X-Git-Url: https://review.fuel-infra.org/gitweb?a=blobdiff_plain;f=manifests%2Fkey.pp;h=dbbed2bef0df5e58aea588e1b292d5a1a628359c;hb=a2229a843eb2af5045cf6aebde7a130d3f22fca4;hp=68e0c76330768277fc3fbc2aafa7c15ddfa8d765;hpb=3dd2d1f2270791cc50c8c9634fc0e2e1e19a74d3;p=puppet-modules%2Fpuppetlabs-apt.git diff --git a/manifests/key.pp b/manifests/key.pp index 68e0c76..9387899 100644 --- a/manifests/key.pp +++ b/manifests/key.pp @@ -1,75 +1,100 @@ +# @summary Manages the GPG keys that Apt uses to authenticate packages. +# +# @note +# The apt::key defined type makes use of the apt_key type, but includes extra functionality to help prevent duplicate keys. +# +# @example Declare Apt key for apt.puppetlabs.com source +# apt::key { 'puppetlabs': +# id => '6F6B15509CF8E59E6E469F327F438280EF8D349F', +# server => 'hkps.pool.sks-keyservers.net', +# options => 'http-proxy="http://proxyuser:proxypass@example.org:3128"', +# } +# +# @param id +# Specifies a GPG key to authenticate Apt package signatures. Valid options: a string containing a key ID (8 or 16 hexadecimal +# characters, optionally prefixed with "0x") or a full key fingerprint (40 hexadecimal characters). +# +# @param ensure +# Specifies whether the key should exist. Valid options: 'present', 'absent' or 'refreshed'. Using 'refreshed' will make keys auto +# update when they have expired (assuming a new key exists on the key server). +# +# @param content +# Supplies the entire GPG key. Useful in case the key can't be fetched from a remote location and using a file resource is inconvenient. +# +# @param source +# Specifies the location of an existing GPG key file to copy. Valid options: a string containing a URL (ftp://, http://, or https://) or +# an absolute path. +# +# @param server +# Specifies a keyserver to provide the GPG key. Valid options: a string containing a domain name or a full URL (http://, https://, or +# hkp://). +# +# @param options +# Passes additional options to `apt-key adv --keyserver-options`. +# define apt::key ( - $key = $title, - $ensure = present, - $key_content = false, - $key_source = false, - $key_server = "keyserver.ubuntu.com" -) { + Pattern[/\A(0x)?[0-9a-fA-F]{8}\Z/, /\A(0x)?[0-9a-fA-F]{16}\Z/, /\A(0x)?[0-9a-fA-F]{40}\Z/] $id = $title, + Enum['present', 'absent', 'refreshed'] $ensure = present, + Optional[String] $content = undef, + Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source = undef, + Pattern[/\A((hkp|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?$/] $server = $::apt::keyserver, + Optional[String] $options = undef, + ) { - include apt::params - - if $key_content { - $method = "content" - } elsif $key_source { - $method = "source" - } elsif $key_server { - $method = "server" - } - - # This is a hash of the parts of the key definition that we care about. - # It is used as a unique identifier for this instance of apt::key. It gets - # hashed to ensure that the resource name doesn't end up being pages and - # pages (e.g. in the situation where key_content is specified). - $digest = sha1("${key}/${key_content}/${key_source}/${key_server}/") - - # Allow multiple ensure => present for the same key to account for many - # apt::source resources that all reference the same key. case $ensure { - present: { - - anchor { "apt::key/$title":; } - - if defined(Exec["apt::key $key absent"]) { - fail ("Cannot ensure Apt::Key[$key] present; $key already ensured absent") + /^(refreshed|present)$/: { + if defined(Anchor["apt_key ${id} absent"]){ + fail(translate('key with id %{_id} already ensured as absent'), {'_id' => id}) } - if !defined(Anchor["apt::key $key present"]) { - anchor { "apt::key $key present":; } - } + if !defined(Anchor["apt_key ${id} present"]) { + apt_key { $title: + ensure => present, + refresh => $ensure == 'refreshed', + id => $id, + source => $source, + content => $content, + server => $server, + options => $options, + } -> anchor { "apt_key ${id} present": } - if !defined(Exec[$digest]) { - exec { $digest: - path => "/bin:/usr/bin", - unless => "/usr/bin/apt-key list | /bin/grep '${key}'", - before => Anchor["apt::key $key present"], - command => $method ? { - "content" => "echo '${key_content}' | /usr/bin/apt-key add -", - "source" => "wget -q '${key_source}' -O- | apt-key add -", - "server" => "apt-key adv --keyserver '${key_server}' --recv-keys '${key}'", - }; + case $facts['os']['name'] { + 'Debian': { + if versioncmp($facts['os']['release']['major'], '9') >= 0 { + ensure_packages(['dirmngr']) + Apt::Key<| title == $title |> + } + } + 'Ubuntu': { + if versioncmp($facts['os']['release']['full'], '17.04') >= 0 { + ensure_packages(['dirmngr']) + Apt::Key<| title == $title |> + } + } + default: { } } } - - Anchor["apt::key $key present"] -> Anchor["apt::key/$title"] - } - absent: { - if defined(Anchor["apt::key $key present"]) { - fail ("Cannot ensure Apt::Key[$key] absent; $key already ensured present") + absent: { + if defined(Anchor["apt_key ${id} present"]){ + fail(translate('key with id %{_id} already ensured as present', {'_id' => id})) } - exec { "apt::key $key absent": - path => "/bin:/usr/bin", - onlyif => "apt-key list | grep '$key'", - command => "apt-key del '$key'", - user => "root", - group => "root", + if !defined(Anchor["apt_key ${id} absent"]){ + apt_key { $title: + ensure => $ensure, + id => $id, + source => $source, + content => $content, + server => $server, + options => $options, + } -> anchor { "apt_key ${id} absent": } } } default: { - fail "Invalid 'ensure' value '$ensure' for aptkey" + fail translate('Invalid \'ensure\' value \'%{_ensure}\' for apt::key', {'_ensure' => ensure}) } } }