From: David Schmitt Date: Sat, 23 Sep 2017 18:07:03 +0000 (+0100) Subject: Refine key validation vs content; port more tests to testmode switcher X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=7e03252aa8d9e3b83740841b66167afaed771f49;p=puppet-modules%2Fpuppetlabs-apt.git Refine key validation vs content; port more tests to testmode switcher --- diff --git a/lib/puppet/provider/apt_key2/apt_key2.rb b/lib/puppet/provider/apt_key2/apt_key2.rb index 2b21c0e..531fb83 100644 --- a/lib/puppet/provider/apt_key2/apt_key2.rb +++ b/lib/puppet/provider/apt_key2/apt_key2.rb @@ -186,19 +186,20 @@ class Puppet::Provider::AptKey2::AptKey2 begin file.write content file.close - if title.size == 40 - if File.executable? '/usr/bin/gpg' - extracted_key = `/usr/bin/gpg --with-fingerprint --with-colons #{file.path}`.each_line.find { |line| line =~ %r{^fpr:} }.split(':')[9] - - if extracted_key =~ %r{^#{title}$} - context.debug('Fingerprint verified against extracted key') - else - raise ArgumentError, "The fingerprint in your manifest (#{title}) and the fingerprint from content/source (#{extracted_key}) do not match. "\ - ' Please check there is not an error in the name or check the content/source is legitimate.' - end + if File.executable? '/usr/bin/gpg' + extracted_key = `/usr/bin/gpg --with-fingerprint --with-colons #{file.path}`.each_line.find { |line| line =~ %r{^fpr:} }.split(':')[9] + + case extracted_key + when title + context.debug('Fingerprint verified against extracted key') + when %r{#{title}$} + context.debug('Fingerprint matches the extracted key') else - context.warning('/usr/bin/gpg cannot be found for verification of the fingerprint.') + raise ArgumentError, "The fingerprint in your manifest (#{title}) and the fingerprint from content/source (#{extracted_key}) do not match. "\ + ' Please check there is not an error in the name or check the content/source is legitimate.' end + else + context.warning('/usr/bin/gpg cannot be found for verification of the fingerprint.') end yield file.path ensure diff --git a/spec/acceptance/apt_key_provider_spec.rb b/spec/acceptance/apt_key_provider_spec.rb index 8e1f73e..5df5e0a 100644 --- a/spec/acceptance/apt_key_provider_spec.rb +++ b/spec/acceptance/apt_key_provider_spec.rb @@ -31,88 +31,74 @@ end fedora = { fingerprint: '128CF232A9371991C8A65695E08E7E629DB62FB1'.freeze, short: '9DB62FB1'.freeze, + long: 'E08E7E629DB62FB1'.freeze, content: my_fixture_read('fedora.txt').freeze, }.freeze after(:each) do - shell_ex("apt-key del #{fedora[:short]} > /dev/null") # Delete twice to make sure everything is cleaned # up after the short key collision - shell_ex("apt-key del #{fedora[:short]} > /dev/null") + shell_ex("apt-key del #{fedora[:fingerprint]} > /dev/null; apt-key del #{fedora[:fingerprint]} > /dev/null") end - # context 'with an already installed key' do - # # run on :all hook to cooperate with `a puppet resource run` shared context - # before(:all) do - # # puts "apt-key add #{my_fixture('fedora.txt')}" - # shell_ex("apt-key add #{my_fixture('fedora.txt')} >/dev/null 2>&1") - # end - - # context 'when looked for using puppet resource' do - # include_context 'a puppet resource run', typename, fedora[:fingerprint], trace: true - # puppet_resource_should_show('ensure', 'present') - # puppet_resource_should_show('fingerprint',fedora[:fingerprint]) - # puppet_resource_should_show('long', fedora[:fingerprint][-16..-1]) - # puppet_resource_should_show('short', fedora[:short]) - # # puppet_resource_should_show('created', '2017-08-14') - # pending "Correctly calculate the created date" - # puppet_resource_should_show('expired', 'false') - # puppet_resource_should_show('size', '4096') - # puppet_resource_should_show('type', ':?rsa') - # end - - # end + context 'with an already installed key' do + # run on :all hook to cooperate with `a puppet resource run` shared context + before(:all) do + # puts "apt-key add #{my_fixture('fedora.txt')}" + shell_ex("apt-key add #{my_fixture('fedora.txt')} >/dev/null 2>&1") + end + + context 'when looked for using puppet resource' do + include_context 'a puppet resource run', typename, fedora[:fingerprint], trace: true + puppet_resource_should_show('ensure', 'present') + puppet_resource_should_show('fingerprint', fedora[:fingerprint]) + puppet_resource_should_show('long', fedora[:fingerprint][-16..-1]) + puppet_resource_should_show('short', fedora[:short]) + # puppet_resource_should_show('created', '2017-08-14') + pending 'Correctly calculate the created date' + puppet_resource_should_show('expired', 'false') + puppet_resource_should_show('size', '4096') + puppet_resource_should_show('type', ':?rsa') + end + end describe 'default options' do key_versions = { - '32bit key id' => fedora[:short], - # '64bit key id' => PUPPETLABS_GPG_KEY_LONG_ID.to_s, - # '160bit key fingerprint' => PUPPETLABS_GPG_KEY_FINGERPRINT.to_s, - # '32bit lowercase key id' => PUPPETLABS_GPG_KEY_SHORT_ID.downcase.to_s, - # '64bit lowercase key id' => PUPPETLABS_GPG_KEY_LONG_ID.downcase.to_s, - # '160bit lowercase key fingerprint' => PUPPETLABS_GPG_KEY_FINGERPRINT.downcase.to_s, - # '0x formatted 32bit key id' => "0x#{PUPPETLABS_GPG_KEY_SHORT_ID}", - # '0x formatted 64bit key id' => "0x#{PUPPETLABS_GPG_KEY_LONG_ID}", - # '0x formatted 160bit key fingerprint' => "0x#{PUPPETLABS_GPG_KEY_FINGERPRINT}", - # '0x formatted 32bit lowercase key id' => "0x#{PUPPETLABS_GPG_KEY_SHORT_ID.downcase}", - # '0x formatted 64bit lowercase key id' => "0x#{PUPPETLABS_GPG_KEY_LONG_ID.downcase}", - # '0x formatted 160bit lowercase key fingerprint' => "0x#{PUPPETLABS_GPG_KEY_FINGERPRINT.downcase}", + '32bit key id' => fedora[:short], + '64bit key id' => fedora[:long], + '160bit key fingerprint' => fedora[:fingerprint], } - key_versions.each do |key, value| - context key.to_s do - it 'works' do - pp = <<-EOS - #{typename} { 'puppetlabs': - name => '#{value}', - ensure => 'present', - content => '#{fedora[:content]}', - } - EOS - - puts 'Add' - execute_manifest(pp, trace: true, catch_failures: true) - puts 'Check 1' - check_key(fedora[:short]) - puts 'Ensure' - execute_manifest(pp, trace: true, catch_changes: true) - puts 'Check 2' - check_key(fedora[:short]) - end + key_versions.merge!(Hash[key_versions.map { |name, id| ["#{name}, lowercase", id.downcase] }]) + key_versions.merge!(Hash[key_versions.map { |name, id| ["#{name}, 0x prefix", "0x#{id}"] }]) + + key_versions.each do |name, id| + it "works with #{name}: #{id}" do + pp = <<-EOS + #{typename} { 'test_key': + name => '#{id}', + ensure => 'present', + content => '#{fedora[:content]}', + } + EOS + + execute_manifest(pp, trace: true, catch_failures: true) + check_key(fedora[:fingerprint]) + execute_manifest(pp, trace: true, catch_changes: true) + check_key(fedora[:fingerprint]) end end - context 'invalid length key id' do - it 'fails' do + context 'when specifying a key id with invalid length' do + it 'reports an error' do pp = <<-EOS - #{typename} { 'puppetlabs': - id => '8280EF8D349F', - } - EOS + #{typename} { 'puppetlabs': + id => '8280EF8D349F', + } + EOS - apply_manifest(pp, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Valid values match}) - end + result = execute_manifest(pp, expect_failures: true) + expect(result.stderr).to match(%r{Valid values match}) end end end diff --git a/spec/unit/puppet/provider/apt_key2/apt_key2_spec.rb b/spec/unit/puppet/provider/apt_key2/apt_key2_spec.rb index 0ccba40..1b1b378 100644 --- a/spec/unit/puppet/provider/apt_key2/apt_key2_spec.rb +++ b/spec/unit/puppet/provider/apt_key2/apt_key2_spec.rb @@ -29,7 +29,7 @@ EOS describe '#canonicalize(resources)' do before(:each) do - allow(provider).to receive(:`).with('apt-key adv --list-keys --with-colons --fingerprint --fixed-list-mode 2>/dev/null').and_return(key_list) + allow(provider).to receive(:`).with('apt-key adv --list-keys --with-colons --fingerprint --fixed-list-mode 2>/dev/null').and_return(key_list) # rubocop:disable RSpec/SubjectStub allow(context).to receive(:warning) end @@ -196,11 +196,11 @@ EOS allow(key_tempfile).to receive(:path).with(no_args).and_return('tempfilename') allow(key_tempfile).to receive(:close) expect(key_tempfile).to receive(:unlink) - expect(provider).to receive(:`).with('/usr/bin/gpg --with-fingerprint --with-colons tempfilename').and_return("\nfpr:::::::::#{fingerprint}:\n") + expect(provider).to receive(:`).with('/usr/bin/gpg --with-fingerprint --with-colons tempfilename').and_return("\nfpr:::::::::#{fingerprint}:\n") # rubocop:disable RSpec/SubjectStub expect(creating_ctx).to receive(:debug).with('Fingerprint verified against extracted key') # expect(apt_key_cmd).to receive(:run).with(creating_ctx, 'add', 'tempfilename', noop: false).and_return 0 - expect(provider).to receive(:system).with('apt-key add tempfilename') + expect(provider).to receive(:system).with('apt-key add tempfilename') # rubocop:disable RSpec/SubjectStub provider.set(context, fingerprint => { is: nil,