X-Git-Url: https://review.fuel-infra.org/gitweb?a=blobdiff_plain;f=manifests%2Fkey.pp;h=9ccbfcb6bbf6990a426f8664904a134f407fcc4f;hb=a35c30fe4b501e1bce24fe120cc8cd348b914ac6;hp=24eef9e9cf2f94c6a253f71a5f49a75c6a1c72d5;hpb=76dbf992e04bbbaa909cbe779adac0045cee5a7f;p=puppet-modules%2Fpuppetlabs-apt.git

diff --git a/manifests/key.pp b/manifests/key.pp
index 24eef9e..9ccbfcb 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -1,68 +1,121 @@
+# == Define: apt::key
+#
+# The apt::key defined type allows for keys to be added to apt's keyring
+# which is used for package validation. This defined type uses the apt_key
+# native type to manage keys. This is a simple wrapper around apt_key with
+# a few safeguards in place.
+#
+# === Parameters
+#
+# [*key*]
+#   _default_: +$title+, the title/name of the resource
+#
+#   Is a GPG key ID. This key ID is validated with a regex enforcing it
+#   to only contain valid hexadecimal characters, be precisely 8 or 16
+#   characters long and optionally prefixed with 0x.
+#
+# [*ensure*]
+#   _default_: +present+
+#
+#   The state we want this key in, may be either one of:
+#   * +present+
+#   * +absent+
+#
+# [*key_content*]
+#   _default_: +undef+
+#
+#   This parameter can be used to pass in a GPG key as a
+#   string in case it cannot be fetched from a remote location
+#   and using a file resource is for other reasons inconvenient.
+#
+# [*key_source*]
+#   _default_: +undef+
+#
+#   This parameter can be used to pass in the location of a GPG
+#   key. This URI can take the form of a:
+#   * +URL+: ftp, http or https
+#   * +path+: absolute path to a file on the target system.
+#
+# [*key_server*]
+#   _default_: +undef+
+#
+#   The keyserver from where to fetch our GPG key. It defaults to
+#   undef which results in apt_key's default keyserver being used,
+#   currently +keyserver.ubuntu.com+.
+#
+# [*key_options*]
+#   _default_: +undef+
+#
+#   Additional options to pass on to `apt-key adv --keyserver-options`.
 define apt::key (
-  $key = $title,
-  $ensure = present,
-  $key_content = false,
-  $key_source = false,
-  $key_server = "keyserver.ubuntu.com"
+  $key         = $title,
+  $ensure      = present,
+  $key_content = undef,
+  $key_source  = undef,
+  $key_server  = undef,
+  $key_options = undef,
 ) {
 
-  include apt::params
+  validate_re($key, ['\A(0x)?[0-9a-fA-F]{8}\Z', '\A(0x)?[0-9a-fA-F]{16}\Z'])
+  validate_re($ensure, ['\Aabsent|present\Z',])
 
   if $key_content {
-    $method = "content"
-  } elsif $key_source {
-    $method = "source"
-  } elsif $key_server {
-    $method = "server"
+    validate_string($key_content)
   }
 
-  # This is a hash of the parts of the key definition that we care about.
-  # It is used as a unique identifier for this instance of apt::key. It gets
-  # hashed to ensure that the resource name doesn't end up being pages and
-  # pages (e.g. in the situation where key_content is specified).
-  $digest = sha1("${key}/${key_content}/${key_source}/${key_server}/")
+  if $key_source {
+    validate_re($key_source, ['\Ahttps?:\/\/', '\Aftp:\/\/', '\A\/\w+'])
+  }
+
+  if $key_server {
+    if !is_domain_name($key_server) {
+      fail('$key_server must be a valid domain name')
+    }
+  }
+
+  if $key_options {
+    validate_string($key_options)
+  }
 
-  # Allow multiple ensure => present for the same key to account for many
-  # apt::source resources that all reference the same key.
   case $ensure {
     present: {
-      if defined(Exec["apt::key $key absent"]) {
-        fail ("Cannot ensure Apt::Key[$key] present; $key already ensured absent")
-      } elsif !defined(Exec["apt::key $key present"]) {
-        # this is a marker to ensure we don't simultaneously define a key
-        # ensure => absent AND ensure => present
-        exec { "apt::key $key present":
-          path   => "/",
-          onlyif => "/bin/false",
-          noop   => true;
-        }
+      if defined(Anchor["apt_key ${key} absent"]){
+        fail("key with id ${key} already ensured as absent")
       }
-      if !defined(Exec[$digest]) {
-        exec { $digest:
-          path    => "/bin:/usr/bin",
-          unless  => "/usr/bin/apt-key list | /bin/grep '${key}'",
-          command => $method ? {
-            "content" => "echo '${key_content}' | /usr/bin/apt-key add -",
-            "source"  => "wget -q '${key_source}' -O- | apt-key add -",
-            "server"  => "apt-key adv --keyserver '${key_server}' --recv-keys '${key}'",
-          };
-        }
+
+      if !defined(Anchor["apt_key ${key} present"]) {
+        apt_key { $title:
+          ensure            => $ensure,
+          id                => $key,
+          source            => $key_source,
+          content           => $key_content,
+          server            => $key_server,
+          keyserver_options => $key_options,
+        } ->
+        anchor { "apt_key ${key} present": }
       }
     }
+
     absent: {
-      if defined(Exec["apt::key $key present"]) {
-        fail ("Cannot ensure Apt::Key[$key] absent; $key already ensured present")
+      if defined(Anchor["apt_key ${key} present"]){
+        fail("key with id ${key} already ensured as present")
       }
-      exec { "apt::key $key absent":
-        path    => "/bin:/usr/bin",
-        onlyif  => "apt-key list | grep '$key'",
-        command => "apt-key del '$key'",
-        user    => "root",
-        group   => "root",
+
+      if !defined(Anchor["apt_key ${key} absent"]){
+        apt_key { $title:
+          ensure            => $ensure,
+          id                => $key,
+          source            => $key_source,
+          content           => $key_content,
+          server            => $key_server,
+          keyserver_options => $key_options,
+        } ->
+        anchor { "apt_key ${key} absent": }
       }
     }
+
     default: {
-      fail "Invalid 'ensure' value '$ensure' for aptkey"
+      fail "Invalid 'ensure' value '${ensure}' for apt::key"
     }
   }
 }