File add-migrated-state-and-gpg-key-management-functions-.patch of Package salt

From c5236dadcffc24c00181c10ac4cf56020371c538 Mon Sep 17 00:00:00 2001
From: Alexander Graul <agraul@suse.com>
Date: Tue, 18 Jan 2022 18:40:40 +0100
Subject: [PATCH] Add "migrated" state and GPG key management functions
 (#290)

* rpm_lowpkg: add API for GPG keys

* zypperpkg: do not quote the repo name

* pkgrepo: add migrated function

* pkg: unify apt and rpm API for key repo

aptpkg is the virtual package "pkg" for Debian, and contains some API
for key management.

This patch add a similar API for zypperpkg and yumpkg, also part of the
same virtual package, based on the counterpart from rpm_lowpkg API.

Convert test to pytests
---
 salt/modules/aptpkg.py                       |   4 +-
 salt/modules/rpm_lowpkg.py                   | 151 +++++++
 salt/modules/yumpkg.py                       |  88 ++++
 salt/modules/zypperpkg.py                    |  88 ++++
 salt/states/pkgrepo.py                       | 207 +++++++++
 tests/pytests/unit/modules/test_yumpkg.py    |  44 +-
 tests/pytests/unit/modules/test_zypperpkg.py |  45 +-
 tests/pytests/unit/states/test_pkgrepo.py    | 448 +++++++++++++++++++
 8 files changed, 1070 insertions(+), 5 deletions(-)

diff --git a/salt/modules/aptpkg.py b/salt/modules/aptpkg.py
index 3289f6604d..9885e9fb60 100644
--- a/salt/modules/aptpkg.py
+++ b/salt/modules/aptpkg.py
@@ -2197,7 +2197,7 @@ def _parse_repo_keys_output(cmd_ret):
     return ret
 
 
-def get_repo_keys(aptkey=True, keydir=None):
+def get_repo_keys(aptkey=True, keydir=None, **kwargs):
     """
     .. versionadded:: 2017.7.0
 
@@ -2305,6 +2305,7 @@ def add_repo_key(
     aptkey=True,
     keydir=None,
     keyfile=None,
+    **kwargs
 ):
     """
     .. versionadded:: 2017.7.0
@@ -2358,7 +2359,6 @@ def add_repo_key(
     if not salt.utils.path.which("apt-key"):
         aptkey = False
     cmd = ["apt-key"]
-    kwargs = {}
 
     # If the keyid is provided or determined, check it against the existing
     # repo key ids to determine whether it needs to be imported.
diff --git a/salt/modules/rpm_lowpkg.py b/salt/modules/rpm_lowpkg.py
index 4cd137c258..b360ec8df3 100644
--- a/salt/modules/rpm_lowpkg.py
+++ b/salt/modules/rpm_lowpkg.py
@@ -865,3 +865,154 @@ def checksum(*paths, **kwargs):
         )
 
     return ret
+
+
+def list_gpg_keys(info=False, root=None):
+    """Return the list of all the GPG keys stored in the RPM database
+
+    .. versionadded:: TBD
+
+    info
+       get the key information, returing a dictionary instead of a
+       list
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' lowpkg.list_gpg_keys
+        salt '*' lowpkg.list_gpg_keys info=True
+
+    """
+    cmd = ["rpm"]
+    if root:
+        cmd.extend(["--root", root])
+    cmd.extend(["-qa", "gpg-pubkey*"])
+    keys = __salt__["cmd.run_stdout"](cmd, python_shell=False).splitlines()
+    if info:
+        return {key: info_gpg_key(key, root=root) for key in keys}
+    else:
+        return keys
+
+
+def info_gpg_key(key, root=None):
+    """Return a dictionary with the information of a GPG key parsed
+
+    .. versionadded:: TBD
+
+    key
+       key identificatior
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' lowpkg.info_gpg_key gpg-pubkey-3dbdc284-53674dd4
+
+    """
+    cmd = ["rpm"]
+    if root:
+        cmd.extend(["--root", root])
+    cmd.extend(["-qi", key])
+    info = __salt__["cmd.run_stdout"](cmd, python_shell=False)
+
+    res = {}
+    # The parser algorithm is very ad-hoc.  Works under the
+    # expectation that all the fields are of the type "key: value" in
+    # a single line, except "Description", that will be composed of
+    # multiple lines.  Note that even if the official `rpm` makes this
+    # field the last one, other (like openSUSE) exted it with more
+    # fields.
+    in_description = False
+    description = []
+    for line in info.splitlines():
+        if line.startswith("Description"):
+            in_description = True
+        elif in_description:
+            description.append(line)
+            if line.startswith("-----END"):
+                res["Description"] = "\n".join(description)
+                in_description = False
+        elif line:
+            key, _, value = line.partition(":")
+            value = value.strip()
+            if "Date" in key:
+                try:
+                    value = datetime.datetime.strptime(
+                        value, "%a %d %b %Y %H:%M:%S %p %Z"
+                    )
+                except ValueError:
+                    pass
+            elif "Size" in key:
+                try:
+                    value = int(value)
+                except TypeError:
+                    pass
+            elif "(none)" in value:
+                value = None
+            res[key.strip()] = value
+    return res
+
+
+def import_gpg_key(key, root=None):
+    """Import a new key into the key storage
+
+    .. versionadded:: TBD
+
+    key
+       public key block content
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' lowpkg.import_gpg_key "-----BEGIN ..."
+
+    """
+    key_file = salt.utils.files.mkstemp()
+    with salt.utils.files.fopen(key_file, "w") as f:
+        f.write(key)
+
+    cmd = ["rpm"]
+    if root:
+        cmd.extend(["--root", root])
+    cmd.extend(["--import", key_file])
+    ret = __salt__["cmd.retcode"](cmd)
+
+    os.remove(key_file)
+
+    return ret == 0
+
+
+def remove_gpg_key(key, root=None):
+    """Remove a key from the key storage
+
+    .. versionadded:: TBD
+
+    key
+       key identificatior
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' lowpkg.remove_gpg_key gpg-pubkey-3dbdc284-53674dd4
+
+    """
+    cmd = ["rpm"]
+    if root:
+        cmd.extend(["--root", root])
+    cmd.extend(["-e", key])
+    return __salt__["cmd.retcode"](cmd) == 0
diff --git a/salt/modules/yumpkg.py b/salt/modules/yumpkg.py
index b362d30bf4..b2be251a40 100644
--- a/salt/modules/yumpkg.py
+++ b/salt/modules/yumpkg.py
@@ -3535,3 +3535,91 @@ def services_need_restart(**kwargs):
                 services.add(service)
 
     return list(services)
+
+
+def get_repo_keys(info=False, root=None, **kwargs):
+    """Return the list of all the GPG keys stored in the RPM database
+
+    .. versionadded:: TBD
+
+    info
+       get the key information, returing a dictionary instead of a
+       list
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' pkg.get_repo_keys
+        salt '*' pkg.get_repo_keys info=True
+
+    """
+    return __salt__["lowpkg.list_gpg_keys"](info, root)
+
+
+def add_repo_key(path=None, text=None, root=None, saltenv="base", **kwargs):
+    """Import a new key into the key storage
+
+    .. versionadded:: TBD
+
+    path
+        the path of the key file to import
+
+    text
+        the key data to import, in string form
+
+    root
+        use root as top level directory (default: "/")
+
+    saltenv
+        the environment the key file resides in
+
+    CLI Examples:
+
+    .. code-block:: bash
+
+        salt '*' pkg.add_repo_key 'salt://apt/sources/test.key'
+        salt '*' pkg.add_repo_key text="'$KEY1'"
+
+    """
+    if not path and not text:
+        raise SaltInvocationError("Provide a key to add")
+
+    if path and text:
+        raise SaltInvocationError("Add a key via path or key")
+
+    if path:
+        cache_path = __salt__["cp.cache_file"](path, saltenv)
+
+        if not cache_path:
+            log.error("Unable to get cached copy of file: %s", path)
+            return False
+
+        with salt.utils.files.fopen(cache_path, "r") as f:
+            text = f.read()
+
+    return __salt__["lowpkg.import_gpg_key"](text, root)
+
+
+def del_repo_key(keyid, root=None, **kwargs):
+    """Remove a key from the key storage
+
+    .. versionadded:: TBD
+
+    keyid
+        key identificatior
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Examples:
+
+    .. code-block:: bash
+
+        salt '*' pkg.del_repo_key keyid=gpg-pubkey-3dbdc284-53674dd4
+
+    """
+    return __salt__["lowpkg.remove_gpg_key"](keyid, root)
diff --git a/salt/modules/zypperpkg.py b/salt/modules/zypperpkg.py
index 2da470bea3..318c871b37 100644
--- a/salt/modules/zypperpkg.py
+++ b/salt/modules/zypperpkg.py
@@ -3261,3 +3261,91 @@ def services_need_restart(root=None, **kwargs):
     services = zypper_output.split()
 
     return services
+
+
+def get_repo_keys(info=False, root=None, **kwargs):
+    """Return the list of all the GPG keys stored in the RPM database
+
+    .. versionadded:: TBD
+
+    info
+       get the key information, returing a dictionary instead of a
+       list
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' pkg.get_repo_keys
+        salt '*' pkg.get_repo_keys info=True
+
+    """
+    return __salt__["lowpkg.list_gpg_keys"](info, root)
+
+
+def add_repo_key(path=None, text=None, root=None, saltenv="base", **kwargs):
+    """Import a new key into the key storage
+
+    .. versionadded:: TBD
+
+    path
+        the path of the key file to import
+
+    text
+        the key data to import, in string form
+
+    root
+        use root as top level directory (default: "/")
+
+    saltenv
+        the environment the key file resides in
+
+    CLI Examples:
+
+    .. code-block:: bash
+
+        salt '*' pkg.add_repo_key 'salt://apt/sources/test.key'
+        salt '*' pkg.add_repo_key text="'$KEY1'"
+
+    """
+    if not path and not text:
+        raise SaltInvocationError("Provide a key to add")
+
+    if path and text:
+        raise SaltInvocationError("Add a key via path or key")
+
+    if path:
+        cache_path = __salt__["cp.cache_file"](path, saltenv)
+
+        if not cache_path:
+            log.error("Unable to get cached copy of file: %s", path)
+            return False
+
+        with salt.utils.files.fopen(cache_path, "r") as f:
+            text = f.read()
+
+    return __salt__["lowpkg.import_gpg_key"](text, root)
+
+
+def del_repo_key(keyid, root=None, **kwargs):
+    """Remove a key from the key storage
+
+    .. versionadded:: TBD
+
+    keyid
+        key identificatior
+
+    root
+       use root as top level directory (default: "/")
+
+    CLI Examples:
+
+    .. code-block:: bash
+
+        salt '*' pkg.del_repo_key keyid=gpg-pubkey-3dbdc284-53674dd4
+
+    """
+    return __salt__["lowpkg.remove_gpg_key"](keyid, root)
diff --git a/salt/states/pkgrepo.py b/salt/states/pkgrepo.py
index 67a50c3ca0..c2d23f95bb 100644
--- a/salt/states/pkgrepo.py
+++ b/salt/states/pkgrepo.py
@@ -118,6 +118,7 @@ Using ``aptkey: False`` with ``keyserver`` and ``keyid``:
 """
 
 
+import os
 import sys
 
 import salt.utils.data
@@ -745,3 +746,209 @@ def absent(name, **kwargs):
         ret["comment"] = "Failed to remove repo {}".format(name)
 
     return ret
+
+
+def _normalize_repo(repo):
+    """Normalize the get_repo information"""
+    # `pkg.get_repo()` specific virtual module implementation is
+    # parsing the information directly from the repository
+    # configuration file, and can be different from the ones that
+    # `pkg.mod_repo()` accepts
+
+    # If the field is not present will be dropped
+    suse = {
+        # "alias": "repo",
+        "name": "humanname",
+        "priority": "priority",
+        "enabled": "enabled",
+        "autorefresh": "refresh",
+        "gpgcheck": "gpgcheck",
+        "keepackages": "cache",
+        "baseurl": "url",
+    }
+    translator = {
+        "Suse": suse,
+    }
+    table = translator.get(__grains__["os_family"], {})
+    return {table[k]: v for k, v in repo.items() if k in table}
+
+
+def _normalize_key(key):
+    """Normalize the info_gpg_key information"""
+
+    # If the field is not present will be dropped
+    rpm = {
+        "Description": "key",
+    }
+    translator = {
+        "Suse": rpm,
+        "RedHat": rpm,
+    }
+    table = translator.get(__grains__["os_family"], {})
+    return {table[k]: v for k, v in key.items() if k in table}
+
+
+def _repos_keys_migrate_drop(root, keys, drop):
+    """Helper function to calculate repost and key migrations"""
+
+    def _d2s(d):
+        """Serialize a dict and store in a set"""
+        return {
+            (k, tuple((_k, _v) for _k, _v in sorted(v.items())))
+            for k, v in sorted(d.items())
+        }
+
+    src_repos = _d2s(
+        {k: _normalize_repo(v) for k, v in __salt__["pkg.list_repos"]().items()}
+    )
+    # There is no guarantee that the target repository is even initialized
+    try:
+        tgt_repos = _d2s(
+            {
+                k: _normalize_repo(v)
+                for k, v in __salt__["pkg.list_repos"](root=root).items()
+            }
+        )
+    except Exception:  # pylint: disable=broad-except
+        tgt_repos = set()
+
+    src_keys = set()
+    tgt_keys = set()
+    if keys:
+        src_keys = _d2s(
+            {
+                k: _normalize_key(v)
+                for k, v in __salt__["lowpkg.list_gpg_keys"](info=True).items()
+            }
+        )
+        try:
+            tgt_keys = _d2s(
+                {
+                    k: _normalize_key(v)
+                    for k, v in __salt__["lowpkg.list_gpg_keys"](
+                        info=True, root=root
+                    ).items()
+                }
+            )
+        except Exception:  # pylint: disable=broad-except
+            pass
+
+    repos_to_migrate = src_repos - tgt_repos
+    repos_to_drop = tgt_repos - src_repos if drop else set()
+
+    keys_to_migrate = src_keys - tgt_keys
+    keys_to_drop = tgt_keys - src_keys if drop else set()
+
+    return (repos_to_migrate, repos_to_drop, keys_to_migrate, keys_to_drop)
+
+
+def _copy_repository_to(root):
+    repo = {
+        "Suse": ["/etc/zypp/repos.d"],
+        "RedHat": ["/etc/yum.conf", "/etc/yum.repos.d"],
+    }
+    for src in repo.get(__grains__["os_family"], []):
+        dst = os.path.join(root, os.path.relpath(src, os.path.sep))
+        __salt__["file.copy"](src=src, dst=dst, recurse=True)
+
+
+def migrated(name, keys=True, drop=False, method=None, **kwargs):
+    """Migrate a repository from one directory to another, including the
+    GPG keys if requested
+
+    .. versionadded:: TBD
+
+    name
+        Directory were to migrate the repositories. For example, if we
+        are booting from a USB key and we mounted the rootfs in
+        "/mnt", the repositories will live in "/mnt/etc/yum.repos.d"
+        or in "/etc/zypp/repos.d", depending on the system.  For both
+        cases the expected value for "name" would be "/mnt"
+
+    keys
+        If is is True, will migrate all the keys
+
+    drop
+        If True, the target repositories that do not exist in the
+        source will be dropped
+
+    method
+        If None or "salt", it will use the Salt API to migrate the
+        repositories, if "copy", it will copy the repository files
+        directly
+
+    """
+    ret = {"name": name, "result": False, "changes": {}, "comment": ""}
+
+    if __grains__["os_family"] not in ("Suse",):
+        ret["comment"] = "Migration not supported for this platform"
+        return ret
+
+    if keys and "lowpkg.import_gpg_key" not in __salt__:
+        ret["comment"] = "Keys cannot be migrated for this platform"
+        return ret
+
+    if method not in (None, "salt", "copy"):
+        ret["comment"] = "Migration method not supported"
+        return ret
+
+    (
+        repos_to_migrate,
+        repos_to_drop,
+        keys_to_migrate,
+        keys_to_drop,
+    ) = _repos_keys_migrate_drop(name, keys, drop)
+
+    if not any((repos_to_migrate, repos_to_drop, keys_to_migrate, keys_to_drop)):
+        ret["result"] = True
+        ret["comment"] = "Repositories are already migrated"
+        return ret
+
+    if __opts__["test"]:
+        ret["result"] = None
+        ret["comment"] = "There are keys or repositories to migrate or drop"
+        ret["changes"] = {
+            "repos to migrate": [repo for repo, _ in repos_to_migrate],
+            "repos to drop": [repo for repo, _ in repos_to_drop],
+            "keys to migrate": [key for key, _ in keys_to_migrate],
+            "keys to drop": [key for key, _ in keys_to_drop],
+        }
+        return ret
+
+    for repo, repo_info in repos_to_migrate:
+        if method == "copy":
+            _copy_repository_to(name)
+        else:
+            __salt__["pkg.mod_repo"](repo, **dict(repo_info), root=name)
+    for repo, _ in repos_to_drop:
+        __salt__["pkg.del_repo"](repo, root=name)
+
+    for _, key_info in keys_to_migrate:
+        __salt__["lowpkg.import_gpg_key"](dict(key_info)["key"], root=name)
+    for key, _ in keys_to_drop:
+        __salt__["lowpkg.remove_gpg_key"](key, root=name)
+
+    (
+        rem_repos_to_migrate,
+        rem_repos_to_drop,
+        rem_keys_to_migrate,
+        rem_keys_to_drop,
+    ) = _repos_keys_migrate_drop(name, keys, drop)
+
+    if any(
+        (rem_repos_to_migrate, rem_repos_to_drop, rem_keys_to_migrate, rem_keys_to_drop)
+    ):
+        ret["result"] = False
+        ret["comment"] = "Migration of repositories failed"
+        return ret
+
+    ret["result"] = True
+    ret["comment"] = "Repositories synchronized"
+    ret["changes"] = {
+        "repos migrated": [repo for repo, _ in repos_to_migrate],
+        "repos dropped": [repo for repo, _ in repos_to_drop],
+        "keys migrated": [key for key, _ in keys_to_migrate],
+        "keys dropped": [key for key, _ in keys_to_drop],
+    }
+
+    return ret
diff --git a/tests/pytests/unit/modules/test_yumpkg.py b/tests/pytests/unit/modules/test_yumpkg.py
index 1354ee5d2d..45c62d793d 100644
--- a/tests/pytests/unit/modules/test_yumpkg.py
+++ b/tests/pytests/unit/modules/test_yumpkg.py
@@ -9,7 +9,7 @@ import salt.modules.rpm_lowpkg as rpm
 import salt.modules.yumpkg as yumpkg
 import salt.utils.platform
 from salt.exceptions import CommandExecutionError, SaltInvocationError
-from tests.support.mock import MagicMock, Mock, call, patch
+from tests.support.mock import MagicMock, Mock, call, mock_open, patch
 
 log = logging.getLogger(__name__)
 
@@ -1908,6 +1908,48 @@ def test_get_repo_with_non_existent_repo(list_repos_var):
     assert ret == expected, ret
 
 
+def test_get_repo_keys():
+    salt_mock = {"lowpkg.list_gpg_keys": MagicMock(return_value=True)}
+    with patch.dict(yumpkg.__salt__, salt_mock):
+        assert yumpkg.get_repo_keys(info=True, root="/mnt")
+        salt_mock["lowpkg.list_gpg_keys"].assert_called_once_with(True, "/mnt")
+
+
+def test_add_repo_key_fail():
+    with pytest.raises(SaltInvocationError):
+        yumpkg.add_repo_key()
+
+    with pytest.raises(SaltInvocationError):
+        yumpkg.add_repo_key(path="path", text="text")
+
+
+def test_add_repo_key_path():
+    salt_mock = {
+        "cp.cache_file": MagicMock(return_value="path"),
+        "lowpkg.import_gpg_key": MagicMock(return_value=True),
+    }
+    with patch("salt.utils.files.fopen", mock_open(read_data="text")), patch.dict(
+        yumpkg.__salt__, salt_mock
+    ):
+        assert yumpkg.add_repo_key(path="path", root="/mnt")
+        salt_mock["cp.cache_file"].assert_called_once_with("path", "base")
+        salt_mock["lowpkg.import_gpg_key"].assert_called_once_with("text", "/mnt")
+
+
+def test_add_repo_key_text():
+    salt_mock = {"lowpkg.import_gpg_key": MagicMock(return_value=True)}
+    with patch.dict(yumpkg.__salt__, salt_mock):
+        assert yumpkg.add_repo_key(text="text", root="/mnt")
+        salt_mock["lowpkg.import_gpg_key"].assert_called_once_with("text", "/mnt")
+
+
+def test_del_repo_key():
+    salt_mock = {"lowpkg.remove_gpg_key": MagicMock(return_value=True)}
+    with patch.dict(yumpkg.__salt__, salt_mock):
+        assert yumpkg.del_repo_key(keyid="keyid", root="/mnt")
+        salt_mock["lowpkg.remove_gpg_key"].assert_called_once_with("keyid", "/mnt")
+
+
 def test_pkg_update_dnf():
     """
     Tests that the proper CLI options are added when obsoletes=False
diff --git a/tests/pytests/unit/modules/test_zypperpkg.py b/tests/pytests/unit/modules/test_zypperpkg.py
index 1e2d6ea443..91132b7277 100644
--- a/tests/pytests/unit/modules/test_zypperpkg.py
+++ b/tests/pytests/unit/modules/test_zypperpkg.py
@@ -10,8 +10,8 @@ import pytest
 
 import salt.modules.pkg_resource as pkg_resource
 import salt.modules.zypperpkg as zypper
-from salt.exceptions import CommandExecutionError
-from tests.support.mock import MagicMock, patch
+from salt.exceptions import CommandExecutionError, SaltInvocationError
+from tests.support.mock import MagicMock, mock_open, patch
 
 
 @pytest.fixture
@@ -354,3 +354,44 @@ def test_dist_upgrade_failure():
 
             assert exc.exception.info["changes"] == {}
             assert exc.exception.info["result"]["stdout"] == zypper_output
+
+def test_get_repo_keys():
+    salt_mock = {"lowpkg.list_gpg_keys": MagicMock(return_value=True)}
+    with patch.dict(zypper.__salt__, salt_mock):
+        assert zypper.get_repo_keys(info=True, root="/mnt")
+        salt_mock["lowpkg.list_gpg_keys"].assert_called_once_with(True, "/mnt")
+
+
+def test_add_repo_key_fail():
+    with pytest.raises(SaltInvocationError):
+        zypper.add_repo_key()
+
+    with pytest.raises(SaltInvocationError):
+        zypper.add_repo_key(path="path", text="text")
+
+
+def test_add_repo_key_path():
+    salt_mock = {
+        "cp.cache_file": MagicMock(return_value="path"),
+        "lowpkg.import_gpg_key": MagicMock(return_value=True),
+    }
+    with patch("salt.utils.files.fopen", mock_open(read_data="text")), patch.dict(
+        zypper.__salt__, salt_mock
+    ):
+        assert zypper.add_repo_key(path="path", root="/mnt")
+        salt_mock["cp.cache_file"].assert_called_once_with("path", "base")
+        salt_mock["lowpkg.import_gpg_key"].assert_called_once_with("text", "/mnt")
+
+
+def test_add_repo_key_text():
+    salt_mock = {"lowpkg.import_gpg_key": MagicMock(return_value=True)}
+    with patch.dict(zypper.__salt__, salt_mock):
+        assert zypper.add_repo_key(text="text", root="/mnt")
+        salt_mock["lowpkg.import_gpg_key"].assert_called_once_with("text", "/mnt")
+
+
+def test_del_repo_key():
+    salt_mock = {"lowpkg.remove_gpg_key": MagicMock(return_value=True)}
+    with patch.dict(zypper.__salt__, salt_mock):
+        assert zypper.del_repo_key(keyid="keyid", root="/mnt")
+        salt_mock["lowpkg.remove_gpg_key"].assert_called_once_with("keyid", "/mnt")
diff --git a/tests/pytests/unit/states/test_pkgrepo.py b/tests/pytests/unit/states/test_pkgrepo.py
index c572583d19..5f540bd245 100644
--- a/tests/pytests/unit/states/test_pkgrepo.py
+++ b/tests/pytests/unit/states/test_pkgrepo.py
@@ -72,3 +72,451 @@ def test_managed_insecure_key():
             ret["comment"]
             == "Cannot have 'key_url' using http with 'allow_insecure_key' set to True"
         )
+
+
+def test__normalize_repo_suse():
+    repo = {
+        "name": "repo name",
+        "autorefresh": True,
+        "priority": 0,
+        "pkg_gpgcheck": True,
+    }
+    grains = {"os_family": "Suse"}
+    with patch.dict(pkgrepo.__grains__, grains):
+        assert pkgrepo._normalize_repo(repo) == {
+            "humanname": "repo name",
+            "refresh": True,
+            "priority": 0,
+        }
+
+
+def test__normalize_key_rpm():
+    key = {"Description": "key", "Date": "Date", "Other": "Other"}
+    for os_family in ("Suse", "RedHat"):
+        grains = {"os_family": os_family}
+        with patch.dict(pkgrepo.__grains__, grains):
+            assert pkgrepo._normalize_key(key) == {"key": "key"}
+
+
+def test__repos_keys_migrate_drop_migrate_to_empty():
+    src_repos = {
+        "repo-1": {
+            "name": "repo name 1",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": True,
+        },
+        "repo-2": {
+            "name": "repo name 2",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": False,
+        },
+    }
+    tgt_repos = {}
+
+    src_keys = {
+        "key1": {"Description": "key1", "Other": "Other1"},
+        "key2": {"Description": "key2", "Other": "Other2"},
+    }
+    tgt_keys = {}
+
+    grains = {"os_family": "Suse"}
+    salt_mock = {
+        "pkg.list_repos": MagicMock(side_effect=[src_repos, tgt_repos]),
+        "lowpkg.list_gpg_keys": MagicMock(side_effect=[src_keys, tgt_keys]),
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        assert pkgrepo._repos_keys_migrate_drop("/mnt", False, False) == (
+            {
+                (
+                    "repo-1",
+                    (
+                        ("humanname", "repo name 1"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+                (
+                    "repo-2",
+                    (
+                        ("humanname", "repo name 2"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            set(),
+            set(),
+            set(),
+        )
+
+
+def test__repos_keys_migrate_drop_migrate_to_empty_keys():
+    src_repos = {
+        "repo-1": {
+            "name": "repo name 1",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": True,
+        },
+        "repo-2": {
+            "name": "repo name 2",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": False,
+        },
+    }
+    tgt_repos = {}
+
+    src_keys = {
+        "key1": {"Description": "key1", "Other": "Other1"},
+        "key2": {"Description": "key2", "Other": "Other2"},
+    }
+    tgt_keys = {}
+
+    grains = {"os_family": "Suse"}
+    salt_mock = {
+        "pkg.list_repos": MagicMock(side_effect=[src_repos, tgt_repos]),
+        "lowpkg.list_gpg_keys": MagicMock(side_effect=[src_keys, tgt_keys]),
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        assert pkgrepo._repos_keys_migrate_drop("/mnt", True, False) == (
+            {
+                (
+                    "repo-1",
+                    (
+                        ("humanname", "repo name 1"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+                (
+                    "repo-2",
+                    (
+                        ("humanname", "repo name 2"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            set(),
+            {("key1", (("key", "key1"),)), ("key2", (("key", "key2"),))},
+            set(),
+        )
+
+
+def test__repos_keys_migrate_drop_migrate_to_populated_no_drop():
+    src_repos = {
+        "repo-1": {
+            "name": "repo name 1",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": True,
+        },
+        "repo-2": {
+            "name": "repo name 2",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": False,
+        },
+    }
+    tgt_repos = {
+        "repo-1": {
+            "name": "repo name 1",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": True,
+        },
+        "repo-3": {
+            "name": "repo name 3",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": False,
+        },
+    }
+
+    src_keys = {
+        "key1": {"Description": "key1", "Other": "Other1"},
+        "key2": {"Description": "key2", "Other": "Other2"},
+    }
+    tgt_keys = {
+        "key1": {"Description": "key1", "Other": "Other1"},
+        "key3": {"Description": "key3", "Other": "Other2"},
+    }
+
+    grains = {"os_family": "Suse"}
+    salt_mock = {
+        "pkg.list_repos": MagicMock(side_effect=[src_repos, tgt_repos]),
+        "lowpkg.list_gpg_keys": MagicMock(side_effect=[src_keys, tgt_keys]),
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        assert pkgrepo._repos_keys_migrate_drop("/mnt", True, False) == (
+            {
+                (
+                    "repo-2",
+                    (
+                        ("humanname", "repo name 2"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            set(),
+            {("key2", (("key", "key2"),))},
+            set(),
+        )
+
+
+def test__repos_keys_migrate_drop_migrate_to_populated_drop():
+    src_repos = {
+        "repo-1": {
+            "name": "repo name 1",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": True,
+        },
+        "repo-2": {
+            "name": "repo name 2",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": False,
+        },
+    }
+    tgt_repos = {
+        "repo-1": {
+            "name": "repo name 1",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": True,
+        },
+        "repo-3": {
+            "name": "repo name 3",
+            "autorefresh": True,
+            "priority": 0,
+            "pkg_gpgcheck": False,
+        },
+    }
+
+    src_keys = {
+        "key1": {"Description": "key1", "Other": "Other1"},
+        "key2": {"Description": "key2", "Other": "Other2"},
+    }
+    tgt_keys = {
+        "key1": {"Description": "key1", "Other": "Other1"},
+        "key3": {"Description": "key3", "Other": "Other2"},
+    }
+
+    grains = {"os_family": "Suse"}
+    salt_mock = {
+        "pkg.list_repos": MagicMock(side_effect=[src_repos, tgt_repos]),
+        "lowpkg.list_gpg_keys": MagicMock(side_effect=[src_keys, tgt_keys]),
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        assert pkgrepo._repos_keys_migrate_drop("/mnt", True, True) == (
+            {
+                (
+                    "repo-2",
+                    (
+                        ("humanname", "repo name 2"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            {
+                (
+                    "repo-3",
+                    (
+                        ("humanname", "repo name 3"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            {("key2", (("key", "key2"),))},
+            {("key3", (("key", "key3"),))},
+        )
+
+
+@pytest.mark.skip_on_windows(reason="Not a Windows test")
+def test__copy_repository_to_suse():
+    grains = {"os_family": "Suse"}
+    salt_mock = {"file.copy": MagicMock()}
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        pkgrepo._copy_repository_to("/mnt")
+        salt_mock["file.copy"].assert_called_with(
+            src="/etc/zypp/repos.d", dst="/mnt/etc/zypp/repos.d", recurse=True
+        )
+
+
+def test_migrated_non_supported_platform():
+    grains = {"os_family": "Debian"}
+    with patch.dict(pkgrepo.__grains__, grains):
+        assert pkgrepo.migrated("/mnt") == {
+            "name": "/mnt",
+            "result": False,
+            "changes": {},
+            "comment": "Migration not supported for this platform",
+        }
+
+
+def test_migrated_missing_keys_api():
+    grains = {"os_family": "Suse"}
+    with patch.dict(pkgrepo.__grains__, grains):
+        assert pkgrepo.migrated("/mnt") == {
+            "name": "/mnt",
+            "result": False,
+            "changes": {},
+            "comment": "Keys cannot be migrated for this platform",
+        }
+
+
+def test_migrated_wrong_method():
+    grains = {"os_family": "Suse"}
+    salt_mock = {
+        "lowpkg.import_gpg_key": True,
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        assert pkgrepo.migrated("/mnt", method_="magic") == {
+            "name": "/mnt",
+            "result": False,
+            "changes": {},
+            "comment": "Migration method not supported",
+        }
+
+
+@patch(
+    "salt.states.pkgrepo._repos_keys_migrate_drop",
+    MagicMock(return_value=(set(), set(), set(), set())),
+)
+def test_migrated_empty():
+    grains = {"os_family": "Suse"}
+    salt_mock = {
+        "lowpkg.import_gpg_key": True,
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__salt__, salt_mock
+    ):
+        assert pkgrepo.migrated("/mnt") == {
+            "name": "/mnt",
+            "result": True,
+            "changes": {},
+            "comment": "Repositories are already migrated",
+        }
+
+
+def test_migrated():
+    _repos_keys_migrate_drop = MagicMock()
+    _repos_keys_migrate_drop.side_effect = [
+        (
+            {
+                (
+                    "repo-1",
+                    (
+                        ("humanname", "repo name 1"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            {
+                (
+                    "repo-2",
+                    (
+                        ("humanname", "repo name 2"),
+                        ("priority", 0),
+                        ("refresh", True),
+                    ),
+                ),
+            },
+            {("key1", (("key", "key1"),))},
+            {("key2", (("key", "key2"),))},
+        ),
+        (set(), set(), set(), set()),
+    ]
+
+    grains = {"os_family": "Suse"}
+    opts = {"test": False}
+    salt_mock = {
+        "pkg.mod_repo": MagicMock(),
+        "pkg.del_repo": MagicMock(),
+        "lowpkg.import_gpg_key": MagicMock(),
+        "lowpkg.remove_gpg_key": MagicMock(),
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__opts__, opts
+    ), patch.dict(pkgrepo.__salt__, salt_mock), patch(
+        "salt.states.pkgrepo._repos_keys_migrate_drop", _repos_keys_migrate_drop
+    ):
+        assert pkgrepo.migrated("/mnt", True, True) == {
+            "name": "/mnt",
+            "result": True,
+            "changes": {
+                "repos migrated": ["repo-1"],
+                "repos dropped": ["repo-2"],
+                "keys migrated": ["key1"],
+                "keys dropped": ["key2"],
+            },
+            "comment": "Repositories synchronized",
+        }
+        salt_mock["pkg.mod_repo"].assert_called_with(
+            "repo-1", humanname="repo name 1", priority=0, refresh=True, root="/mnt"
+        )
+        salt_mock["pkg.del_repo"].assert_called_with("repo-2", root="/mnt")
+        salt_mock["lowpkg.import_gpg_key"].assert_called_with("key1", root="/mnt")
+        salt_mock["lowpkg.remove_gpg_key"].assert_called_with("key2", root="/mnt")
+
+
+def test_migrated_test():
+    _repos_keys_migrate_drop = MagicMock()
+    _repos_keys_migrate_drop.return_value = (
+        {
+            (
+                "repo-1",
+                (("humanname", "repo name 1"), ("priority", 0), ("refresh", True)),
+            ),
+        },
+        {
+            (
+                "repo-2",
+                (("humanname", "repo name 2"), ("priority", 0), ("refresh", True)),
+            ),
+        },
+        {("key1", (("key", "key1"),))},
+        {("key2", (("key", "key2"),))},
+    )
+
+    grains = {"os_family": "Suse"}
+    opts = {"test": True}
+    salt_mock = {
+        "lowpkg.import_gpg_key": True,
+    }
+    with patch.dict(pkgrepo.__grains__, grains), patch.dict(
+        pkgrepo.__opts__, opts
+    ), patch.dict(pkgrepo.__salt__, salt_mock), patch(
+        "salt.states.pkgrepo._repos_keys_migrate_drop", _repos_keys_migrate_drop
+    ):
+        assert pkgrepo.migrated("/mnt", True, True) == {
+            "name": "/mnt",
+            "result": None,
+            "changes": {
+                "repos to migrate": ["repo-1"],
+                "repos to drop": ["repo-2"],
+                "keys to migrate": ["key1"],
+                "keys to drop": ["key2"],
+            },
+            "comment": "There are keys or repositories to migrate or drop",
+        }
-- 
2.39.2


openSUSE Build Service is sponsored by