apt::key and basic auth


Douglas Rand

Mar 29, 2019, 6:17:26 PM
to Puppet Users
I have a provider that hosts their APT repository behind a basic auth protected website, and I cannot work out how to get apt::key to add their key.

I've tried

apt::key { 'fubar-repo':
      id => 'A0CFE15F71F798574AB363DD118283D9A7862CEE',
      source => "https://user%40domain.com:sec...@download.fubar.com/release/${version}/xUbuntu_${facts['os']['release']['major']}/Release.key",
}

which doesn't work and results in the error:

  Error: 401 Unauthorized for https://user%40domain.com:sec...@download.fubar.com/...

I've also tried to get the http_basic_authentication option to work, but I can't seem to find an example and I'm betting my shot at it here is wrong:

apt::key { 'fubar-repo':
      id => 'A0CFE15F71F798574AB363DD118283D9A7862CEE',
      source => "https://download.fubar.com/release/${version}/xUbuntu_${facts['os']['release']['major']}/Release.key",
      options => 'http_basic_authentication=["us...@domain.com", "secret]',
}


Any thoughts?   Thanks!

Martin Alfke

Mar 31, 2019, 11:37:40 AM
to puppet...@googlegroups.com

> On 29. Mar 2019, at 19:42, Douglas Rand <ra...@iteris.com> wrote:
>
> I have a provider that hosts their APT repository behind a basic auth protected website, and I cannot work out how to get apt::key to add their key.

Have you tried using apt_auth.conf file?
https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html

> I've tried
>
> apt::key { 'fubar-repo':
> id => 'A0CFE15F71F798574AB363DD118283D9A7862CEE',
> source => "https://user%40domain.com:sec...@download.fubar.com/release/${version}/xUbuntu_${facts['os']['release']['major']}/Release.key",
> }
>
> which doesn't work and results in the error:
>
> Error: 401 Unauthorized for https://user%40domain.com:sec...@download.fubar.com/...
>
> I've also tried to get the http_basic_authentication option to work, but I can't seem to find an example and I'm betting my shot at it here is wrong:
>
> apt::key { 'fubar-repo':
> id => 'A0CFE15F71F798574AB363DD118283D9A7862CEE',
> source => "https://download.fubar.com/release/${version}/xUbuntu_${facts['os']['release']['major']}/Release.key",
> options => 'http_basic_authentication=["us...@domain.com", "secret]',
> }
>
>
> Any thoughts? Thanks!

Douglas K. Rand

Apr 1, 2019, 3:44:32 PM
to puppet...@googlegroups.com
On 3/31/19 10:37 AM, Martin Alfke wrote:
>> On 29. Mar 2019, at 19:42, Douglas Rand <ra...@iteris.com> wrote:
>> I have a provider that hosts their APT repository behind a basic auth
>> protected website, and I cannot work out how to get apt::key to add their
>> key.

> Have you tried using apt_auth.conf file?
> https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html

No, I hadn't. And thanks for that, it solved another problem I was having.
Thanks Martin!

But not the problem with apt::key. I ran it down to the source_to_file
method in the apt_key.rb provider from Puppet's APT library. The
source_to_file method fetches the remote key and drops it in a temporary file
and then uses apt-key to install the key. So the fetching of the key bypasses
all of the nice apt features with apt/auth.conf. So no joy there.

But I did find a fix. The problem is that the username I need to provide in
basic auth is my email address, and includes an '@' sign. And since the '@'
sign is already part of the url coding for usernames, you can't have it in the
username. I had been using '%40' to replace the '@' sign in my username, but
the Ruby provider doesn't know that the usernames might be URI encoded.

This simple patch adds that:

---
/local-project/tmp/r10k/production/modules/apt/lib/puppet/provider/apt_key/apt_key.rb
2017-10-24 08:45:17.316572536 -0500
+++ modules/apt/lib/puppet/provider/apt_key/apt_key.rb 2019-04-01
13:38:02.026555102 -0500
@@ -129,6 +129,10 @@
begin
user_pass = parsedValue.userinfo.nil? ? nil :
parsedValue.userinfo.split(':')
parsedValue.userinfo = ''
+ unless user_pass.nil?
+ user_pass[0] = URI.unescape(user_pass[0])
+ user_pass[1] = URI.unescape(user_pass[1])
+ end
key = open(parsedValue, :http_basic_authentication => user_pass).read
rescue OpenURI::HTTPError, Net::FTPPermError => e
fail("#{e.message} for #{resource[:source]}")
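
Review bot: in the added `unless user_pass.nil?` block, `user_pass[1]` is nil whenever the userinfo carries a username but no ':' (the context line splits with `parsedValue.userinfo.split(':')`), so `URI.unescape(user_pass[1])` would raise on nil, and that exception is not one of the two the `rescue` below handles. Guard the second element or decode with a map, for example `user_pass = user_pass.map { |part| URI.unescape(part) }`. Now that encoded values are accepted, the split should also take a limit of 2 so a literal ':' in the password is not dropped. Two smaller points: `URI.unescape` is marked obsolete in Ruby's URI library, so a non-deprecated decoder is preferable, and `fail("#{e.message} for #{resource[:source]}")` echoes the source URL, credentials included, into the error output, so the userinfo should be redacted there.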

Does anybody have any idea how to get this directed toward the right people?
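
The credential handling discussed in this message, as an added example that is not part of the original post and not code from the apt_key.rb provider. It splits percent-encoded userinfo out of a source URL, decodes it for open-uri's `:http_basic_authentication` option, and returns a credential-free URL for fetching and for error messages. The function names and the `repo.example.test` URL are assumptions made up for illustration.

```ruby
require 'uri'

# Constructed sample: '@' in the user name is sent as %40, ':' in the password as %3A.
SAMPLE_SOURCE = 'https://user%40domain.com:p%3Ass+word@repo.example.test/release/Release.key'

# Percent-decode one userinfo component. '+' is protected first because
# decode_www_form_component would otherwise turn it into a space.
def decode_userinfo_part(part)
  URI.decode_www_form_component(part.gsub('+', '%2B'))
end

# Returns [clean_url, credentials]. credentials is nil, or [user, password]
# in the shape open-uri's :http_basic_authentication option takes.
# clean_url never contains the userinfo, so it is safe to log or to put
# into a failure message.
def split_basic_auth(source)
  uri = URI.parse(source)
  raise ArgumentError, 'only http(s) sources are handled here' unless uri.is_a?(URI::HTTP)

  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  clean = "#{uri.scheme}://#{uri.host}#{port}#{uri.request_uri}"
  return [clean, nil] if uri.userinfo.nil? || uri.userinfo.empty?

  # Limit 2: only the first ':' separates user from password.
  user, password = uri.userinfo.split(':', 2)
  # A missing password becomes '' instead of nil so decoding cannot fail on it.
  [clean, [decode_userinfo_part(user), decode_userinfo_part(password || '')]]
end

if $PROGRAM_NAME == __FILE__
  clean, creds = split_basic_auth(SAMPLE_SOURCE)
  puts "fetch: #{clean}"
  puts "user:  #{creds[0]}"
end
```

The fetch itself would then look like `open(clean, :http_basic_authentication => creds)`, with `clean` rather than the original source string used in any failure message.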

David Schmitt

Apr 2, 2019, 4:41:12 AM
to puppet...@googlegroups.com
Hi Douglas,

thanks for identifying the issue! Please submit a PR to the apt repo, someone from the Modules Team will pick it up.


Regards, David


Karsten Heymann

Apr 2, 2019, 10:57:47 AM
to puppet...@googlegroups.com
Hi Douglas,

> Rand <ra...@iteris.com> wrote:
> >> I have a provider that hosts their APT repository behind a basic auth
> >> protected website, and I cannot work out how to get apt::key to add their
> >> key.

more a workaround than a real solution to your problem, but I tend to
throw hard-to-reach files like this onto an internal web server and
point the apt_key-Resource to it.

But I generally don't like to put passwords into puppet code, and also
we have to do this a lot because most of our servers are not allowed
to directly access the internet.

Kind regards
Karsten