
CHEF-3938: create global config option for zypper gpg checks

1 parent 8a3c33f commit ff39329bfdd5fb080919091f845ee78b46582bf7 @mapleoin committed Apr 3, 2013
Showing with 92 additions and 11 deletions.
  1. +6 −0 lib/chef/config.rb
  2. +21 −9 lib/chef/provider/package/zypper.rb
  3. +65 −2 spec/unit/provider/package/zypper_spec.rb
@@ -297,6 +297,12 @@ def self.formatters
signing_ca_domain "opensource.opscode.com"
signing_ca_email "opensource-cert@opscode.com"
+ # Zypper package provider gpg checks. Set to true to enable package
+ # gpg signature checking. This will be default in the
+ # future. Setting to false disables the warnings.
+ # Leaving this set to nil or false is a security hazard!
+ zypper_check_gpg nil
+
# Report Handlers
report_handlers []
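Review bot: The `zypper_check_gpg nil` default leaves signature verification off on every node that does not set the option, so the unverified path is still the one taken when the operator makes no decision. The comment should state what each value does, for example `# true: verify signatures; false: skip verification silently; nil (default): skip verification and log a warning.` Since the comment says `true` will become the default, naming the release in which that happens would let operators import repository keys before it does.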
@@ -91,11 +91,11 @@ def install_package(name, version)
)
elsif version
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}=#{version}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}=#{version}"
)
else
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}"
)
end
end
@@ -107,11 +107,11 @@ def upgrade_package(name, version)
)
elsif version
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}=#{version}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}=#{version}"
)
else
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}"
)
end
end
@@ -123,21 +123,33 @@ def remove_package(name, version)
)
elsif version
run_command(
- :command => "zypper -n --no-gpg-checks remove #{name}=#{version}"
+ :command => "zypper -n#{gpg_checks} remove #{name}=#{version}"
)
else
run_command(
- :command => "zypper -n --no-gpg-checks remove #{name}"
+ :command => "zypper -n#{gpg_checks} remove #{name}"
)
end
-
-
end
def purge_package(name, version)
remove_package(name, version)
end
-
+
+ private
+ def gpg_checks()
+ case Chef::Config[:zypper_check_gpg]
+ when true
+ ""
+ when false
+ " --no-gpg-checks"
+ when nil
+ Chef::Log.warn("Chef::Config[:zypper_check_gpg] was not set. " +
+ "All packages will be installed without gpg signature checks. " +
+ "This is a security hazard.")
+ " --no-gpg-checks"
+ end
+ end
end
end
end
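Review bot: `gpg_checks` has no `else` branch, so any value other than `true`, `false` or `nil` (the string `"false"`, for instance) makes the `case` return nil, which interpolates as an empty string; zypper then runs with checks enabled and nothing is logged about the unrecognised setting. Make that path explicit, e.g. `else` followed by `Chef::Log.warn("Chef::Config[:zypper_check_gpg] must be true, false or nil; running with gpg checks enabled")` and `""`. The helper is also interpolated into the `remove` commands, so with `nil` the message "All packages will be installed without gpg signature checks" is logged for a removal, and it is logged again on every call. The branch before each `elsif version` starts outside the hunks, so whether it honours the option cannot be confirmed from here.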
@@ -92,15 +92,47 @@
describe "install_package" do
it "should run zypper install with the package name and version" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
@provider.should_receive(:run_command).with({
- :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+ :command => "zypper -n install -l emacs=1.0",
+ })
+ @provider.install_package("emacs", "1.0")
+ end
+ it "should run zypper install without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+ })
+ @provider.install_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper install" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
})
@provider.install_package("emacs", "1.0")
end
end
describe "upgrade_package" do
it "should run zypper update with the package name and version" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n install -l emacs=1.0",
+ })
+ @provider.upgrade_package("emacs", "1.0")
+ end
+ it "should run zypper update without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+ })
+ @provider.upgrade_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper upgrade" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
@provider.should_receive(:run_command).with({
:command => "zypper -n --no-gpg-checks install -l emacs=1.0",
})
@@ -110,8 +142,24 @@
describe "remove_package" do
it "should run zypper remove with the package name" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n remove emacs=1.0",
+ })
+ @provider.remove_package("emacs", "1.0")
+ end
+ it "should run zypper remove without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ })
+ @provider.remove_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper remove" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
@provider.should_receive(:run_command).with({
- :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
})
@provider.remove_package("emacs", "1.0")
end
@@ -122,6 +170,21 @@
@provider.should_receive(:remove_package).with("emacs", "1.0")
@provider.purge_package("emacs", "1.0")
end
+ it "should run zypper purge without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ })
+ @provider.purge_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper purge" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ })
+ @provider.purge_package("emacs", "1.0")
+ end
end
describe "on an older zypper" do
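Review bot: The four "should warn about gpg checks" examples never stub `Chef::Config[:zypper_check_gpg]`, so they pass only while the global default is `nil` and no earlier example has changed it. Pin the value in each of them with `Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(nil)` so the warning path stays covered once the default becomes `true`. `purge_package` also has no example for the `true` case, and the upgrade "should warn" example ends outside its hunk.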
