authorPaul Goins <paul.goins@canonical.com>2021-05-18 17:02:51 +0000
committerGitHub <noreply@github.com>2021-05-18 12:02:51 -0500
commit1793b8b70ca2e3587c271155033ef943207136ae (patch)
tree119b896a67d8fc0be9bd1c505690c8da50cd3e13
parent21a0b12052691d6634d0848dfa353c12939945e9 (diff)
downloadcloud-init-git-1793b8b70ca2e3587c271155033ef943207136ae.tar.gz
Added support for importing keys via primary/security mirror clauses (#882)
Presently, mirror keys cannot be associated with primary/security mirrors. Unfortunately, this prevents use of Landscape-managed package mirrors, because the mirror key for the Landscape-hosted repository cannot be provided. This patch allows the same key-related fields usable on "sources" entries to be used on the "primary" and "security" entries as well. LP: #1925395
-rw-r--r--cloudinit/config/cc_apt_configure.py26
-rw-r--r--doc/examples/cloud-config-apt.txt6
-rw-r--r--tests/unittests/test_handler/test_handler_apt_source_v3.py23
3 files changed, 55 insertions, 0 deletions
diff --git a/cloudinit/config/cc_apt_configure.py b/cloudinit/config/cc_apt_configure.py
index bb8a1278..0c9c7925 100644
--- a/cloudinit/config/cc_apt_configure.py
+++ b/cloudinit/config/cc_apt_configure.py
@@ -57,6 +57,15 @@ mirror_property = {
},
'search_dns': {
'type': 'boolean',
+ },
+ 'keyid': {
+ 'type': 'string'
+ },
+ 'key': {
+ 'type': 'string'
+ },
+ 'keyserver': {
+ 'type': 'string'
}
}
}
@@ -228,6 +237,15 @@ schema = {
key, the search pattern will be
``<distro>-security-mirror``.
+ Each mirror may also specify a key to import via
+ any of the following optional keys:
+
+ - ``keyid``: a key to import via shortid or \
+ fingerprint.
+ - ``key``: a raw PGP key.
+ - ``keyserver``: alternate keyserver to pull \
+ ``keyid`` key from.
+
If no mirrors are specified, or all lookups fail,
then default mirrors defined in the datasource
are used. If none are present in the datasource
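Review bot: The `keyid` bullet presents short IDs and fingerprints as equivalent, but a short ID is only 32 bits and is not unique, so a keyserver lookup by short ID can return a key other than the one the operator meant to trust for the mirror. The schema text should steer users to the full fingerprint, for example `keyid: a key to import via full fingerprint; short IDs are accepted but are not unique`. It would also help to say that an inline `key` avoids the keyserver round trip entirely. The same wording is repeated in the doc/examples/cloud-config-apt.txt hunk and should be changed there too.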
@@ -453,6 +471,7 @@ def apply_apt(cfg, cloud, target):
LOG.debug("Apt Mirror info: %s", mirrors)
if util.is_false(cfg.get('preserve_sources_list', False)):
+ add_mirror_keys(cfg, target)
generate_sources_list(cfg, release, mirrors, cloud)
rename_apt_lists(mirrors, target, arch)
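Review bot: The new `add_mirror_keys(cfg, target)` call sits inside the `preserve_sources_list` branch, so a `key` or `keyid` given on a mirror entry is silently ignored whenever `preserve_sources_list` is true, and neither the schema text nor the example file in this commit says so. If that is intended, a comment on the call would make it explicit: `# mirror keys are only imported when cloud-init writes sources.list itself`. It is also worth confirming what happens to `generate_sources_list` when the import fails (an unreachable keyserver, for instance), since the import now runs first; that depends on add_apt_key, which is not visible here. apply_apt's body starts and ends outside the hunk.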
@@ -660,6 +679,13 @@ def disable_suites(disabled, src, release):
return retsrc
+def add_mirror_keys(cfg, target):
+ """Adds any keys included in the primary/security mirror clauses"""
+ for key in ('primary', 'security'):
+ for mirror in cfg.get(key, []):
+ add_apt_key(mirror, target)
+
+
def generate_sources_list(cfg, release, mirrors, cloud):
"""generate_sources_list
create a source.list file based on a custom or default template
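Review bot: `add_mirror_keys` imports the key of every entry under `primary` and `security`, including entries whose `arches` do not apply to this host and entries that are not the mirror finally selected, so the apt keyring presumably ends up trusting keys for mirrors that are never used. Restricting the import to the entries that apply to the running architecture (apply_apt has `arch` in scope at the call site) would keep the set of trusted keys minimal. If importing all of them is deliberate, the docstring should say so, e.g. `"""Import keys from every primary/security mirror entry, regardless of arch."""`. The loop variable `key` holds a mirror type in a function that deals with apt keys; `mirror_type` would read more clearly.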
diff --git a/doc/examples/cloud-config-apt.txt b/doc/examples/cloud-config-apt.txt
index 004894b7..f4392326 100644
--- a/doc/examples/cloud-config-apt.txt
+++ b/doc/examples/cloud-config-apt.txt
@@ -138,6 +138,12 @@ apt:
# the first defining a valid mirror wins (in the order as defined here,
# not the order as listed in the config).
#
+ # Additionally, if the repository requires a custom signing key, it can be
+ # specified via the same fields as for custom sources:
+ # 'keyid': providing a key to import via shortid or fingerprint
+ # 'key': providing a raw PGP key
+ # 'keyserver': specify an alternate keyserver to pull keys from that
+ # were specified by keyid
- arches: [s390x, arm64]
# as above, allowing to have one config for different per arch mirrors
# security is optional, if not defined it is set to the same value as primary
diff --git a/tests/unittests/test_handler/test_handler_apt_source_v3.py b/tests/unittests/test_handler/test_handler_apt_source_v3.py
index ac847238..abb0a9b6 100644
--- a/tests/unittests/test_handler/test_handler_apt_source_v3.py
+++ b/tests/unittests/test_handler/test_handler_apt_source_v3.py
@@ -1009,6 +1009,29 @@ deb http://ubuntu.com/ubuntu/ xenial-proposed main""")
self.assertEqual(mirrors['SECURITY'],
smir)
+ def test_apt_v3_add_mirror_keys(self):
+ """test_apt_v3_add_mirror_keys - Test adding key for mirrors"""
+ arch = 'amd64'
+ cfg = {
+ 'primary': [
+ {'arches': [arch],
+ 'uri': 'http://test.ubuntu.com/',
+ 'key': 'fakekey_primary'}],
+ 'security': [
+ {'arches': [arch],
+ 'uri': 'http://testsec.ubuntu.com/',
+ 'key': 'fakekey_security'}]
+ }
+
+ with mock.patch.object(cc_apt_configure,
+ 'add_apt_key_raw') as mockadd:
+ cc_apt_configure.add_mirror_keys(cfg, TARGET)
+ calls = [
+ mock.call('fakekey_primary', TARGET),
+ mock.call('fakekey_security', TARGET),
+ ]
+ mockadd.assert_has_calls(calls, any_order=True)
+
class TestDebconfSelections(TestCase):
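Review bot: The new test covers only the raw `key` field and patches `add_apt_key_raw`, so the `keyid` and `keyserver` fields this commit also adds to the mirror schema are untested on the mirror path, as is a mirror entry that carries no key field at all. A second case with `'keyid'` and `'keyserver'` on a mirror entry, and one entry with only `'uri'` asserting that nothing is imported for it, would pin that behaviour. `assert_has_calls(calls, any_order=True)` also passes when extra keys are imported; adding `self.assertEqual(mockadd.call_count, 2)` after it would catch an unintended import.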