Add ability to secure all available repos
Add a parameter that allows securing all available repos, or specifying
directly which ones should be secured. Repo parameters also take
precedence over the common_repo_secured settings.
Change-Id: Ic8d72bcd4457dfce94088ff6bd0a1d4dc23d318e
Related-Prod: PROD-23434
diff --git a/README.rst b/README.rst
index 6ee52c4..c653097 100644
--- a/README.rst
+++ b/README.rst
@@ -1231,6 +1231,49 @@
secure: true
url: example2.org/ubuntu
+Also it is possible to specify list of repos, which should be secured
+within ``common_repo_secured`` block and without changing current
+existing repo source parameter:
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ ...
+ common_repo_secured:
+ user: foo
+ password: bar
+ secured_repos: [ 'test1', 'test2' ]
+ repo:
+ test1:
+ ...
+ test2:
+ ...
+ test3:
+ ...
+
+Repos ``test1, test2`` will be secured. In case if you want secure all
+available repos use ``secured_repos: [ 'all' ]``. But repo parameters have
+precedence over parameters from ``common_repo_secured``. In next case:
+
+ linux:
+ system:
+ ...
+ common_repo_secured:
+ user: foo
+ password: bar
+ secured_repos: [ 'all' ]
+ repo:
+ test1:
+ ...
+ test2:
+ ...
+ test3:
+ secure: False
+ ...
+
+Repo ``test3`` will not be secured.
+
Remove all repositories:
.. code-block:: yaml
diff --git a/linux/system/repo.sls b/linux/system/repo.sls
index 4d59761..bf4ca5e 100644
--- a/linux/system/repo.sls
+++ b/linux/system/repo.sls
@@ -48,13 +48,32 @@
{%- for name, repo in system.repo.items() %}
{%- if grains.os_family == 'Debian' %}
- {%- if repo.get('secure', False) %}
- {%- set repo_source = repo.get('arch', system.get('common_repo_secured', {}).get('arch', 'deb')) + ' ' +
- repo.get('protocol', system.get('common_repo_secured', {}).get('protocol', 'http')) + '://' +
- repo.get('user', system.get('common_repo_secured', {}).get('user')) + ':' +
- repo.get('password', system.get('common_repo_secured', {}).get('password')) + '@' +
- repo.url + ' ' + repo.get('distribution', system.get('common_repo_secured', {}).get('distribution')) + ' ' +
- repo.get('component', system.get('common_repo_secured', {}).get('component')) %}
+ {%- set securedReposConf = system.get('common_repo_secured', {}).get('secured_repos', []) %}
+ {%- if repo.secure is defined %}
+ {%- set secureRepoEnabled = repo.secure %}
+ {%- else %}
+ {%- if ('all' in securedReposConf) or (name in securedReposConf) %}
+ {%- set secureRepoEnabled = True %}
+ {%- else %}
+ {%- set secureRepoEnabled = False %}
+ {%- endif %}
+ {%- endif %}
+ {%- if secureRepoEnabled %}
+ {%- if repo.url is defined %}
+ {%- set repo_source = repo.get('arch', system.get('common_repo_secured', {}).get('arch', 'deb')) + ' ' +
+ repo.get('protocol', system.get('common_repo_secured', {}).get('protocol', 'http')) + '://' +
+ repo.get('user', system.get('common_repo_secured', {}).get('user')) + ':' +
+ repo.get('password', system.get('common_repo_secured', {}).get('password')) + '@' +
+ repo.url + ' ' + repo.get('distribution', system.get('common_repo_secured', {}).get('distribution')) + ' ' +
+ repo.get('component', system.get('common_repo_secured', {}).get('component')) %}
+ {%- else %}
+ {# if params for secure repo are not specified try to insert user:password inline #}
+ {%- set urlItems = repo.source.split('://') %}
+ {%- set repo_source = urlItems[0] +
+ '://' + repo.get('user', system.get('common_repo_secured', {}).get('user')) +
+ ':' + repo.get('password', system.get('common_repo_secured', {}).get('password')) +
+ '@' + urlItems[1] %}
+ {%- endif %}
{%- else %}
{%- set repo_source = repo.source %}
{%- endif %}
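Review bot: In the new `{%- else %}` branch (no `repo.url`), the shared `common_repo_secured` user and password are spliced into whatever `repo.source` holds, so with `secured_repos: [ 'all' ]` they are written into every repo that does not set `secure: False`, including plain-http sources and hosts other than the credentialed mirror. I would inject only when the scheme is https and otherwise keep the source untouched, by wrapping the concatenation in `{%- if urlItems|length == 2 and urlItems[0].endswith('https') %}` with `{%- set repo_source = repo.source %}` as the fallback. The same guard covers a `repo.source` without `://`, where `urlItems[1]` would fail. A user or password that resolves to None would presumably still abort rendering at the `+`, so that case needs its own check. The surrounding `for` loop starts and ends outside the hunk.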
@@ -126,7 +145,9 @@
{%- endif %}
{%- if repo.get('default', False) %}
- {%- do default_repos.update({name: repo}) %}
+ {%- set repoUpdateSource = repo %}
+ {%- do repoUpdateSource.update({'source': repo_source}) %}
+ {%- do default_repos.update({name: repoUpdateSource}) %}
{%- else %}
{%- if repo.get('enabled', True) %}
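Review bot: `{%- set repoUpdateSource = repo %}` binds a second name to the same dict instead of copying it, so the `update` on the next line writes the credential-bearing `repo_source` back into `repo` itself, and apparently into `system.repo` as well. If only `default_repos` is meant to carry the rewritten source, build a new mapping with `{%- set repoUpdateSource = dict(repo, source=repo_source) %}` and drop the `do ... update` line. Whatever is rendered from `default_repos` will now contain the password in clear text, so that file should not be world-readable; the template that consumes it is outside this hunk. The enclosing `if`/`for` blocks continue outside the hunk.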