Update cookbooks and add wordpress cookbook

cookbooks/apt/providers/preference.rb

@@ -28,12 +28,16 @@ def build_pref(package_name, pin, pin_priority)
   "Package: #{package_name}\nPin: #{pin}\nPin-Priority: #{pin_priority}\n"
 end
 
+def safe_name(name)
+  name.tr('.', '_').gsub('*', 'wildcard')
+end
+
 action :add do
   preference = build_pref(
     new_resource.glob || new_resource.package_name,
     new_resource.pin,
     new_resource.pin_priority
-    )
+  )
 
   directory '/etc/apt/preferences.d' do
     owner 'root'
@@ -43,6 +47,16 @@ action :add do
     action :create
   end
 
+  name = safe_name(new_resource.name)
+
+  file "/etc/apt/preferences.d/#{new_resource.name}.pref" do
+    action :delete
+    if ::File.exist?("/etc/apt/preferences.d/#{new_resource.name}.pref")
+      Chef::Log.warn "Replacing #{new_resource.name}.pref with #{name}.pref in /etc/apt/preferences.d/"
+    end
+    only_if { name != new_resource.name }
+  end
+
   file "/etc/apt/preferences.d/#{new_resource.name}" do
     action :delete
     if ::File.exist?("/etc/apt/preferences.d/#{new_resource.name}")
@@ -50,7 +64,7 @@ action :add do
     end
   end
 
-  file "/etc/apt/preferences.d/#{new_resource.name}.pref" do
+  file "/etc/apt/preferences.d/#{name}.pref" do
     owner 'root'
     group 'root'
     mode 00644
@@ -60,9 +74,10 @@ action :add do
 end
 
 action :remove do
-  if ::File.exist?("/etc/apt/preferences.d/#{new_resource.name}.pref")
-    Chef::Log.info "Un-pinning #{new_resource.name} from /etc/apt/preferences.d/"
-    file "/etc/apt/preferences.d/#{new_resource.name}.pref" do
+  name = safe_name(new_resource.name)
+  if ::File.exist?("/etc/apt/preferences.d/#{name}.pref")
+    Chef::Log.info "Un-pinning #{name} from /etc/apt/preferences.d/"
+    file "/etc/apt/preferences.d/#{name}.pref" do
       action :delete
     end
   end

cookbooks/apt/providers/repository.rb

@@ -24,25 +24,37 @@ def whyrun_supported?
 end
 
 # install apt key from keyserver
-def install_key_from_keyserver(key, keyserver)
+def install_key_from_keyserver(key, keyserver, key_proxy)
   execute "install-key #{key}" do
-    if !node['apt']['key_proxy'].empty?
-      command "apt-key adv --keyserver-options http-proxy=#{node['apt']['key_proxy']} --keyserver hkp://#{keyserver}:80 --recv #{key}"
-    else
+    if keyserver.start_with?('hkp://')
       command "apt-key adv --keyserver #{keyserver} --recv #{key}"
+    elsif key_proxy.empty?
+      command "apt-key adv --keyserver hkp://#{keyserver}:80 --recv #{key}"
+    else
+      command "apt-key adv --keyserver-options http-proxy=#{key_proxy} --keyserver hkp://#{keyserver}:80 --recv #{key}"
     end
+    sensitive new_resource.sensitive if respond_to?(:sensitive)
     action :run
     not_if do
-      extract_fingerprints_from_cmd('apt-key finger').any? do |fingerprint|
+      key_present = extract_fingerprints_from_cmd('apt-key finger').any? do |fingerprint|
         fingerprint.end_with?(key.upcase)
       end
+
+      key_present && key_is_valid('apt-key list', key.upcase)
     end
   end
+
+  ruby_block "validate-key #{key}" do
+    block do
+      fail "The key #{key} is no longer valid and cannot be used for an apt repository."
+    end
+    not_if { key_is_valid('apt-key list', key.upcase) }
+  end
 end
 
 # run command and extract gpg ids
 def extract_fingerprints_from_cmd(cmd)
-  so = Mixlib::ShellOut.new(cmd, env: { 'LANG' => 'en_US' })
+  so = Mixlib::ShellOut.new(cmd, env: { 'LANG' => 'en_US', 'LANGUAGE' => 'en_US' })
   so.run_command
   so.stdout.split(/\n/).map do |t|
     if z = t.match(/^ +Key fingerprint = ([0-9A-F ]+)/)
@@ -51,14 +63,34 @@ def extract_fingerprints_from_cmd(cmd)
   end.compact
 end
 
+# determine whether apt thinks the key is still valid
+def key_is_valid(cmd, key)
+  valid = true
+
+  so = Mixlib::ShellOut.new(cmd, env: { 'LANG' => 'en_US', 'LANGUAGE' => 'en_US' })
+  so.run_command
+  # rubocop:disable Style/Next
+  so.stdout.split(/\n/).map do |t|
+    if t.match(%r{^\/#{key}.*\[expired: .*\]$})
+      Chef::Log.debug "Found expired key: #{t}"
+      valid = false
+      break
+    end
+  end
+
+  Chef::Log.debug "key #{key} validity: #{valid}"
+  valid
+end
+
 # install apt key from URI
 def install_key_from_uri(uri)
-  key_name = uri.split(/\//).last
+  key_name = uri.split(%r{\/}).last
   cached_keyfile = "#{Chef::Config[:file_cache_path]}/#{key_name}"
   if new_resource.key =~ /http/
     remote_file cached_keyfile do
       source new_resource.key
       mode 00644
+      sensitive new_resource.sensitive if respond_to?(:sensitive)
       action :create
     end
   else
@@ -66,12 +98,20 @@ def install_key_from_uri(uri)
       source new_resource.key
       cookbook new_resource.cookbook
       mode 00644
+      sensitive new_resource.sensitive if respond_to?(:sensitive)
       action :create
     end
+
+    ruby_block "validate-key #{cached_keyfile}" do
+      block do
+        fail "The key #{cached_keyfile} is no longer valid and cannot be used for an apt repository." unless key_is_valid("gpg #{cached_keyfile}", '')
+      end
+    end
   end
 
   execute "install-key #{key_name}" do
     command "apt-key add #{cached_keyfile}"
+    sensitive new_resource.sensitive if respond_to?(:sensitive)
     action :run
     not_if do
       installed_keys = extract_fingerprints_from_cmd('apt-key finger')
@@ -83,19 +123,19 @@ end
 
 # build repo file contents
 def build_repo(uri, distribution, components, trusted, arch, add_deb_src)
+  uri = '"' + uri + '"' unless uri.start_with?("\"", "'")
   components = components.join(' ') if components.respond_to?(:join)
   repo_options = []
   repo_options << "arch=#{arch}" if arch
   repo_options << 'trusted=yes' if trusted
-  repo_options = '[' + repo_options.join(' ') + ']' unless repo_options.empty?
-  repo_info = "#{uri} #{distribution} #{components}\n"
-  repo_info = "#{repo_options} #{repo_info}" unless repo_options.empty?
+  repo_opts = '[' + repo_options.join(' ') + ']' unless repo_options.empty?
+  repo_info = "#{repo_opts} #{uri} #{distribution} #{components}\n".lstrip
   repo =  "deb     #{repo_info}"
   repo << "deb-src #{repo_info}" if add_deb_src
   repo
 end
 
-def get_ppa_key(ppa_owner, ppa_repo)
+def get_ppa_key(ppa_owner, ppa_repo, key_proxy)
   # Launchpad has currently only one stable API which is marked as EOL April 2015.
   # The new api in devel still uses the same api call for +archive, so I made the version
   # configurable to provide some sort of workaround if api 1.0 ceases to exist.
@@ -115,12 +155,12 @@ def get_ppa_key(ppa_owner, ppa_repo)
     raise error
   end
 
-  install_key_from_keyserver(key_id, default_keyserver)
+  install_key_from_keyserver(key_id, default_keyserver, key_proxy)
 end
 
 # fetch ppa key, return full repo url
-def get_ppa_url(ppa)
-  repo_schema       = 'http://ppa.launchpad.net/%s/%s/ubuntu'
+def get_ppa_url(ppa, key_proxy)
+  repo_schema = 'http://ppa.launchpad.net/%s/%s/ubuntu'
 
   # ppa:user/repo logic ported from
   # http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/view/head:/softwareproperties/ppa.py#L86
@@ -131,7 +171,7 @@ def get_ppa_url(ppa)
   ppa_repo  = ppa_name.split('/')[1]
   ppa_repo  = 'ppa' if ppa_repo.nil?
 
-  get_ppa_key(ppa_owner, ppa_repo)
+  get_ppa_key(ppa_owner, ppa_repo, key_proxy)
 
   format(repo_schema, ppa_owner, ppa_repo)
 end
@@ -139,7 +179,7 @@ end
 action :add do
   # add key
   if new_resource.keyserver && new_resource.key
-    install_key_from_keyserver(new_resource.key, new_resource.keyserver)
+    install_key_from_keyserver(new_resource.key, new_resource.keyserver, new_resource.key_proxy)
   elsif new_resource.key
     install_key_from_uri(new_resource.key)
   end
@@ -156,6 +196,7 @@ action :add do
   execute 'apt-get update' do
     command "apt-get update -o Dir::Etc::sourcelist='sources.list.d/#{new_resource.name}.list' -o Dir::Etc::sourceparts='-' -o APT::Get::List-Cleanup='0'"
     ignore_failure true
+    sensitive new_resource.sensitive if respond_to?(:sensitive)
     action :nothing
     notifies :run, 'execute[apt-cache gencaches]', :immediately
   end
@@ -163,13 +204,13 @@ action :add do
   if new_resource.uri.start_with?('ppa:')
     # build ppa repo file
     repository = build_repo(
-      get_ppa_url(new_resource.uri),
+      get_ppa_url(new_resource.uri, new_resource.key_proxy),
       new_resource.distribution,
       'main',
       new_resource.trusted,
       new_resource.arch,
       new_resource.deb_src
-      )
+    )
   else
     # build repo file
     repository = build_repo(
@@ -179,7 +220,7 @@ action :add do
       new_resource.trusted,
       new_resource.arch,
       new_resource.deb_src
-      )
+    )
   end
 
   file "/etc/apt/sources.list.d/#{new_resource.name}.list" do
@@ -187,6 +228,7 @@ action :add do
     group 'root'
     mode 00644
     content repository
+    sensitive new_resource.sensitive if respond_to?(:sensitive)
     action :create
     notifies :delete, 'file[/var/lib/apt/periodic/update-success-stamp]', :immediately
     notifies :run, 'execute[apt-get update]', :immediately if new_resource.cache_rebuild
@@ -197,6 +239,7 @@ action :remove do
   if ::File.exist?("/etc/apt/sources.list.d/#{new_resource.name}.list")
     Chef::Log.info "Removing #{new_resource.name} repository from /etc/apt/sources.list.d/"
     file "/etc/apt/sources.list.d/#{new_resource.name}.list" do
+      sensitive new_resource.sensitive if respond_to?(:sensitive)
       action :delete
     end
   end