +220,7 @@ apt::sources:
####apt::pin
* `ensure`: The state we want this pin in. Can be 'present' or 'absent'.
* `explanation`: Add a comment. Defaults to `${caller_module_name}: ${name}`.
* `explanation`: Add a comment. Defaults to `${caller\_module\_name}: ${name}`.
* `order`: The order of the file name. Defaults to undef, otherwise must be an integer.
* `packages`: The list of packages to pin. Defaults to '\*'. Can be an array or string.
* `priority`: Several versions of a package may be available for installation when the sources.list(5) file contains references to more than one distribution (for example, stable and testing). APT assigns a priority to each version that is available. Subject to dependency constraints, apt-get selects the version with the highest priority for installation.
@ -228,7 +228,7 @@ apt::sources:
* `origin`: Can be used to match a hostname. The following record will assign a high priority to all versions available from the server identified by the hostname. Defaults to ''.
* `version`: The specific form assigns a priority (a "Pin-Priority") to one or more specified packages with a specified version or version range.
* `codename`: The distribution (lsbdistcodename) of the apt repository. Defaults to ''.
* `release_version`: Names the release version. For example, the packages in the tree might belong to Debian release version 7. Defaults to ''.
* `release\_version`: Names the release version. For example, the packages in the tree might belong to Debian release version 7. Defaults to ''.
* `component`: Names the licensing component associated with the packages in the directory tree of the Release file. defaults to ''. Typical values can be 'main', 'dependencies' and 'restricted'
* `originator`: Names the originator of the packages in the directory tree of the Release file. Defaults to ''. Most commonly, this is Debian.
* `label`: Names the label of the packages in the directory tree of the Release file. Defaults to ''. Most commonly, this is Debian.
@ -239,11 +239,11 @@ It is recommended to read the manpage 'apt_preferences(5)'
####apt::ppa
* `ensure`: Whether to add or remove the PPA. Valid values are 'present' or 'absent'. Defaults to 'present'.
* `options`: Options to pass to `add-apt-repository`. OS-dependent defaults are defined in `apt::params`.
* `release`: OS-release, used in the filename of the generated sources.list.d file. Defaults to `$::lsbdistcodename`.
* `package_name`: The package to install `add-apt-repository`. OS-dependent defaults are defined in `apt::params`.
* `package_manage`: Whether or not to manage the package for `add-apt-repository`. Defaults to false.
* `ensure`: Whether we are adding or removing the PPA. Can be 'present' or 'absent'. Defaults to 'present'.
* `release`: The codename for the operating system you're running. Defaults to `$lsbdistcodename`. Required if lsb-release is not installed.
* `options`: Options to be passed to the `apt-add-repository` command. OS-dependent defaults are set in `apt::params`.
* `package\_name`: The package that provides the `apt-add-repository` command. OS-dependent defaults are set in `apt::params`.
* `package\_manage`: Whether or not to manage the package providing `apt-add-repository`. Defaults to true.
####apt::setting
@ -251,7 +251,7 @@ It is recommended to read the manpage 'apt_preferences(5)'
* `ensure`: Whether to add or remove the file. Valid values are 'present', 'absent', and 'file'. Defaults to `file`.
* `source`: The source for the file. Exactly one of `content` and `source` must be specified.
* `content`: The content for the file. Exactly one of `content` and `source` must be specified.
* `notify_update`: Boolean for whether or not this `apt::setting` should trigger an `apt-get update`. Defaults to `true`.
* `notify\_update`: Boolean for whether or not this `apt::setting` should trigger an `apt-get update`. Defaults to `true`.
####apt::source
@ -271,7 +271,7 @@ It is recommended to read the manpage 'apt_preferences(5)'
* 'options': See `options` in `apt::key`
* `pin`: See apt::pin. Defaults to false.
* `architecture`: can be used to specify for which architectures information should be downloaded. If this option is not set all architectures defined by the APT::Architectures option will be downloaded. Defaults to `undef` which means all. Example values can be 'i386' or 'i386,alpha,powerpc'.
* `allow_unsigned`: can be set to indicate that packages from this source are always authenticated even if the Release file is not signed or the signature can't be checked. Defaults to `false`. Can be `true` or `false`.
* `allow\_unsigned`: can be set to indicate that packages from this source are always authenticated even if the Release file is not signed or the signature can't be checked. Defaults to `false`. Can be `true` or `false`.
Limitations
-----------
@ -281,7 +281,7 @@ This module should work across all versions of Debian/Ubuntu and support all maj
Development
------------
Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We cant access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can't access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.

4
examples/source.pp
View file

@ -15,7 +15,7 @@ apt::source { 'debian_testing':
location => 'http://debian.mirror.iweb.ca/debian/',
release => 'testing',
repos => 'main contrib non-free',
key => '46925553',
key => 'A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553',
key_server => 'subkeys.pgp.net',
pin => '-10',
}
@ -23,7 +23,7 @@ apt::source { 'debian_unstable':
location => 'http://debian.mirror.iweb.ca/debian/',
release => 'unstable',
repos => 'main contrib non-free',
key => '46925553',
key => 'A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553',
key_server => 'subkeys.pgp.net',
pin => '-10',
}

26
lib/puppet/provider/apt_key/apt_key.rb
View file

@ -1,4 +1,3 @@
require 'date'
require 'open-uri'
require 'net/ftp'
require 'tempfile'
@ -16,9 +15,10 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
confine :osfamily => :debian
defaultfor :osfamily => :debian
commands :apt_key => 'apt-key'
commands :gpg => '/usr/bin/gpg'
def self.instances
cli_args = ['adv','--list-keys', '--with-colons', '--fingerprint']
cli_args = ['adv','--list-keys', '--with-colons', '--fingerprint', '--fixed-list-mode']
if RUBY_VERSION > '1.8.7'
key_output = apt_key(cli_args).encode('UTF-8', 'binary', :invalid => :replace, :undef => :replace, :replace => '')
@ -45,7 +45,7 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
expired = false
if line_hash[:key_expiry]
expired = Date.today > Date.parse(line_hash[:key_expiry])
expired = Time.now >= line_hash[:key_expiry]
end
new(
@ -56,10 +56,10 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
:long => line_hash[:key_long],
:ensure => :present,
:expired => expired,
:expiry => line_hash[:key_expiry],
:expiry => line_hash[:key_expiry].nil? ? nil : line_hash[:key_expiry].strftime("%Y-%m-%d"),
:size => line_hash[:key_size],
:type => line_hash[:key_type],
:created => line_hash[:key_created]
:created => line_hash[:key_created].strftime("%Y-%m-%d")
)
end
key_array.compact!
@ -95,8 +95,8 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
:key_short => fingerprint[-8..-1], # last 8 characters of fingerprint
:key_size => pub_split[2],
:key_type => nil,
:key_created => pub_split[5],
:key_expiry => pub_split[6].empty? ? nil : pub_split[6],
:key_created => Time.at(pub_split[5].to_i),
:key_expiry => pub_split[6].empty? ? nil : Time.at(pub_split[6].to_i),
}
# set key type based on types defined in /usr/share/doc/gnupg/DETAILS.gz
@ -136,6 +136,18 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
file = Tempfile.new('apt_key')
file.write content
file.close
#confirm that the fingerprint from the file, matches the long key that is in the manifest
if name.size == 40
if File.executable? command(:gpg)
extracted_key = execute(["#{command(:gpg)} --with-fingerprint --with-colons #{file.path} | awk -F: '/^fpr:/ { print $10 }'"], :failonfail => false)
extracted_key = extracted_key.chomp
if extracted_key != name
fail("The id in your manifest #{resource[:name]} and the fingerprint from content/source do not match. Please check there is not an error in the id or check the content/source is legitimate.")
end
else
warning('/usr/bin/gpg cannot be found for verification of the id.')
end
end
file.path
end

3
lib/puppet/type/apt_key.rb
View file

@ -23,6 +23,9 @@ Puppet::Type.newtype(:apt_key) do
if self[:content] and self[:source]
fail('The properties content and source are mutually exclusive.')
end
if self[:id].length < 40
warning('The id should be a full fingerprint (40 characters), see README.')
end
end
newparam(:id, :namevar => true) do

6
manifests/params.pp
View file

@ -107,6 +107,10 @@ class apt::params {
}
}
}
'Cumulus Networks': {
$distid = 'debian'
$distcodename = $::lsbdistcodename
}
undef: {
fail('Unable to determine lsbdistid, is lsb-release installed?')
}
@ -131,7 +135,7 @@ class apt::params {
}
default: {
$ppa_options = '-y'
$ppa_package = 'software-properties-common'
$ppa_package = 'python-software-properties'
}
}
}

2
metadata.json
View file

@ -1,6 +1,6 @@
{
"name": "puppetlabs-apt",
"version": "1.7.0",
"version": "1.8.0",
"author": "Puppet Labs",
"summary": "Provides an interface for managing Apt source, key, and definitions with Puppet",
"license": "Apache-2.0",

34
spec/acceptance/apt_key_provider_spec.rb
View file

@ -520,4 +520,38 @@ ugVIB2pi+8u84f+an4Hml4xlyijgYu05pqNvnLRyJDLd61hviLC8GYU=
end
end
end
describe 'fingerprint validation against source/content' do
context 'fingerprint in id matches fingerprint from remote key' do
it 'works' do
pp = <<-EOS
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}',
ensure => 'present',
source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
}
EOS
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_failures => true)
end
end
context 'fingerprint in id does NOT match fingerprint from remote key' do
it 'works' do
pp = <<-EOS
apt_key { 'puppetlabs':
id => '47B320EB4C7C375AA9DAE1A01054B7A24BD6E666',
ensure => 'present',
source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
}
EOS
apply_manifest(pp, :expect_failures => true) do |r|
expect(r.stderr).to match(/do not match/)
end
end
end
end
end

2
spec/acceptance/apt_spec.rb
View file

@ -29,7 +29,7 @@ describe 'apt class' do
'location' => 'http://apt.puppetlabs.com',
'repos' => 'main',
'key' => {
'id' => '4BD6EC30',
'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
'server' => 'pgp.mit.edu',
},
},

4
spec/classes/apt_spec.rb
View file

@ -140,14 +140,14 @@ describe 'apt' do
'location' => 'http://debian.mirror.iweb.ca/debian/',
'release' => 'unstable',
'repos' => 'main contrib non-free',
'key' => { 'id' => '55BE302B', 'server' => 'subkeys.pgp.net' },
'key' => { 'id' => '150C8614919D8446E01E83AF9AA38DCD55BE302B', 'server' => 'subkeys.pgp.net' },
'pin' => '-10',
'include' => {'src' => true,},
},
'puppetlabs' => {
'location' => 'http://apt.puppetlabs.com',
'repos' => 'main',
'key' => { 'id' => '4BD6EC30', 'server' => 'pgp.mit.edu' },
'key' => { 'id' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30', 'server' => 'pgp.mit.edu' },
}
} } }

73
spec/defines/ppa_spec.rb
View file

@ -33,6 +33,79 @@ describe 'apt::ppa' do
end
end
describe 'package_name => software-properties-common' do
let :pre_condition do
'class { "apt": }'
end
let :params do
{
:package_name => 'software-properties-common',
:package_manage => true,
}
end
let :facts do
{
:lsbdistrelease => '11.04',
:lsbdistcodename => 'natty',
:operatingsystem => 'Ubuntu',
:osfamily => 'Debian',
:lsbdistid => 'Ubuntu',
}
end
let(:title) { 'ppa:needs/such.substitution/wow' }
it { is_expected.to contain_package('software-properties-common') }
it { is_expected.to contain_exec('add-apt-repository-ppa:needs/such.substitution/wow').that_notifies('Exec[apt_update]').with({
'environment' => [],
'command' => '/usr/bin/add-apt-repository -y ppa:needs/such.substitution/wow',
'unless' => '/usr/bin/test -s /etc/apt/sources.list.d/needs-such_substitution-wow-natty.list',
'user' => 'root',
'logoutput' => 'on_failure',
})
}
it { is_expected.to contain_file('/etc/apt/sources.list.d/needs-such_substitution-wow-natty.list').that_requires('Exec[add-apt-repository-ppa:needs/such.substitution/wow]').with({
'ensure' => 'file',
})
}
end
describe 'package_manage => false' do
let :pre_condition do
'class { "apt": }'
end
let :facts do
{
:lsbdistrelease => '11.04',
:lsbdistcodename => 'natty',
:operatingsystem => 'Ubuntu',
:osfamily => 'Debian',
:lsbdistid => 'Ubuntu',
}
end
let :params do
{
:package_manage => false,
}
end
let(:title) { 'ppa:needs/such.substitution/wow' }
it { is_expected.to_not contain_package('python-software-properties') }
it { is_expected.to contain_exec('add-apt-repository-ppa:needs/such.substitution/wow').that_notifies('Exec[apt_update]').with({
'environment' => [],
'command' => '/usr/bin/add-apt-repository -y ppa:needs/such.substitution/wow',
'unless' => '/usr/bin/test -s /etc/apt/sources.list.d/needs-such_substitution-wow-natty.list',
'user' => 'root',
'logoutput' => 'on_failure',
})
}
it { is_expected.to contain_file('/etc/apt/sources.list.d/needs-such_substitution-wow-natty.list').that_requires('Exec[add-apt-repository-ppa:needs/such.substitution/wow]').with({
'ensure' => 'file',
})
}
end
describe 'apt included, no proxy' do
let :pre_condition do
'class { "apt": }