Handle signed-by option in __apt_source

Allow users to specify a GPG key fingerprint or keyring file to be
included as the 'signed-by' option.

cdist/conf/type/__apt_ppa/files/remove-apt-repository

@@ -1,55 +0,0 @@
-#!/usr/bin/env python
-#
-# Remove the given apt repository.
-#
-# Exit with:
-#   0: if it worked
-#   1: if not
-#   2: on other error
-
-import os
-import sys
-from aptsources import distro, sourceslist
-from softwareproperties import ppa
-from softwareproperties.SoftwareProperties import SoftwareProperties
-
-
-def remove_if_empty(file_name):
-    with open(file_name, 'r') as f:
-        if f.read().strip():
-            return
-        os.unlink(file_name)
-
-def remove_repository(repository):
-    #print 'repository:', repository
-    codename = distro.get_distro().codename
-    #print 'codename:', codename
-    (line, file) = ppa.expand_ppa_line(repository.strip(), codename)
-    #print 'line:', line
-    #print 'file:', file
-    deb_source_entry = sourceslist.SourceEntry(line, file)
-    src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
-
-    try:
-        sp = SoftwareProperties()
-        sp.remove_source(deb_source_entry)
-        try:
-            # If there's a deb-src entry, remove that too
-            sp.remove_source(src_source_entry)
-        except:
-            pass
-        remove_if_empty(file)
-        return True
-    except ValueError:
-        print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
-        return False
-
-if __name__ == '__main__':
-    if (len(sys.argv) != 2):
-        print >> sys.stderr, 'Error: need a repository as argument'
-        sys.exit(2)
-    repository = sys.argv[1]
-    if remove_repository(repository):
-        sys.exit(0)
-    else:
-        sys.exit(1)

cdist/conf/type/__apt_ppa/gencode-remote

@@ -29,9 +29,9 @@ fi
 
 case "$state_should" in
    present)
-      echo "add-apt-repository '$name'"
+      echo "add-apt-repository -y '$name'"
    ;;
    absent)
-      echo "remove-apt-repository '$name'"
+      echo "add-apt-repository -r -y '$name'"
    ;;
 esac

cdist/conf/type/__apt_ppa/manifest

@@ -20,9 +20,4 @@
 
 __package software-properties-common
 
-require="__package/software-properties-common" \
-   __file /usr/local/bin/remove-apt-repository \
-   --source "$__type/files/remove-apt-repository" \
-   --mode 0755
-
 require="$__object_name" __apt_update_index

cdist/conf/type/__apt_source/files/source.list.template

@@ -2,13 +2,14 @@
 set -u
 
 entry="$uri $distribution $component"
+
 cat << DONE
 # Created by cdist ${__type##*/}
 # Do not change. Changes will be overwritten.
 #
 
 # $name
-deb ${forcedarch} $entry
+deb ${options} $entry
 DONE
 if [ -f "$__object/parameter/include-src" ]; then
    echo "deb-src $entry"

cdist/conf/type/__apt_source/man.rst

@@ -23,6 +23,9 @@ OPTIONAL PARAMETERS
 arch
    set this if you need to force and specific arch (ubuntu specific)
 
+signed-by
+   provide a GPG key fingerprint or keyring path for signature checks
+
 state
    'present' or 'absent', defaults to 'present'
 
@@ -56,6 +59,11 @@ EXAMPLES
        --uri http://archive.canonical.com/ \
        --component partner --state present
 
+    __apt_source goaccess \
+       --uri http://deb.goaccess.io/ \
+       --component main \
+       --signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
+   
 
 AUTHORS
 -------

cdist/conf/type/__apt_source/manifest

@@ -31,9 +31,15 @@ fi
 component="$(cat "$__object/parameter/component")"
 
 if [ -f "$__object/parameter/arch" ]; then
-   forcedarch="[arch=$(cat "$__object/parameter/arch")]"
-else
-   forcedarch=""
+   options="arch=$(cat "$__object/parameter/arch")"
+fi
+
+if [ -f "$__object/parameter/signed-by" ]; then
+   options="$options signed-by=$(cat "$__object/parameter/signed-by")"
+fi
+
+if [ "$options" != "" ]; then
+    options="[$options]"
 fi
 
 # export variables for use in template
@@ -41,7 +47,7 @@ export name
 export uri
 export distribution
 export component
-export forcedarch
+export options
 
 # generate file from template
 mkdir "$__object/files"

cdist/conf/type/__apt_source/parameter/optional

@@ -1,4 +1,5 @@
 state
 distribution
 component
-arch
+arch
+signed-by

cdist/conf/type/__dot_file/man.rst

@@ -37,6 +37,12 @@ state
 source
     forwarded to :strong:`__file` type
 
+file
+    forwarded to :strong:`__file` type
+    This can be used if multiple users need to have a dotfile updated,
+    which will result in duplicate object id errors. When using the
+    file parameter the object id can be some unique value.
+
 MESSAGES
 --------
 
@@ -61,6 +67,15 @@ EXAMPLES
     # Install default xmonad config for user 'eve'. Parent directory is created automatically.
     __dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
 
+    # install .vimrc for root and some users
+    for user in root userx usery userz; do
+        __dot_file "${user}_dot_vimrc" \
+            --user $user \
+            --file .vimrc \
+            --state exists \
+            --source "$__files/$user/.vimrc"
+    done
+
 SEE ALSO
 --------
 

cdist/conf/type/__dot_file/manifest

@@ -20,13 +20,19 @@ user="$(cat "${__object}/parameter/user")"
 home="$(cat "${__object}/explorer/home")"
 primary_group="$(cat "${__object}/explorer/primary_group")"
 dirmode="$(cat "${__object}/parameter/dirmode")"
+if [ -f "${__object}/parameter/file" ]; then
+    file="$(cat "${__object}/parameter/file")"
+else
+    file="${__object_id}"
+fi
+
 
 # Create parent directory. Type __directory has flag 'parents', but it
 # will leave us with root-owned directory in user home, which is not
 # acceptable. So we create parent directories one-by-one. XXX: maybe
 # it should be fixed in '__directory'?
 set --
-subpath=${__object_id}
+subpath=${file}
 while subpath="$(dirname "${subpath}")" ; do
 	[ "${subpath}" = . ] && break
 	set -- "${subpath}" "$@"
@@ -64,4 +70,4 @@ if [ "${source}" = "-" ] ; then
 fi
 unset source
 
-__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"
+__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"

cdist/conf/type/__file/gencode-local

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@@ -72,6 +72,7 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
          if [ "$type" != "file" ]; then
             # destination is not a regular file, upload source to replace it
             upload_file=1
+            echo upload >> "$__messages_out"
          else
             local_cksum="$(cksum < "$source")"
             remote_cksum="$(cat "$__object/explorer/cksum")"
@@ -88,27 +89,39 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
       mkdir "$__object/files"
       touch "$__object/files/set-attributes"
 
-      # upload file to temp location
-      tempfile_template="${destination}.cdist.XXXXXXXXXX"
-      cat << DONE
-destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
-DONE
-      if [ "$upload_file" ]; then
-         echo upload >> "$__messages_out"
-         # IPv6 fix
-         if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
-         then
-             my_target_host="[${__target_host}]"
-         else
-             my_target_host="${__target_host}"
-         fi
-         cat << DONE
-$__remote_copy "$source" "${my_target_host}:\$destination_upload"
-DONE
+      if [ "$create_file" ]; then
+         # When creating an empty file we create it locally and then
+         # upload it so that permissions can be set before moving the file
+         # into place.
+         source="$__object/files/empty"
+         touch "$source"
       fi
-# move uploaded file into place
-cat << DONE
-$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
+
+      # upload file to temp location
+      upload_destination="${destination}.cdist.${__cdist_object_marker}.$$"
+      # Yes, we are aware that this is a race condition.
+      # However:
+      # a) cdist usually writes to directories that are not user writable
+      #    (probably > 99.9%)
+      # b) if they are user owned, the user / attacker always wins
+      #    (probably < 0.1%)
+      # c) the only case which we could improve are tmp directories and we
+      #    don't think managing tmp directories with cdist is a typical case
+      #    ("the rest %)"
+
+      # Tell gencode-remote to where we uploaded the file so it can move
+      # it to its final destination.
+      echo "$upload_destination" > "$__object/files/upload-destination"
+
+      # IPv6 fix
+      if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
+      then
+          my_target_host="[${__target_host}]"
+      else
+          my_target_host="${__target_host}"
+      fi
+      cat << DONE
+$__remote_copy "$source" "${my_target_host}:${upload_destination}"
 DONE
    fi
 fi

cdist/conf/type/__file/gencode-remote

@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
-# 2013 Steven Armstrong (steven-cdist armstrong.cc)
+# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
 #
 # This file is part of cdist.
 #
@@ -62,6 +62,13 @@ set_mode() {
 
 case "$state_should" in
     present|exists)
+        if [ -f "$__object/files/upload-destination" ]; then
+            final_destination="$destination"
+            # We change the 'global' $destination variable here so we can
+            # change attributes of the new/uploaded file before moving it
+            # to it's final destination.
+            destination="$(cat "$__object/files/upload-destination")"
+        fi
         # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
         #  clearing S_ISUID and S_ISGID bits (see chown(2))
         for attribute in group owner mode; do
@@ -81,6 +88,11 @@ case "$state_should" in
                 fi
             fi
         done
+        if [ -f "$__object/files/upload-destination" ]; then
+            # move uploaded file into place
+            printf 'rm -rf "%s"\n' "$final_destination"
+            printf 'mv "%s" "%s"\n' "$destination" "$final_destination"
+        fi
         if [ -f "$__object/files/set-attributes" ]; then
             # set-attributes is created if file is created or uploaded in gencode-local
             fire_onchange=1

docs/changelog

@@ -14,6 +14,9 @@ next:
 	* Types __letsencrypt_cert, __grafana_dashboard: Improve bullseye support (Evilham)
 	* Type __ssh_authorized_key: Also remove tmpfile if removing line (Mark Verboom)
 	* Type __apt_pin: Add default priority, add comment in generated files (Daniel Fancsali)
+	* Type __file: make file uploading and attribute changes more atomic	(Steven Armstrong)
+	* Type __dot_file: Add support for using --file parameter (Stephan Leemburg)
+	* Type __apt_ppa: Replace custom "remove-apt-repository" with add-apt-repository -r (Romain Dartigues)
 
 6.9.8: 2021-08-24
 	* Type __rsync: Rewrite (Ander Punnar)