From d5e81157b553ff9ccd425bc26d285a2829281072 Mon Sep 17 00:00:00 2001
From: Martin Alfke <ma@example42.com>
Date: Wed, 20 Mar 2019 10:18:20 +0100
Subject: [PATCH] Allow weak SSL verification for apt_key

fixes https://tickets.puppetlabs.com/browse/MODULES-8759
---
 lib/puppet/provider/apt_key/apt_key.rb    |  6 ++++-
 lib/puppet/type/apt_key.rb                |  5 ++++
 manifests/key.pp                          | 32 ++++++++++++++---------
 spec/acceptance/apt_key_provider_spec.rb  | 14 ++++++++++
 spec/unit/puppet/provider/apt_key_spec.rb | 15 +++++++++++
 spec/unit/puppet/type/apt_key_spec.rb     | 18 +++++++++++++
 6 files changed, 76 insertions(+), 14 deletions(-)

diff --git a/lib/puppet/provider/apt_key/apt_key.rb b/lib/puppet/provider/apt_key/apt_key.rb
index 494dd12..9f70cc6 100644
--- a/lib/puppet/provider/apt_key/apt_key.rb
+++ b/lib/puppet/provider/apt_key/apt_key.rb
@@ -126,7 +126,11 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
         # Only send basic auth if URL contains userinfo
         # Some webservers (e.g. Amazon S3) return code 400 if empty basic auth is sent
         if parsed_value.userinfo.nil?
-          key = parsed_value.read
+          key = if parsed_value.scheme == 'https' && resource[:weak_ssl] == true
+                  open(parsed_value, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read
+                else
+                  parsed_value.read
+                end
         else
           user_pass = parsed_value.userinfo.split(':')
           parsed_value.userinfo = ''
diff --git a/lib/puppet/type/apt_key.rb b/lib/puppet/type/apt_key.rb
index 467f568..8c5c84c 100644
--- a/lib/puppet/type/apt_key.rb
+++ b/lib/puppet/type/apt_key.rb
@@ -80,6 +80,11 @@ Puppet::Type.newtype(:apt_key) do
     defaultto false
   end
 
+  newparam(:weak_ssl, boolean: true, parent: Puppet::Parameter::Boolean) do
+    desc 'When true and source uses https, accepts download of keys without SSL verfication'
+    defaultto false
+  end
+
   newproperty(:fingerprint) do
     desc <<-MANIFEST
       The 40-digit hexadecimal fingerprint of the specified GPG key.
diff --git a/manifests/key.pp b/manifests/key.pp
index 13b4770..1f9a495 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -29,6 +29,9 @@
 #   Specifies a keyserver to provide the GPG key. Valid options: a string containing a domain name or a full URL (http://, https://,
 #   hkp:// or hkps://). The hkps:// protocol is currently only supported on Ubuntu 18.04.
 #
+# @param weak_ssl
+#    Specifies whether strict SSL verification on a https URL should be disabled. Valid options: true or false.
+#
 # @param options
 #   Passes additional options to `apt-key adv --keyserver-options`.
 #
@@ -38,6 +41,7 @@ define apt::key (
   Optional[String] $content                                                                          = undef,
   Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source                                = undef,
   Pattern[/\A((hkp|hkps|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?$/] $server = $::apt::keyserver,
+  Boolean $weak_ssl                                                                                  = false,
   Optional[String] $options                                                                          = undef,
   ) {
 
@@ -49,13 +53,14 @@ define apt::key (
 
       if !defined(Anchor["apt_key ${id} present"]) {
         apt_key { $title:
-          ensure  => present,
-          refresh => $ensure == 'refreshed',
-          id      => $id,
-          source  => $source,
-          content => $content,
-          server  => $server,
-          options => $options,
+          ensure   => present,
+          refresh  => $ensure == 'refreshed',
+          id       => $id,
+          source   => $source,
+          content  => $content,
+          server   => $server,
+          weak_ssl => $weak_ssl,
+          options  => $options,
         } -> anchor { "apt_key ${id} present": }
 
         case $facts['os']['name'] {
@@ -83,12 +88,13 @@ define apt::key (
 
       if !defined(Anchor["apt_key ${id} absent"]){
         apt_key { $title:
-          ensure  => $ensure,
-          id      => $id,
-          source  => $source,
-          content => $content,
-          server  => $server,
-          options => $options,
+          ensure   => $ensure,
+          id       => $id,
+          source   => $source,
+          content  => $content,
+          server   => $server,
+          weak_ssl => $weak_ssl,
+          options  => $options,
         } -> anchor { "apt_key ${id} absent": }
       }
     }
diff --git a/spec/acceptance/apt_key_provider_spec.rb b/spec/acceptance/apt_key_provider_spec.rb
index f3dc4d3..18c8857 100644
--- a/spec/acceptance/apt_key_provider_spec.rb
+++ b/spec/acceptance/apt_key_provider_spec.rb
@@ -533,6 +533,15 @@ https_works_pp = <<-MANIFEST
         }
   MANIFEST
 
+https_with_weak_ssl_works_pp = <<-MANIFEST
+        apt_key { 'puppetlabs':
+          id     => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
+          ensure => 'present',
+          source => 'https://#{PUPPETLABS_APT_URL}/#{PUPPETLABS_GPG_KEY_FILE}',
+          weak_ssl => true,
+        }
+  MANIFEST
+
 https_userinfo_pp = <<-MANIFEST
         apt_key { 'puppetlabs':
           id     => '#{PUPPETLABS_GPG_KEY_LONG_ID}',
@@ -793,6 +802,11 @@ describe 'apt_key' do
         shell(PUPPETLABS_KEY_CHECK_COMMAND)
       end
 
+      it 'works with weak ssl' do
+        apply_manifest_twice(https_with_weak_ssl_works_pp)
+        shell(PUPPETLABS_KEY_CHECK_COMMAND)
+      end
+
       it 'works with userinfo' do
         apply_manifest_twice(https_userinfo_pp)
         shell(PUPPETLABS_KEY_CHECK_COMMAND)
diff --git a/spec/unit/puppet/provider/apt_key_spec.rb b/spec/unit/puppet/provider/apt_key_spec.rb
index a514793..ca35ff7 100644
--- a/spec/unit/puppet/provider/apt_key_spec.rb
+++ b/spec/unit/puppet/provider/apt_key_spec.rb
@@ -113,6 +113,21 @@ OUTPUT
       expect(provider).to be_exist
     end
 
+    it 'apt_key with source and weak ssl verify set' do
+      expect(described_class).to receive(:apt_key).with(array_including('add', kind_of(String)))
+      resource = Puppet::Type::Apt_key.new(name: 'gsd',
+                                           id: 'C105B9DE',
+                                           source: 'https://bla/herpderp.gpg',
+                                           ensure: 'present',
+                                           weak_ssl: true)
+
+      provider = described_class.new(resource)
+      expect(provider).not_to be_exist
+      expect(provider).to receive(:source_to_file).and_return(Tempfile.new('foo'))
+      provider.create
+      expect(provider).to be_exist
+    end
+
     describe 'different valid id keys' do
       hash_of_keys = {
         '32bit key id' => 'EF8D349F',
diff --git a/spec/unit/puppet/type/apt_key_spec.rb b/spec/unit/puppet/type/apt_key_spec.rb
index 5b205e9..253b644 100644
--- a/spec/unit/puppet/type/apt_key_spec.rb
+++ b/spec/unit/puppet/type/apt_key_spec.rb
@@ -32,6 +32,10 @@ describe Puppet::Type.type(:apt_key) do
     it 'refresh is not set' do
       expect(resource[:refresh]).to eq nil
     end
+
+    it 'weak_ssl is not set' do
+      expect(resource[:weak_ssl]).to eq nil
+    end
   end
 
   context 'with a lowercase 32bit key id' do
@@ -107,6 +111,20 @@ describe Puppet::Type.type(:apt_key) do
     end
   end
 
+  context 'with source and weak_ssl' do
+    let(:resource) do
+      Puppet::Type.type(:apt_key).new(
+        id: 'EF8D349F',
+        source: 'https://apt.puppetlabs.com/pubkey.gpg',
+        weak_ssl: true,
+      )
+    end
+
+    it 'source is set to the URL' do
+      expect(resource[:source]).to eq 'https://apt.puppetlabs.com/pubkey.gpg'
+    end
+  end
+
   context 'with content' do
     let(:resource) do
       Puppet::Type.type(:apt_key).new(
-- 
2.32.3