Use upstream apt module, expand Ubuntu support - #4 (#10)

* Use upstream apt module, expand Ubuntu support - #4 Modify gpg key import methods. Couldn't get tests to pass with apt::key, had to use an id + URL instead. - Replace ${module_name} with actual module name - Add puppetlabs/apt as dependency, update debian/ubuntu support - Add comment about expanded manage_repo functionality
mozilla-it · Sep 17, 2020 · a425e95 · a425e95
1 parent 5006420
commit a425e95
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 39 deletions.
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -6,3 +6,4 @@ fixtures:
      stdlib: "puppetlabs/stdlib"
      augeas_core: "puppetlabs/augeas_core"
      yumrepo: "puppetlabs/yumrepo_core"
+     apt: "puppetlabs/apt"
diff --git a/manifests/apt.pp b/manifests/apt.pp
@@ -13,31 +13,19 @@
     }
   }
 
-  package { $::duo_unix::duo_package:
-    ensure  => $package_state,
-    require => [
-      File[$repo_file],
-      Exec['Duo Security GPG Import'],
-      Exec['duo-security-apt-update']
-    ]
-  }
-
-  file { $repo_file:
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    content => "deb ${repo_uri}/${facts['operatingsystem']} ${facts['lsbdistcodename']} main",
-    notify  => Exec['duo-security-apt-update']
-  }
-
-  exec { 'duo-security-apt-update':
-    command     => '/usr/bin/apt-get update',
-    refreshonly => true
-  }
+  if $::duo_unix::manage_repo {
+    apt::source { 'duosecurity':
+      location => $repo_uri,
+      repos    => 'main',
+      key      => {
+        'id'     => '08C2A645DDF240B85844068D7A450864C1A07A85',
+        'source' => 'https://duo.com/DUO-GPG-PUBLIC-KEY.asc'
+      }
+    }
 
-  exec { 'Duo Security GPG Import':
-    command => "/usr/bin/apt-key add ${::duo_unix::gpg_file}",
-    unless  => '/usr/bin/apt-key list | grep "Duo Security"',
-    notify  => Exec['duo-security-apt-update']
+    package { $::duo_unix::duo_package:
+      ensure  => $package_state,
+      require => Apt::Source['duosecurity'],
+    }
   }
 }
diff --git a/manifests/generic.pp b/manifests/generic.pp
@@ -19,7 +19,6 @@
       mode   => '0644',
       # Updated 2020-03, see https://help.duo.com/s/article/5503
       source => 'puppet:///modules/duo_unix/DUO-GPG-PUBLIC-KEY',
-      notify => Exec['Duo Security GPG Import'];
     }
   }
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -46,7 +46,7 @@
 # @param manage_pam
 #   Manage PAM config using Augeas
 # @param manage_repo
-#   Manage package repositories for Duo
+#   Manage rpm and deb package repositories for Duo
 # @param pam_unix_control
 #   Use the specified control mechanism for PAM
 # @param package_version
@@ -96,14 +96,14 @@
         'i386'  => '/lib/security/pam_duo.so',
         'i686'  => '/lib/security/pam_duo.so',
         'amd64' => '/lib64/security/pam_duo.so',
-        default => fail("Module ${module_name} does not support architecture ${facts['architecture']}")
+        default => fail("Module duo_unix does not support architecture ${facts['architecture']}")
       }
 
       include ::duo_unix::apt
       include ::duo_unix::generic
     }
     default: {
-      fail("Module ${module_name} does not support ${facts['os']['family']}")
+      fail("Module duo_unix does not support ${facts['os']['family']}")
     }
   }
 

diff --git a/manifests/yum.pp b/manifests/yum.pp
@@ -18,18 +18,12 @@
   }
 
   if $facts['os']['family'] == 'RedHat' and $::duo_unix::manage_repo {
-    exec { 'Duo Security GPG Import':
-      command => "/bin/rpm --import ${::duo_unix::gpg_file}",
-      unless  => "/bin/rpm -q gpg-pubkey-`echo $(gpg --throw-keyids < ${::duo_unix::gpg_file}) | cut --characters=11-18 | tr [A-Z] [a-z]`",
-      before  => Yumrepo['duosecurity'],
-      require => File[$::duo_unix::gpg_file];
-    }
-
     yumrepo { 'duosecurity':
       descr    => 'Duo Security Repository',
       baseurl  => "${repo_uri}/${os}/${releasever}/\$basearch",
       gpgcheck => '1',
       enabled  => '1',
+      gpgkey   => "file://${::duo_unix::gpg_file}",
       before   => Package[$::duo_unix::duo_package],
       require  => File[$::duo_unix::gpg_file];
     }

diff --git a/metadata.json b/metadata.json
@@ -16,6 +16,10 @@
       "name": "puppetlabs/augeas_core",
       "version_requirement": ">= 1.0.4 < 1.1.0"
     },
+    {
+      "name": "puppetlabs/apt",
+      "version_requirement": ">= 7.0.0 < 8.0.0"
+    },
     {
       "name": "puppetlabs/yumrepo_core",
       "version_requirement": ">= 1.0.3 < 1.1.0"
@@ -46,13 +50,15 @@
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "8"
+        "8",
+        "9"
       ]
     },
     {
       "operatingsystem": "Ubuntu",
       "operatingsystemrelease": [
-        "14.04"
+        "16.04",
+        "18.04"
       ]
     }
   ],

diff --git a/spec/classes/duo_unix_spec.rb b/spec/classes/duo_unix_spec.rb
@@ -25,6 +25,8 @@
           case facts[:osfamily]
           when 'Debian'
             it { is_expected.to contain_class('duo_unix::apt') }
+            it { is_expected.to contain_file('/etc/apt/DUO-GPG-PUBLIC-KEY') }
+            it { is_expected.to contain_apt__source('duosecurity').that_comes_before('Package[duo-unix]') }
             it { is_expected.to contain_package('duo-unix').with_ensure('installed') }
             it {
               is_expected.to contain_service('ssh').with(
@@ -35,7 +37,6 @@
           when 'RedHat'
             it { is_expected.to contain_class('duo_unix::yum') }
             it { is_expected.to contain_file('/etc/pki/rpm-gpg/DUO-GPG-PUBLIC-KEY') }
-            it { is_expected.to contain_yumrepo('duosecurity') }
             it { is_expected.to contain_yumrepo('duosecurity').that_comes_before('Package[duo_unix]') }
             it { is_expected.to contain_package('duo_unix').with_ensure('installed') }
             it {