unattended_upgrades: Fix matching security archive

manifests/params.pp

@@ -10,28 +10,40 @@
       case $::lsbdistcodename {
         'squeeze': {
           $backports_location = 'http://backports.debian.org/debian-backports'
+          $legacy_origin       = true
+          $origins             = ['${distro_id} ${distro_codename}-security']
         }
         'wheezy': {
           $backports_location = 'http://ftp.debian.org/debian/'
+          $legacy_origin      = false
+          $origins            = ['origin=Debian,archive=stable,label=Debian-Security']
         }
         default: {
           $backports_location = 'http://http.debian.net/debian/'
+          $legacy_origin      = false
+          $origins            = ['origin=Debian,archive=stable,label=Debian-Security']
         }
       }
     }
     'ubuntu': {
       case $::lsbdistcodename {
-        'precise','trusty': {
+        'lucid': {
           $backports_location = 'http://us.archive.ubuntu.com/ubuntu'
-          $ppa_options = '-y'
+          $ppa_options        = undef
+          $legacy_origin      = true
+          $origins            = ['${distro_id} ${distro_codename}-security']
         }
-        'lucid': {
+        'precise', 'trusty': {
           $backports_location = 'http://us.archive.ubuntu.com/ubuntu'
-          $ppa_options = undef
+          $ppa_options        = '-y'
+          $legacy_origin      = true
+          $origins            = ['${distro_id}:${distro_codename}-security']
         }
         default: {
           $backports_location = 'http://old-releases.ubuntu.com/ubuntu'
-          $ppa_options = '-y'
+          $ppa_options        = '-y'
+          $legacy_origin      = true
+          $origins            = ['${distro_id}:${distro_codename}-security']
         }
       }
     }

manifests/unattended_upgrades.pp

@@ -14,30 +14,29 @@
 # file and in /etc/cron.daily/apt
 #
 class apt::unattended_upgrades (
-  $origins = ['${distro_id}:${distro_codename}-security'],
-  $blacklist = [],
-  $update = "1",
-  $download = "1",
-  $upgrade = "1",
-  $autoclean = "7",
-  $auto_fix = true,
-  $minimal_steps = false,
+  $origins             = $::apt::params::origins,
+  $blacklist           = [],
+  $update              = "1",
+  $download            = "1",
+  $upgrade             = "1",
+  $autoclean           = "7",
+  $auto_fix            = true,
+  $minimal_steps       = false,
   $install_on_shutdown = false,
-  $mail_to = "NONE",
-  $mail_only_on_error = false,
-  $remove_unused = true,
-  $auto_reboot = false,
-  $dl_limit = "NONE",
-  $enable = "1",
-  $backup_interval = "0",
-  $backup_level = "3",
-  $max_age = "0",
-  $min_age = "0",
-  $max_size = "0",
-  $download_delta = "0",
-  $verbose = "0",
-) {
-  include apt::params
+  $mail_to             = "NONE",
+  $mail_only_on_error  = false,
+  $remove_unused       = true,
+  $auto_reboot         = false,
+  $dl_limit            = "NONE",
+  $enable              = "1",
+  $backup_interval     = "0",
+  $backup_level        = "3",
+  $max_age             = "0",
+  $min_age             = "0",
+  $max_size            = "0",
+  $download_delta      = "0",
+  $verbose             = "0",
+) inherits ::apt::params {
 
   validate_bool(
     $auto_fix,
@@ -47,6 +46,7 @@
     $remove_unused,
     $auto_reboot
   )
+  validate_array($origins)
 
   package { 'unattended-upgrades':
     ensure => present,

spec/classes/unattended_upgrades_spec.rb

@@ -25,16 +25,100 @@
   }
 
   describe "origins" do
-    describe "with param defaults" do
-      let(:params) {{ }}
-      it { should contain_file(file_unattended).with_content(/^Unattended-Upgrade::Allowed-Origins \{\n\t"\$\{distro_id\}:\$\{distro_codename\}-security";\n\};$/) }
+    describe 'on Debian' do
+      default_facts = { :lsbdistid => 'Debian' }
+      context 'defaults' do
+        let :facts do default_facts end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Origins-Pattern/
+          ).with_content(
+            /"origin=Debian,archive=stable,label=Debian-Security";/
+          )
+        }
+      end
+      context 'defaults with custom origin' do
+        let :facts do default_facts end
+        let :params do { :origins => ['bananana']} end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Origins-Pattern/
+          ).with_content(
+            /"bananana";/
+          )
+        }
+      end
+      context 'defaults with invalid origin' do
+        let :facts do default_facts end
+        let :params do { :origins => 'bananana'} end
+        it {
+          expect {subject}.to raise_error(/is not an Array/)
+        }
+      end
+      context 'squeeze' do
+        let :facts do default_facts.merge({:lsbdistcodename => 'squeeze'}) end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Allowed-Origins/
+          ).with_content(
+            /"\${distro_id} \${distro_codename}-security";/
+          )
+        }
+      end
+      context 'wheezy' do
+        let :facts do default_facts.merge({:lsbdistcodename => 'wheezy'}) end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Origins-Pattern/
+          ).with_content(
+            /"origin=Debian,archive=stable,label=Debian-Security";/
+          )
+        }
+      end
     end
 
-    describe "with origins => ['ubuntu:precise-security']" do
-      let :params do
-        { :origins => ['ubuntu:precise-security'] }
+    describe 'on Ubuntu' do
+      default_facts = { :lsbdistid => 'Ubuntu' }
+      context 'default' do
+        let :facts do default_facts end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Allowed-Origins/
+          ).with_content(
+            /"\${distro_id}\:\${distro_codename}-security";/
+          )
+        }
+      end
+      context 'lucid' do
+        let :facts do default_facts.merge({:lsbdistcodename => 'lucid'}) end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Allowed-Origins/
+          ).with_content(
+            /"\${distro_id} \${distro_codename}-security";/
+          )
+        }
+      end
+      context 'precise' do
+        let :facts do default_facts.merge({:lsbdistcodename => 'precise'}) end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Allowed-Origins/
+          ).with_content(
+            /"\${distro_id}\:\${distro_codename}-security";/
+          )
+        }
+      end
+      context 'trusty' do
+        let :facts do default_facts.merge({:lsbdistcodename => 'trusty'}) end
+        it {
+          should contain_file(file_unattended).with_content(
+            /^Unattended-Upgrade::Allowed-Origins/
+          ).with_content(
+            /"\${distro_id}\:\${distro_codename}-security";/
+          )
+        }
       end
-      it { should contain_file(file_unattended).with_content(/^Unattended-Upgrade::Allowed-Origins \{\n\t"ubuntu:precise-security";\n\};$/) }
     end
   end
 

templates/50unattended-upgrades.erb

@@ -1,5 +1,9 @@
 // Automatically upgrade packages from these (origin:archive) pairs
+<%- if @legacy_origin -%>
 Unattended-Upgrade::Allowed-Origins {
+<%- else -%>
+Unattended-Upgrade::Origins-Pattern {
+<%- end -%>
 <% @origins.each do |origin| -%>
 	"<%= origin %>";
 <% end -%>