From 0a743b70ce6764d33b8b8cf3d2a57194895c6ec3 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Tue, 21 Jun 2016 12:12:45 +0300 Subject: [PATCH] Allow unauthenticated packages via puppet provider After MOS cluster deployment APT configuration allows installation packages coming from unauthenticated DEB repositories. This is a security risk because packages installed from unsigned APT repositories are subject to various threats. This change will move the option to the puppet provider used during the deploy and leave APT configuration secure as it should be. Change-Id: I20ade67e108f0d6666d386b6e00e0cb18df5c571 Closes-Bug: #1594699 Signed-off-by: Maksim Malchuk --- .../lib/puppet/provider/package/apt_fuel.rb | 16 +++++++++------- .../manifests/fuel_pkgs/setup_repositories.pp | 2 +- .../spec/unit/provider/package/apt_fuel_spec.rb | 12 ++++++------ .../tweaks/manifests/ubuntu_service_override.pp | 4 ++-- .../hosts/fuel_pkgs/setup_repositories_spec.rb | 2 +- 5 files changed, 19 insertions(+), 17 deletions(-) diff --git a/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb b/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb index b2b5c337e8..c2de89cd62 100644 --- a/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb +++ b/deployment/puppet/osnailyfacter/lib/puppet/provider/package/apt_fuel.rb @@ -5,6 +5,7 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt desc "Package management via `apt-get` managing locks." has_feature :versionable + has_feature :install_options defaultfor :operatingsystem => [:ubuntu] @@ -14,13 +15,13 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt :retry_count, :retry_sleep - def initialize(value={}) - super(value) - @default_lock_timeout = 300 - @lock_file = '/var/lib/dpkg/lock' - @lock_sleep = 2 - @retry_count = 3 - @retry_sleep = 5 + def initialize(value={}) + super(value) + @default_lock_timeout = 300 + @lock_file = '/var/lib/dpkg/lock' + @lock_sleep = 2 + @retry_count = 3 + @retry_sleep = 5 end def timeout @@ -67,6 +68,7 @@ Puppet::Type.type(:package).provide :apt_fuel, :parent => :apt, :source => :apt def install debug 'Call: install' + @resource[:install_options] = ['-o', 'APT::Get::AllowUnauthenticated=1'] (1..@retry_count).each do |try| begin wait_for_lock do diff --git a/deployment/puppet/osnailyfacter/manifests/fuel_pkgs/setup_repositories.pp b/deployment/puppet/osnailyfacter/manifests/fuel_pkgs/setup_repositories.pp index 875517ee1f..cbe451b796 100644 --- a/deployment/puppet/osnailyfacter/manifests/fuel_pkgs/setup_repositories.pp +++ b/deployment/puppet/osnailyfacter/manifests/fuel_pkgs/setup_repositories.pp @@ -41,7 +41,7 @@ class osnailyfacter::fuel_pkgs::setup_repositories { } apt::conf { 'allow-unathenticated': - content => 'APT::Get::AllowUnauthenticated 1;', + content => 'APT::Get::AllowUnauthenticated 0;', } apt::conf { 'install-recommends': diff --git a/deployment/puppet/osnailyfacter/spec/unit/provider/package/apt_fuel_spec.rb b/deployment/puppet/osnailyfacter/spec/unit/provider/package/apt_fuel_spec.rb index 855a00a141..5d4b06020d 100644 --- a/deployment/puppet/osnailyfacter/spec/unit/provider/package/apt_fuel_spec.rb +++ b/deployment/puppet/osnailyfacter/spec/unit/provider/package/apt_fuel_spec.rb @@ -50,9 +50,9 @@ describe Puppet::Type.type(:package).provider(:apt_fuel) do it 'should retry the failed installation attempts' do subject.stubs(:locked?).returns(false) - subject.expects(:aptget). - with('-q', '-y', '-o', 'DPkg::Options::=--force-confold', :install, 'test'). - raises(Puppet::ExecutionFailure, 'installation failed').times(3) + subject.expects(:aptget).with do |*options| + options[-2..-1] == [:install, 'test'] + end.raises(Puppet::ExecutionFailure, 'installation failed').times(3) subject.expects(:aptget).with('-q', '-y', :update).times(2) expect do subject.install @@ -61,9 +61,9 @@ describe Puppet::Type.type(:package).provider(:apt_fuel) do it 'should be able to succeed after failing' do subject.stubs(:locked?).returns(false) - subject.expects(:aptget). - with('-q', '-y', '-o', 'DPkg::Options::=--force-confold', :install, 'test'). - raises(Puppet::ExecutionFailure, 'installation failed').then.returns(true).times(2) + subject.expects(:aptget).with do |*options| + options[-2..-1] == [:install, 'test'] + end.raises(Puppet::ExecutionFailure, 'installation failed').then.returns(true).times(2) subject.expects(:aptget).with('-q', '-y', :update).times(1) subject.install end diff --git a/deployment/puppet/tweaks/manifests/ubuntu_service_override.pp b/deployment/puppet/tweaks/manifests/ubuntu_service_override.pp index 4764bee359..0c022d89b3 100644 --- a/deployment/puppet/tweaks/manifests/ubuntu_service_override.pp +++ b/deployment/puppet/tweaks/manifests/ubuntu_service_override.pp @@ -43,10 +43,10 @@ define tweaks::ubuntu_service_override ( }) File['create-policy-rc.d'] -> - Package <| name == $package_name |> -> + Package <| name == $package_name |> { provider => 'apt_fuel' } -> Exec['remove-policy-rc.d'] File['create-policy-rc.d'] -> - Package <| title == $package_name |> -> + Package <| title == $package_name |> { provider => 'apt_fuel' } -> Exec['remove-policy-rc.d'] Exec['remove-policy-rc.d'] -> Service <| name == $service_name |> diff --git a/tests/noop/spec/hosts/fuel_pkgs/setup_repositories_spec.rb b/tests/noop/spec/hosts/fuel_pkgs/setup_repositories_spec.rb index 1ee5567257..e3c884a582 100644 --- a/tests/noop/spec/hosts/fuel_pkgs/setup_repositories_spec.rb +++ b/tests/noop/spec/hosts/fuel_pkgs/setup_repositories_spec.rb @@ -37,7 +37,7 @@ describe manifest do end it 'apt-get should allow unathenticated packages' do - should contain_apt__conf('allow-unathenticated').with_content('APT::Get::AllowUnauthenticated 1;') + should contain_apt__conf('allow-unathenticated').with_content('APT::Get::AllowUnauthenticated 0;') end it 'apt-get shouldn\'t install recommended packages' do