feat(pkg): add trusted/untrusted states

This states allow to trust and untrust packages and sources when using
homebrew.

Author: cdalvaro

salt/states/pkg.py

@@ -3936,6 +3936,120 @@ def held(name, version=None, pkgs=None, replace=False, **kwargs):
     return ret
 
 
+def trusted(name, **kwargs):
+    """
+    Ensure a package source or component is marked as trusted by the package
+    manager. Only available for package managers that implement a trust model
+    (e.g. Homebrew on macOS).
+
+    .. versionadded:: 3008.2
+
+    name
+        The identifier of the package source or component to trust. The exact
+        format depends on the package manager (e.g. a tap name, a formula, a
+        URL).
+
+    kwargs
+        Additional keyword arguments are passed through to the underlying
+        ``pkg.trust`` and ``pkg.is_trusted`` module functions, allowing
+        package-manager-specific options to be supplied. For example, on macOS
+        with Homebrew, ``type`` can be set to ``tap``, ``formula``, ``cask``
+        or ``command`` to disambiguate the target.
+
+    Examples:
+
+    .. code-block:: yaml
+
+        # Homebrew: trust a third-party tap
+        cdalvaro/tap:
+          pkg.trusted:
+            - type: tap
+
+        # Homebrew: trust a specific formula from a third-party tap
+        cdalvaro/tap/salt:
+          pkg.trusted:
+            - type: formula
+    """
+    ret = {"name": name, "changes": {}, "result": True, "comment": ""}
+
+    if "pkg.trust" not in __salt__:
+        ret["result"] = False
+        ret["comment"] = "`trust` is not available for this package manager."
+        return ret
+
+    if __salt__["pkg.is_trusted"](name, **kwargs):
+        ret["comment"] = f"{name} is already trusted."
+        return ret
+
+    if __opts__["test"]:
+        ret["result"] = None
+        ret["comment"] = f"{name} would be trusted."
+        return ret
+
+    if not __salt__["pkg.trust"](name, **kwargs):
+        ret["result"] = False
+        ret["comment"] = f"Failed to trust {name}."
+        return ret
+
+    ret["changes"] = {name: {"old": "untrusted", "new": "trusted"}}
+    ret["comment"] = f"{name} is now trusted."
+    return ret
+
+
+def untrusted(name, **kwargs):
+    """
+    Ensure a package source or component is not marked as trusted by the
+    package manager. Only available for package managers that implement a
+    trust model (e.g. Homebrew on macOS).
+
+    .. versionadded:: 3008.2
+
+    name
+        The identifier of the package source or component to untrust. The
+        exact format depends on the package manager.
+
+    kwargs
+        Additional keyword arguments are passed through to the underlying
+        ``pkg.untrust`` and ``pkg.is_trusted`` module functions, allowing
+        package-manager-specific options to be supplied. For example, on macOS
+        with Homebrew, ``type`` can be set to ``tap``, ``formula``, ``cask``
+        or ``command`` to disambiguate the target.
+
+    Example:
+
+    .. code-block:: yaml
+
+        # Homebrew: remove trust from a third-party tap
+        cdalvaro/tap:
+          pkg.untrusted:
+            - type: tap
+    """
+    ret = {"name": name, "changes": {}, "result": True, "comment": ""}
+
+    if "pkg.untrust" not in __salt__:
+        ret["result"] = False
+        ret["comment"] = "`untrust` is not available for this package manager."
+        return ret
+
+    if not __salt__["pkg.is_trusted"](name, **kwargs):
+        ret["comment"] = f"{name} is already not trusted."
+        return ret
+
+    if __opts__["test"]:
+        ret["result"] = None
+        ret["comment"] = f"{name} would be untrusted."
+        return ret
+
+    if not __salt__["pkg.untrust"](name, **kwargs):
+        ret["result"] = False
+        ret["comment"] = f"Failed to untrust {name}."
+        return ret
+
+    ret["changes"] = {name: {"old": "trusted", "new": "untrusted"}}
+    ret["comment"] = f"{name} is no longer trusted."
+    return ret
+
+
 def unheld(name, version=None, pkgs=None, all=False, **kwargs):
     """
     .. versionadded:: 3005

tests/pytests/unit/modules/test_mac_brew_pkg.py

@@ -1793,7 +1793,5 @@ def test_is_trusted_with_type_not_found():
     """
     Tests is_trusted with a type filter returns False when not in list.
     """
-    with patch(
-        "salt.modules.mac_brew_pkg.list_trusted", return_value=["other/tap"]
-    ):
+    with patch("salt.modules.mac_brew_pkg.list_trusted", return_value=["other/tap"]):
         assert mac_brew.is_trusted("thirdparty/foo", type="tap") is False

tests/pytests/unit/states/test_pkg.py

@@ -1345,3 +1345,175 @@ def test_latest_no_change_windows():
     with patch.dict(pkg.__salt__, salt_dict):
         ret = pkg.latest(pkg_name)
         assert ret.get("result", False) is True
+
+
+# 'trusted' state tests
+
+
+def test_trusted_not_available():
+    """
+    Test pkg.trusted when pkg.trust is not available for the package manager.
+    """
+    with patch.dict(pkg.__salt__, {}):
+        ret = pkg.trusted("cdalvaro/tap")
+        assert ret["result"] is False
+        assert "not available" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+def test_trusted_already_trusted():
+    """
+    Test pkg.trusted when the item is already trusted.
+    """
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.trust": MagicMock(return_value=True),
+            "pkg.is_trusted": MagicMock(return_value=True),
+        },
+    ):
+        ret = pkg.trusted("cdalvaro/tap", type="tap")
+        assert ret["result"] is True
+        assert "already trusted" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+def test_trusted_test_mode():
+    """
+    Test pkg.trusted in test mode when the item would be trusted.
+    """
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.trust": MagicMock(return_value=True),
+            "pkg.is_trusted": MagicMock(return_value=False),
+        },
+    ), patch.dict(pkg.__opts__, {"test": True}):
+        ret = pkg.trusted("cdalvaro/tap")
+        assert ret["result"] is None
+        assert "would be trusted" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+def test_trusted_success():
+    """
+    Test pkg.trusted successfully trusts an item.
+    """
+    trust_mock = MagicMock(return_value=True)
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.trust": trust_mock,
+            "pkg.is_trusted": MagicMock(return_value=False),
+        },
+    ):
+        ret = pkg.trusted("cdalvaro/tap", type="tap")
+        assert ret["result"] is True
+        assert ret["changes"] == {
+            "cdalvaro/tap": {"old": "untrusted", "new": "trusted"}
+        }
+        assert "now trusted" in ret["comment"]
+        trust_mock.assert_called_once_with("cdalvaro/tap", type="tap")
+
+
+def test_trusted_failure():
+    """
+    Test pkg.trusted when the brew trust command fails.
+    """
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.trust": MagicMock(return_value=False),
+            "pkg.is_trusted": MagicMock(return_value=False),
+        },
+    ):
+        ret = pkg.trusted("cdalvaro/tap")
+        assert ret["result"] is False
+        assert "Failed to trust" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+# 'untrusted' state tests
+
+
+def test_untrusted_not_available():
+    """
+    Test pkg.untrusted when pkg.untrust is not available for the package manager.
+    """
+    with patch.dict(pkg.__salt__, {}):
+        ret = pkg.untrusted("cdalvaro/tap")
+        assert ret["result"] is False
+        assert "not available" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+def test_untrusted_already_not_trusted():
+    """
+    Test pkg.untrusted when the item is already not trusted.
+    """
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.untrust": MagicMock(return_value=True),
+            "pkg.is_trusted": MagicMock(return_value=False),
+        },
+    ):
+        ret = pkg.untrusted("cdalvaro/tap", type="tap")
+        assert ret["result"] is True
+        assert "already not trusted" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+def test_untrusted_test_mode():
+    """
+    Test pkg.untrusted in test mode when the item would be untrusted.
+    """
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.untrust": MagicMock(return_value=True),
+            "pkg.is_trusted": MagicMock(return_value=True),
+        },
+    ), patch.dict(pkg.__opts__, {"test": True}):
+        ret = pkg.untrusted("cdalvaro/tap")
+        assert ret["result"] is None
+        assert "would be untrusted" in ret["comment"]
+        assert ret["changes"] == {}
+
+
+def test_untrusted_success():
+    """
+    Test pkg.untrusted successfully untrusts an item.
+    """
+    untrust_mock = MagicMock(return_value=True)
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.untrust": untrust_mock,
+            "pkg.is_trusted": MagicMock(return_value=True),
+        },
+    ):
+        ret = pkg.untrusted("cdalvaro/tap", type="tap")
+        assert ret["result"] is True
+        assert ret["changes"] == {
+            "cdalvaro/tap": {"old": "trusted", "new": "untrusted"}
+        }
+        assert "no longer trusted" in ret["comment"]
+        untrust_mock.assert_called_once_with("cdalvaro/tap", type="tap")
+
+
+def test_untrusted_failure():
+    """
+    Test pkg.untrusted when the brew untrust command fails.
+    """
+    with patch.dict(
+        pkg.__salt__,
+        {
+            "pkg.untrust": MagicMock(return_value=False),
+            "pkg.is_trusted": MagicMock(return_value=True),
+        },
+    ):
+        ret = pkg.untrusted("cdalvaro/tap")
+        assert ret["result"] is False
+        assert "Failed to untrust" in ret["comment"]
+        assert ret["changes"] == {}