

Merge pull request #849 from tuxmea/apt_key_weak_ssl
Allow weak SSL verification for apt_key
eimlav authored Mar 20, 2019
2 parents 3ca031b + d5e8115 commit d2ae49f
Showing 6 changed files with 76 additions and 14 deletions.
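--- a/lib/puppet/provider/apt_key/apt_key.rb
+++ b/lib/puppet/provider/apt_key/apt_key.rb
@@ -126,7 +126,11 @@ def source_to_file(value)
 # Only send basic auth if URL contains userinfo
 # Some webservers (e.g. Amazon S3) return code 400 if empty basic auth is sent
 if parsed_value.userinfo.nil?
-key = parsed_value.read
+key = if parsed_value.scheme == 'https' && resource[:weak_ssl] == true
+open(parsed_value, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read
+else
+parsed_value.read
+end
 else
 user_pass = parsed_value.userinfo.split(':')
 parsed_value.userinfo = ''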
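Review bot: The `weak_ssl` branch disables certificate-chain and hostname verification (`OpenSSL::SSL::VERIFY_NONE`), so anyone positioned on the path can substitute the key material, yet nothing in the hunk records that the download ran unverified; log it when the branch is taken so it shows up in agent reports, e.g. `Puppet.warning("apt_key #{resource[:name]}: downloading #{parsed_value} with SSL verification disabled (weak_ssl => true)")`. The `open(parsed_value, ...)` call goes through open-uri's `Kernel#open` override, which is deprecated since Ruby 2.7; `parsed_value.open(ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read` is the equivalent `URI#open` form and is consistent with the `parsed_value.read` used in the else branch. A why-comment above the branch should state that the trustworthiness of a key fetched this way rests entirely on the fingerprint/id comparison the provider performs after download — confirm that comparison covers this path before merging. `source_to_file` begins before the hunk.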
5 changes: 5 additions & 0 deletions lib/puppet/type/apt_key.rb
Expand Up @@ -80,6 +80,11 @@
defaultto false
end

newparam(:weak_ssl, boolean: true, parent: Puppet::Parameter::Boolean) do
desc 'When true and source uses https, accepts download of keys without SSL verfication'
defaultto false
end

newproperty(:fingerprint) do
desc <<-MANIFEST
The 40-digit hexadecimal fingerprint of the specified GPG key.
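Review bot: The `desc` on the new `newparam(:weak_ssl, ...)` has a typo ('verfication') and does not say what is actually switched off or that the flag is ignored for non-https sources; suggested wording: `desc 'When true and source is an https URL, downloads the key without verifying the server SSL certificate. Has no effect on other URL schemes.'` The scheme restriction follows from the provider only taking the branch when `scheme == 'https'`. The enclosing type block starts before and continues after the hunk.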
32 changes: 19 additions & 13 deletions manifests/key.pp
Expand Up @@ -29,6 +29,9 @@
# Specifies a keyserver to provide the GPG key. Valid options: a string containing a domain name or a full URL (http://, https://,
# hkp:// or hkps://). The hkps:// protocol is currently only supported on Ubuntu 18.04.
#
# @param weak_ssl
# Specifies whether strict SSL verification on a https URL should be disabled. Valid options: true or false.
#
# @param options
# Passes additional options to `apt-key adv --keyserver-options`.
#
Expand All @@ -38,6 +41,7 @@
Optional[String] $content = undef,
Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source = undef,
Pattern[/\A((hkp|hkps|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?$/] $server = $::apt::keyserver,
Boolean $weak_ssl = false,
Optional[String] $options = undef,
) {

Expand All @@ -49,13 +53,14 @@

if !defined(Anchor["apt_key ${id} present"]) {
apt_key { $title:
ensure => present,
refresh => $ensure == 'refreshed',
id => $id,
source => $source,
content => $content,
server => $server,
options => $options,
ensure => present,
refresh => $ensure == 'refreshed',
id => $id,
source => $source,
content => $content,
server => $server,
weak_ssl => $weak_ssl,
options => $options,
} -> anchor { "apt_key ${id} present": }

case $facts['os']['name'] {
Expand Down Expand Up @@ -83,12 +88,13 @@

if !defined(Anchor["apt_key ${id} absent"]){
apt_key { $title:
ensure => $ensure,
id => $id,
source => $source,
content => $content,
server => $server,
options => $options,
ensure => $ensure,
id => $id,
source => $source,
content => $content,
server => $server,
weak_ssl => $weak_ssl,
options => $options,
} -> anchor { "apt_key ${id} absent": }
}
}
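Review bot: The new `@param weak_ssl` doc says only that verification "should be disabled" and omits the default and the fact that the flag does nothing for non-https `source` values, both of which a user of this define needs to know; suggested wording: `# Specifies whether SSL certificate verification of an https source URL should be disabled. Has no effect on other schemes. Valid options: true or false. Default: false.` The remaining hunks only thread `$weak_ssl` through to the two `apt_key` resources and raise no separate point. The define starts before the first hunk and ends after the last.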
14 changes: 14 additions & 0 deletions spec/acceptance/apt_key_provider_spec.rb
Expand Up @@ -533,6 +533,15 @@ def apply_manifest_twice(manifest_pp)
}
MANIFEST

https_with_weak_ssl_works_pp = <<-MANIFEST
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
ensure => 'present',
source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
weak_ssl => true,
}
MANIFEST

https_userinfo_pp = <<-MANIFEST
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
Expand Down Expand Up @@ -793,6 +802,11 @@ def apply_manifest_twice(manifest_pp)
shell(PUPPETLABS_KEY_CHECK_COMMAND)
end

it 'works with weak ssl' do
apply_manifest_twice(https_with_weak_ssl_works_pp)
shell(PUPPETLABS_KEY_CHECK_COMMAND)
end

it 'works with userinfo' do
apply_manifest_twice(https_userinfo_pp)
shell(PUPPETLABS_KEY_CHECK_COMMAND)
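Review bot: The new `it 'works with weak ssl'` example passes whether or not the `weak_ssl` branch is taken, because a server with a valid certificate serves the key either way (assuming `PUPPETLABS_APT_URL` presents a valid chain), so it covers the parameter plumbing but not the verification toggle itself. Exercising the toggle would need a source whose certificate fails verification; absent such a fixture, a comment on the example saying it only checks that `weak_ssl => true` is accepted and applies idempotently would set expectations for the next reader. Both the heredoc and the example sit inside an enclosing block that starts before the hunk.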
15 changes: 15 additions & 0 deletions spec/unit/puppet/provider/apt_key_spec.rb
Expand Up @@ -113,6 +113,21 @@
expect(provider).to be_exist
end

it 'apt_key with source and weak ssl verify set' do
expect(described_class).to receive(:apt_key).with(array_including('add', kind_of(String)))
resource = Puppet::Type::Apt_key.new(name: 'gsd',
id: 'C105B9DE',
source: 'https://bla/herpderp.gpg',
ensure: 'present',
weak_ssl: true)

provider = described_class.new(resource)
expect(provider).not_to be_exist
expect(provider).to receive(:source_to_file).and_return(Tempfile.new('foo'))
provider.create
expect(provider).to be_exist
end

describe 'different valid id keys' do
hash_of_keys = {
'32bit key id' => 'EF8D349F',
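Review bot: The new example 'apt_key with source and weak ssl verify set' stubs `source_to_file` to return a Tempfile, so the provider's `weak_ssl` branch is never reached and the example cannot tell `weak_ssl: true` apart from `false`. To cover the toggle, let `source_to_file` run against the https URL and assert that the download is made without verification, e.g. `expect(provider).to receive(:open).with(kind_of(URI), hash_including(ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE)).and_return(StringIO.new('key'))`, adjusting the stub target if the provider is changed to `URI#open`. The surrounding describe block starts before the hunk.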
18 changes: 18 additions & 0 deletions spec/unit/puppet/type/apt_key_spec.rb
Expand Up @@ -32,6 +32,10 @@
it 'refresh is not set' do
expect(resource[:refresh]).to eq nil
end

it 'weak_ssl is not set' do
expect(resource[:weak_ssl]).to eq nil
end
end

context 'with a lowercase 32bit key id' do
Expand Down Expand Up @@ -107,6 +111,20 @@
end
end

context 'with source and weak_ssl' do
let(:resource) do
Puppet::Type.type(:apt_key).new(
id: 'EF8D349F',
source: 'https://apt.puppetlabs.com/pubkey.gpg',
weak_ssl: true,
)
end

it 'source is set to the URL' do
expect(resource[:source]).to eq 'https://apt.puppetlabs.com/pubkey.gpg'
end
end

context 'with content' do
let(:resource) do
Puppet::Type.type(:apt_key).new(
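Review bot: The new `context 'with source and weak_ssl'` never asserts on `weak_ssl` itself — its only example checks `source`, so it would still pass if the parameter were dropped or munged wrongly; add `it 'weak_ssl is set' do` / `expect(resource[:weak_ssl]).to eq true` / `end`. The earlier example 'weak_ssl is not set' expects `nil` even though the parameter declares `defaultto false`; presumably that is because type defaults are applied when the resource is finalised in a catalog rather than on `Puppet::Type.type(:apt_key).new` — a one-line comment stating that would save the next reader the same question. Both hunks sit inside a describe block that begins before the first hunk.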
