Prior to this commit, ppa_spec.rb did not test the recently implemented
validation for resource names.
This commit aims to implement some test cases to make sure that valid
resource names are allowed while invalid or malicious resource names do
not work.
Prior to this commit, one of our recent module updates introduced a
regex validation step for the resource names in our ppa.pp manifest
which would raise an issue if a valid resource name contained a dot (.).
This commit aims to slightly adjust the regex validation so that it
allows for dotted resource names. This PR should fix issue #1057.
david22swan [Wed, 24 Aug 2022 10:59:05 +0000 (11:59 +0100)]
(GH-cat-9) Update module to match current syntax standard
Module is now in compliance with the following rules:
- optional_default
- strict_indent
- unquoted_string_in_case
- parameter_documentation
- relative_classname_inclusion
- no-top_scope_facts-check
- no-top_scope_variable-check
- variable_scope
The below exception has been left in place:
- disable_anchor_resource
Craig Gumbley [Mon, 22 Aug 2022 10:23:56 +0000 (10:23 +0000)]
(GH-1055) Fix hardcoded cache path
Prior to this commit the cache path used to create the script file resource
was hardcoded to /opt/puppetlabs/puppet/cache.
This commit fixes that by using the `puppet_vardir` fact provided by stdlib so
that we will always get the correct path for the OS that is executing the code.
Additionally, if for some reason the `puppet_vardir` fact is not available we
will fall back to `tmp`.
Craig Gumbley [Thu, 11 Aug 2022 15:20:36 +0000 (15:20 +0000)]
Harden PPA defined type
Prior to this commit there was a possibility that malformed strings
could be passed as the resource's name. This could lead to unsafe
executions on a remote system.
This was also a possibility for the options parameter as it was
constrained to a string.
In addition, commands were not properly broken out into arrays of
arguments when passed to the exec resource.
This commit fixes the above by adding validation to the resource name
ensuring that the given ppa name conforms to expectation. Also, commands
are now broken down into arrays of arguments appropriately. This ensures
safer execution on the remote system.
Given that the options parameter, passed as a raw string, could lead to
unsafe code execution it was reasonable to change the accepted type to
an `Optional[Array[String]]`. This means that an array of options can now
be passed to the exec resource inside the original command.
Craig Gumbley [Thu, 11 Aug 2022 20:13:11 +0000 (20:13 +0000)]
Harden apt-mark defined type
Prior to this commit the title parameter of this defined
type was not properly validated. This means that it could have been
possible to use a resource title outside of the normal bounds of
a package name.
Additionally the `onlyif` and `command` parameter values were
interpolated strings meaning that it may have been possible to
execute unsafe code on the remote system.
This commit fixes the above issues by adding a regex to check that the
resource title is a valid apt package name and also breaks out the
`onlyif` and `command` parameter values into arrays of args ensuring
that the commands execute in a safe manner on the remote system.
The exception in this commit is the `unless_cmd`. This has not been
broken out into an array of args due to the requirement of the command.
This is a reasonable trade-off, however, due to the fact that the action is
created from known enum values and the title would be pre-validated.
This is also explained in mark.pp:20.
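An added Ruby example (not puppetlabs-apt's own code) showing the two hardening ideas from the PPA and apt-mark commits above: a strict name check that still admits dotted PPA names, and commands built as argument arrays rather than interpolated strings. The regexes, the binary paths and the action list are assumptions made for this illustration, not the module's own.

```ruby
# Added example, not module code. Patterns below are assumptions for illustration.

# Assumed PPA name shape "owner/archive": each part starts with a letter or digit
# and may then contain letters, digits, dots, plus, underscore and hyphen.
# The dot is deliberately allowed (cf. the dotted-name fix above); shell
# metacharacters such as ';', '&', '|', '$' and whitespace never match.
PPA_NAME_RE = %r{\A[A-Za-z0-9][A-Za-z0-9.+_-]*/[A-Za-z0-9][A-Za-z0-9.+_-]*\z}

# Assumed apt package name shape: lowercase alphanumerics plus '+', '-', '.',
# at least two characters, starting with an alphanumeric.
PKG_NAME_RE = /\A[a-z0-9][a-z0-9+.-]+\z/

# Constructed set of apt-mark actions accepted by this example.
MARK_ACTIONS = %w[auto manual hold unhold].freeze

def valid_ppa_name?(name)
  name.is_a?(String) && PPA_NAME_RE.match?(name)
end

def valid_package_name?(name)
  name.is_a?(String) && PKG_NAME_RE.match?(name)
end

# Returns the command as an argv array: every element is exactly one argument,
# so nothing in the name or options is re-parsed by a shell. Options must be an
# Array of Strings, mirroring the Optional[Array[String]] type described above.
def add_apt_repository_argv(name, options = [])
  raise ArgumentError, "invalid ppa name: #{name.inspect}" unless valid_ppa_name?(name)
  unless options.is_a?(Array) && options.all? { |o| o.is_a?(String) }
    raise ArgumentError, 'options must be an Array of Strings'
  end
  ['/usr/bin/add-apt-repository', *options, "ppa:#{name}"]
end

# The action comes from a fixed list and the title is validated first, which is
# the precondition the apt-mark commit relies on for its remaining string command.
def apt_mark_argv(action, package)
  raise ArgumentError, "invalid action: #{action.inspect}" unless MARK_ACTIONS.include?(action)
  raise ArgumentError, "invalid package name: #{package.inspect}" unless valid_package_name?(package)
  ['/usr/bin/apt-mark', action, package]
end
```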
In Ruby 3.0 net-ftp changed from a bundled gem to a default gem. This
means it may not be available, such as when running unit tests.
Since ftp is becoming less and less common, this changes net-ftp to be
an optional dependency. Users who do need ftp support should ensure the
gem is installed.
david22swan [Wed, 3 Aug 2022 08:16:52 +0000 (09:16 +0100)]
(GH-1038) add support for `check-valid-until` configuration
Adds additional configuration to `apt::source` to allow the user to specify whether or not to check if the repository that they are accessing has a valid release date.
Defaults to `True`
david22swan [Mon, 20 Jun 2022 10:09:40 +0000 (11:09 +0100)]
(ISSUE-1036) Conditional `gnupg` include added to init.pp
Originally removed as it was causing `gnupg` to be installed on all OSes when it wasn't needed; removing it seems to have caused a dependency cycle on the relevant Debian-family OSes for certain community members.
Adding the include back within a conditional statement to solve the issue while still preventing it from being included when unneeded.
* On Puppet 6, facter 3.x requires lsb-release to resolve os.distro.* facts. Using the $facts hash causes errors like "Evaluation Error: Operator '[]' is not applicable to an Undef Value." because os.distro is undefined, causing the catalog to fail. Use fact() to identify Undef facts and throw an error to the user.
LTangaF [Thu, 7 Oct 2021 16:56:16 +0000 (16:56 +0000)]
(MODULES-10763) Remove frequency collector
The case logic in apt::update adequately covers the 'always' case and
the collector causes issues in acceptance testing.
When updating a configuration file, apt by default prompts the user for the
action to perform. Since we are running in a non-interactive context,
skip these prompts:
* `--force-confdef` ensures the configuration file is replaced by a
newer version in the package if the previous package default
configuration file was not modified;
* `--force-confold` keeps the configuration file as it is if it has
been modified compared to the one shipped in the previous version of the
package.
Romain Tartière [Wed, 25 Aug 2021 01:22:51 +0000 (15:22 -1000)]
(maint) Set DEBIAN_FRONTEND=noninteractive on upgrade
When upgrading Debian packages, the system sometimes wants to prompt the
user about what action to perform. Since a task is supposed to be
non-interactive, we should disable such prompts.
This helps when updating some packages, e.g. postfix.