diff --git a/manifests/source.pp b/manifests/source.pp
index 6631eea..4e14d8a 100644
--- a/manifests/source.pp
+++ b/manifests/source.pp
@@ -1,185 +1,186 @@ # @summary Manages the Apt sources in /etc/apt/sources.list.d/. # # @example Install the puppetlabs apt source # apt::source { 'puppetlabs': # location => 'http://apt.puppetlabs.com', # repos => 'main', # key => { # id => '6F6B15509CF8E59E6E469F327F438280EF8D349F', # server => 'keyserver.ubuntu.com', # }, # } # # @param location # Required, unless ensure is set to 'absent'. Specifies an Apt repository. Valid options: a string containing a repository URL. # # @param comment # Supplies a comment for adding to the Apt source file. # # @param ensure # Specifies whether the Apt source file should exist. Valid options: 'present' and 'absent'. # # @param release # Specifies a distribution of the Apt repository. # # @param repos # Specifies a component of the Apt repository. # # @param include # Configures include options. Valid options: a hash of available keys. # # @option include [Boolean] :deb # Specifies whether to request the distribution's compiled binaries. Default true. # # @option include [Boolean] :src # Specifies whether to request the distribution's uncompiled source code. Default false. # # @param key # Creates a declaration of the apt::key defined type. Valid options: a string to be passed to the `id` parameter of the `apt::key` -# defined type, or a hash of `parameter => value` pairs to be passed to `apt::key`'s `id`, `server`, `content`, `source`, and/or -# `options` parameters. +# defined type, or a hash of `parameter => value` pairs to be passed to `apt::key`'s `id`, `server`, `content`, `source`, `weak_ssl`, +# and/or `options` parameters. # # @param keyring # Absolute path to a file containing the PGP keyring used to sign this repository. Value is used to set signed-by on the source entry. # See https://wiki.debian.org/DebianRepository/UseThirdParty for details. # # @param pin # Creates a declaration of the apt::pin defined type. 
Valid options: a number or string to be passed to the `id` parameter of the # `apt::pin` defined type, or a hash of `parameter => value` pairs to be passed to `apt::pin`'s corresponding parameters. # # @param architecture # Tells Apt to only download information for specified architectures. Valid options: a string containing one or more architecture names, # separated by commas (e.g., 'i386' or 'i386,alpha,powerpc'). Default: undef (if unspecified, Apt downloads information for all architectures # defined in the Apt::Architectures option). # # @param allow_unsigned # Specifies whether to authenticate packages from this release, even if the Release file is not signed or the signature can't be checked. # # @param notify_update # Specifies whether to trigger an `apt-get update` run. # define apt::source( Optional[String] $location = undef, String $comment = $name, String $ensure = present, Optional[String] $release = undef, String $repos = 'main', Optional[Variant[Hash]] $include = {}, Optional[Variant[String, Hash]] $key = undef, Optional[Stdlib::AbsolutePath] $keyring = undef, Optional[Variant[Hash, Numeric, String]] $pin = undef, Optional[String] $architecture = undef, Boolean $allow_unsigned = false, Boolean $notify_update = true, ) { include ::apt $_before = Apt::Setting["list-${title}"] if !$release { if $facts['os']['distro']['codename'] { $_release = $facts['os']['distro']['codename'] } else { fail('os.distro.codename fact not available: release parameter required') } } else { $_release = $release } if $ensure == 'present' { if ! $location { fail('cannot create a source entry without specifying a location') } elsif ($::apt::proxy['https_acng']) and ($location =~ /(?i:^https:\/\/)/) { $_location = regsubst($location, 'https://','http://HTTPS///') } else { $_location = $location } # Newer oses, do not need the package for HTTPS transport. 
$_transport_https_releases = [ 'wheezy', 'jessie', 'stretch', 'trusty', 'xenial' ] if ($facts['os']['distro']['codename'] in $_transport_https_releases) and $_location =~ /(?i:^https:\/\/)/ { ensure_packages('apt-transport-https') } } else { $_location = undef } $includes = merge($::apt::include_defaults, $include) if $key and $keyring { fail("parameters key and keyring are mutualy exclusive") } if $key { if $key =~ Hash { unless $key['id'] { fail('key hash must contain at least an id entry') } $_key = merge($::apt::source_key_defaults, $key) } else { $_key = { 'id' => assert_type(String[1], $key) } } } $header = epp('apt/_header.epp') $sourcelist = epp('apt/source.list.epp', { 'comment' => $comment, 'includes' => $includes, 'options' => delete_undef_values({ 'arch' => $architecture, 'trusted' => $allow_unsigned ? {true => "yes", false => undef}, 'signed-by' => $keyring, }), 'location' => $_location, 'release' => $_release, 'repos' => $repos, }) apt::setting { "list-${name}": ensure => $ensure, content => "${header}${sourcelist}", notify_update => $notify_update, } if $pin { if $pin =~ Hash { $_pin = merge($pin, { 'ensure' => $ensure, 'before' => $_before }) } elsif ($pin =~ Numeric or $pin =~ String) { $url_split = split($location, '[:\/]+') $host = $url_split[1] $_pin = { 'ensure' => $ensure, 'priority' => $pin, 'before' => $_before, 'origin' => $host, } } else { fail('Received invalid value for pin parameter') } create_resources('apt::pin', { "${name}" => $_pin }) } # We do not want to remove keys when the source is absent. 
if $key and ($ensure == 'present') { if $_key =~ Hash { if $_key['ensure'] != undef { $_ensure = $_key['ensure'] } else { $_ensure = $ensure } apt::key { "Add key: ${$_key['id']} from Apt::Source ${title}": - ensure => $_ensure, - id => $_key['id'], - server => $_key['server'], - content => $_key['content'], - source => $_key['source'], - options => $_key['options'], - before => $_before, + ensure => $_ensure, + id => $_key['id'], + server => $_key['server'], + content => $_key['content'], + source => $_key['source'], + options => $_key['options'], + weak_ssl => $_key['weak_ssl'], + before => $_before, } } } } diff --git a/spec/defines/source_spec.rb b/spec/defines/source_spec.rb index 2ce50a2..f6c2e23 100644 --- a/spec/defines/source_spec.rb +++ b/spec/defines/source_spec.rb 
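Review bot: The `@param key` comment now lists `weak_ssl` without saying what it does, while the new `weak_ssl => $_key['weak_ssl'],` line forwards whatever the caller's hash contains straight to `apt::key`. Judging by the name and the `apt::key` parameter it maps to (its definition is not in this diff), it relaxes certificate verification when the key is downloaded from an https `source`. That key then becomes the trust anchor for every package from this repository, so the doc should state the effect. I would add to the `@param key` block: `# weak_ssl (Boolean) turns off strict certificate verification for an https key source; leave it unset unless the key is verified by other means.` The hash entry is not type-checked in this define (`$key` is `Variant[String, Hash]`), so validation presumably happens only in `apt::key`.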
@@ -1,436 +1,440 @@ # frozen_string_literal: true require 'spec_helper' describe 'apt::source' do GPG_KEY_ID = '6F6B15509CF8E59E6E469F327F438280EF8D349F' let :pre_condition do 'class { "apt": }' end let :title do 'my_source' end let :facts do { os: { family: 'Debian', name: 'Debian', release: { major: '8', full: '8.0', }, distro: { codename: 'jessie', id: 'Debian', }, }, } end context 'with defaults' do context 'without location' do it do is_expected.to raise_error(Puppet::Error, %r{source entry without specifying a location}) end end context 'with location' do let(:params) { { location: 'hello.there' } } it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').without_content(%r{# my_source\ndeb-src hello.there wheezy main\n}) is_expected.not_to contain_package('apt-transport-https') } end end describe 'no defaults' do context 'with complex pin' do let :params do { location: 'hello.there', pin: { 'release' => 'wishwash', 'explanation' => 'wishwash', 'priority' => 1001 }, } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{hello.there jessie main\n}) } it { is_expected.to contain_file('/etc/apt/sources.list.d/my_source.list').that_notifies('Class[Apt::Update]') } it { is_expected.to contain_apt__pin('my_source').that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present', priority: 1001, explanation: 'wishwash', release: 'wishwash') } end context 'with simple key' do let :params do { comment: 'foo', location: 'http://debian.mirror.iweb.ca/debian/', release: 'sid', repos: 'testing', key: GPG_KEY_ID, pin: '10', architecture: 'x86_64', allow_unsigned: true, } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 trusted=yes\] http://debian.mirror.iweb.ca/debian/ sid testing\n}) .without_content(%r{deb-src}) } it { is_expected.to 
contain_apt__pin('my_source').that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present', priority: '10', origin: 'debian.mirror.iweb.ca') } it { is_expected.to contain_apt__key("Add key: #{GPG_KEY_ID} from Apt::Source my_source").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present', id: GPG_KEY_ID) } end context 'with complex key' do let :params do { comment: 'foo', location: 'http://debian.mirror.iweb.ca/debian/', release: 'sid', repos: 'testing', - key: { 'ensure' => 'refreshed', - 'id' => GPG_KEY_ID, - 'server' => 'pgp.mit.edu', - 'content' => 'GPG key content', - 'source' => 'http://apt.puppetlabs.com/pubkey.gpg' }, + key: { + 'ensure' => 'refreshed', + 'id' => GPG_KEY_ID, + 'server' => 'pgp.mit.edu', + 'content' => 'GPG key content', + 'source' => 'http://apt.puppetlabs.com/pubkey.gpg', + 'weak_ssl' => true, + }, pin: '10', architecture: 'x86_64', allow_unsigned: true, } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# foo\ndeb \[arch=x86_64 trusted=yes\] http://debian.mirror.iweb.ca/debian/ sid testing\n}) .without_content(%r{deb-src}) } it { is_expected.to contain_apt__pin('my_source').that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'present', priority: '10', origin: 'debian.mirror.iweb.ca') } it { is_expected.to contain_apt__key("Add key: #{GPG_KEY_ID} from Apt::Source my_source").that_comes_before('Apt::Setting[list-my_source]').with(ensure: 'refreshed', id: GPG_KEY_ID, server: 'pgp.mit.edu', content: 'GPG key content', - source: 'http://apt.puppetlabs.com/pubkey.gpg') + source: 'http://apt.puppetlabs.com/pubkey.gpg', + weak_ssl: true) } end end context 'with allow_unsigned true' do let :params do { location: 'hello.there', allow_unsigned: true, } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# my_source\ndeb \[trusted=yes\] hello.there jessie main\n}) } end context 'with keyring set' do let 
:params do { location: 'hello.there', keyring: '/usr/share/keyrings/foo-archive-keyring.gpg', } end it { is_expected.to contain_apt__setting('list-my_source') .with(ensure: 'present') .with_content(%r{# my_source\ndeb \[signed-by=/usr/share/keyrings/foo-archive-keyring.gpg\] hello.there jessie main\n}) } end context 'with keyring, architecture and allow_unsigned set' do let :params do { location: 'hello.there', architecture: 'amd64', allow_unsigned: true, keyring: '/usr/share/keyrings/foo-archive-keyring.gpg', } end it { is_expected.to contain_apt__setting('list-my_source') .with(ensure: 'present') .with_content(%r{# my_source\ndeb \[arch=amd64 trusted=yes signed-by=/usr/share/keyrings/foo-archive-keyring.gpg\] hello.there jessie main\n}) } end context 'with a https location, install apt-transport-https' do let :params do { location: 'HTTPS://foo.bar', allow_unsigned: false, } end it { is_expected.to contain_package('apt-transport-https') } end context 'with a https location and custom release, install apt-transport-https' do let :facts do { os: { family: 'Debian', name: 'Debian', release: { major: '8', full: '8.0', }, distro: { codename: 'jessie', id: 'Debian', }, }, puppetversion: Puppet.version, } end let :params do { location: 'HTTPS://foo.bar', allow_unsigned: false, release: 'customrelease', } end it { is_expected.to contain_package('apt-transport-https') } end context 'with a https location, do not install apt-transport-https on oses not in list eg buster' do let :facts do { os: { family: 'Debian', name: 'Debian', release: { major: '10', full: '10.0', }, distro: { codename: 'buster', id: 'Debian', }, }, } end let :params do { location: 'https://foo.bar', allow_unsigned: false, } end it { is_expected.not_to contain_package('apt-transport-https') } end context 'with architecture equals x86_64' do let :facts do { os: { family: 'Debian', name: 'Debian', release: { major: '7', full: '7.0', }, distro: { codename: 'wheezy', id: 'Debian', }, }, } end let :params do 
{ location: 'hello.there', include: { 'deb' => false, 'src' => true }, architecture: 'x86_64', } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# my_source\ndeb-src \[arch=x86_64\] hello.there wheezy main\n}) } end context 'with architecture fact and unset architecture parameter' do let :facts do super().merge(architecture: 'amd64') end let :params do { location: 'hello.there', include: { 'deb' => false, 'src' => true }, } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# my_source\ndeb-src hello.there jessie main\n}) } end context 'with include_src => true' do let :params do { location: 'hello.there', include: { 'src' => true }, } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{# my_source\ndeb hello.there jessie main\ndeb-src hello.there jessie main\n}) } end context 'with include deb => false' do let :params do { include: { 'deb' => false }, location: 'hello.there', } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').without_content(%r{deb-src hello.there wheezy main\n}) } it { is_expected.to contain_apt__setting('list-my_source').without_content(%r{deb hello.there wheezy main\n}) } end context 'with include src => true and include deb => false' do let :params do { include: { 'deb' => false, 'src' => true }, location: 'hello.there', } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'present').with_content(%r{deb-src hello.there jessie main\n}) } it { is_expected.to contain_apt__setting('list-my_source').without_content(%r{deb hello.there jessie main\n}) } end context 'with ensure => absent' do let :params do { ensure: 'absent', } end it { is_expected.to contain_apt__setting('list-my_source').with(ensure: 'absent') } end describe 'validation' do context 'with no release' do let :facts do { os: { family: 'Debian', name: 'Debian', 
release: { major: '8', full: '8.0', }, distro: { id: 'Debian', }, }, } end let(:params) { { location: 'hello.there' } } it do is_expected.to raise_error(Puppet::Error, %r{os.distro.codename fact not available: release parameter required}) end end context 'with release is empty string' do let(:params) { { location: 'hello.there', release: '' } } it { is_expected.to contain_apt__setting('list-my_source').with_content(%r{hello\.there main}) } end context 'with invalid pin' do let :params do { location: 'hello.there', pin: true, } end it do is_expected.to raise_error(Puppet::Error, %r{expects a value}) end end context 'with notify_update = undef (default)' do let :params do { location: 'hello.there', } end it { is_expected.to contain_apt__setting("list-#{title}").with_notify_update(true) } end context 'with notify_update = true' do let :params do { location: 'hello.there', notify_update: true, } end it { is_expected.to contain_apt__setting("list-#{title}").with_notify_update(true) } end context 'with notify_update = false' do let :params do { location: 'hello.there', notify_update: false, } end it { is_expected.to contain_apt__setting("list-#{title}").with_notify_update(false) } end end end
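Review bot: The only coverage for `weak_ssl` is the 'with complex key' context, which sets `'weak_ssl' => true` next to an `http://` `source`. That checks pass-through of the enabled value but never that the option stays off when the caller does not ask for it. Because the flag weakens how the repository signing key is fetched, the default deserves its own assertion. In the 'with simple key' context I would add `it { is_expected.to contain_apt__key("Add key: #{GPG_KEY_ID} from Apt::Source my_source").without_weak_ssl }`, or an equivalent check depending on how the undef value is rendered in the catalog.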