Allow weak SSL verification for apt_key

fixes https://tickets.puppetlabs.com/browse/MODULES-8759

diff --git a/lib/puppet/provider/apt_key/apt_key.rb b/lib/puppet/provider/apt_key/apt_key.rb
index 494dd12d1e822de61e7053a90c6f7aa61f29d4df..9f70cc65a2058c06d8671b22a7f1c86dfa3f40bf 100644 (file)
--- a/lib/puppet/provider/apt_key/apt_key.rb
+++ b/lib/puppet/provider/apt_key/apt_key.rb
@@ -126,7 +126,11 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
         # Only send basic auth if URL contains userinfo
         # Some webservers (e.g. Amazon S3) return code 400 if empty basic auth is sent
         if parsed_value.userinfo.nil?
-          key = parsed_value.read
+          key = if parsed_value.scheme == 'https' && resource[:weak_ssl] == true
+                  open(parsed_value, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read
+                else
+                  parsed_value.read
+                end
         else
           user_pass = parsed_value.userinfo.split(':')
           parsed_value.userinfo = ''

diff --git a/lib/puppet/type/apt_key.rb b/lib/puppet/type/apt_key.rb
index 467f568af4a74ff475fb2ed77da0e2c31298dc16..8c5c84c886f83c3bc296b0e06e50ff73af3d1391 100644 (file)
--- a/lib/puppet/type/apt_key.rb
+++ b/lib/puppet/type/apt_key.rb
@@ -80,6 +80,11 @@ Puppet::Type.newtype(:apt_key) do
     defaultto false
   end
 
+  newparam(:weak_ssl, boolean: true, parent: Puppet::Parameter::Boolean) do
+    desc 'When true and source uses https, accepts download of keys without SSL verfication'
+    defaultto false
+  end
+
   newproperty(:fingerprint) do
     desc <<-MANIFEST
       The 40-digit hexadecimal fingerprint of the specified GPG key.

diff --git a/manifests/key.pp b/manifests/key.pp
index 13b477060d679786677697db0fab9a1b60dc61d5..1f9a495f54f4f3f19424fe571842ed04955bd46f 100644 (file)
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -29,6 +29,9 @@
 #   Specifies a keyserver to provide the GPG key. Valid options: a string containing a domain name or a full URL (http://, https://,
 #   hkp:// or hkps://). The hkps:// protocol is currently only supported on Ubuntu 18.04.
 #
+# @param weak_ssl
+#    Specifies whether strict SSL verification on a https URL should be disabled. Valid options: true or false.
+#
 # @param options
 #   Passes additional options to `apt-key adv --keyserver-options`.
 #
@@ -38,6 +41,7 @@ define apt::key (
   Optional[String] $content                                                                          = undef,
   Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source                                = undef,
   Pattern[/\A((hkp|hkps|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?$/] $server = $::apt::keyserver,
+  Boolean $weak_ssl                                                                                  = false,
   Optional[String] $options                                                                          = undef,
   ) {
 
@@ -49,13 +53,14 @@ define apt::key (
 
       if !defined(Anchor["apt_key ${id} present"]) {
         apt_key { $title:
-          ensure  => present,
-          refresh => $ensure == 'refreshed',
-          id      => $id,
-          source  => $source,
-          content => $content,
-          server  => $server,
-          options => $options,
+          ensure   => present,
+          refresh  => $ensure == 'refreshed',
+          id       => $id,
+          source   => $source,
+          content  => $content,
+          server   => $server,
+          weak_ssl => $weak_ssl,
+          options  => $options,
         } -> anchor { "apt_key ${id} present": }
 
         case $facts['os']['name'] {
@@ -83,12 +88,13 @@ define apt::key (
 
       if !defined(Anchor["apt_key ${id} absent"]){
         apt_key { $title:
-          ensure  => $ensure,
-          id      => $id,
-          source  => $source,
-          content => $content,
-          server  => $server,
-          options => $options,
+          ensure   => $ensure,
+          id       => $id,
+          source   => $source,
+          content  => $content,
+          server   => $server,
+          weak_ssl => $weak_ssl,
+          options  => $options,
         } -> anchor { "apt_key ${id} absent": }
       }
     }

diff --git a/spec/acceptance/apt_key_provider_spec.rb b/spec/acceptance/apt_key_provider_spec.rb
index f3dc4d38889755b99c1eddf0dcdb5c8dbb019872..18c885728ecc1ae28873a65f9a2e8eb5c1936ee4 100644 (file)
--- a/spec/acceptance/apt_key_provider_spec.rb
+++ b/spec/acceptance/apt_key_provider_spec.rb
@@ -533,6 +533,15 @@ https_works_pp = <<-MANIFEST
         }
   MANIFEST
 
+https_with_weak_ssl_works_pp = <<-MANIFEST
+        apt_key { 'puppetlabs':
+          id     => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
+          ensure => 'present',
+          source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
+          weak_ssl => true,
+        }
+  MANIFEST
+
 https_userinfo_pp = <<-MANIFEST
         apt_key { 'puppetlabs':
           id     => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
@@ -793,6 +802,11 @@ describe 'apt_key' do
         shell(PUPPETLABS_KEY_CHECK_COMMAND)
       end
 
+      it 'works with weak ssl' do
+        apply_manifest_twice(https_with_weak_ssl_works_pp)
+        shell(PUPPETLABS_KEY_CHECK_COMMAND)
+      end
+
       it 'works with userinfo' do
         apply_manifest_twice(https_userinfo_pp)
         shell(PUPPETLABS_KEY_CHECK_COMMAND)

diff --git a/spec/unit/puppet/provider/apt_key_spec.rb b/spec/unit/puppet/provider/apt_key_spec.rb
index a514793bae96a01cf1e2beef0b500f7e7727a926..ca35ff7d6b10986e28329bf70c41293ba5ec6528 100644 (file)
--- a/spec/unit/puppet/provider/apt_key_spec.rb
+++ b/spec/unit/puppet/provider/apt_key_spec.rb
@@ -113,6 +113,21 @@ OUTPUT
       expect(provider).to be_exist
     end
 
+    it 'apt_key with source and weak ssl verify set' do
+      expect(described_class).to receive(:apt_key).with(array_including('add', kind_of(String)))
+      resource = Puppet::Type::Apt_key.new(name: 'gsd',
+                                           id: 'C105B9DE',
+                                           source: 'https://bla/herpderp.gpg',
+                                           ensure: 'present',
+                                           weak_ssl: true)
+
+      provider = described_class.new(resource)
+      expect(provider).not_to be_exist
+      expect(provider).to receive(:source_to_file).and_return(Tempfile.new('foo'))
+      provider.create
+      expect(provider).to be_exist
+    end
+
     describe 'different valid id keys' do
       hash_of_keys = {
         '32bit key id' => 'EF8D349F',

diff --git a/spec/unit/puppet/type/apt_key_spec.rb b/spec/unit/puppet/type/apt_key_spec.rb
index 5b205e9924b3d749944b973a8c91cdd31a8d901e..253b6448747f8c4d7dacde60edc2aa82eb84ab76 100644 (file)
--- a/spec/unit/puppet/type/apt_key_spec.rb
+++ b/spec/unit/puppet/type/apt_key_spec.rb
@@ -32,6 +32,10 @@ describe Puppet::Type.type(:apt_key) do
     it 'refresh is not set' do
       expect(resource[:refresh]).to eq nil
     end
+
+    it 'weak_ssl is not set' do
+      expect(resource[:weak_ssl]).to eq nil
+    end
   end
 
   context 'with a lowercase 32bit key id' do
@@ -107,6 +111,20 @@ describe Puppet::Type.type(:apt_key) do
     end
   end
 
+  context 'with source and weak_ssl' do
+    let(:resource) do
+      Puppet::Type.type(:apt_key).new(
+        id: 'EF8D349F',
+        source: 'https://apt.puppetlabs.com/pubkey.gpg',
+        weak_ssl: true,
+      )
+    end
+
+    it 'source is set to the URL' do
+      expect(resource[:source]).to eq 'https://apt.puppetlabs.com/pubkey.gpg'
+    end
+  end
+
   context 'with content' do
     let(:resource) do
       Puppet::Type.type(:apt_key).new(