Improvements for APT keys management (DataDog#698)

Slavek Kabrda · web-flow · commit bebc2abab5a0 · 2021-05-13T14:54:44.000+02:00
* By default, get keys from keys.datadoghq.com, not Ubuntu keyserver
* Always add the DATADOG_APT_KEY_CURRENT.public key (contains key used to sign current repodata)
* Add 'signed-by' option to all sources list lines
* On Debian &gt;= 9 and Ubuntu &gt;= 16, only add keys to /usr/share/keyrings/datadog-archive-keyring.gpg
* On older systems, also add the same keyring to /etc/apt/trusted.gpg.d
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -342,9 +342,11 @@
   Hash[String[1], Data] $agent_extra_options = {},
   Optional[String] $agent_repo_uri = undef,
   Optional[Boolean] $rpm_repo_gpgcheck = undef,
-  Optional[Boolean] $use_apt_backup_keyserver = $datadog_agent::params::use_apt_backup_keyserver,
-  String $apt_backup_keyserver = $datadog_agent::params::apt_backup_keyserver,
-  String $apt_keyserver = $datadog_agent::params::apt_keyserver,
+  # TODO: $use_apt_backup_keyserver, $apt_backup_keyserver and $apt_keyserver can be
+  # removed in the next major version; they're kept now for backwards compatibility
+  Optional[Boolean] $use_apt_backup_keyserver = undef,
+  Optional[String] $apt_backup_keyserver = undef,
+  Optional[String] $apt_keyserver = undef,
   String $apt_release = $datadog_agent::params::apt_default_release,
   String $win_msi_location = 'C:/Windows/temp', # Temporary directory where the msi file is downloaded, must exist
   Enum['present', 'absent'] $win_ensure = 'present', #TODO: Implement uninstall also for apt and rpm install methods
@@ -424,10 +426,11 @@
   if $manage_install {
     case $::operatingsystem {
       'Ubuntu','Debian' : {
-        if $use_apt_backup_keyserver {
-          $_apt_keyserver = $apt_backup_keyserver
-        } else {
-          $_apt_keyserver = $apt_keyserver
+        if $use_apt_backup_keyserver != undef or $apt_backup_keyserver != undef or $apt_keyserver != undef {
+          notify { 'apt keyserver arguments deprecation':
+            message  => '$use_apt_backup_keyserver, $apt_backup_keyserver and $apt_keyserver are deprecated since version 3.13.0',
+            loglevel => 'warning',
+          }
         }
         class { 'datadog_agent::ubuntu':
           agent_major_version   => $_agent_major_version,
@@ -436,7 +439,6 @@
           agent_repo_uri        => $agent_repo_uri,
           release               => $apt_release,
           skip_apt_key_trusting => $skip_apt_key_trusting,
-          apt_keyserver         => $_apt_keyserver,
         }
       }
       'RedHat','CentOS','Fedora','Amazon','Scientific','OracleLinux' : {
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -19,9 +19,6 @@
   $logs_enabled                   = false
   $logs_open_files_limit          = undef
   $container_collect_all          = false
-  $use_apt_backup_keyserver       = false
-  $apt_backup_keyserver           = 'hkp://pool.sks-keyservers.net:80'
-  $apt_keyserver                  = 'hkp://keyserver.ubuntu.com:80'
   $sysprobe_service_name          = 'datadog-agent-sysprobe'
   $module_metadata                = load_module_metadata($module_name)
 
diff --git a/manifests/ubuntu.pp b/manifests/ubuntu.pp
@@ -5,13 +5,18 @@
 
 class datadog_agent::ubuntu(
   Integer $agent_major_version = $datadog_agent::params::default_agent_major_version,
-  Array[String] $apt_keys = ['A2923DFF56EDA6E76E55E492D3A80E30382E94DE', 'D75CEA17048B9ACBF186794B32637D44F14F620E'],
   String $agent_version = $datadog_agent::params::agent_version,
   Optional[String] $agent_repo_uri = undef,
   String $release = $datadog_agent::params::apt_default_release,
   Boolean $skip_apt_key_trusting = false,
-  String $apt_keyserver = $datadog_agent::params::apt_keyserver,
   String $agent_flavor = $datadog_agent::params::package_name,
+  Optional[String] $apt_trusted_d_keyring = '/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg',
+  Optional[String] $apt_usr_share_keyring = '/usr/share/keyrings/datadog-archive-keyring.gpg',
+  Optional[Hash[String, String]] $apt_default_keys = {
+    'DATADOG_APT_KEY_CURRENT.public'           => 'https://keys.datadoghq.com/DATADOG_APT_KEY_CURRENT.public',
+    'D75CEA17048B9ACBF186794B32637D44F14F620E' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_F14F620E.public',
+    'A2923DFF56EDA6E76E55E492D3A80E30382E94DE' => 'https://keys.datadoghq.com/DATADOG_APT_KEY_382E94DE.public',
+  },
 ) inherits datadog_agent::params {
 
   if $agent_version =~ /^[0-9]+\.[0-9]+\.[0-9]+((?:~|-)[^0-9\s-]+[^-\s]*)?$/ {
@@ -29,18 +34,40 @@
   }
 
   if !$skip_apt_key_trusting {
-    $apt_keys.each |String $apt_key| {
-      apt::key { $apt_key:
-        id     => $apt_key,
-        server => $apt_keyserver,
+    file { $apt_usr_share_keyring:
+      ensure => file,
+      mode   => '0644',
+    }
+
+    $apt_default_keys.each |String $key_fingerprint, String $key_url| {
+      $key_path = "/tmp/${key_fingerprint}"
+
+      file { $key_path:
+        owner  => root,
+        group  => root,
+        mode   => '0600',
+        source => $key_url,
+      }
+
+      exec { "ensure key ${key_fingerprint} is imported in APT keyring":
+        command => "/bin/cat /tmp/${key_fingerprint} | gpg --import --batch --no-default-keyring --keyring ${apt_usr_share_keyring}",
+        unless  => "/bin/cat /tmp/${key_fingerprint} | gpg --dry-run --import --batch --no-default-keyring --keyring ${apt_usr_share_keyring} 2>&1 | grep 'unchanged: 1'",
+      }
+    }
+
+    if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16') == -1) or
+        ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') == -1) {
+      file { $apt_trusted_d_keyring:
+        mode   => '0644',
+        source => "file://${apt_usr_share_keyring}",
       }
     }
   }
 
   if ($agent_repo_uri != undef) {
     $location = $agent_repo_uri
   } else {
-    $location = 'https://apt.datadoghq.com/'
+    $location = "[signed-by=${apt_usr_share_keyring}] https://apt.datadoghq.com/"
   }
 
   apt::source { 'datadog-beta':
diff --git a/spec/classes/datadog_agent_spec.rb b/spec/classes/datadog_agent_spec.rb
@@ -34,7 +34,7 @@
 
       it do
         is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-          .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+main})
+          .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+main})
       end
     end
 
@@ -53,7 +53,7 @@
 
       it do
         is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-          .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+          .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
       end
     end
 
@@ -72,7 +72,7 @@
 
       it do
         is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-          .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+7})
+          .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+7})
       end
     end
 
@@ -91,7 +91,7 @@
 
       it do
         is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-          .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+          .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
       end
     end
 
@@ -110,7 +110,7 @@
 
       it do
         is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-          .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+          .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
       end
     end
 
@@ -129,7 +129,7 @@
 
       it do
         is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-          .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+          .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
       end
     end
 
@@ -1606,25 +1606,7 @@
             end
           end
 
-          if DEBIAN_OS.include?(operatingsystem)
-            it do
-              is_expected.to contain_class('datadog_agent::ubuntu')\
-                .with_apt_keyserver('hkp://keyserver.ubuntu.com:80')
-            end
-            context 'use backup keyserver' do
-              let(:params) do
-                {
-                  use_apt_backup_keyserver: true,
-                  agent_major_version: 5,
-                }
-              end
-
-              it do
-                is_expected.to contain_class('datadog_agent::ubuntu')\
-                  .with_apt_keyserver('hkp://pool.sks-keyservers.net:80')
-              end
-            end
-          elsif REDHAT_OS.include?(operatingsystem)
+          if REDHAT_OS.include?(operatingsystem)
             it { is_expected.to contain_class('datadog_agent::redhat') }
           end
         end
diff --git a/spec/classes/datadog_agent_ubuntu_spec.rb b/spec/classes/datadog_agent_ubuntu_spec.rb
@@ -1,5 +1,25 @@
 require 'spec_helper'
 
+shared_examples 'old debianoid' do
+  it do
+    is_expected.to contain_file('/usr/share/keyrings/datadog-archive-keyring.gpg')
+    is_expected.to contain_file('/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg')
+    is_expected.to contain_exec('ensure key DATADOG_APT_KEY_CURRENT.public is imported in APT keyring')
+    is_expected.to contain_exec('ensure key D75CEA17048B9ACBF186794B32637D44F14F620E is imported in APT keyring')
+    is_expected.to contain_exec('ensure key A2923DFF56EDA6E76E55E492D3A80E30382E94DE is imported in APT keyring')
+  end
+end
+
+shared_examples 'new debianoid' do
+  it do
+    is_expected.to contain_file('/usr/share/keyrings/datadog-archive-keyring.gpg')
+    is_expected.not_to contain_file('/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg')
+    is_expected.to contain_exec('ensure key DATADOG_APT_KEY_CURRENT.public is imported in APT keyring')
+    is_expected.to contain_exec('ensure key D75CEA17048B9ACBF186794B32637D44F14F620E is imported in APT keyring')
+    is_expected.to contain_exec('ensure key A2923DFF56EDA6E76E55E492D3A80E30382E94DE is imported in APT keyring')
+  end
+end
+
 describe 'datadog_agent::ubuntu' do
   context 'agent 5' do
     if RSpec::Support::OS.windows?
@@ -23,30 +43,11 @@
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')
         .with_ensure('absent')
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-        .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+main})
+        .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+main})
     end
 
     # it should install the mirror
     it { is_expected.not_to contain_apt__key('935F5A436A5A6E8788F0765B226AE980C7A7DA52') }
-    it do
-      is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE')
-      is_expected.to contain_apt__key('D75CEA17048B9ACBF186794B32637D44F14F620E')
-    end
-
-    context 'overriding keyserver' do
-      let(:params) do
-        {
-          apt_keyserver: 'hkp://pool.sks-keyservers.net:80',
-        }
-      end
-
-      it do
-        is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE')\
-          .with_server('hkp://pool.sks-keyservers.net:80')
-        is_expected.to contain_apt__key('D75CEA17048B9ACBF186794B32637D44F14F620E')\
-          .with_server('hkp://pool.sks-keyservers.net:80')
-      end
-    end
 
     it do
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
@@ -87,15 +88,11 @@
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')
         .with_ensure('absent')
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-        .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+6})
+        .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+6})
     end
 
     # it should install the mirror
     it { is_expected.not_to contain_apt__key('935F5A436A5A6E8788F0765B226AE980C7A7DA52') }
-    it do
-      is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE')
-      is_expected.to contain_apt__key('D75CEA17048B9ACBF186794B32637D44F14F620E')
-    end
 
     it do
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')\
@@ -136,13 +133,9 @@
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')
         .with_ensure('absent')
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog.list')\
-        .with_content(%r{deb\s+https://apt.datadoghq.com/\s+stable\s+7})
+        .with_content(%r{deb\s+\[signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg\]\s+https://apt.datadoghq.com/\s+stable\s+7})
     end
 
-    # it should install the mirror
-    it { is_expected.not_to contain_apt__key('935F5A436A5A6E8788F0765B226AE980C7A7DA52') }
-    it { is_expected.to contain_apt__key('A2923DFF56EDA6E76E55E492D3A80E30382E94DE') }
-
     it do
       is_expected.to contain_file('/etc/apt/sources.list.d/datadog6.list')\
         .that_notifies('exec[apt_update]')
@@ -161,4 +154,76 @@
         .that_requires('exec[apt_update]')
     end
   end
+
+  context 'ubuntu < 16' do
+    let(:params) do
+      {
+        agent_major_version: 7,
+      }
+    end
+
+    let(:facts) do
+      {
+        osfamily: 'debian',
+        operatingsystem: 'Ubuntu',
+        operatingsystemrelease: '14.04',
+      }
+    end
+
+    include_examples 'old debianoid'
+  end
+
+  context 'ubuntu >= 16' do
+    let(:params) do
+      {
+        agent_major_version: 7,
+      }
+    end
+
+    let(:facts) do
+      {
+        osfamily: 'debian',
+        operatingsystem: 'Ubuntu',
+        operatingsystemrelease: '16.04',
+      }
+    end
+
+    include_examples 'new debianoid'
+  end
+
+  context 'debian < 9' do
+    let(:params) do
+      {
+        agent_major_version: 7,
+      }
+    end
+
+    let(:facts) do
+      {
+        osfamily: 'debian',
+        operatingsystem: 'Debian',
+        operatingsystemrelease: '8.0',
+      }
+    end
+
+    include_examples 'old debianoid'
+  end
+
+  context 'debian >= 9' do
+    let(:params) do
+      {
+        agent_major_version: 7,
+      }
+    end
+
+    let(:facts) do
+      {
+        osfamily: 'debian',
+        operatingsystem: 'Debian',
+        operatingsystemrelease: '9.0',
+      }
+    end
+
+    include_examples 'new debianoid'
+  end
 end
