issues/1196

#1196 * Adds checksum and checksum_value parameter to apt::keyring, this should address issue/1196 as commented here #1196 (comment) * Includes tests, all green.
puppetlabs · Sep 9, 2024 · 53e717f · 53e717f
1 parent 9b6aa36
commit 53e717f
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 12 deletions.
diff --git a/manifests/keyring.pp b/manifests/keyring.pp
@@ -13,6 +13,17 @@
 #       source => 'https://apt.puppetlabs.com/keyring.gpg'
 #     }
 #   }
+# @example Deploy the apt source and associated keyring file with checksum
+#   apt::source { 'puppet8-release':
+#     location => 'http://apt.puppetlabs.com',
+#     repos    => 'puppet8',
+#     key      => {
+#       name           => 'puppetlabs-keyring.gpg',
+#       source         => 'https://apt.puppetlabs.com/keyring.gpg'
+#       checksum       => 'sha256',
+#       checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+#     }
+#   }
 #
 # @param dir
 #   Path to the directory where the keyring will be stored.
@@ -32,13 +43,28 @@
 # @param ensure
 #   Ensure presence or absence of the resource.
 #
+# @param checksum
+#  Checksum type of the keyfile.
+#  Only md5, sha256, sha224, sha384 and sha512 are supported when specifying 
+#  this parameter. (due to checksum_value parameter).
+#  Optional, but is useful if the keyfile is from a remote HTTP source that
+#  does not provide the necessary headers for the file resource to determine if
+#  content has changed.
+#
+# @param checksum_value
+#  The value of the checksum, must be a String.
+#  Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
+#  this parameter.
+#
 define apt::keyring (
-  Stdlib::Absolutepath $dir = '/etc/apt/keyrings',
-  String[1] $filename = $name,
-  Stdlib::Filemode $mode = '0644',
-  Optional[Stdlib::Filesource] $source = undef,
-  Optional[String[1]] $content = undef,
-  Enum['present','absent'] $ensure = 'present',
+  Stdlib::Absolutepath $dir                                           = '/etc/apt/keyrings',
+  String[1] $filename                                                 = $name,
+  Stdlib::Filemode $mode                                              = '0644',
+  Optional[Stdlib::Filesource] $source                                = undef,
+  Optional[String[1]] $content                                        = undef,
+  Enum['present','absent'] $ensure                                    = 'present',
+  Optional[Enum['md5','sha256','sha224','sha384','sha512']] $checksum = undef,
+  Optional[String] $checksum_value                                    = undef,
 ) {
   ensure_resource('file', $dir, { ensure => 'directory', mode => '0755', })
   if $source and $content {
@@ -52,12 +78,14 @@
   case $ensure {
     'present': {
       file { $file:
-        ensure  => 'file',
-        mode    => $mode,
-        owner   => 'root',
-        group   => 'root',
-        source  => $source,
-        content => $content,
+        ensure          => 'file',
+        mode            => $mode,
+        owner           => 'root',
+        group           => 'root',
+        source          => $source,
+        content         => $content,
+        checksum        => $checksum,
+        checksum_value  => $checksum_value,
       }
     }
     'absent': {

diff --git a/spec/defines/keyring_spec.rb b/spec/defines/keyring_spec.rb
@@ -15,6 +15,18 @@
       let(:facts) { os_facts }
 
       it { is_expected.to compile }
+
+      context 'with checksum verification enabled' do
+        let (:params) do
+          {
+            source: 'https://apt.puppetlabs.com/pubkey.gpg',
+            checksum: 'sha256',
+            checksum_value: '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+          }
+        end
+
+        it { is_expected.to compile }
+      end
     end
   end
 end