Merge pull request #322 from netmanagers/debian-family-apt-keyrings

myii · web-flow · commit c9aea571f615 · 2022-02-07T23:22:44.000Z
feat(debian): use repository keyring instead of key_id
diff --git a/postgres/codenamemap.yaml b/postgres/codenamemap.yaml
@@ -29,7 +29,7 @@
   data_dir: {{ data_dir }}
   fromrepo: {{ fromrepo }}
   pkg_repo:
-    name: 'deb http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'
+    name: 'deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg] http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'
   pkg: postgresql-{{ version }}
   pkg_client: postgresql-client-{{ version }}
   prepare_cluster:
diff --git a/postgres/osfamilymap.yaml b/postgres/osfamilymap.yaml
@@ -16,8 +16,8 @@ Debian:
   pkgs_deps: ['python3-apt']
   pkg_repo:
     humanname: PostgreSQL Official Repository
-    key_url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'
     file: /etc/apt/sources.list.d/pgdg.list
+  pkg_repo_keyring: 'https://download.postgresql.org/pub/repos/apt/pool/main/p/pgdg-keyring/pgdg-keyring_2018.2_all.deb'
   pkg_repo_keyid: ACCC4CF8
     {% if repo.use_upstream_repo == true %}
   pkg_dev: ''
@@ -145,7 +145,7 @@ Suse:
     humanname: PostgreSQL {{ repo.version }} $releasever - $basearch
     # works for postgres 11 onwards
     baseurl: 'https://download.postgresql.org/pub/repos/zypp/{{ repo.version }}/suse/sles-$releasever-$basearch'
-    key_url: 'https://download.postgresql.org/pub/repos/zypp/{{ repo.version }}/suse/sles-$releasever-$basearch/repodata/repomd.xml.key'
+    gpgkey: 'https://download.postgresql.org/pub/repos/zypp/{{ repo.version }}/suse/sles-$releasever-$basearch/repodata/repomd.xml.key'
     gpgcheck: 1
     gpgautoimport: True
 
diff --git a/postgres/server/remove.sls b/postgres/server/remove.sls
@@ -12,6 +12,12 @@ postgresql-repo-removed:
     - keyid: {{ postgres.pkg_repo_keyid }}
     {%- endif %}
 
+    {% if grains.os_family == 'Debian' %}
+postgresql-repo-keyring-removed:
+  pkg.removed:
+    - name: pgdg-keyring
+    {%- endif -%}
+
 #remove release installed by formula
 postgresql-server-removed:
   pkg.removed:
diff --git a/postgres/upstream.sls b/postgres/upstream.sls
@@ -23,6 +23,15 @@ postgresql-pkg-deps:
     - pkgs: {{ postgres.pkgs_deps | json }}
 
 # Add upstream repository for your distro
+  {% if grains.os_family == 'Debian' %}
+postgresql-repo-keyring:
+  pkg.installed:
+    - sources:
+      - pgdg-keyring: {{ postgres.pkg_repo_keyring }}
+    - require_in:
+      - pkgrepo: postgresql-repo
+  {%- endif %}
+
 postgresql-repo:
   pkgrepo.managed:
     {{- format_kwargs(postgres.pkg_repo) }}
@@ -39,6 +48,12 @@ postgresql-repo:
     - keyid: {{ postgres.pkg_repo_keyid }}
     {%- endif %}
 
+    {% if grains.os_family == 'Debian' %}
+postgresql-repo-keyring:
+  pkg.removed:
+    - name: pgdg-keyring
+    {%- endif -%}
+
   {%- endif -%}
 
 {%- elif grains.os not in ('Windows', 'MacOS',) %}
diff --git a/test/integration/repo/controls/repository.rb b/test/integration/repo/controls/repository.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+case platform.family
+when 'redhat', 'fedora', 'suse'
+  os_name_repo_file = {
+    'opensuse' => '/etc/zypp/repos.d/pgdg-sles-13.repo'
+  }
+  os_name_repo_file.default = '/etc/yum.repos.d/pgdg13.repo'
+
+  os_name_repo_url = {
+    'amazon' => 'https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-7-$basearch',
+    'fedora' => 'https://download.postgresql.org/pub/repos/yum/13/fedora/fedora-$releasever-$basearch',
+    'opensuse' => 'https://download.postgresql.org/pub/repos/zypp/13/suse/sles-$releasever-$basearch'
+  }
+  os_name_repo_url.default = 'https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-$releasever-$basearch'
+
+  repo_url = os_name_repo_url[platform.name]
+  repo_file = os_name_repo_file[platform.name]
+
+when 'debian'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  finger_codename = {
+    'ubuntu-18.04' => 'bionic',
+    'ubuntu-20.04' => 'focal',
+    'debian-9' => 'stretch',
+    'debian-10' => 'buster',
+    'debian-11' => 'bullseye'
+  }
+  codename = finger_codename[system.platform[:finger]]
+
+  repo_keyring = '/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg'
+  repo_file = '/etc/apt/sources.list.d/pgdg.list'
+  # rubocop:disable Metrics/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring}] http://apt.postgresql.org/pub/repos/apt #{codename}-pgdg main"
+  # rubocop:enable Metrics/LineLength
+end
+
+control 'Postgresql repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe package('pgdg-keyring') do
+    it { should be_installed }
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Postgresql repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end
