diff options
author | Ionuț Arțăriși <iartarisi@suse.cz> | 2013-04-03 17:17:43 +0200 |
---|---|---|
committer | Bryan McLellan <btm@opscode.com> | 2013-04-11 14:43:56 -0700 |
commit | a91e54fcee79c015b2631ca71ad4e97594a8b428 (patch) | |
tree | 7734cc7c8fbbdc4ecc9eca41dd1f422374ab3ece | |
parent | 8f62a9cdc47fb0c3bd74570ff7997ff409699125 (diff) | |
download | chef-a91e54fcee79c015b2631ca71ad4e97594a8b428.tar.gz |
CHEF-3938: create global config option for zypper gpg checks
-rw-r--r-- | lib/chef/config.rb | 6 | ||||
-rw-r--r-- | lib/chef/provider/package/zypper.rb | 30 | ||||
-rw-r--r-- | spec/unit/provider/package/zypper_spec.rb | 67 |
3 files changed, 92 insertions, 11 deletions
diff --git a/lib/chef/config.rb b/lib/chef/config.rb index 1b4ea78101..d9103b186c 100644 --- a/lib/chef/config.rb +++ b/lib/chef/config.rb @@ -308,6 +308,12 @@ class Chef signing_ca_domain "opensource.opscode.com" signing_ca_email "opensource-cert@opscode.com" + # Zypper package provider gpg checks. Set to true to enable package + # gpg signature checking. This will be default in the + # future. Setting to false disables the warnings. + # Leaving this set to nil or false is a security hazard! + zypper_check_gpg nil + # Report Handlers report_handlers [] diff --git a/lib/chef/provider/package/zypper.rb b/lib/chef/provider/package/zypper.rb index 43727466e2..f547e566f0 100644 --- a/lib/chef/provider/package/zypper.rb +++ b/lib/chef/provider/package/zypper.rb @@ -91,11 +91,11 @@ class Chef ) elsif version run_command( - :command => "zypper -n --no-gpg-checks install -l #{name}=#{version}" + :command => "zypper -n#{gpg_checks} install -l #{name}=#{version}" ) else run_command( - :command => "zypper -n --no-gpg-checks install -l #{name}" + :command => "zypper -n#{gpg_checks} install -l #{name}" ) end end @@ -107,11 +107,11 @@ class Chef ) elsif version run_command( - :command => "zypper -n --no-gpg-checks install -l #{name}=#{version}" + :command => "zypper -n#{gpg_checks} install -l #{name}=#{version}" ) else run_command( - :command => "zypper -n --no-gpg-checks install -l #{name}" + :command => "zypper -n#{gpg_checks} install -l #{name}" ) end end @@ -123,21 +123,33 @@ class Chef ) elsif version run_command( - :command => "zypper -n --no-gpg-checks remove #{name}=#{version}" + :command => "zypper -n#{gpg_checks} remove #{name}=#{version}" ) else run_command( - :command => "zypper -n --no-gpg-checks remove #{name}" + :command => "zypper -n#{gpg_checks} remove #{name}" ) end - - end def purge_package(name, version) remove_package(name, version) end - + + private + def gpg_checks() + case Chef::Config[:zypper_check_gpg] + when true + "" + when false + " --no-gpg-checks" + when nil + Chef::Log.warn("Chef::Config[:zypper_check_gpg] was not set. " + + "All packages will be installed without gpg signature checks. " + + "This is a security hazard.") + " --no-gpg-checks" + end + end end end end diff --git a/spec/unit/provider/package/zypper_spec.rb b/spec/unit/provider/package/zypper_spec.rb index fab78f4917..c0b2fe4658 100644 --- a/spec/unit/provider/package/zypper_spec.rb +++ b/spec/unit/provider/package/zypper_spec.rb @@ -92,8 +92,24 @@ describe Chef::Provider::Package::Zypper do describe "install_package" do it "should run zypper install with the package name and version" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true) @provider.should_receive(:run_command).with({ - :command => "zypper -n --no-gpg-checks install -l emacs=1.0", + :command => "zypper -n install -l emacs=1.0", + }) + @provider.install_package("emacs", "1.0") + end + it "should run zypper install without gpg checks" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false) + @provider.should_receive(:run_command).with({ + :command => "zypper -n --no-gpg-checks install -l emacs=1.0", + }) + @provider.install_package("emacs", "1.0") + end + it "should warn about gpg checks on zypper install" do + Chef::Log.should_receive(:warn).with( + /All packages will be installed without gpg signature checks/) + @provider.should_receive(:run_command).with({ + :command => "zypper -n --no-gpg-checks install -l emacs=1.0", }) @provider.install_package("emacs", "1.0") end @@ -101,6 +117,22 @@ describe Chef::Provider::Package::Zypper do describe "upgrade_package" do it "should run zypper update with the package name and version" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true) + @provider.should_receive(:run_command).with({ + :command => "zypper -n install -l emacs=1.0", + }) + @provider.upgrade_package("emacs", "1.0") + end + it "should run zypper update without gpg checks" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false) + @provider.should_receive(:run_command).with({ + :command => "zypper -n --no-gpg-checks install -l emacs=1.0", + }) + @provider.upgrade_package("emacs", "1.0") + end + it "should warn about gpg checks on zypper upgrade" do + Chef::Log.should_receive(:warn).with( + /All packages will be installed without gpg signature checks/) @provider.should_receive(:run_command).with({ :command => "zypper -n --no-gpg-checks install -l emacs=1.0", }) @@ -110,8 +142,24 @@ describe Chef::Provider::Package::Zypper do describe "remove_package" do it "should run zypper remove with the package name" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true) + @provider.should_receive(:run_command).with({ + :command => "zypper -n remove emacs=1.0", + }) + @provider.remove_package("emacs", "1.0") + end + it "should run zypper remove without gpg checks" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false) + @provider.should_receive(:run_command).with({ + :command => "zypper -n --no-gpg-checks remove emacs=1.0", + }) + @provider.remove_package("emacs", "1.0") + end + it "should warn about gpg checks on zypper remove" do + Chef::Log.should_receive(:warn).with( + /All packages will be installed without gpg signature checks/) @provider.should_receive(:run_command).with({ - :command => "zypper -n --no-gpg-checks remove emacs=1.0", + :command => "zypper -n --no-gpg-checks remove emacs=1.0", }) @provider.remove_package("emacs", "1.0") end @@ -122,6 +170,21 @@ describe Chef::Provider::Package::Zypper do @provider.should_receive(:remove_package).with("emacs", "1.0") @provider.purge_package("emacs", "1.0") end + it "should run zypper purge without gpg checks" do + Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false) + @provider.should_receive(:run_command).with({ + :command => "zypper -n --no-gpg-checks remove emacs=1.0", + }) + @provider.purge_package("emacs", "1.0") + end + it "should warn about gpg checks on zypper purge" do + Chef::Log.should_receive(:warn).with( + /All packages will be installed without gpg signature checks/) + @provider.should_receive(:run_command).with({ + :command => "zypper -n --no-gpg-checks remove emacs=1.0", + }) + @provider.purge_package("emacs", "1.0") + end end describe "on an older zypper" do |