search

puppetlabs / puppetlabs-apt

Puppet module to help manage Apt
https://forge.puppetlabs.com/puppetlabs/apt
Apache License 2.0
215 stars 462 forks source link

The proxy setting https_acng has no effect if the HTTPS location contains options #1071

Open drebs opened 1 year ago

drebs commented 1 year ago

Describe the Bug

When a proxy location contains options before an HTTPS URI (example), setting https_acng => true has not effect and updating from that repo fails with:

Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)

Expected Behavior

https:// should be replaced by http://HTTPS/// in the APT source line and updating from that repo should succeed.

Steps to Reproduce

Run this script in a disposable environment:

#!/bin/sh

export DEBIAN_FRONTEND=noninteractive
sudo --preserve-env=DEBIAN_FRONTEND apt-get -y install puppet git apt-cacher-ng

TEMPDIR=$( mktemp -d )
trap "rm -rf ${TEMPDIR}" EXIT

cd ${TEMPDIR}

git clone https://github.com/puppetlabs/puppetlabs-stdlib.git stdlib
git clone https://github.com/puppetlabs/puppetlabs-apt.git apt

git -C ./apt/ checkout v9.0.0

curl -s http://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -

cat >  manifest.pp <<EOF
class { 'apt':
  proxy => {
    host       => '127.0.0.1',
    port       => 3142,
    https_acng => true,
  },
}

ensure_packages('apt-transport-https')

apt::source { 'torproject':
  comment  => 'TorProject',
  location => '[Check-Date=yes] https://deb.torproject.org/torproject.org',
  repos    => 'main',
  release  => 'stable',
  require  => Package['apt-transport-https'];
}
EOF

sudo puppet apply --modulepath=./ ./manifest.pp
sudo apt update
echo "\n---------- /etc/apt/sources.list.d/torproject.list ----------"
cat /etc/apt/sources.list.d/torproject.list

The output ends with:

(...)
Hit:1 http://deb.debian.org/debian bullseye InRelease                      
Hit:2 http://deb.debian.org/debian bullseye-updates InRelease                                                                  
Hit:3 http://security.debian.org/debian-security bullseye-security InRelease                                                   
Err:4 https://deb.torproject.org/torproject.org stable InRelease                                                               
  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 3142]
Reading package lists... Done                                                                                                 
Building dependency tree... Done
Reading state information... Done
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/stable/InRelease  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 3142]                                        
W: Some index files failed to download. They have been ignored, or old ones used instead.

---------- /etc/apt/sources.list.d/torproject.list ----------
# This file is managed by Puppet. DO NOT EDIT.
# TorProject
deb [Check-Date=yes] https://deb.torproject.org/torproject.org stable main

The URI above should've been replaced accordingly to work with apt-cacher-ng.

Environment

Additional Context

To fix this, I think the regexp should be improved here.