From 6c56b0dc3bb5d8783f23673bb0d243bb499ef7e6 Mon Sep 17 00:00:00 2001
From: Ossi Herrala
Date: Tue, 20 Jan 2015 14:52:49 +0000
Subject: [PATCH] yum: Multiple enhancements
* Add support for specifying path for X.509 CA file so Yum validates HTTPS connections to repository.
* Add support for disabling package's GPG signature validation.
* Add support for validating repository's metadata using GPG signature.
* Add define for using repositories from packagecloud.io.
* Add repository for Basho's Riak using packagecloud.io.
---
yum/files/keys/packagecloud.io.key | 64 ++++++++++++++++++++++++++++++
yum/manifests/init.pp | 57 ++++++++++++++++++++++++++--
yum/templates/yum.repo.erb | 14 ++++++-
3 files changed, 130 insertions(+), 5 deletions(-)
create mode 100644 yum/files/keys/packagecloud.io.key
diff --git a/yum/files/keys/packagecloud.io.key b/yum/files/keys/packagecloud.io.key
new file mode 100644
index 0000000..59477ba
--- /dev/null
+++ b/yum/files/keys/packagecloud.io.key
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFLUbogBEADceEoxBDoE6QM5xV/13qiELbFIkQgy/eEi3UesXmJblFdU7wcD +LOW3NuOIx/dgbZljeMEerj6N1cR7r7X5sVoFVEZiK4RLkC3Cpdns0d90ud2f3VyK +K7PXRBstdLm3JlW9OWZoe4VSADSMGWm1mIhT601qLKKAuWJoBIhnKY/RhA/RBXt7 +z22g4ta9bT67PlliTo1a8y6DhUA7gd+5TsVHaxDRrzc3mKObdyS5LOT/gf8Ti2tY +BY5MBbQ8NUGExls4dXKlieePhKutFbde7sq3n5sdp1Ndoran1u0LsWnaSDx11R3x +iYfXJ6xGukAc6pYlUD1yYjU4oRGhD2fPyuewqhHNUVwqupTBQtEGULrtdwK04kgI +H93ssGRsLqUKe88uZeeBczVuupv8ZLd1YcQ29AfJHe6nsevsgjF+eajYlzsvC8BN +q3nOvvedcuI6BW4WWFjraH06GNTyMAZi0HibTg65guZXpLcpPW9hTzXMoUrZz8Mv +J9yUBcFPKuFOLDpRP6uaIbxJsYqiituoltl0vgS/vJcpIVVRwSaqPHa6S63dmKm2 +6gq18v4l05mVcInPn+ciHtcSlZgQkCsRTSvfUrK+7nzyWtNQMGKstAZ7AHCoA8Pb +c3i7wyOtnTgfPFHVpHg3JHsPXKk9/71YogtoNFoETMFeKL1K+O+GMQddYQARAQAB +tDdwYWNrYWdlY2xvdWQgb3BzIChwcm9kdWN0aW9uIGtleSkgPG9wc0BwYWNrYWdl +Y2xvdWQuaW8+iQI+BBMBAgAoBQJS1G6IAhsvBQkJZgGABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRDC5zQk1ZCXq13KD/wNzAi6rEzRyx6NH61Hc19s2QAgcU1p +1mX1Tw0fU7CThx1nr8JrG63465c9dzUpVzNTYvMsUSBJwbb1phahCMNGbJpZRQ5b +vW/i3azmk/EHKL7wgMV8wu1atu6crrxGoDEfWUa4aIwbxZGkoxDZKZeKaLxz2ZCh +uKzjvkGUk4PUoOxxPn9XeFmJQ68ys4Z0CgIGfx2i64apqfsjVEdWEEBLoxHFIPy7 +FgFafRL0bgsquwPkb5q/dihIzJEZ2EMOGwXuUaKI/UAhgRIUGizuW7ECEjX4FG92 +8RsizHBjYL5Gl7DMt1KcPFe/YU/AdWEirs9pLQUr9eyGZN7HYJ03Aiy8R5aMBoeY +sfxjifkbWCpbN+SEATaB8YY6Zy2LK/5TiUYNUYb/VHP//ZEv0+uPgkoro6gWVkvG +DdXqH2d9svwfrQKfGSEQYXlLytZKvQSDLAqclSANs/y5HDjUxgtWKdsL3xNPCmff +jpyiqS4pvoTiUwS4FwBsIR2sBDToIEHDvTNk1imeSmxCUgDxFzWkmB70FBmwz7zs +9FzuoegrAxXonVit0+f3CxquN7tS0mHaWrZfhHxEIt65edkIz1wETOch3LIg6RaF +wsXgrZCNTB/zjKGAFEzxOSBkjhyJCY2g74QNObKgTSeGNFqG0ZBHe2/JQ33UxrDt +peKvCYTbjuWlyrkCDQRS1G6IARAArtNBXq+CNU9DR2YCi759fLR9F62Ec/QLWY3c +/D26OqjTgjxAzGKbu1aLzphP8tq1GDCbWQ2BMMZI+L0Ed502u6kC0fzvbppRRXrV +axBrwxY9XhnzvkXXzwNwnBalkrJ5Yk0lN8ocwCuUJohms7V14nEDyHgAB8yqCEWz +Qm/SIZw35N/insTXshcdiUGeyufo85SFhCUqZ1x1TkSC/FyDG+BCwArfj8Qwdab3 
+UlUEkF6czTjwWIO+5vYuR8bsCGYKCSrGRh5nxw0tuGXWXWFlBMSZP6mFcCDRQDGc +KOuGTjiWzLJcgsEcBoIX4WpHJYgl6ovex7HkfQsWPYL5V1FIHMlw34ALx4aQDH0d +PJpC+FxynrfTfsIzPnmm2huXPGGYul/TmOp00CsJEcKOjqcrYOgraYkCGVXbd4ri +6Pf7wJNiJ8V1iKTzQIrNpqGDk306Fww1VsYBLOnrSxNPYOOu1s8c8c9N5qbEbOCt +QdFf5pfuqsr5nJ0G4mhjQ/eLtDA4E7GPrdtUoceOkYKcQFt/yqnL1Sj9Ojeht3EN +PyVSgE8NiWxNIEM0YxPyJEPQawejT66JUnTjzLfGaDUxHfseRcyMMTbTrZ0fLJSR +aIH1AubPxhiYy+IcWOVMyLiUwjBBpKMStej2XILEpIJXP6Pn96KjMcB1grd0J2vM +w2Kg3E8AEQEAAYkERAQYAQIADwUCUtRuiAIbLgUJCWYBgAIpCRDC5zQk1ZCXq8Fd +IAQZAQIABgUCUtRuiAAKCRA3u+4/etlbPwI5D/4idr7VHQpou6c/YLnK1lmz3hEi +kdxUxjC4ymOyeODsGRlaxXfjvjOCdocMzuCY3C+ZfNFKOTtVY4fV5Pd82MuY1H8l +nuzqLxT6UwpIwo+yEv6xSK0mqm2FhT0JSQ7E7MnoHqsU0aikHegyEucGIFzew6BJ +UD2xBu/qmVP/YEPUzhW4g8uD+oRMxdAHXqvtThvFySY/rakLQRMRVwYdTFHrvu3z +HP+6hpZt25llJb3DiO+dTsv+ptLmlUr5JXLSSw2DfLxQa0kD5PGWpFPVJcxraS2p +NDK9KTi2nr1ZqDxeKjDBT6zZOs9+4JQ9fepn1S26AmHWHhyzvpjKxVm4sOilKysi +84CYluNrlEnidNf9wQa3NlLmtvxXQfm1py5tlwL5rE+ek1fwleaKXRcNNmm+T+vD +dIw+JcHy8a53nK1JEfBqEuY6IqEPKDke0wDIsDLSwI1OgtQoe7Cm1PBujfJu4rYQ +E+wwgWILTAgIy8WZXAloTcwVMtgfSsgHia++LqKfLDZ3JuwpaUAHAtguPy0QddvF +I4R7eFDVwHT0sS3AsG0HAOCY/1FRe8cAw/+9Vp0oDtOvBWAXycnCbdQeHvwh2+Uj +2u2f7K3CDMoevcBl4L5fkFkYTkmixCDy5nst1VM5nINueUIkUAJJbOGpd6yFdif7 +mQR0JWcPLudb+fwusJ4UEACYWhPa8Gxa7eYopRsydlcdEzwpmo6E+V8GIdLFRFFp +KHQEzbSW5coxzU6oOiPbTurCZorIMHTA9cpAZoMUGKaSt19UKIMvSqtcDayhgf4c +Z2ay1z0fdJ2PuLeNnWeiGyfq78q6wqSaJq/h6JdAiwXplFd3gqJZTrFZz7A6Q6Pd +7B+9PZ/DUdEO3JeZlHJDfRmfU2XPoyPUoq79+whP5Tl3WwHUv7Fg357kRSdzKv9D +bgmhqRHlgVeKn9pwN4cpVBN+idzwPefQksSKH4lBDvVr/9j+V9mmrOx7QmQ5LCc/ +1on+L0dqo6suoajADhKy+lDQbzs2mVb4CLpPKncDup/9iJbjiR17DDFMwgyCoy5O +HJICQ5lckNNgkHTS6Xiogkt28YfK4P3S0GaZgIrhKQ7AmO3O+hB12Zr+olpeyhGB +OpBD80URntdEcenvfnXBY/BsuAVbTGXiBzrlBEyQxg656jUeqAdXg+nzCvP0yJlB +UOjEcwyhK/U2nw9nGyaR3u0a9r24LgijGpdGabIeJm6O9vuuqFHHGI72pWUEs355 +lt8q1pAoJUv8NehQmlaR0h5wcwhEtwM6fiSIUTnuJnyHT053GjsUD7ef5fY1KEFm +aZeW04kRtFDOPinz0faE8hvsxzsVgkKye1c2vkXKdOXvA3x+pZzlTHtcgMOhjKQA +sA== +=H60S 
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/yum/manifests/init.pp b/yum/manifests/init.pp
index 797e5c1..2489dca 100644
--- a/yum/manifests/init.pp
+++ b/yum/manifests/init.pp
@@ -199,8 +199,16 @@ class yum::exclude {
 # $descr:
 # Repository description. Defaults to $name.
 # $gpgkey:
-# Location where GPG signing key can be found. If not set
-# GPG check will be disabled.
+# Location where GPG signing key can be found.
+# $gpgcheck:
+# Perform GPG signature check for packages. Enabled by default
+# if $gpgkey is set.
+# $repocheck:
+# Perform GPG signature check for repository metadata.
+# $sslcacert:
+# Path to the file containing the certificates of the
+# certificate authorities yum should use to verify TLS
+# connections.
 # $priority:
 # Optional priority for this repository.
 #
@@ -212,7 +220,17 @@ class yum::exclude {
 # gpgkey => "http://tmz.fedorapeople.org/repo/RPM-GPG-KEY-tmz",
 # }
 #
-define yum::repo($ensure="present", $baseurl="", $mirrorlist="", $descr="", $gpgkey="", $priority="") {
+define yum::repo(
+ $ensure="present",
+ $baseurl="",
+ $mirrorlist="",
+ $descr="",
+ $gpgkey="",
+ $gpgcheck=true,
+ $repocheck=false,
+ $sslcacert="",
+ $priority=""
+) {
 tag("bootstrap")
@@ -271,6 +289,30 @@ define yum::repo($ensure="present", $baseurl="", $mirrorlist="", $descr="", $gpg
 }
+# packagecloud.io repositories
+#
+# === Parameters
+#
+# $name:
+# Repository path under packagecloud.io. For example
+# "basho/riak".
+#
+define yum::repo::packagecloud() {
+
+ $filename = regsubst($name, '\/', '_')
+
+ yum::repo { $filename:
+ descr => "$name repository from packagecloud.io",
+ baseurl => "https://packagecloud.io/$name/el/\$releasever/\$basearch",
+ gpgkey => "puppet:///modules/yum/keys/packagecloud.io.key",
+ gpgcheck => false,
+ repocheck => true,
+ sslcacert => "/etc/pki/tls/certs/ca-bundle.crt",
+ }
+
+}
+
+
+# Add Adobe repository
 #
 class yum::repo::adobe {
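Review bot: In the parameter docs of `yum::repo` (hunk `@@ -199,8 +199,16 @@` of yum/manifests/init.pp), the removed sentence "If not set GPG check will be disabled" still describes what the template does, since its `<% else -%>` branch writes `gpgcheck=0` when `@gpgkey_real` is empty. Without it a reader sees `$gpgcheck` defaulting to true and may assume a repo declared without `$gpgkey` is still verified. I would keep the warning under `$gpgcheck`, for example `#     Has no effect when $gpgkey is empty; gpgcheck=0 is written in that case.`, and state the defaults of `$repocheck` (false) and `$sslcacert` (empty, no `sslcacert=` line written).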
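Review bot: The new `$repocheck` parameter of `yum::repo` (hunk `@@ -212,7 +220,17 @@`) is not tied to `$gpgkey`, so `repocheck => true` with no key makes the template write `repo_gpgcheck=1` without any `gpgkey=` line to verify the metadata against. The body of the define lies outside this hunk, so a guard may already exist there; if it does not, fail at compile time instead of shipping a repo file that only breaks on the client, e.g. `if $repocheck and $gpgkey == "" { fail("repocheck requires gpgkey") }`.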
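Review bot: `gpgcheck => false` in `yum::repo::packagecloud` (hunk `@@ -271,6 +289,30 @@`) turns off RPM signature checking for every repository declared through this define, with no comment explaining why and no way for a caller to turn it back on. Package integrity then rests entirely on the signed metadata (`repocheck => true`) and the TLS check (`sslcacert`), so a comment above the line such as `# RPMs are not checked individually; trust comes from repo_gpgcheck and TLS` would make that dependency visible to whoever edits it next. Consider exposing the switch as `define yum::repo::packagecloud($gpgcheck=false)` for repositories whose packages are signed. The commit also adds packagecloud.io.key as the trust anchor without recording its fingerprint; putting the fingerprint in the commit message or a comment lets a reviewer compare it with the one the vendor publishes.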
@@ -676,3 +718,12 @@ class yum::repo::mod_spdy {
 }
 }
+
+
+# Add Basho's riak repository
+#
+class yum::repo::riak {
+
+ yum::repo::packagecloud { "basho/riak": }
+
+}
diff --git a/yum/templates/yum.repo.erb b/yum/templates/yum.repo.erb
index bd5e765..91eab1c 100644
--- a/yum/templates/yum.repo.erb
+++ b/yum/templates/yum.repo.erb
@@ -6,12 +6,22 @@ baseurl=<%= @baseurl %>
 <% else -%>
 mirrorlist=<%= @mirrorlist %>
 <% end -%>
-<% if @gpgkey_real != '' -%>
-gpgcheck=1
+<% if @gpgkey_real != '' && gpgcheck != false -%>
 gpgkey=<%= @gpgkey_real %>
+gpgcheck=1
+<% elsif @gpgkey_real != '' -%>
+gpgkey=<%= @gpgkey_real %>
+gpgcheck=0
 <% else -%>
 gpgcheck=0
 <% end -%>
+<% if @repocheck != false -%>
+repo_gpgcheck=1
+<% end -%>
+<% if @sslcacert != '' -%>
+sslverify=1
+sslcacert=<%= @sslcacert %>
+<% end -%>
 <% if @priority != '' -%>
 priority=<%= @priority %>
 <% end -%>
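Review bot: The first added condition in yum.repo.erb tests `gpgcheck != false` without the `@` prefix that every other variable in the template carries (`@gpgkey_real`, `@repocheck`, `@sslcacert`). Bare-name access to Puppet variables from ERB is deprecated and not supported by later Puppet releases, so this is the one line that depends on the old lookup; write `<% if @gpgkey_real != '' && @gpgcheck != false -%>`. The `!= false` tests here and on `@repocheck` also treat the string "false" as enabled, which fails towards checking but deserves a short template comment. `sslverify=1` is written only when `@sslcacert` is set, so repos without it are left on yum's own default rather than an explicit setting.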