From 3e11c5999255f22f36e1fd63e10e9e553ed3f538 Mon Sep 17 00:00:00 2001 From: Didier METRAL Date: Thu, 10 Apr 2025 18:23:04 +0200 Subject: [PATCH] fix(repositories): force aptkey if signed-by and allow aptkey --- apt/map.jinja | 4 ++++ apt/repositories.sls | 15 +++++++++++++++ pillar.example | 10 ++++++++++ .../controls/repositories_spec.rb | 19 +++++++++++++++++++ test/salt/pillar/repositories.sls | 8 ++++++++ 5 files changed, 56 insertions(+) diff --git a/apt/map.jinja b/apt/map.jinja index d77073e..2355584 100644 --- a/apt/map.jinja +++ b/apt/map.jinja @@ -13,6 +13,8 @@ 'preferences': {}, 'remove_preferences': false, 'clean_preferences_d': false, + 'keyrings_dir': '/etc/apt/keyrings', + 'clean_keyrings_d': false, 'remove_apt_conf': false, 'clean_apt_conf_d': false, 'apt_conf_d': {}, @@ -52,6 +54,8 @@ 'preferences': {}, 'remove_preferences': false, 'clean_preferences_d': false, + 'keyrings_dir': '/etc/apt/keyrings', + 'clean_keyrings_d': false, 'remove_apt_conf': false, 'clean_apt_conf_d': false, 'apt_conf_d': {}, diff --git a/apt/repositories.sls b/apt/repositories.sls index 032cc47..beb3266 100644 --- a/apt/repositories.sls +++ b/apt/repositories.sls @@ -4,6 +4,8 @@ {% set clean_sources_list_d = apt.get('clean_sources_list_d', apt_map.clean_sources_list_d) %} {% set sources_list_dir = apt.get('sources_list_dir', apt_map.sources_list_dir) %} {% set repositories = apt.get('repositories', apt_map.repositories) %} +{% set keyrings_dir = apt.get('keyrings_dir', apt_map.keyrings_dir) %} +{% set clean_keyrings_d = apt.get('clean_keyrings_d', apt_map.clean_keyrings_d) %} {% set default_url = apt.get('default_url', apt_map.default_url) %} {% set keyring_package = apt.get('keyring_package', apt_map.default_keyring_package) %} 
@@ -30,6 +32,13 @@ - group: root - clean: {{ clean_sources_list_d }} +{{ keyrings_dir }}: + file.directory: + - mode: '0755' + - user: root + - group: root + - clean: {{ clean_keyrings_d }} + {% for repo, args in repositories.items() %} {% set r_opts = '' %} @@ -69,6 +78,9 @@ the latter will be used. #} {% if args.key_url is defined %} - key_url: {{ args.key_url }} + {% if 'signed-by=' in r_opts|lower and args.aptkey is not defined %} + - aptkey: false + {% endif %} {% elif args.key_text is defined %} - key_text: {{ args.key_text }} {% elif args.keyid is defined %} @@ -78,6 +90,9 @@ - clean_file: true - refresh: False - refresh_db: False + {% if args.aptkey is defined %} + - aptkey: {{ args.aptkey }} + {% endif %} - onchanges_in: - module: apt.refresh_db diff --git a/pillar.example b/pillar.example index 6f313a0..9a217ef 100644 --- a/pillar.example +++ b/pillar.example @@ -14,6 +14,9 @@ apt: remove_preferences: true clean_preferences_d: true + keyrings_dir: '/etc/apt/keyrings' + clean_keyrings_d: true + apt_conf_d: 30release: 'APT::Default-Release': stable @@ -126,6 +129,13 @@ apt: opts: trusted: 'yes' another: whatever + saltstack: + distro: stable + url: https://packages.broadcom.com/artifactory/saltproject-deb + comps: [main] + type: [binary] + key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length + opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" preferences: 00-rspamd: diff --git a/test/integration/repositories/controls/repositories_spec.rb b/test/integration/repositories/controls/repositories_spec.rb index c08eef9..cac9731 100644 --- a/test/integration/repositories/controls/repositories_spec.rb +++ b/test/integration/repositories/controls/repositories_spec.rb 
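Review bot: `- clean: {{ clean_keyrings_d }}` on the new `{{ keyrings_dir }}` state will, as far as I can tell from `file.directory` semantics, delete the keyring files that `pkgrepo.managed` later writes for `signed-by=` repositories, because `clean` only spares files owned by `file` states in the same run and this state is declared before the repository loop. With `clean_keyrings_d: true` (which `pillar.example` now shows) every highstate would remove and re-download the keys from `key_url`, reporting changes each time and leaving the source unverifiable if the download fails. Either document next to the default that `clean_keyrings_d` is only safe when keys are placed by `file.managed` states (`{# clean only keeps file-state managed entries; keys written by pkgrepo are removed #}`), or keep it `false` in `pillar.example`. Consider also an explicit `- require: - file: {{ keyrings_dir }}` on the `pkgrepo.managed` states so the ordering does not rely on declaration order alone.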
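Review bot: The `signed-by=` detection that emits `- aptkey: false` is only added inside the `key_url` branch of the `@@ -69` hunk, so a repository declared with `keyid` or `key_text` plus a `signed-by=` option still gets Salt's default `aptkey: True`; its key is then imported into the legacy `apt-key` trust store rather than the keyring named in `signed-by=`, and apt will refuse to verify that source. Unless there is a reason to restrict it, the same rule belongs on the `keyid` and `key_text` branches, provided Salt's `pkgrepo` honours `aptkey: false` for those inputs (worth checking). The `@@ -78` hunk then emits `aptkey` from a second place; computing it once before the state, e.g. `{% set aptkey = args.get('aptkey', not ('signed-by=' in r_opts|lower)) %}` and a single `- aptkey: {{ aptkey }}`, is easier to follow, at the cost of rendering an explicit `true` where the option is currently omitted (which matches Salt's default). The enclosing `for` loop and the `pkgrepo.managed` state both start outside these hunks.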
@@ -64,4 +64,23 @@ describe file('/etc/apt/sources.list.d/raspbian-binary.list') do it { should_not exist } end + + describe file('/etc/apt/sources.list.d/saltstack.list') do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its(:content) do + should match( + %r{deb \[\s?signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp\s?\] https://packages.broadcom.com/artifactory/saltproject-deb stable main} + ) + end + end + + describe file('/etc/apt/keyrings/salt-archive-keyring.pgp') do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + end end diff --git a/test/salt/pillar/repositories.sls b/test/salt/pillar/repositories.sls index 97aeb3b..ade535e 100644 --- a/test/salt/pillar/repositories.sls +++ b/test/salt/pillar/repositories.sls @@ -27,3 +27,11 @@ apt: url: http://archive.raspbian.org/raspbian type: [source] key_url: https://archive.raspbian.org/raspbian.public.key + saltstack: + filename: saltstack.list + distro: stable + url: https://packages.broadcom.com/artifactory/saltproject-deb + comps: [main] + type: [binary] + key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length + opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp"
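Review bot: The `%r{...}` in the new `its(:content)` block leaves the dots in `salt-archive-keyring.pgp` and `packages.broadcom.com` unescaped, so the expectation also accepts a line where `.` is any character; for a literal source line it is simpler to interpolate escaped strings, e.g. `%r{deb \[\s?signed-by=#{Regexp.escape('/etc/apt/keyrings/salt-archive-keyring.pgp')}\s?\] #{Regexp.escape('https://packages.broadcom.com/artifactory/saltproject-deb')} stable main}`. The second `describe` verifies that the keyring exists with mode `0644` but not that it holds a key, so an empty or failed download would still pass; adding `its(:size) { should be > 0 }` (or a check on the key's header bytes) would catch that. The outer `describe` of the spec file closes after this hunk.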