authorIonuț Arțăriși <iartarisi@suse.cz>2013-04-03 17:17:43 +0200
committerBryan McLellan <btm@opscode.com>2013-04-11 14:43:56 -0700
commita91e54fcee79c015b2631ca71ad4e97594a8b428 (patch)
tree7734cc7c8fbbdc4ecc9eca41dd1f422374ab3ece
parent8f62a9cdc47fb0c3bd74570ff7997ff409699125 (diff)
downloadchef-a91e54fcee79c015b2631ca71ad4e97594a8b428.tar.gz
CHEF-3938: create global config option for zypper gpg checks
-rw-r--r--lib/chef/config.rb6
-rw-r--r--lib/chef/provider/package/zypper.rb30
-rw-r--r--spec/unit/provider/package/zypper_spec.rb67
3 files changed, 92 insertions, 11 deletions
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index 1b4ea78101..d9103b186c 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -308,6 +308,12 @@ class Chef
signing_ca_domain "opensource.opscode.com"
signing_ca_email "opensource-cert@opscode.com"
+ # Zypper package provider gpg checks. Set to true to enable package
+ # gpg signature checking. This will be default in the
+ # future. Setting to false disables the warnings.
+ # Leaving this set to nil or false is a security hazard!
+ zypper_check_gpg nil
+
# Report Handlers
report_handlers []
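Review bot: The comment on `zypper_check_gpg` says false "disables the warnings" but never says that false also keeps passing `--no-gpg-checks`, so a reader can take false for a quiet but safe setting. Going by the provider change in this same commit, nil and false both leave signature verification off and differ only in whether a warning is logged. I would spell that out, for example `# true: verify package signatures. false: skip verification without warning. nil (default): skip verification and log a warning.` With the default left at nil, an untouched configuration still installs unverified packages, which the comment should state directly rather than only calling it a hazard.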
diff --git a/lib/chef/provider/package/zypper.rb b/lib/chef/provider/package/zypper.rb
index 43727466e2..f547e566f0 100644
--- a/lib/chef/provider/package/zypper.rb
+++ b/lib/chef/provider/package/zypper.rb
@@ -91,11 +91,11 @@ class Chef
)
elsif version
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}=#{version}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}=#{version}"
)
else
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}"
)
end
end
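Review bot: Both `run_command` calls here still build the command by interpolating `name` and `version` into one string with no quoting. run_command's implementation is not visible in this hunk, but if the string reaches a shell and either value can originate from node attributes or other data the cookbook author did not write, shell metacharacters in it would be interpreted. Using `Shellwords.escape(name)` and `Shellwords.escape(version)` in place of the bare interpolations (with `require 'shellwords'` at the top of the file) would close that off. The same pattern appears in the hunks at -107 and -123, and the enclosing method starts outside this hunk.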
@@ -107,11 +107,11 @@ class Chef
)
elsif version
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}=#{version}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}=#{version}"
)
else
run_command(
- :command => "zypper -n --no-gpg-checks install -l #{name}"
+ :command => "zypper -n#{gpg_checks} install -l #{name}"
)
end
end
@@ -123,21 +123,33 @@ class Chef
)
elsif version
run_command(
- :command => "zypper -n --no-gpg-checks remove #{name}=#{version}"
+ :command => "zypper -n#{gpg_checks} remove #{name}=#{version}"
)
else
run_command(
- :command => "zypper -n --no-gpg-checks remove #{name}"
+ :command => "zypper -n#{gpg_checks} remove #{name}"
)
end
-
-
end
def purge_package(name, version)
remove_package(name, version)
end
-
+
+ private
+ def gpg_checks()
+ case Chef::Config[:zypper_check_gpg]
+ when true
+ ""
+ when false
+ " --no-gpg-checks"
+ when nil
+ Chef::Log.warn("Chef::Config[:zypper_check_gpg] was not set. " +
+ "All packages will be installed without gpg signature checks. " +
+ "This is a security hazard.")
+ " --no-gpg-checks"
+ end
+ end
end
end
end
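Review bot: `gpg_checks` has no `else` branch, so any value other than true, false or nil (for instance the string "false" in a hand-edited config) makes the `case` return nil, which interpolates as an empty string. zypper then runs with checks on, the opposite of what the operator wrote, and nothing is logged. An explicit `else raise ArgumentError, "zypper_check_gpg must be true, false or nil"` would surface the misconfiguration. Separately, the nil-branch warning says packages "will be installed" although the helper is also called from `remove_package`, and it is logged on every command rather than once per run.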
diff --git a/spec/unit/provider/package/zypper_spec.rb b/spec/unit/provider/package/zypper_spec.rb
index fab78f4917..c0b2fe4658 100644
--- a/spec/unit/provider/package/zypper_spec.rb
+++ b/spec/unit/provider/package/zypper_spec.rb
@@ -92,8 +92,24 @@ describe Chef::Provider::Package::Zypper do
describe "install_package" do
it "should run zypper install with the package name and version" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
@provider.should_receive(:run_command).with({
- :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+ :command => "zypper -n install -l emacs=1.0",
+ })
+ @provider.install_package("emacs", "1.0")
+ end
+ it "should run zypper install without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+ })
+ @provider.install_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper install" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
})
@provider.install_package("emacs", "1.0")
end
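Review bot: The "should warn about gpg checks on zypper install" example does not stub `Chef::Config[:zypper_check_gpg]`, so it passes only while the global default happens to be nil. If a loaded config or an earlier example sets the value, the warning expectation fails or becomes order-dependent. Adding `Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(nil)` as the first line would pin the case under test; the warn examples in the upgrade, remove and purge hunks need the same line. No example covers a value that is neither boolean nor nil, which is the path where `gpg_checks` returns nil.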
@@ -101,6 +117,22 @@ describe Chef::Provider::Package::Zypper do
describe "upgrade_package" do
it "should run zypper update with the package name and version" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n install -l emacs=1.0",
+ })
+ @provider.upgrade_package("emacs", "1.0")
+ end
+ it "should run zypper update without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks install -l emacs=1.0",
+ })
+ @provider.upgrade_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper upgrade" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
@provider.should_receive(:run_command).with({
:command => "zypper -n --no-gpg-checks install -l emacs=1.0",
})
@@ -110,8 +142,24 @@ describe Chef::Provider::Package::Zypper do
describe "remove_package" do
it "should run zypper remove with the package name" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(true)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n remove emacs=1.0",
+ })
+ @provider.remove_package("emacs", "1.0")
+ end
+ it "should run zypper remove without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ })
+ @provider.remove_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper remove" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
@provider.should_receive(:run_command).with({
- :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
})
@provider.remove_package("emacs", "1.0")
end
@@ -122,6 +170,21 @@ describe Chef::Provider::Package::Zypper do
@provider.should_receive(:remove_package).with("emacs", "1.0")
@provider.purge_package("emacs", "1.0")
end
+ it "should run zypper purge without gpg checks" do
+ Chef::Config.stub(:[]).with(:zypper_check_gpg).and_return(false)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ })
+ @provider.purge_package("emacs", "1.0")
+ end
+ it "should warn about gpg checks on zypper purge" do
+ Chef::Log.should_receive(:warn).with(
+ /All packages will be installed without gpg signature checks/)
+ @provider.should_receive(:run_command).with({
+ :command => "zypper -n --no-gpg-checks remove emacs=1.0",
+ })
+ @provider.purge_package("emacs", "1.0")
+ end
end
describe "on an older zypper" do