feat(debian): use repository keyring instead of key_id

2025-04-10 14:51:46 +00:00 · 2022-02-04 18:02:08 -03:00 · 2022-02-04 18:02:08 -03:00 · b6a28fee0d
commit b6a28fee0d
parent ebe3841df8
5 changed files with 73 additions and 2 deletions
--- a/postgres/codenamemap.yaml
+++ b/postgres/codenamemap.yaml
@ -29,7 +29,7 @@
  data_dir: {{ data_dir }}
  fromrepo: {{ fromrepo }}
  pkg_repo:
-    name: 'deb http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'
+    name: 'deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg] http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main'
  pkg: postgresql-{{ version }}
  pkg_client: postgresql-client-{{ version }}
  prepare_cluster:
--- a/postgres/osfamilymap.yaml
+++ b/postgres/osfamilymap.yaml
@ -16,8 +16,8 @@ Debian:
  pkgs_deps: ['python3-apt']
  pkg_repo:
    humanname: PostgreSQL Official Repository
-    key_url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc'
    file: /etc/apt/sources.list.d/pgdg.list
+  pkg_repo_keyring: 'https://download.postgresql.org/pub/repos/apt/pool/main/p/pgdg-keyring/pgdg-keyring_2018.2_all.deb'
  pkg_repo_keyid: ACCC4CF8
    {% if repo.use_upstream_repo == true %}
  pkg_dev: ''
--- a/postgres/server/remove.sls
+++ b/postgres/server/remove.sls
@ -12,6 +12,12 @@ postgresql-repo-removed:
    - keyid: {{ postgres.pkg_repo_keyid }}
    {%- endif %}

+    {% if grains.os_family == 'Debian' %}
+postgresql-repo-keyring-removed:
+  pkg.removed:
+    - name: pgdg-keyring
+    {%- endif -%}
+
 #remove release installed by formula
 postgresql-server-removed:
  pkg.removed:
--- a/postgres/upstream.sls
+++ b/postgres/upstream.sls
@ -23,6 +23,15 @@ postgresql-pkg-deps:
    - pkgs: {{ postgres.pkgs_deps | json }}

 # Add upstream repository for your distro
+  {% if grains.os_family == 'Debian' %}
+postgresql-repo-keyring:
+  pkg.installed:
+    - sources:
+      - pgdg-keyring: {{ postgres.pkg_repo_keyring }}
+    - require_in:
+      - pkgrepo: postgresql-repo
+  {%- endif %}
+
 postgresql-repo:
  pkgrepo.managed:
    {{- format_kwargs(postgres.pkg_repo) }}
@ -39,6 +48,12 @@ postgresql-repo:
    - keyid: {{ postgres.pkg_repo_keyid }}
    {%- endif %}

+    {% if grains.os_family == 'Debian' %}
+postgresql-repo-keyring:
+  pkg.removed:
+    - name: pgdg-keyring
+    {%- endif -%}
+
  {%- endif -%}

 {%- elif grains.os not in ('Windows', 'MacOS',) %}
--- a/test/integration/repo/controls/repository.rb
+++ b/test/integration/repo/controls/repository.rb
@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+case platform.family
+when 'redhat'
+  repo_file = '/etc/yum.repos.d/pgdg13.repo'
+  repo_url = 'https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-$releasever-$basearch'
+when 'debian'
+  # Inspec does not provide a `codename` matcher, so we add ours
+  finger_codename = {
+    'ubuntu-18.04' => 'bionic',
+    'ubuntu-20.04' => 'focal',
+    'debian-9' => 'stretch',
+    'debian-10' => 'buster',
+    'debian-11' => 'bullseye'
+  }
+  codename = finger_codename[system.platform[:finger]]
+
+  repo_keyring = '/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg'
+  repo_file = '/etc/apt/sources.list.d/pgdg.list'
+  # rubocop:disable Metrics/LineLength
+  repo_url = "deb [signed-by=#{repo_keyring}] http://apt.postgresql.org/pub/repos/apt #{codename}-pgdg main"
+  # rubocop:enable Metrics/LineLength
+end
+
+control 'Postgresql repository keyring' do
+  title 'should be installed'
+
+  only_if('Requirement for Debian family') do
+    os.debian?
+  end
+
+  describe package('pgdg-keyring') do
+    it { should be_installed }
+  end
+
+  describe file(repo_keyring) do
+    it { should exist }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+  end
+end
+
+control 'Postgresql repository' do
+  impact 1
+  title 'should be configured'
+  describe file(repo_file) do
+    its('content') { should include repo_url }
+  end
+end