path: root/mcp/patches/0011-system.repo-Debian-Add-keyserver-proxy-support.patch
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: Copyright (c) 2018 Mirantis Inc., Enea AB and others.
:
: All rights reserved. This program and the accompanying materials
: are made available under the terms of the Apache License, Version 2.0
: which accompanies this distribution, and is available at
: http://www.apache.org/licenses/LICENSE-2.0
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Date: Sun, 3 Jun 2018 19:28:18 +0200
Subject: [PATCH] system.repo: Debian: Use proxy for keyservers

Previously, when fetching GPG keys for APT keyring, either using
public key download & import (as for default repos) or via keyserver,
we relied on simple `curl` calls or passed it down to Salt aptpkg
module.
To be able to retrieve APT keys behind a proxy, one used to have to
configure the proxy for the Salt minion, which does not yet have
`no_proxy` support (either *all* or *no* traffic hits the proxy).

When `linux:system:proxy` http(s) proxies are set:
- no longer pass key configuration to Salt aptpkg (until it properly
  supports `no_proxy`);
- handle all keys explicitly with `curl` and `apt-key`;
- set 'http(s)_proxy' env vars for `cmd.wait` calls;

If `linux:system:proxy` is not defined, the behavior is
unchanged for backwards compatibility.

NOTE: If present, per-repo proxies are also used for keyserver access.

system.repo: Fix conditions order for Debian proxy

Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
---
 linux/system/repo.sls | 65 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 53 insertions(+), 12 deletions(-)

diff --git a/linux/system/repo.sls b/linux/system/repo.sls
index 303ea9c..5dfc4c1 100644
--- a/linux/system/repo.sls
+++ b/linux/system/repo.sls
@@ -5,9 +5,15 @@ linux_repo_prereq_pkgs:
   pkg.installed:
   - pkgs: {{ system.pkgs }}

+{%- set proxies = {'system': {}, 'repo': {}} %}
+
 # global proxy setup
-{%- if system.proxy.get('pkg', {}).get('enabled', False) %}
 {%- if grains.os_family == 'Debian' %}
+{%- if system.proxy.get('pkg', {}).get('enabled', False) %}
+
+{%- do proxies.system.update({'https': system.proxy.get('pkg', {}).get('https', None) | default(system.proxy.get('https', None), true)}) %}
+{%- do proxies.system.update({'http': system.proxy.get('pkg', {}).get('http', None) | default(system.proxy.get('http', None), true)}) %}
+{%- do proxies.system.update({'ftp': system.proxy.get('pkg', {}).get('ftp', None) | default(system.proxy.get('ftp', None), true)}) %}

 /etc/apt/apt.conf.d/99proxies-salt:
   file.managed:
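Review bot: `proxies.system` is only filled in inside `{%- if system.proxy.get('pkg', {}).get('enabled', False) %}`, while the commit message describes the new key handling as active whenever `linux:system:proxy` http(s) proxies are set. A host with a system proxy but `pkg.enabled` unset would therefore still take the old, unproxied key path. If that is intended, a comment above the new `set` line would make it explicit, for example `{#- proxies.system: global APT proxy, set only when system.proxy.pkg.enabled; proxies.repo: proxy of the repo currently being rendered #}`. The state that follows continues outside this hunk.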
@@ -15,9 +21,9 @@ linux_repo_prereq_pkgs:
   - source: salt://linux/files/apt.conf.d_proxies
   - defaults:
       external_host: False
-      https: {{ system.proxy.get('pkg', {}).get('https', None) | default(system.proxy.get('https', None), true) }}
-      http: {{ system.proxy.get('pkg', {}).get('http', None) | default(system.proxy.get('http', None), true) }}
-      ftp: {{ system.proxy.get('pkg', {}).get('ftp', None) | default(system.proxy.get('ftp', None), true) }}
+      https: {{ proxies.system.https }}
+      http: {{ proxies.system.http }}
+      ftp: {{ proxies.system.ftp }}

 {%- else %}

@@ -25,9 +31,6 @@ linux_repo_prereq_pkgs:
   file.absent

 {%- endif %}
-{%- endif %}
-
-{% set default_repos = {} %}

 {%- if system.purge_repos|default(False) %}

@@ -38,6 +41,10 @@ purge_sources_list_d_repos:

 {%- endif %}

+{%- endif %}
+
+{% set default_repos = {} %}
+
 {%- for name, repo in system.repo.items() %}
 {%- set name=repo.get('name', name) %}
 {%- if grains.os_family == 'Debian' %}
@@ -45,16 +52,20 @@ purge_sources_list_d_repos:
 # per repository proxy setup
 {%- if repo.get('proxy', {}).get('enabled', False) %}
 {%- set external_host = repo.proxy.get('host', None) or repo.source.split('/')[2] %}
+{%- do proxies.repo.update({'https': repo.proxy.get('https', None) or system.proxy.get('pkg', {}).get('https', None) | default(system.proxy.get('https', None), true)}) %}
+{%- do proxies.repo.update({'http': repo.proxy.get('http', None) or system.proxy.get('pkg', {}).get('http', None) | default(system.proxy.get('http', None), true)}) %}
+{%- do proxies.repo.update({'ftp': repo.proxy.get('ftp', None) or system.proxy.get('pkg', {}).get('ftp', None) | default(system.proxy.get('ftp', None), true)}) %}
 /etc/apt/apt.conf.d/99proxies-salt-{{ name }}:
   file.managed:
   - template: jinja
   - source: salt://linux/files/apt.conf.d_proxies
   - defaults:
       external_host: {{ external_host }}
-      https: {{ repo.proxy.get('https', None) or system.proxy.get('pkg', {}).get('https', None) | default(system.proxy.get('https', None), True) }}
-      http: {{ repo.proxy.get('http', None) or system.proxy.get('pkg', {}).get('http', None) | default(system.proxy.get('http', None), True) }}
-      ftp: {{ repo.proxy.get('ftp', None) or system.proxy.get('pkg', {}).get('ftp', None) | default(system.proxy.get('ftp', None), True) }}
+      https: {{ proxies.repo.https }}
+      http: {{ proxies.repo.http }}
+      ftp: {{ proxies.repo.ftp }}
 {%- else %}
+{%- do proxies.repo.update({'https': None, 'http': None, 'ftp': None}) %}
 /etc/apt/apt.conf.d/99proxies-salt-{{ name }}:
   file.absent
 {%- endif %}
@@ -110,6 +121,13 @@ linux_repo_{{ name }}_key:
     {% else %}
       - pkgrepo: linux_repo_{{ name }}
     {% endif %}
+    - env:
+{%- if proxies.repo.get('https', None) or proxies.system.get('https', None) %}
+      - https_proxy: {{ proxies.repo.get('https', None) or proxies.system.get('https', None) }}
+{%- endif %}
+{%- if proxies.repo.get('http', None) or proxies.system.get('http', None) %}
+      - http_proxy: {{ proxies.repo.get('http', None) or proxies.system.get('http', None) }}
+{%- endif %}

 {%- endif %} {# 2 #}

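Review bot: The `- env:` key added to `linux_repo_{{ name }}_key` is emitted even when neither proxy resolves, which leaves it with an empty value. The same `proxies.repo.get(...) or proxies.system.get(...)` expression is also repeated in both the test and the value, and again in the later `cmd.run` key state. Resolving it once per repo, e.g. `{%- set key_https_proxy = proxies.repo.get('https') or proxies.system.get('https') %}`, and wrapping the whole `env:` block in one condition would keep the two states from drifting apart. If proxy URLs in the pillar can carry credentials, they will presumably show up in the rendered state, which deserves a comment here. The state's body begins outside this hunk.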
@@ -120,6 +138,10 @@ linux_repo_{{ name }}_key:

 {%- if repo.get('enabled', True) %}

+{%- set use_proxy = ( ( proxies.repo.get('https', None) or proxies.system.get('https', None) or
+                        proxies.repo.get('http', None) or proxies.system.get('http', None) ) and
+                        repo.key_id is defined and repo.key_server is defined ) %}
+
 linux_repo_{{ name }}:
   pkgrepo.managed:
   {%- if repo.ppa is defined %}
@@ -132,10 +154,10 @@ linux_repo_{{ name }}:
   {%- endif %}
   - file: /etc/apt/sources.list.d/{{ name }}.list
   - clean_file: {{ repo.clean|default(True) }}
-  {%- if repo.key_id is defined %}
+  {%- if not use_proxy and repo.key_id is defined %}
   - keyid: {{ repo.key_id }}
   {%- endif %}
-  {%- if repo.key_server is defined %}
+  {%- if not use_proxy and repo.key_server is defined %}
   - keyserver: {{ repo.key_server }}
   {%- endif %}
   {%- if repo.key_url is defined and (grains['saltversioninfo'] >= [2017, 7] or repo.key_url.startswith('salt://')) %}
@@ -157,6 +179,25 @@ linux_repo_{{ name }}:
   {%- endif %}
   {%- endif %}

+{%- if use_proxy and repo.key_id is defined and repo.key_server is defined %}
+
+linux_repo_{{ name }}_key:
+  cmd.run:
+    - name: "apt-key adv --keyserver {{ repo.key_server }} --recv {{ repo.key_id }}"
+    - unless: 'test -e /etc/apt/sources.list.d/{{ name }}.list'
+    - require_in:
+      - pkgrepo: linux_repo_{{ name }}
+    - env:
+{%- if proxies.repo.get('https', None) or proxies.system.get('https', None) %}
+      - https_proxy: {{ proxies.repo.get('https', None) or proxies.system.get('https', None) }}
+{%- endif %}
+{%- if proxies.repo.get('http', None) or proxies.system.get('http', None) %}
+      - http_proxy: {{ proxies.repo.get('http', None) or proxies.system.get('http', None) }}
+{%- endif %}
+
+{%- endif %}
+
+{#- repo.enabled is false #}
 {%- else %}

 linux_repo_{{ name }}_absent:
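Review bot: The `unless: 'test -e /etc/apt/sources.list.d/{{ name }}.list'` guard on the new `cmd.run` key state checks for the sources file, not for the key, so a host whose list file exists but whose keyring lacks the key (or holds a rotated one) never fetches it again. A guard on the key itself, for example `- unless: "apt-key adv --list-keys {{ repo.key_id }}"`, would match the intent more closely. `repo.key_server` and `repo.key_id` are also interpolated unquoted into a shell command string; quoting them and documenting that `key_id` should be a full fingerprint rather than a short ID would make this trust anchor less fragile. On releases where `apt-key adv` goes through dirmngr, the `http_proxy`/`https_proxy` variables may be ignored unless `honor-http-proxy` is configured, so passing `--keyserver-options http-proxy=...` explicitly may be needed; this should be confirmed on the target distribution.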