Allow unauthenticated packages via puppet provider

After MOS cluster deployment APT configuration allows installation packages coming from unauthenticated DEB repositories. This is a security risk because packages installed from unsigned APT repositories are subject to various threats. This change will move the option to the puppet provider used during the deploy and leave APT configuration secure as it should be. Change-Id: I20ade67e108f0d6666d386b6e00e0cb18df5c571 Closes-Bug: #1594699 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
2016-06-21 12:12:45 +03:00 · 2016-06-21 12:12:45 +03:00 · 0a743b70ce
parent ada1c2b3ff
commit 0a743b70ce
5 changed files with 19 additions and 17 deletions
--- a/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb
+++ b/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb
@ -5,6 +5,7 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt
  desc "Package management via `apt-get` managing locks."

  has_feature :versionable
+  has_feature :install_options

  defaultfor :operatingsystem => [:ubuntu]

@ -14,13 +15,13 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt
                :retry_count,
                :retry_sleep

-   def initialize(value={})
-     super(value)
-     @default_lock_timeout = 300
-     @lock_file = '/var/lib/dpkg/lock'
-     @lock_sleep = 2
-     @retry_count = 3
-     @retry_sleep = 5
+  def initialize(value={})
+    super(value)
+    @default_lock_timeout = 300
+    @lock_file = '/var/lib/dpkg/lock'
+    @lock_sleep = 2
+    @retry_count = 3
+    @retry_sleep = 5
  end

  def timeout
@ -67,6 +68,7 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt

  def install
    debug 'Call: install'
+    @resource[:install_options] = ['-o', 'APT::Get::AllowUnauthenticated=1']
    (1..@retry_count).each do |try|
      begin
        wait_for_lock do
--- a/deployment/puppet/osnailyfacter/manifests/fuel_pkgs/setup_repositories.pp
+++ b/deployment/puppet/osnailyfacter/manifests/fuel_pkgs/setup_repositories.pp
@ -41,7 +41,7 @@ class osnailyfacter::fuel_pkgs::setup_repositories {
    }

    apt::conf { 'allow-unathenticated':
-      content => 'APT::Get::AllowUnauthenticated 1;',
+      content => 'APT::Get::AllowUnauthenticated 0;',
    }

    apt::conf { 'install-recommends':
--- a/deployment/puppet/osnailyfacter/spec/unit/provider/package/apt_fuel_spec.rb
+++ b/deployment/puppet/osnailyfacter/spec/unit/provider/package/apt_fuel_spec.rb
@ -50,9 +50,9 @@ describe Puppet::Type.type(:package).provider(:apt_fuel) do

  it 'should retry the failed installation attempts' do
    subject.stubs(:locked?).returns(false)
-    subject.expects(:aptget).
-        with('-q', '-y', '-o', 'DPkg::Options::=--force-confold', :install, 'test').
-        raises(Puppet::ExecutionFailure, 'installation failed').times(3)
+    subject.expects(:aptget).with do |*options|
+      options[-2..-1] == [:install, 'test']
+    end.raises(Puppet::ExecutionFailure, 'installation failed').times(3)
    subject.expects(:aptget).with('-q', '-y', :update).times(2)
    expect do
      subject.install
@ -61,9 +61,9 @@ describe Puppet::Type.type(:package).provider(:apt_fuel) do

  it 'should be able to succeed after failing' do
    subject.stubs(:locked?).returns(false)
-    subject.expects(:aptget).
-        with('-q', '-y', '-o', 'DPkg::Options::=--force-confold', :install, 'test').
-        raises(Puppet::ExecutionFailure, 'installation failed').then.returns(true).times(2)
+    subject.expects(:aptget).with do |*options|
+      options[-2..-1] == [:install, 'test']
+    end.raises(Puppet::ExecutionFailure, 'installation failed').then.returns(true).times(2)
    subject.expects(:aptget).with('-q', '-y', :update).times(1)
    subject.install
  end
--- a/deployment/puppet/tweaks/manifests/ubuntu_service_override.pp
+++ b/deployment/puppet/tweaks/manifests/ubuntu_service_override.pp
@ -43,10 +43,10 @@ define tweaks::ubuntu_service_override (
      })

      File['create-policy-rc.d'] ->
-        Package <| name == $package_name |> ->
+        Package <| name == $package_name |> { provider =>  'apt_fuel' } ->
          Exec['remove-policy-rc.d']
      File['create-policy-rc.d'] ->
-        Package <| title == $package_name |> ->
+        Package <| title == $package_name |> { provider => 'apt_fuel' } ->
          Exec['remove-policy-rc.d']
      Exec['remove-policy-rc.d'] ->
        Service <| name == $service_name |>
--- a/tests/noop/spec/hosts/fuel_pkgs/setup_repositories_spec.rb
+++ b/tests/noop/spec/hosts/fuel_pkgs/setup_repositories_spec.rb
@ -37,7 +37,7 @@ describe manifest do
    end

    it 'apt-get should allow unathenticated packages' do
-      should contain_apt__conf('allow-unathenticated').with_content('APT::Get::AllowUnauthenticated 1;')
+      should contain_apt__conf('allow-unathenticated').with_content('APT::Get::AllowUnauthenticated 0;')
    end

    it 'apt-get shouldn\'t install recommended packages' do