diff --git a/lib/puppet/provider/apt_key/apt_key.rb b/lib/puppet/provider/apt_key/apt_key.rb index 1a7f17cc16..c80f41f0dc 100644 --- a/lib/puppet/provider/apt_key/apt_key.rb +++ b/lib/puppet/provider/apt_key/apt_key.rb @@ -13,27 +13,35 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do - KEY_LINE = { - :date => '[0-9]{4}-[0-9]{2}-[0-9]{2}', - :key_type => '(R|D)', - :key_size => '\d{4}', - :key_id => '[0-9a-fA-F]+', - :expires => 'expire(d|s)', - } - confine :osfamily => :debian defaultfor :osfamily => :debian commands :apt_key => 'apt-key' def self.instances + cli_args = ['adv','--list-keys', '--with-colons', '--fingerprint'] + if RUBY_VERSION > '1.8.7' - key_output = apt_key('list').encode('UTF-8', 'binary', :invalid => :replace, :undef => :replace, :replace => '') + key_output = apt_key(cli_args).encode('UTF-8', 'binary', :invalid => :replace, :undef => :replace, :replace => '') else - key_output = apt_key('list') + key_output = apt_key(cli_args) end + + pub_line, fpr_line = nil + key_array = key_output.split("\n").collect do |line| - line_hash = key_line_hash(line) - next unless line_hash + if line.start_with?('pub') + pub_line = line + elsif line.start_with?('fpr') + fpr_line = line + end + + next unless (pub_line and fpr_line) + + line_hash = key_line_hash(pub_line, fpr_line) + + # reset everything + pub_line, fpr_line = nil + expired = false if line_hash[:key_expiry] @@ -41,14 +49,17 @@ def self.instances end new( - :name => line_hash[:key_id], - :id => line_hash[:key_id], - :ensure => :present, - :expired => expired, - :expiry => line_hash[:key_expiry], - :size => line_hash[:key_size], - :type => line_hash[:key_type] == 'R' ? :rsa : :dsa, - :created => line_hash[:key_created] + :name => line_hash[:key_fingerprint], + :id => line_hash[:key_fingerprint], + :fingerprint => line_hash[:key_fingerprint], + :short => line_hash[:key_short], + :long => line_hash[:key_long], + :ensure => :present, + :expired => expired, + :expiry => line_hash[:key_expiry], + :size => line_hash[:key_size], + :type => line_hash[:key_type], + :created => line_hash[:key_created] ) end key_array.compact! @@ -57,59 +68,50 @@ def self.instances def self.prefetch(resources) apt_keys = instances resources.keys.each do |name| - if name.length == 16 - shortname=name[8..-1] - else - shortname=name - end - if provider = apt_keys.find{ |key| key.name == shortname } - resources[name].provider = provider + if name.length == 40 + if provider = apt_keys.find{ |key| key.fingerprint == name } + resources[name].provider = provider + end + elsif name.length == 16 + if provider = apt_keys.find{ |key| key.long == name } + resources[name].provider = provider + end + elsif name.length == 8 + if provider = apt_keys.find{ |key| key.short == name } + resources[name].provider = provider + end end end end - def self.key_line_hash(line) - line_array = line.match(key_line_regexp).to_a - return nil if line_array.length < 5 + def self.key_line_hash(pub_line, fpr_line) + pub_split = pub_line.split(':') + fpr_split = fpr_line.split(':') + fingerprint = fpr_split.last return_hash = { - :key_id => line_array[3], - :key_size => line_array[1], - :key_type => line_array[2], - :key_created => line_array[4], - :key_expiry => nil, + :key_fingerprint => fingerprint, + :key_long => fingerprint[-16..-1], # last 16 characters of fingerprint + :key_short => fingerprint[-8..-1], # last 8 characters of fingerprint + :key_size => pub_split[2], + :key_type => nil, + :key_created => pub_split[5], + :key_expiry => pub_split[6].empty? ? nil : pub_split[6], } - return_hash[:key_expiry] = line_array[7] if line_array.length == 8 - return return_hash - end + # set key type based on types defined in /usr/share/doc/gnupg/DETAILS.gz + case pub_split[3] + when "1" + return_hash[:key_type] = :rsa + when "17" + return_hash[:key_type] = :dsa + when "18" + return_hash[:key_type] = :ecc + when "19" + return_hash[:key_type] = :ecdsa + end - def self.key_line_regexp - # This regexp is trying to match the following output - # pub 4096R/4BD6EC30 2010-07-10 [expires: 2016-07-08] - # pub 1024D/CD2EFD2A 2009-12-15 - regexp = /\A - pub # match only the public key, not signatures - \s+ # bunch of spaces after that - (#{KEY_LINE[:key_size]}) # size of the key, usually a multiple of 1024 - #{KEY_LINE[:key_type]} # type of the key, usually R or D - \/ # separator between key_type and key_id - (#{KEY_LINE[:key_id]}) # hex id of the key - \s+ # bunch of spaces after that - (#{KEY_LINE[:date]}) # date the key was added to the keyring - # following an optional block which indicates if the key has an expiration - # date and if it has expired yet - ( - \s+ # again with thes paces - \[ # we open with a square bracket - #{KEY_LINE[:expires]} # expires or expired - \: # a colon - \s+ # more spaces - (#{KEY_LINE[:date]}) # date indicating key expiry - \] # we close with a square bracket - )? # end of the optional block - \Z/x - regexp + return return_hash end def source_to_file(value) diff --git a/lib/puppet/type/apt_key.rb b/lib/puppet/type/apt_key.rb index 8aa408193c..70825ac218 100644 --- a/lib/puppet/type/apt_key.rb +++ b/lib/puppet/type/apt_key.rb @@ -28,8 +28,8 @@ newparam(:id, :namevar => true) do desc 'The ID of the key you want to manage.' # GPG key ID's should be either 32-bit (short) or 64-bit (long) key ID's - # and may start with the optional 0x - newvalues(/\A(0x)?[0-9a-fA-F]{8}\Z/, /\A(0x)?[0-9a-fA-F]{16}\Z/) + # and may start with the optional 0x, or they can be 40-digit key fingerprints + newvalues(/\A(0x)?[0-9a-fA-F]{8}\Z/, /\A(0x)?[0-9a-fA-F]{16}\Z/, /\A(0x)?[0-9a-fA-F]{40}\Z/) munge do |value| if value.start_with?('0x') id = value.partition('0x').last.upcase @@ -66,6 +66,30 @@ desc 'Additional options to pass to apt-key\'s --keyserver-options.' end + newproperty(:fingerprint) do + desc <<-EOS + The 40-digit hexadecimal fingerprint of the specified GPG key. + + This property is read-only. + EOS + end + + newproperty(:long) do + desc <<-EOS + The 16-digit hexadecimal id of the specified GPG key. + + This property is read-only. + EOS + end + + newproperty(:short) do + desc <<-EOS + The 8-digit hexadecimal id of the specified GPG key. + + This property is read-only. + EOS + end + newproperty(:expired) do desc <<-EOS Indicates if the key has expired. @@ -92,7 +116,7 @@ newproperty(:type) do desc <<-EOS - The key type, either RSA or DSA. + The key type, one of: rsa, dsa, ecc, ecdsa This property is read-only. EOS diff --git a/manifests/key.pp b/manifests/key.pp index c51f4bfa56..ce5fc2514c 100644 --- a/manifests/key.pp +++ b/manifests/key.pp @@ -10,9 +10,11 @@ # [*key*] # _default_: +$title+, the title/name of the resource # -# Is a GPG key ID. This key ID is validated with a regex enforcing it -# to only contain valid hexadecimal characters, be precisely 8 or 16 -# characters long and optionally prefixed with 0x. +# Is a GPG key ID or full key fingerprint. This value is validated with +# a regex enforcing it to only contain valid hexadecimal characters, be +# precisely 8 or 16 hexadecimal characters long and optionally prefixed +# with 0x for key IDs, or 40 hexadecimal characters long for key +# fingerprints. # # [*ensure*] # _default_: +present+ @@ -57,7 +59,7 @@ $key_options = undef, ) { - validate_re($key, ['\A(0x)?[0-9a-fA-F]{8}\Z', '\A(0x)?[0-9a-fA-F]{16}\Z']) + validate_re($key, ['\A(0x)?[0-9a-fA-F]{8}\Z', '\A(0x)?[0-9a-fA-F]{16}\Z', '\A(0x)?[0-9a-fA-F]{40}\Z']) validate_re($ensure, ['\Aabsent|present\Z',]) if $key_content { diff --git a/spec/acceptance/apt_key_provider_spec.rb b/spec/acceptance/apt_key_provider_spec.rb index 3f2536c7f0..aa1e5a425e 100644 --- a/spec/acceptance/apt_key_provider_spec.rb +++ b/spec/acceptance/apt_key_provider_spec.rb @@ -1,20 +1,27 @@ require 'spec_helper_acceptance' -PUPPETLABS_GPG_KEY_ID = '4BD6EC30' -PUPPETLABS_GPG_LONG_KEY_ID = '1054B7A24BD6EC30' -PUPPETLABS_APT_URL = 'apt.puppetlabs.com' -PUPPETLABS_GPG_KEY_FILE = 'pubkey.gpg' -CENTOS_GPG_KEY_ID = 'C105B9DE' -CENTOS_REPO_URL = 'ftp.cvut.cz/centos' -CENTOS_GPG_KEY_FILE = 'RPM-GPG-KEY-CentOS-6' +PUPPETLABS_GPG_KEY_SHORT_ID = '4BD6EC30' +PUPPETLABS_GPG_KEY_LONG_ID = '1054B7A24BD6EC30' +PUPPETLABS_GPG_KEY_FINGERPRINT = '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30' +PUPPETLABS_APT_URL = 'apt.puppetlabs.com' +PUPPETLABS_GPG_KEY_FILE = 'pubkey.gpg' +CENTOS_GPG_KEY_SHORT_ID = 'C105B9DE' +CENTOS_GPG_KEY_LONG_ID = '0946FCA2C105B9DE' +CENTOS_GPG_KEY_FINGERPRINT = 'C1DAC52D1664E8A4386DBA430946FCA2C105B9DE' +CENTOS_REPO_URL = 'ftp.cvut.cz/centos' +CENTOS_GPG_KEY_FILE = 'RPM-GPG-KEY-CentOS-6' + +KEY_CHECK_COMMAND = "apt-key adv --list-keys --with-colons --fingerprint | grep " +PUPPETLABS_KEY_CHECK_COMMAND = "#{KEY_CHECK_COMMAND} #{PUPPETLABS_GPG_KEY_FINGERPRINT}" +CENTOS_KEY_CHECK_COMMAND = "#{KEY_CHECK_COMMAND} #{CENTOS_GPG_KEY_FINGERPRINT}" describe 'apt_key' do before(:each) do # Delete twice to make sure everything is cleaned # up after the short key collision - shell("apt-key del #{PUPPETLABS_GPG_KEY_ID}", + shell("apt-key del #{PUPPETLABS_GPG_KEY_SHORT_ID}", :acceptable_exit_codes => [0,1,2]) - shell("apt-key del #{PUPPETLABS_GPG_KEY_ID}", + shell("apt-key del #{PUPPETLABS_GPG_KEY_SHORT_ID}", :acceptable_exit_codes => [0,1,2]) end @@ -22,12 +29,16 @@ key_versions = { '32bit key id' => '4BD6EC30', '64bit key id' => '1054B7A24BD6EC30', + '160bit key fingerprint' => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30', '32bit lowercase key id' => '4bd6ec30', '64bit lowercase key id' => '1054b7a24bd6ec30', + '160bit lowercase key fingerprint' => '47b320eb4c7c375aa9dae1a01054b7a24bd6ec30', '0x formatted 32bit key id' => '0x4BD6EC30', '0x formatted 64bit key id' => '0x1054B7A24BD6EC30', + '0x formatted 160bit key fingerprint' => '0x47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30', '0x formatted 32bit lowercase key id' => '0x4bd6ec30', '0x formatted 64bit lowercase key id' => '0x1054b7a24bd6ec30', + '0x formatted 160bit lowercase key fingerprint' => '0x47b320eb4c7c375aa9dae1a01054b7a24bd6ec30', } key_versions.each do |key, value| @@ -42,7 +53,7 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_changes => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end end end @@ -67,25 +78,25 @@ it 'is removed' do pp = <<-EOS apt_key { 'centos': - id => '#{CENTOS_GPG_KEY_ID}', + id => '#{CENTOS_GPG_KEY_LONG_ID}', ensure => 'absent', } EOS # Install the key first shell("apt-key adv --keyserver keyserver.ubuntu.com \ - --recv-keys #{CENTOS_GPG_KEY_ID}") - shell("apt-key list | grep #{CENTOS_GPG_KEY_ID}") + --recv-keys #{CENTOS_GPG_KEY_FINGERPRINT}") + shell(CENTOS_KEY_CHECK_COMMAND) # Time to remove it using Puppet apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{CENTOS_GPG_KEY_ID}", + shell(CENTOS_KEY_CHECK_COMMAND, :acceptable_exit_codes => [1]) shell("apt-key adv --keyserver keyserver.ubuntu.com \ - --recv-keys #{CENTOS_GPG_KEY_ID}") + --recv-keys #{CENTOS_GPG_KEY_FINGERPRINT}") end end @@ -93,21 +104,21 @@ it 'is removed' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'absent', } EOS # Install the key first shell("apt-key adv --keyserver keyserver.ubuntu.com \ - --recv-keys #{PUPPETLABS_GPG_LONG_KEY_ID}") - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + --recv-keys #{PUPPETLABS_GPG_KEY_LONG_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) # Time to remove it using Puppet apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}", + shell(PUPPETLABS_KEY_CHECK_COMMAND, :acceptable_exit_codes => [1]) end end @@ -118,7 +129,7 @@ it 'works' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}', ensure => 'present', content => "-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.12 (GNU/Linux) @@ -185,7 +196,7 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end end @@ -193,7 +204,7 @@ it 'fails' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', content => 'For posterity: such content, much bogus, wow', } @@ -211,7 +222,7 @@ it 'works' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', server => 'pgp.mit.edu', } @@ -219,7 +230,7 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end end @@ -227,7 +238,7 @@ it 'works' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_FINGERPRINT}', ensure => 'present', server => 'hkp://pgp.mit.edu:80', } @@ -235,7 +246,7 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end end @@ -243,7 +254,7 @@ it 'fails' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', server => 'nonexistant.key.server', } @@ -259,7 +270,7 @@ it 'fails' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', server => '.pgp.key.server', } @@ -277,7 +288,7 @@ it 'works' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'http://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}', } @@ -285,13 +296,13 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end it 'fails with a 404' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'http://#{PUPPETLABS_APT_URL}/herpderp.gpg', } @@ -305,7 +316,7 @@ it 'fails with a socket error' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'http://apt.puppetlabss.com/herpderp.gpg', } @@ -319,14 +330,14 @@ context 'ftp://' do before(:each) do - shell("apt-key del #{CENTOS_GPG_KEY_ID}", + shell("apt-key del #{CENTOS_GPG_KEY_LONG_ID}", :acceptable_exit_codes => [0,1,2]) end it 'works' do pp = <<-EOS apt_key { 'CentOS 6': - id => '#{CENTOS_GPG_KEY_ID}', + id => '#{CENTOS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'ftp://#{CENTOS_REPO_URL}/#{CENTOS_GPG_KEY_FILE}', } @@ -334,13 +345,13 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{CENTOS_GPG_KEY_ID}") + shell(CENTOS_KEY_CHECK_COMMAND) end it 'fails with a 550' do pp = <<-EOS apt_key { 'CentOS 6': - id => '#{CENTOS_GPG_KEY_ID}', + id => '#{CENTOS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'ftp://#{CENTOS_REPO_URL}/herpderp.gpg', } @@ -354,7 +365,7 @@ it 'fails with a socket error' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'ftp://apt.puppetlabss.com/herpderp.gpg', } @@ -370,7 +381,7 @@ it 'works' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}', } @@ -378,7 +389,7 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end it 'fails with a 404' do @@ -431,7 +442,7 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end end @@ -439,7 +450,7 @@ it 'fails' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => '/tmp/totally_bogus.file', } @@ -462,7 +473,7 @@ it 'fails' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', source => '/tmp/fake-key.gpg', } @@ -480,7 +491,7 @@ it 'works' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', keyserver_options => 'debug', } @@ -488,19 +499,19 @@ apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true) - shell("apt-key list | grep #{PUPPETLABS_GPG_KEY_ID}") + shell(PUPPETLABS_KEY_CHECK_COMMAND) end it 'fails on invalid options' do pp = <<-EOS apt_key { 'puppetlabs': - id => '#{PUPPETLABS_GPG_KEY_ID}', + id => '#{PUPPETLABS_GPG_KEY_LONG_ID}', ensure => 'present', keyserver_options => 'this is totally bonkers', } EOS - shell("apt-key del #{PUPPETLABS_GPG_KEY_ID}", :acceptable_exit_codes => [0,1,2]) + shell("apt-key del #{PUPPETLABS_GPG_KEY_FINGERPRINT}", :acceptable_exit_codes => [0,1,2]) apply_manifest(pp, :expect_failures => true) do |r| expect(r.stderr).to match(/--keyserver-options this is totally/) end diff --git a/spec/defines/key_spec.rb b/spec/defines/key_spec.rb index dbb67c4c57..b09dc5bf50 100644 --- a/spec/defines/key_spec.rb +++ b/spec/defines/key_spec.rb @@ -2,7 +2,7 @@ describe 'apt::key', :type => :define do let(:facts) { { :lsbdistid => 'Debian' } } - GPG_KEY_ID = '4BD6EC30' + GPG_KEY_ID = '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30' let :title do GPG_KEY_ID diff --git a/spec/defines/source_spec.rb b/spec/defines/source_spec.rb index 8327ed2d72..b553fa8dfe 100644 --- a/spec/defines/source_spec.rb +++ b/spec/defines/source_spec.rb @@ -1,7 +1,8 @@ require 'spec_helper' describe 'apt::source', :type => :define do - GPG_KEY_ID = '4BD6EC30' + GPG_KEY_ID = '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30' + let :title do 'my_source'