Merge pull request #289 from netmanagers/debian-family-apt-keyrings

feat(debian): use keyrings instead of key_ids

Author: myii

docs/README.apt.keyrings.rst

@@ -0,0 +1,34 @@
+.. _readme_apt_keyrings:
+
+apt repositories' keyrings
+==========================
+
+Debian family of OSes deprecated the use of `apt-key` to manage repositories' keys
+in favor of using `keyring files` which contain a binary OpenPGP format of the key
+(also known as "GPG key public ring")
+
+As nginx and passenger don't provide such key files, we created them following the
+official recomendations in their sites and install the resulting files.
+
+Nginx
+-----
+
+See https://nginx.org/en/linux_packages.html#Debian for details
+
+.. code-block:: bash
+
+   $ curl -s https://nginx.org/keys/nginx_signing.key | \
+       gpg --dearmor --output nginx-archive-keyring.gpg
+
+Phusion-passenger
+-----------------
+
+See https://www.phusionpassenger.com/docs/tutorials/deploy_to_production/installations/oss/ownserver/ruby/nginx/
+for more details.
+
+.. code-block:: bash
+
+   $ gpg --keyserver keyserver.ubuntu.com \
+         --output - \
+         --recv-keys 561F9B9CAC40B2F7 | \
+     gpg --export --output phusionpassenger-archive-keyring.gpg

nginx/files/default/nginx-archive-keyring.gpg

@@ -19,6 +19,8 @@
             'server_use_symlink': True,
             'pid_file': '/run/nginx.pid',
             'openssl_package': 'openssl',
+            'package_repo_keyring': '/usr/share/keyrings/nginx-archive-keyring.gpg',
+            'passenger_package_repo_keyring': '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg',
         },
         'CentOS': {
             'package': 'nginx',

nginx/files/default/phusionpassenger-archive-keyring.gpg

@@ -2,7 +2,11 @@
 #
 # Manages installation of nginx from pkg.
 
-{% from 'nginx/map.jinja' import nginx, sls_block with context %}
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import nginx, sls_block with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
 {%- if nginx.install_from_repo %}
   {% set from_official = true %}
   {% set from_ppa = false %}
@@ -33,7 +37,19 @@ nginx_install:
     - name: {{ nginx.lookup.package }}
     {% endif %}
 
-{% if salt['grains.get']('os_family') == 'Debian' %}
+{% if grains.os_family == 'Debian' %}
+  {%- if from_official %}
+nginx_official_repo_keyring:
+  file.managed:
+    - name: {{ nginx.lookup.package_repo_keyring }}
+    - source: {{ files_switch(['nginx-archive-keyring.gpg'],
+                              lookup='nginx_official_repo_keyring'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: nginx_official_repo
+  {%- endif %}
+
 nginx_official_repo:
   pkgrepo:
     {%- if from_official %}
@@ -42,10 +58,10 @@ nginx_official_repo:
     - absent
     {%- endif %}
     - humanname: nginx apt repo
-    - name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
-    - file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list
-    - keyid: ABF5BD827BD9BF62
-    - keyserver: keyserver.ubuntu.com
+    - name: >-
+        deb [signed-by={{ nginx.lookup.package_repo_keyring }}]
+        http://nginx.org/packages/{{ grains.os | lower }}/ {{ grains.oscodename }} nginx
+    - file: /etc/apt/sources.list.d/nginx-official-{{ grains.oscodename }}.list
     - require_in:
       - pkg: nginx_install
     - watch_in:
@@ -60,10 +76,10 @@ nginx_ppa_repo:
     {%- else %}
     - absent
     {%- endif %}
-    {% if salt['grains.get']('os') == 'Ubuntu' %}
+    {% if grains.os == 'Ubuntu' %}
     - ppa: nginx/{{ nginx.ppa_version }}
     {% else %}
-    - name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains['oscodename'] }} main
+    - name: deb http://ppa.launchpad.net/nginx/{{ nginx.ppa_version }}/ubuntu {{ grains.oscodename }} main
     - keyid: C300EE8C
     - keyserver: keyserver.ubuntu.com
     {% endif %}
@@ -73,6 +89,30 @@ nginx_ppa_repo:
       - pkg: nginx_install
    {%- endif %}
 
+  {%- if from_phusionpassenger %}
+nginx_phusionpassenger_repo_keyring:
+  file.managed:
+    - name: /usr/share/keyrings/phusionpassenger-archive-keyring.gpg
+    - source: {{ files_switch(['phusionpassenger-archive-keyring.gpg'],
+                              lookup='nginx_phusionpassenger_repo_keyring'
+                 )
+              }}
+    - require_in:
+      - pkgrepo: nginx_phusionpassenger_repo
+
+# Remove the old repo file
+nginx_phusionpassenger_repo_remove:
+  pkgrepo.absent:
+    - name: deb http://nginx.org/packages/{{ grains.os |lower }}/ {{ grains.oscodename }} nginx
+    - keyid: 561F9B9CAC40B2F7
+    - require_in:
+      - pkgrepo: nginx_phusionpassenger_repo
+  file.absent:
+    - name: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains.oscodename }}.list
+    - require_in:
+      - pkgrepo: nginx_phusionpassenger_repo
+  {%- endif %}
+
 nginx_phusionpassenger_repo:
   pkgrepo:
     {%- if from_phusionpassenger %}
@@ -81,17 +121,17 @@ nginx_phusionpassenger_repo:
     - absent
     {%- endif %}
     - humanname: nginx phusionpassenger repo
-    - name: deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains['oscodename'] }} main
-    - file: /etc/apt/sources.list.d/nginx-phusionpassenger-{{ grains['oscodename'] }}.list
-    - keyid: 561F9B9CAC40B2F7
-    - keyserver: keyserver.ubuntu.com
+    - name: >-
+        deb [signed-by={{ nginx.lookup.passenger_package_repo_keyring }}]
+        https://oss-binaries.phusionpassenger.com/apt/passenger {{ grains.oscodename }} main
+    - file: /etc/apt/sources.list.d/phusionpassenger-official-{{ grains.oscodename }}.list
     - require_in:
       - pkg: nginx_install
     - watch_in:
       - pkg: nginx_install
 {% endif %}
 
-{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}
+{% if grains.os_family == 'Suse' or grains.os == 'SUSE' %}
 nginx_zypp_repo:
   pkgrepo:
     {%- if from_official %}
@@ -112,8 +152,8 @@ nginx_zypp_repo:
       - pkg: nginx_install
 {% endif %}
 
-{% if salt['grains.get']('os_family') == 'RedHat' %}
-{%   if salt['grains.get']('osfinger', '') in ['Amazon Linux-2'] %}
+{% if grains.os_family == 'RedHat' %}
+  {% if grains.get('osfinger', '') == 'Amazon Linux-2' %}
 nginx_epel_repo:
   pkgrepo.managed:
     - name: epel
@@ -138,7 +178,7 @@ nginx_yum_repo:
     {%- endif %}
     - name: nginx
     - humanname: nginx repo
-    {%- if salt['grains.get']('os') == 'CentOS' %}
+    {%- if grains.os == 'CentOS' %}
     - baseurl: 'http://nginx.org/packages/centos/$releasever/$basearch/'
     {%- else %}
     - baseurl: 'http://nginx.org/packages/rhel/{{ nginx.lookup.rh_os_releasever }}/$basearch/'

nginx/map.jinja

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+case platform.family
+when 'redhat'
+  repo_file = '/etc/yum.repos.d/passenger.repo'
+  repo_url = 'https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch'
+when 'debian'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  finger_codename = {
+    'ubuntu-18.04' => 'bionic',
+    'ubuntu-20.04' => 'focal',
+    'debian-9' => 'stretch',
+    'debian-10' => 'buster',
+    'debian-11' => 'bullseye'
+  }
+  codename = finger_codename[system.platform[:finger]]
+
+  repo_keyring = '/usr/share/keyrings/phusionpassenger-archive-keyring.gpg'
+  repo_file = "/etc/apt/sources.list.d/phusionpassenger-official-#{codename}.list"
+  # rubocop:disable Metrics/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring}] https://oss-binaries.phusionpassenger.com/apt/passenger #{codename} main"
+  # rubocop:enable Metrics/LineLength
+end
+
+control 'Phusion-passenger repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Phusion-passenger repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end