Add support for checking if an apt::keyring is up-to-date with checksums

REFERENCE.md

@@ -17,7 +17,7 @@
 
 ### Defined types
 
-* [`apt::auth`](#apt--auth)
+* [`apt::auth`](#apt--auth): Manages the Apt auth conf in /etc/apt/auth.conf.d/.
 * [`apt::conf`](#apt--conf): Specifies a custom Apt configuration file.
 * [`apt::key`](#apt--key): Manages the GPG keys that Apt uses to authenticate packages.
 * [`apt::keyring`](#apt--keyring): Manage GPG keyrings for apt repositories
@@ -31,9 +31,7 @@
 
 #### Private Resource types
 
-* `apt_key`: This type provides Puppet with the capabilities to manage GPG keys needed
-by apt to perform package validation. Apt has it's own GPG keyring that can
-be manipulated through the `apt-key` command.
+* `apt_key`: Manages GPG keys needed by apt to perform package validation.
 
 ### Data types
 
@@ -577,7 +575,19 @@ Default value: `{}`
 
 ### <a name="apt--auth"></a>`apt::auth`
 
-The apt::auth class.
+Manages the Apt auth conf in /etc/apt/auth.conf.d/.
+
+#### Examples
+
+##### Install the puppetlabs apt auth
+
+```puppet
+apt::auth { 'puppetlabs':
+  machine  => 'apt.puppetlabs.com',
+  login    => 'apt',
+  password => 'password',
+}
+```
 
 #### Parameters
 
@@ -592,31 +602,31 @@ The following parameters are available in the `apt::auth` defined type:
 
 Data type: `String`
 
-
+Specifies whether the Apt auth file should exist. Valid options: 'present' and 'absent'.
 
 Default value: `'present'`
 
 ##### <a name="-apt--auth--machine"></a>`machine`
 
 Data type: `String`
 
-
+The machine entry specifies the auth URI.
 
 Default value: `$name`
 
 ##### <a name="-apt--auth--login"></a>`login`
 
 Data type: `String`
 
-
+The username to be used.
 
 Default value: `undef`
 
 ##### <a name="-apt--auth--password"></a>`password`
 
 Data type: `String`
 
-
+The password to be used.
 
 Default value: `undef`
 
@@ -784,6 +794,21 @@ apt::source { 'puppet8-release':
 }
 ```
 
+##### Deploy the apt source and associated keyring file with checksum
+
+```puppet
+apt::source { 'puppet8-release':
+  location => 'http://apt.puppetlabs.com',
+  repos    => 'puppet8',
+  key      => {
+    name           => 'puppetlabs-keyring.gpg',
+    source         => 'https://apt.puppetlabs.com/keyring.gpg'
+    checksum       => 'sha256',
+    checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+  }
+}
+```
+
 #### Parameters
 
 The following parameters are available in the `apt::keyring` defined type:
@@ -794,6 +819,8 @@ The following parameters are available in the `apt::keyring` defined type:
 * [`source`](#-apt--keyring--source)
 * [`content`](#-apt--keyring--content)
 * [`ensure`](#-apt--keyring--ensure)
+* [`checksum`](#-apt--keyring--checksum)
+* [`checksum_value`](#-apt--keyring--checksum_value)
 
 ##### <a name="-apt--keyring--dir"></a>`dir`
 
@@ -843,6 +870,29 @@ Ensure presence or absence of the resource.
 
 Default value: `'present'`
 
+##### <a name="-apt--keyring--checksum"></a>`checksum`
+
+Data type: `Optional[Enum['md5','sha256','sha224','sha384','sha512']]`
+
+Checksum type of the keyfile.
+Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
+this parameter (due to checksum_value parameter).
+Optional, but is useful if the keyfile is from a remote HTTP source that
+does not provide the necessary headers for the file resource to determine if
+content has changed.
+
+Default value: `undef`
+
+##### <a name="-apt--keyring--checksum_value"></a>`checksum_value`
+
+Data type: `Optional[String]`
+
+The value of the checksum, must be a String.
+Only md5, sha256, sha224, sha384 and sha512 are supported when specifying
+this parameter.
+
+Default value: `undef`
+
 ### <a name="apt--mark"></a>`apt::mark`
 
 Manages apt-mark settings
@@ -1149,14 +1199,31 @@ apt::source { 'puppetlabs':
 extension. Absence of extension will result in file formation with just name and no extension.
 apt::source { 'puppetlabs':
   location => 'http://apt.puppetlabs.com',
-  comment  => 'Puppet8',
+  repos    => 'puppet8'
+  comment  => 'Puppet 8 release',
   key      => {
-    'name'   => 'puppetlabs.gpg',
+    'name'   => 'puppetlabs-keyring.gpg',
     'source' => 'https://apt.puppetlabs.com/keyring.gpg',
   },
 }
 ```
 
+##### Deploy the apt source and associated keyring file with checksum
+
+```puppet
+apt::source { 'puppetlabs':
+  location => 'http://apt.puppetlabs.com',
+  repos    => 'puppet8',
+  comment  => 'Puppet 8 release',
+  key      => {
+    name           => 'puppetlabs-keyring.gpg',
+    source         => 'https://apt.puppetlabs.com/keyring.gpg'
+    checksum       => 'sha256',
+    checksum_value => '9d7a61ab06b18454e9373edec4fc7c87f9a91bacfc891893ba0da37a33069771',
+  }
+}
+```
+
 ##### Install the puppetlabs apt source (deb822 format)
 
 ```puppet
@@ -1275,7 +1342,7 @@ Default value: `{}`
 Data type: `Optional[Variant[String[1], Hash]]`
 
 Creates an `apt::keyring` in `/etc/apt/keyrings` (or anywhere on disk given `filename`) Valid options:
-  * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`
+  * a hash of `parameter => value` pairs to be passed to `file`: `name` (title), `content`, `source`, `filename`, `checksum`, `checksum_value`.
 
 The following inputs are valid for the (deprecated) `apt::key` defined type. Valid options:
   * a string to be passed to the `id` parameter of the `apt::key` defined type

lib/puppet/type/apt_key.rb

@@ -5,9 +5,10 @@
 
 Puppet::Type.newtype(:apt_key) do
   @doc = <<-MANIFEST
-    @summary This type provides Puppet with the capabilities to manage GPG keys needed
-      by apt to perform package validation. Apt has it's own GPG keyring that can
-      be manipulated through the `apt-key` command.
+    @summary Manages GPG keys needed by apt to perform package validation.
+
+    Apt has its own GPG keyring that can be manipulated through the
+    `apt-key` command.
 
     @example Basic usage
       apt_key { '6F6B15509CF8E59E6E469F327F438280EF8D349F':

manifests/auth.pp

@@ -19,7 +19,6 @@
 # @param password
 #   The password to be used.
 #
-
 define apt::auth (
   String $ensure   = 'present',
   String $machine  = $name,

manifests/backports.pp

@@ -41,13 +41,13 @@
 #   Specifies whether to include 'deb' or 'src', or both.
 #
 class apt::backports (
-  Optional[Stdlib::HTTPUrl] $location = undef,
-  Optional[String[1]] $release = undef,
-  Optional[String[1]] $repos = undef,
+  Optional[Stdlib::HTTPUrl] $location     = undef,
+  Optional[String[1]] $release            = undef,
+  Optional[String[1]] $repos              = undef,
   Optional[Variant[String[1], Hash]] $key = undef,
-  Stdlib::AbsolutePath $keyring = "/usr/share/keyrings/${facts['os']['name'].downcase}-archive-keyring.gpg",
-  Variant[Integer, String[1], Hash] $pin = 200,
-  Hash $include = {},
+  Stdlib::AbsolutePath $keyring           = "/usr/share/keyrings/${facts['os']['name'].downcase}-archive-keyring.gpg",
+  Variant[Integer, String[1], Hash] $pin  = 200,
+  Hash $include                           = {},
 ) {
   include apt
 

manifests/conf.pp

@@ -14,10 +14,10 @@
 #   Specifies whether to trigger an `apt-get update` run.
 #
 define apt::conf (
-  Optional[String[1]] $content = undef,
-  Enum['present', 'absent'] $ensure = present,
+  Optional[String[1]] $content             = undef,
+  Enum['present', 'absent'] $ensure        = present,
   Variant[String[1], Integer[0]] $priority = 50,
-  Optional[Boolean] $notify_update = undef,
+  Optional[Boolean] $notify_update         = undef,
 ) {
   unless $ensure == 'absent' {
     unless $content {

manifests/init.pp

@@ -155,61 +155,61 @@
 #   The fault `source_key` settings
 #
 class apt (
-  Hash $update_defaults = {
+  Hash $update_defaults                          = {
     'frequency' => 'reluctantly',
     'loglevel'  => undef,
     'timeout'   => undef,
     'tries'     => undef,
   },
-  Hash $purge_defaults = {
+  Hash $purge_defaults                           = {
     'sources.list'   => false,
     'sources.list.d' => false,
     'preferences'    => false,
     'preferences.d'  => false,
     'apt.conf.d'     => false,
     'auth.conf.d'    => false,
   },
-  Hash $proxy_defaults = {
+  Hash $proxy_defaults                           = {
     'ensure'     => undef,
     'host'       => undef,
     'port'       => 8080,
     'https'      => false,
     'https_acng' => false,
     'direct'     => false,
   },
-  Hash $include_defaults = {
+  Hash $include_defaults                         = {
     'deb' => true,
     'src' => false,
   },
-  Stdlib::Absolutepath $provider = '/usr/bin/apt-get',
-  Stdlib::Host $keyserver = 'keyserver.ubuntu.com',
-  Optional[String[1]] $key_options = undef,
-  Optional[Array[String[1]]] $ppa_options = undef,
-  Optional[String[1]] $ppa_package = undef,
-  Optional[Hash] $backports = undef,
-  Hash $confs = {},
-  Hash $update = {},
-  Hash $purge = {},
-  Apt::Proxy $proxy = {},
-  Hash $sources = {},
-  Hash $auths = {},
-  Hash $keys = {},
-  Hash $keyrings = {},
-  Hash $ppas = {},
-  Hash $pins = {},
-  Hash $settings = {},
-  Boolean $manage_auth_conf = true,
+  Stdlib::Absolutepath $provider                 = '/usr/bin/apt-get',
+  Stdlib::Host $keyserver                        = 'keyserver.ubuntu.com',
+  Optional[String[1]] $key_options               = undef,
+  Optional[Array[String[1]]] $ppa_options        = undef,
+  Optional[String[1]] $ppa_package               = undef,
+  Optional[Hash] $backports                      = undef,
+  Hash $confs                                    = {},
+  Hash $update                                   = {},
+  Hash $purge                                    = {},
+  Apt::Proxy $proxy                              = {},
+  Hash $sources                                  = {},
+  Hash $auths                                    = {},
+  Hash $keys                                     = {},
+  Hash $keyrings                                 = {},
+  Hash $ppas                                     = {},
+  Hash $pins                                     = {},
+  Hash $settings                                 = {},
+  Boolean $manage_auth_conf                      = true,
   Array[Apt::Auth_conf_entry] $auth_conf_entries = [],
-  String[1] $auth_conf_owner = '_apt',
-  Stdlib::Absolutepath $root = '/etc/apt',
-  Stdlib::Absolutepath $sources_list = "${root}/sources.list",
-  Stdlib::Absolutepath $sources_list_d = "${root}/sources.list.d",
-  Stdlib::Absolutepath $conf_d = "${root}/apt.conf.d",
-  Stdlib::Absolutepath $preferences = "${root}/preferences",
-  Stdlib::Absolutepath $preferences_d = "${root}/preferences.d",
-  Stdlib::Absolutepath $apt_conf_d = "${root}/apt.conf.d",
-  Stdlib::Absolutepath $auth_conf_d = "${root}/auth.conf.d",
-  Hash $config_files = {
+  String[1] $auth_conf_owner                     = '_apt',
+  Stdlib::Absolutepath $root                     = '/etc/apt',
+  Stdlib::Absolutepath $sources_list             = "${root}/sources.list",
+  Stdlib::Absolutepath $sources_list_d           = "${root}/sources.list.d",
+  Stdlib::Absolutepath $conf_d                   = "${root}/apt.conf.d",
+  Stdlib::Absolutepath $preferences              = "${root}/preferences",
+  Stdlib::Absolutepath $preferences_d            = "${root}/preferences.d",
+  Stdlib::Absolutepath $apt_conf_d               = "${root}/apt.conf.d",
+  Stdlib::Absolutepath $auth_conf_d              = "${root}/auth.conf.d",
+  Hash $config_files                             = {
     'conf'   => {
       'path' => $conf_d,
       'ext'  => '',
@@ -227,8 +227,8 @@
       'ext'  => '.sources',
     },
   },
-  Boolean $sources_list_force = false,
-  Hash $source_key_defaults = {
+  Boolean $sources_list_force                    = false,
+  Hash $source_key_defaults                      = {
     'server'  => $keyserver,
     'options' => undef,
     'content' => undef,

manifests/key.pp

@@ -37,13 +37,13 @@
 #   Passes additional options to `apt-key adv --keyserver-options`.
 #
 define apt::key (
-  Pattern[/\A(0x)?[0-9a-fA-F]{8}\Z/, /\A(0x)?[0-9a-fA-F]{16}\Z/, /\A(0x)?[0-9a-fA-F]{40}\Z/] $id                        = $title,
-  Enum['present', 'absent', 'refreshed'] $ensure                                                                        = present,
-  Optional[String[1]] $content                                                                                          = undef,
-  Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source                                                   = undef,
+  Pattern[/\A(0x)?[0-9a-fA-F]{8}\Z/, /\A(0x)?[0-9a-fA-F]{16}\Z/, /\A(0x)?[0-9a-fA-F]{40}\Z/] $id                            = $title,
+  Enum['present', 'absent', 'refreshed'] $ensure                                                                            = present,
+  Optional[String[1]] $content                                                                                              = undef,
+  Optional[Pattern[/\Ahttps?:\/\//, /\Aftp:\/\//, /\A\/\w+/]] $source                                                       = undef,
   Pattern[/\A((hkp|hkps|http|https):\/\/)?([a-z\d])([a-z\d-]{0,61}\.)+[a-z\d]+(:\d{2,5})?(\/[a-zA-Z\d\-_.]+)*\/?$/] $server = $apt::keyserver,
-  Boolean $weak_ssl                                                                                                     = false,
-  Optional[String[1]] $options                                                                                          = $apt::key_options,
+  Boolean $weak_ssl                                                                                                         = false,
+  Optional[String[1]] $options                                                                                              = $apt::key_options,
 ) {
   case $ensure {
     /^(refreshed|present)$/: {