#!/bin/bash
# Fetch the puppet modules listed in CONFIG into CACHE_DIR, verify the GPG
# signature on each module's selected git tag, and install the verified
# checkouts into MODULES_DIR. CONFIG and MODULES_DIR may be overridden from
# the environment; tags are verified against the keyring in GNUPGHOME.

: "${CONFIG:=/etc/puppet/cosmos-modules.conf}"
CACHE_DIR=/var/cache/puppet-modules
: "${MODULES_DIR:=/etc/puppet/cosmos-modules}"
export GNUPGHOME=/etc/cosmos/gnupg

# Make sure the python yaml module is importable; pull it in from apt if not.
if ! python -c "import yaml" 2>/dev/null; then
  apt-get -y install python-yaml
fi


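#######################################
# Replace the staged copy of a module with a fresh export of one git ref.
# Must be run with the module's repository as cwd (git archive reads it).
# Globals:   CACHE_DIR (read) - staging lives in $CACHE_DIR/staging
# Arguments: $1 - module name (becomes the directory name under staging)
#            $2 - git ref to export (a verified tag in this script)
# Returns:   0 on success; 1 if the archive or the extraction failed, in
#            which case no partial tree is left under staging
#######################################
stage_module() {
  # :? aborts on an empty name: "rm -rf staging/" would otherwise wipe
  # every staged module instead of just this one.
  local module=${1:?module name required}
  local ref=${2:?git ref required}
  local dest=${CACHE_DIR:?CACHE_DIR must be set}/staging

  rm -rf -- "$dest/$module"
  git archive --format=tar --prefix="$module/" "$ref" | (cd "$dest" && tar xf -)
  # Capture both stages: a failed 'git archive' must not be masked by tar
  # happily extracting an empty stream.
  local -a st=("${PIPESTATUS[@]}")
  if (( st[0] != 0 || st[1] != 0 )); then
    # Do not leave a half-extracted module behind for the later rsync to install.
    rm -rf -- "$dest/$module"
    return 1
  fi
  return 0
}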

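#######################################
# First pass: clone every module not yet in the cache and pull those whose
# config line says update=yes. Reads "module src update pattern" lines from
# stdin; run as a pipeline stage so its cd stays in that subshell.
# Note that git:// is an unauthenticated transport: what is fetched here is
# only trusted after the tag signature check in the second pass.
# Globals:   CACHE_DIR (read)
# Outputs:   error lines to stdout (matches the script's existing style)
#######################################
fetch_modules() {
  local module src update pattern
  while read -r module src update pattern; do
    # We only support git:// urls atm
    [ "${src:0:6}" = "git://" ] || continue
    if [ ! -d "$CACHE_DIR/scm/$module" ]; then
      git clone -q "$src" "$CACHE_DIR/scm/$module"
    elif [ -d "$CACHE_DIR/scm/$module/.git" ]; then
      if [ "$update" = "yes" ]; then
        # A failed cd must not leave us running 'git pull' in whatever
        # directory the previous iteration moved to.
        cd "$CACHE_DIR/scm/$module" || { echo "ERROR: Cannot cd to $CACHE_DIR/scm/$module"; continue; }
        git pull -q
      fi
    else
      echo "ERROR: Ignoring non-git repository"
    fi
  done
}

#######################################
# Second pass: pick one tag per module, verify its signature against the
# keyring in GNUPGHOME and stage the module only when the signature is good.
# Reads "module src update pattern" lines from stdin; run as a pipeline
# stage so its cd stays in that subshell.
# Globals:   CACHE_DIR (read), COSMOS_VERBOSE (read)
# Outputs:   diagnostics to stdout
#######################################
verify_and_stage_modules() {
  local module src update pattern tag
  while read -r module src update pattern; do
    # We only support git:// urls atm
    [ "${src:0:6}" = "git://" ] || continue
    # If the cd fails (e.g. the clone in the first pass did not happen), the
    # tag lookup, the signature check and stage_module would all run against
    # the repository of the previous iteration and stage ITS content under
    # this module's name. Skip the module instead.
    cd "$CACHE_DIR/scm/$module" || { echo "ERROR: No git checkout for puppet-module $module in $CACHE_DIR/scm"; continue; }
    # Last matching tag in plain 'sort' order (lexical, not version order),
    # as before.
    tag=$(git tag -l "${pattern:-*}" | sort | tail -1)
    if [ "$COSMOS_VERBOSE" = "y" ]; then
      echo ""
      echo "Checking signature on tag ${tag} for puppet-module $module"
    fi
    if [ -z "$tag" ]; then
      echo "ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module $module"
      continue
    fi
    # Verify git tag: nothing reaches staging unless the tag signature checks out
    if git tag -v "$tag" >/dev/null 2>&1; then
      if [ "$COSMOS_VERBOSE" = "y" ]; then
        # short output on good signature
        git tag -v "$tag" 2>&1 | grep "gpg: Good signature"
      fi
      # Put archive in staging since tag verified OK
      stage_module "$module" "$tag"
    else
      echo "################################################################"
      echo "FAILED signature check on puppet-module $module"
      echo "################################################################"
      git tag -v "$tag"
    fi
  done
}

#######################################
# Remove cache entries for modules no longer listed in CONFIG.
# Globals:   CACHE_DIR (read), CONFIG (read)
#######################################
prune_removed_modules() {
  local path MODULE
  for path in "$CACHE_DIR"/staging/*; do
    # An empty staging dir leaves the glob unexpanded; skip it.
    [ -e "$path" ] || continue
    MODULE=${path##*/}
    # Exact match on the first column instead of a regex built from the
    # directory name, so names with regex metacharacters cannot over-match.
    if ! awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' "$CONFIG"; then
      # :? guards the rm -rf against an empty CACHE_DIR
      rm -rf -- "${CACHE_DIR:?}/scm/$MODULE" "${CACHE_DIR:?}/staging/$MODULE"
    fi
  done
}

if [ -f "$CONFIG" ]; then
  # mkdir -p is idempotent, so create both cache subdirectories even when
  # CACHE_DIR itself already exists (one of them may be missing).
  mkdir -p "$MODULES_DIR" "$CACHE_DIR/scm" "$CACHE_DIR/staging"

  # First pass to clone any new modules, and update those marked for updating.
  grep -E -v "^#" "$CONFIG" | fetch_modules

  # Second pass to verify the signatures on all modules and stage those that
  # have good signatures.
  grep -E -v "^#" "$CONFIG" | verify_and_stage_modules

  # Cleanup removed puppet modules from CACHE_DIR
  prune_removed_modules

  # Installing verified puppet modules
  rsync --archive --delete "$CACHE_DIR/staging/" "$MODULES_DIR/"
fi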