diff --git a/postgres/codenamemap.yaml b/postgres/codenamemap.yaml index fbfc5fd1..43596f5e 100644 --- a/postgres/codenamemap.yaml +++ b/postgres/codenamemap.yaml @@ -29,7 +29,7 @@ data_dir: {{ data_dir }} fromrepo: {{ fromrepo }} pkg_repo: - name: 'deb http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main' + name: 'deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg] http://apt.postgresql.org/pub/repos/apt {{ name }}-pgdg main' pkg: postgresql-{{ version }} pkg_client: postgresql-client-{{ version }} prepare_cluster: diff --git a/postgres/osfamilymap.yaml b/postgres/osfamilymap.yaml index e572e94a..47033fcd 100644 --- a/postgres/osfamilymap.yaml +++ b/postgres/osfamilymap.yaml @@ -16,8 +16,8 @@ Debian: pkgs_deps: ['python3-apt'] pkg_repo: humanname: PostgreSQL Official Repository - key_url: 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' file: /etc/apt/sources.list.d/pgdg.list + pkg_repo_keyring: 'https://download.postgresql.org/pub/repos/apt/pool/main/p/pgdg-keyring/pgdg-keyring_2018.2_all.deb' pkg_repo_keyid: ACCC4CF8 {% if repo.use_upstream_repo == true %} pkg_dev: '' diff --git a/postgres/server/remove.sls b/postgres/server/remove.sls index 45336f49..65cefab1 100644 --- a/postgres/server/remove.sls +++ b/postgres/server/remove.sls @@ -12,6 +12,12 @@ postgresql-repo-removed: - keyid: {{ postgres.pkg_repo_keyid }} {%- endif %} + {% if grains.os_family == 'Debian' %} +postgresql-repo-keyring-removed: + pkg.removed: + - name: pgdg-keyring + {%- endif -%} + #remove release installed by formula postgresql-server-removed: pkg.removed: diff --git a/postgres/upstream.sls b/postgres/upstream.sls index 8bdc0e81..239f151f 100644 --- a/postgres/upstream.sls +++ b/postgres/upstream.sls 
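Review bot: In postgres/codenamemap.yaml the new `signed-by=` option scopes the key to this one source, but the URI on the same line is still `http://apt.postgresql.org/pub/repos/apt`. Signature checking protects package integrity, yet plain HTTP still lets a network intermediary observe what is fetched and serve stale indexes. Consider `https://apt.postgresql.org/pub/repos/apt`; older apt releases need the `apt-transport-https` package for that, which may matter for the oldest Debian release in the test matrix. The keyring path is hard-coded here while the package expected to provide it is configured in osfamilymap.yaml, so a short comment linking the two would help the next maintainer.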
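Review bot: In postgres/osfamilymap.yaml `pkg_repo_keyring` points at a `.deb` that becomes the trust anchor for the repository, and nothing visible in this diff verifies it beyond the HTTPS download; the `pkg.installed` `sources` entry added in postgres/upstream.sls carries no checksum. Consider fetching the file with `file.managed` and a pinned `source_hash`, then installing from the local path, so a changed or tampered package fails the state. The URL also pins `pgdg-keyring_2018.2_all.deb` in the pool directory; pool files are commonly removed when a newer version is published, and a pinned keyring will not follow key rotation, so document how this value is meant to be updated. `pkg_repo_keyid: ACCC4CF8` stays as an 8-hex short ID, which is not collision-resistant; the full fingerprint would be safer wherever it is still consumed.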
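Review bot: In postgres/server/remove.sls the closing tag `{%- endif -%}` trims whitespace on both sides, so on Debian the rendered output appears to join `- name: pgdg-keyring` directly to the following `#remove release installed by formula` line. A `#` with no space before it is not a YAML comment, so the package name would become `pgdg-keyring#remove release installed by formula`, and the state would most likely report that name as already absent instead of removing the keyring. Use `{%- endif %}` as the block just above does. Indentation is collapsed in this view, so confirm against the rendered state, for example with `state.show_sls`.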
@@ -23,6 +23,15 @@ postgresql-pkg-deps: - pkgs: {{ postgres.pkgs_deps | json }} # Add upstream repository for your distro + {% if grains.os_family == 'Debian' %} +postgresql-repo-keyring: + pkg.installed: + - sources: + - pgdg-keyring: {{ postgres.pkg_repo_keyring }} + - require_in: + - pkgrepo: postgresql-repo + {%- endif %} + postgresql-repo: pkgrepo.managed: {{- format_kwargs(postgres.pkg_repo) }} @@ -39,6 +48,12 @@ postgresql-repo: - keyid: {{ postgres.pkg_repo_keyid }} {%- endif %} + {% if grains.os_family == 'Debian' %} +postgresql-repo-keyring: + pkg.removed: + - name: pgdg-keyring + {%- endif -%} + {%- endif -%} {%- elif grains.os not in ('Windows', 'MacOS',) %} diff --git a/test/integration/repo/controls/repository.rb b/test/integration/repo/controls/repository.rb new file mode 100644 index 00000000..e1875b58 --- /dev/null +++ b/test/integration/repo/controls/repository.rb 
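Review bot: `- pgdg-keyring: {{ postgres.pkg_repo_keyring }}` in the first postgres/upstream.sls hunk is rendered unquoted and without checking that the value is set. The block is gated only on `grains.os_family == 'Debian'`, so a Debian-family minion whose merged map lacks `pkg_repo_keyring` (after a pillar override, say) would presumably render an empty source. Quote the value and guard on it, e.g. `{% if grains.os_family == 'Debian' and postgres.pkg_repo_keyring is defined %}`. The second hunk reuses the state ID `postgresql-repo-keyring` for its `pkg.removed` state, which is safe only if the two blocks sit in different Jinja branches; that is not fully visible here. remove.sls names the same state `postgresql-repo-keyring-removed`, and matching that would remove the ambiguity.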
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+case platform.family
+when 'redhat'
+ repo_file = '/etc/yum.repos.d/pgdg13.repo'
+ repo_url = 'https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-$releasever-$basearch'
+when 'debian'
+ # Inspec does not provide a `codename` matcher, so we add ours
+ finger_codename = {
+ 'ubuntu-18.04' => 'bionic',
+ 'ubuntu-20.04' => 'focal',
+ 'debian-9' => 'stretch',
+ 'debian-10' => 'buster',
+ 'debian-11' => 'bullseye'
+ }
+ codename = finger_codename[system.platform[:finger]]
+
+ repo_keyring = '/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg'
+ repo_file = '/etc/apt/sources.list.d/pgdg.list'
+ # rubocop:disable Metrics/LineLength
+ repo_url = "deb [signed-by=#{repo_keyring}] http://apt.postgresql.org/pub/repos/apt #{codename}-pgdg main"
+ # rubocop:enable Metrics/LineLength
+end
+
+control 'Postgresql repository keyring' do
+ title 'should be installed'
+
+ only_if('Requirement for Debian family') do
+ os.debian?
+ end
+
+ describe package('pgdg-keyring') do
+ it { should be_installed }
+ end
+
+ describe file(repo_keyring) do
+ it { should exist }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ end
+end
+
+control 'Postgresql repository' do
+ impact 1
+ title 'should be configured'
+ describe file(repo_file) do
+ its('content') { should include repo_url }
+ end
+end
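Review bot: The keyring control checks that the file exists with root ownership and mode `0644`, but nothing asserts the property `signed-by` is meant to provide, namely that the PGDG key is trusted only for this source. If the pgdg-keyring package also installs the key into apt's global trust store, the scoping has no effect and these tests would still pass. Consider adding a check that the key does not appear in `apt-key list` output or under `/etc/apt/trusted.gpg.d/`. Separately, `repo_file`, `repo_url` and `repo_keyring` are assigned only in the `redhat` and `debian` branches, and the final `'Postgresql repository'` control has no `only_if`, so on any other platform it would run against `nil`.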