fixes https://tickets.puppetlabs.com/browse/MODULES-8759
# Only send basic auth if URL contains userinfo
# Some webservers (e.g. Amazon S3) return code 400 if empty basic auth is sent
if parsed_value.userinfo.nil?
# Only send basic auth if URL contains userinfo
# Some webservers (e.g. Amazon S3) return code 400 if empty basic auth is sent
if parsed_value.userinfo.nil?
- key = parsed_value.read
+ key = if parsed_value.scheme == 'https' && resource[:weak_ssl] == true
+ open(parsed_value, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read
+ else
+ parsed_value.read
+ end
else
user_pass = parsed_value.userinfo.split(':')
parsed_value.userinfo = ''
else
user_pass = parsed_value.userinfo.split(':')
parsed_value.userinfo = ''
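Review bot: The added `open(parsed_value, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read` goes through `Kernel#open`, which only reaches open-uri for a URI object on Ruby versions where open-uri patches `Kernel#open`; the form that does not depend on that patch is `parsed_value.open(ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read`, mirroring the `parsed_value.read` already used on the other branch. With verification off, whoever sits on the path to the server can hand back a different key and this resource will install it into apt's trust store, so the branch deserves a comment stating that, e.g. `# weak_ssl: server certificate not checked, trust rests on the downloaded key matching id` — assuming the provider compares the downloaded key to `id` later, which this hunk does not show; offering an `ssl_ca_cert` path instead of a blanket VERIFY_NONE would be the safer shape for the internal-CA case this seems aimed at. The userinfo branch that starts at the `else` is not touched, so a URL carrying credentials apparently still verifies whatever `weak_ssl` says. The enclosing method begins before this hunk and continues past it.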
+ newparam(:weak_ssl, boolean: true, parent: Puppet::Parameter::Boolean) do
+ desc 'When true and source uses https, accepts download of keys without SSL verfication'
+ defaultto false
+ end
+
newproperty(:fingerprint) do
desc <<-MANIFEST
The 40-digit hexadecimal fingerprint of the specified GPG key.
newproperty(:fingerprint) do
desc <<-MANIFEST
The 40-digit hexadecimal fingerprint of the specified GPG key.
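Review bot: The `desc` for the new `weak_ssl` parameter misspells "verification" and, more importantly, does not tell the user what is given up: with certificate checking disabled, anyone on the network path can serve a substitute key that this type then trusts for package signatures. Suggest `desc 'When true and source uses https, download the key without verifying the server certificate. WARNING: an on-path attacker can then substitute the key; pair this with a full 40-character fingerprint in id and prefer fixing the certificate chain instead.'`. The `newparam` block is complete within the hunk; the surrounding type definition is not.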
# Specifies a keyserver to provide the GPG key. Valid options: a string containing a domain name or a full URL (http://, https://,
# hkp:// or hkps://). The hkps:// protocol is currently only supported on Ubuntu 18.04.
#
# Specifies a keyserver to provide the GPG key. Valid options: a string containing a domain name or a full URL (http://, https://,
# hkp:// or hkps://). The hkps:// protocol is currently only supported on Ubuntu 18.04.
#
+# @param weak_ssl
+# Specifies whether strict SSL verification on a https URL should be disabled. Valid options: true or false.
+#
# @param options
# Passes additional options to `apt-key adv --keyserver-options`.
#
# @param options
# Passes additional options to `apt-key adv --keyserver-options`.
#
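Review bot: The `@param weak_ssl` text documents the switch but not its consequence, so operators reading the generated reference will read it as a harmless convenience. Suggest replacing the second line with `#   Specifies whether strict SSL verification on a https URL should be disabled. Disabling it lets an on-path attacker replace the downloaded key, so prefer fixing the client's certificate chain. Valid options: true or false. Default: false.` — the default is the one the parameter list in this file declares.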
Optional[String] $content = undef,
Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source = undef,
Pattern[/\A((hkp|hkps|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?$/] $server = $::apt::keyserver,
Optional[String] $content = undef,
Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source = undef,
Pattern[/\A((hkp|hkps|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?$/] $server = $::apt::keyserver,
+ Boolean $weak_ssl = false,
Optional[String] $options = undef,
) {
Optional[String] $options = undef,
) {
if !defined(Anchor["apt_key ${id} present"]) {
apt_key { $title:
if !defined(Anchor["apt_key ${id} present"]) {
apt_key { $title:
- ensure => present,
- refresh => $ensure == 'refreshed',
- id => $id,
- source => $source,
- content => $content,
- server => $server,
- options => $options,
+ ensure => present,
+ refresh => $ensure == 'refreshed',
+ id => $id,
+ source => $source,
+ content => $content,
+ server => $server,
+ weak_ssl => $weak_ssl,
+ options => $options,
} -> anchor { "apt_key ${id} present": }
case $facts['os']['name'] {
} -> anchor { "apt_key ${id} present": }
case $facts['os']['name'] {
if !defined(Anchor["apt_key ${id} absent"]){
apt_key { $title:
if !defined(Anchor["apt_key ${id} absent"]){
apt_key { $title:
- ensure => $ensure,
- id => $id,
- source => $source,
- content => $content,
- server => $server,
- options => $options,
+ ensure => $ensure,
+ id => $id,
+ source => $source,
+ content => $content,
+ server => $server,
+ weak_ssl => $weak_ssl,
+ options => $options,
} -> anchor { "apt_key ${id} absent": }
}
}
} -> anchor { "apt_key ${id} absent": }
}
}
+https_with_weak_ssl_works_pp = <<-MANIFEST
+ apt_key { 'puppetlabs':
+ id => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
+ ensure => 'present',
+ source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
+ weak_ssl => true,
+ }
+ MANIFEST
+
https_userinfo_pp = <<-MANIFEST
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
https_userinfo_pp = <<-MANIFEST
apt_key { 'puppetlabs':
id => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
shell(PUPPETLABS_KEY_CHECK_COMMAND)
end
shell(PUPPETLABS_KEY_CHECK_COMMAND)
end
+ it 'works with weak ssl' do
+ apply_manifest_twice(https_with_weak_ssl_works_pp)
+ shell(PUPPETLABS_KEY_CHECK_COMMAND)
+ end
+
it 'works with userinfo' do
apply_manifest_twice(https_userinfo_pp)
shell(PUPPETLABS_KEY_CHECK_COMMAND)
it 'works with userinfo' do
apply_manifest_twice(https_userinfo_pp)
shell(PUPPETLABS_KEY_CHECK_COMMAND)
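Review bot: The new `it 'works with weak ssl'` case cannot fail if `weak_ssl` is silently ignored, because the manifest it applies fetches from the same `https://#{PUPPETLABS_APT_URL}` endpoint whose certificate already validates in the neighbouring cases. A discriminating test needs an endpoint whose chain does not validate (a self-signed fixture, or a host name absent from the certificate), applied once with `weak_ssl => true` expecting success and once without expecting a failure. If no such fixture exists in this suite, a comment such as `# only proves the parameter is accepted; verification bypass is not exercised here` would at least be honest. The `describe` block enclosing these cases starts outside the hunk.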
expect(provider).to be_exist
end
expect(provider).to be_exist
end
+ it 'apt_key with source and weak ssl verify set' do
+ expect(described_class).to receive(:apt_key).with(array_including('add', kind_of(String)))
+ resource = Puppet::Type::Apt_key.new(name: 'gsd',
+ id: 'C105B9DE',
+ source: 'https://bla/herpderp.gpg',
+ ensure: 'present',
+ weak_ssl: true)
+
+ provider = described_class.new(resource)
+ expect(provider).not_to be_exist
+ expect(provider).to receive(:source_to_file).and_return(Tempfile.new('foo'))
+ provider.create
+ expect(provider).to be_exist
+ end
+
describe 'different valid id keys' do
hash_of_keys = {
'32bit key id' => 'EF8D349F',
describe 'different valid id keys' do
hash_of_keys = {
'32bit key id' => 'EF8D349F',
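Review bot: The `'apt_key with source and weak ssl verify set'` example stubs `source_to_file` to return a Tempfile, so the verification-bypass branch in the provider is never executed and the example passes whether or not `weak_ssl` does anything; it is the plain `source` example with one extra attribute. To pin the behaviour, let `source_to_file` run and assert the download, e.g. `expect(provider).to receive(:open).with(kind_of(URI::HTTPS), ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).and_return(StringIO.new('key'))` — the exact receiver depends on how the provider invokes open-uri and on what else `source_to_file` does, both outside this hunk. The `describe` block containing this example starts before the hunk.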
it 'refresh is not set' do
expect(resource[:refresh]).to eq nil
end
it 'refresh is not set' do
expect(resource[:refresh]).to eq nil
end
+
+ it 'weak_ssl is not set' do
+ expect(resource[:weak_ssl]).to eq nil
+ end
end
context 'with a lowercase 32bit key id' do
end
context 'with a lowercase 32bit key id' do
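Review bot: `expect(resource[:weak_ssl]).to eq nil` asserts the opposite of what the type declares (`defaultto false`); if it passes, that means Puppet does not materialise a `false` default on the resource, which is a quirk the next reader will not guess. Either add `# Puppet does not store false defaults, so an unset weak_ssl reads as nil` above the assertion, or loosen it to `expect(resource[:weak_ssl]).to be_falsey` so it holds either way while still catching an accidental `true`. The `describe`/`context` enclosing this example starts outside the hunk.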
+ context 'with source and weak_ssl' do
+ let(:resource) do
+ Puppet::Type.type(:apt_key).new(
+ id: 'EF8D349F',
+ source: 'https://apt.puppetlabs.com/pubkey.gpg',
+ weak_ssl: true,
+ )
+ end
+
+ it 'source is set to the URL' do
+ expect(resource[:source]).to eq 'https://apt.puppetlabs.com/pubkey.gpg'
+ end
+ end
+
context 'with content' do
let(:resource) do
Puppet::Type.type(:apt_key).new(
context 'with content' do
let(:resource) do
Puppet::Type.type(:apt_key).new(
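Review bot: The `'with source and weak_ssl'` context passes `weak_ssl: true` but only asserts `resource[:source]`, so it never shows the new parameter round-trips through the type; add `it 'weak_ssl is set' do expect(resource[:weak_ssl]).to eq true end`. A rejection case (`weak_ssl: 'maybe'` expected to raise `Puppet::Error`) would also cover the `Puppet::Parameter::Boolean` coercion the type relies on, assuming that class rejects such strings. The enclosing `describe` starts before this hunk.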