From 6935bfeb373c28a5416d7f6dfbbc4d0e248ae4ce Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 12:58:20 -0400 Subject: [PATCH 01/31] Start standardizing parameters --- postman-api/parameters/defaults.yaml | 15 +++++---------- postman-api/parameters/os_family/RedHat.yaml | 7 +++++-- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index 11a6b16..8827ace 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -5,14 +5,9 @@ --- values: pkg: - name: postman-api - rootgroup: root - config: '/etc/postman-api' - service: - name: postman-api - subcomponent: - config: '/etc/postman-api-subcomponent-formula.conf' - # Just here for testing - added_in_defaults: defaults_value - winner: defaults + name: 'postman-api' + download_uri: '' + download_sig: '' + config: {} + service: {} ... diff --git a/postman-api/parameters/os_family/RedHat.yaml b/postman-api/parameters/os_family/RedHat.yaml index e6bc65b..842eeab 100644 --- a/postman-api/parameters/os_family/RedHat.yaml +++ b/postman-api/parameters/os_family/RedHat.yaml @@ -13,6 +13,9 @@ --- values: pkg: - name: postman-api-redhat - config: /etc/postman-api.conf + name: 'postman-api' + download_uri: 'https://dl.pstmn.io/download/latest/linux_64' + download_sig: '' + config: {} + service: {} ... From f12077c4a27c431d85f5eaf14677a56804889469 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 12:59:01 -0400 Subject: [PATCH 02/31] Get rid of template's irellevant state-components --- postman-api/clean.sls | 2 -- postman-api/init.sls | 2 -- 2 files changed, 4 deletions(-) diff --git a/postman-api/clean.sls b/postman-api/clean.sls index 9e45fb4..0fba65d 100644 --- a/postman-api/clean.sls +++ b/postman-api/clean.sls @@ -2,7 +2,5 @@ # vim: ft=sls include: - - .subcomponent.clean - - .service.clean - .config.clean - .package.clean diff --git a/postman-api/init.sls b/postman-api/init.sls index 275d1fc..717b68e 100644 --- a/postman-api/init.sls +++ b/postman-api/init.sls @@ -4,5 +4,3 @@ include: - .package - .config - - .service - - .subcomponent From 022b675bdd3941a1597f50ba22fb5b792a5e7afe Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 13:32:26 -0400 Subject: [PATCH 03/31] Start stubbing out functionality --- postman-api/config/lin_clean.sls | 0 postman-api/config/lin_file.sls | 0 postman-api/config/win_clean.sls | 0 postman-api/config/win_file.sls | 0 postman-api/package/lin_clean.sls | 0 postman-api/package/lin_install.sls | 22 ++++++++++++++++++++++ postman-api/package/win_clean.sls | 0 postman-api/package/win_install.sls | 0 8 files changed, 22 insertions(+) create mode 100644 postman-api/config/lin_clean.sls create mode 100644 postman-api/config/lin_file.sls create mode 100644 postman-api/config/win_clean.sls create mode 100644 postman-api/config/win_file.sls create mode 100644 postman-api/package/lin_clean.sls create mode 100644 postman-api/package/lin_install.sls create mode 100644 postman-api/package/win_clean.sls create mode 100644 postman-api/package/win_install.sls diff --git a/postman-api/config/lin_clean.sls b/postman-api/config/lin_clean.sls new file mode 100644 index 0000000..e69de29 diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls new file mode 100644 index 0000000..e69de29 diff --git a/postman-api/config/win_clean.sls b/postman-api/config/win_clean.sls new file mode 100644 index 0000000..e69de29 diff --git a/postman-api/config/win_file.sls b/postman-api/config/win_file.sls new file mode 100644 index 0000000..e69de29 diff --git a/postman-api/package/lin_clean.sls b/postman-api/package/lin_clean.sls new file mode 100644 index 0000000..e69de29 diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls new file mode 100644 index 0000000..85ec056 --- /dev/null +++ b/postman-api/package/lin_install.sls @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} + +Extract Postman Archive: + archive.extracted: + - archive_format: 'tar' + - enforce_toplevel: False + - group: root + - keep_source: False + - name: /opt + {%- if postman_api.pkg.download_sig %} + - source: '{{ postman_api.pkg.download_uri }}' + - source_hash: '{{ postman_api.pkg.download_sig }}' + {%- else %} + - skip_verify: True + - source: '{{ postman_api.pkg.download_uri }}' + {%- endif %} + - user: root diff --git a/postman-api/package/win_clean.sls b/postman-api/package/win_clean.sls new file mode 100644 index 0000000..e69de29 diff --git a/postman-api/package/win_install.sls b/postman-api/package/win_install.sls new file mode 100644 index 0000000..e69de29 From 3bbe6247041ccc3963fa96c5356f8212d8d73450 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 13:38:43 -0400 Subject: [PATCH 04/31] Fix release-date --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1b42ed..09f95bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p ### 0.0.1 -**Released**: 2026.05.22 +**Released**: 2026.06.01 **Summary**: From aa9af06f2979b6607b43c82f20ecfb6b348d48ae Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 13:57:47 -0400 Subject: [PATCH 05/31] Account for RPM dependencies --- postman-api/package/lin_install.sls | 53 +++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index 85ec056..7785814 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -5,13 +5,23 @@ {%- set tplroot = tpldir.split('/')[0] %} {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} +Create Postman Symlink: + file.symlink: + - force: True + - name: '/usr/local/bin/postman' + - require: + - archive: 'Extract Postman Archive' + - target: '/opt/Postman/Postman' + Extract Postman Archive: archive.extracted: - archive_format: 'tar' - enforce_toplevel: False - - group: root + - group: 'root' - keep_source: False - - name: /opt + - name: '/opt' + - require: + - pkg: 'Install Postman Dependencies' {%- if postman_api.pkg.download_sig %} - source: '{{ postman_api.pkg.download_uri }}' - source_hash: '{{ postman_api.pkg.download_sig }}' @@ -20,3 +30,42 @@ Extract Postman Archive: - source: '{{ postman_api.pkg.download_uri }}' {%- endif %} - user: root + +Install Postman Dependencies: + pkg.installed: + - pkgs: + - alsa-lib + - at-spi2-atk + - at-spi2-core + - atk + - cairo + - cups-libs + - dbus-glib + - dejavu-sans-fonts + - gdk-pixbuf2 + - gtk3 + - libX11 + - libX11-xcb + - libXScrnSaver + - libXcomposite + - libXcursor + - libXdamage + - libXext + - libXfixes + - libXi + - libXrandr + - libXrender + - libXtst + - libdrm + - libsecret + - libva + - libxcb + - libxkbcommon + - libxshmfence + - mesa-libgbm + - nspr + - nss + - nss-tools + - pango + - vulkan-loader + - xorg-x11-xauth From 602ee07f087eb438e858af026704a341b47c75c6 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 14:17:11 -0400 Subject: [PATCH 06/31] Change symlink to wrapper Note: the runtime fails because the 12.x series of Postman builds are compiled against a newer compiler version workspace (such as GCC 12+ on Ubuntu 22.04), which implements the C++ standard library symbol version GLIBCXX_3.4.30. Standard RHEL 9 ships natively with GCC 11, which only implements symbol mappings up to GLIBCXX_3.4.29 inside the default /lib64/libstdc++.so.6 library engine. Using wrapper allow passing the application the correct guidance for GLIBC-usage --- postman-api/package/lin_install.sls | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index 7785814..ad851fc 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -5,13 +5,19 @@ {%- set tplroot = tpldir.split('/')[0] %} {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} -Create Postman Symlink: - file.symlink: - - force: True +Deploy Postman Wrapper Script: + file.managed: + - contents: | + #!/bin/bash + RHLIB="/opt/rh/gcc-toolset-13/root/usr/lib64" + export LD_LIBRARY_PATH="$RHLIB:${LD_LIBRARY_PATH:-}" + exec /opt/Postman/Postman "$@" + - group: 'root' + - mode: '0755' - name: '/usr/local/bin/postman' - require: - archive: 'Extract Postman Archive' - - target: '/opt/Postman/Postman' + - user: 'root' Extract Postman Archive: archive.extracted: @@ -42,6 +48,7 @@ Install Postman Dependencies: - cups-libs - dbus-glib - dejavu-sans-fonts + - gcc-toolset-13-runtime - gdk-pixbuf2 - gtk3 - libX11 From 9fe5a7f220a3942b1792abf135484c5ce4708b31 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 14:48:19 -0400 Subject: [PATCH 07/31] Switch to templated "os_family" logic --- postman-api/parameters/os_family/RedHat.yaml | 21 ------------------- .../parameters/os_family/RedHat.yaml.jinja | 17 +++++++++++++++ 2 files changed, 17 insertions(+), 21 deletions(-) delete mode 100644 postman-api/parameters/os_family/RedHat.yaml create mode 100644 postman-api/parameters/os_family/RedHat.yaml.jinja diff --git a/postman-api/parameters/os_family/RedHat.yaml b/postman-api/parameters/os_family/RedHat.yaml deleted file mode 100644 index 842eeab..0000000 --- a/postman-api/parameters/os_family/RedHat.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml -# -# Set values specific to: -# salt['config.get']('os_family') == RedHat. -# -# You just need to add the key:values for this `os_family` that differ -# from `defaults.yaml` + `.yaml`. -# -# If you do not need to provide defaults via the `os_family` config, -# you can remove this file or provide at least an empty dict, e.g. -# values: {} ---- -values: - pkg: - name: 'postman-api' - download_uri: 'https://dl.pstmn.io/download/latest/linux_64' - download_sig: '' - config: {} - service: {} -... diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja new file mode 100644 index 0000000..a81a5b6 --- /dev/null +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +# +# Set values specific to the RedHat family based on OS major version. +--- +values: + config: {} + pkg: + download_sig: '' + {%- if salt['grains.get']('osmajorrelease') | int == 9 %} + download_uri: 'https://dl.pstmn.io/download/version/10.24.26/linux64' + {%- else %} + download_uri: 'https://dl.pstmn.io/download/latest/linux_64' + {%- endif %} + name: 'postman-api' + service: {} +... From 8540c7c9162de07b348c612da3487f3e8fd7ce20 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 14:49:00 -0400 Subject: [PATCH 08/31] Get rid of redundant RPM RHEL 9 requires back-rev Postman version: * Obviates the need for the `gcc-toolset-13-runtime` RPM * Obviates the need to try to use a wrapper (return to using a symlink) --- postman-api/package/lin_install.sls | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index ad851fc..7785814 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -5,19 +5,13 @@ {%- set tplroot = tpldir.split('/')[0] %} {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} -Deploy Postman Wrapper Script: - file.managed: - - contents: | - #!/bin/bash - RHLIB="/opt/rh/gcc-toolset-13/root/usr/lib64" - export LD_LIBRARY_PATH="$RHLIB:${LD_LIBRARY_PATH:-}" - exec /opt/Postman/Postman "$@" - - group: 'root' - - mode: '0755' +Create Postman Symlink: + file.symlink: + - force: True - name: '/usr/local/bin/postman' - require: - archive: 'Extract Postman Archive' - - user: 'root' + - target: '/opt/Postman/Postman' Extract Postman Archive: archive.extracted: @@ -48,7 +42,6 @@ Install Postman Dependencies: - cups-libs - dbus-glib - dejavu-sans-fonts - - gcc-toolset-13-runtime - gdk-pixbuf2 - gtk3 - libX11 From 27b6f150733675a59211f108917fe4f7188777c9 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 15:13:21 -0400 Subject: [PATCH 09/31] Back to using a wrapper * Using wrapper allows suppressing unwanted diagnostic outputs * Using wrapper allows suppressing attempts to use GPU if calling user is coming in via an SSH tunnel (rather than using the full graphical desktop experience) --- postman-api/package/lin_install.sls | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index 7785814..2eb1270 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -5,13 +5,24 @@ {%- set tplroot = tpldir.split('/')[0] %} {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} -Create Postman Symlink: - file.symlink: - - force: True +Deploy Postman Wrapper Script: + file.managed: + - contents: | + #!/bin/bash + FLAGS=("--log-level=3") + # Disable GPU if connected via SSH or an X11 tunnel + if [ -n "$SSH_CLIENT" ] || \ + [ -n "$SSH_TTY" ] || \ + [[ "$DISPLAY" =~ ^localhost ]]; then + FLAGS+=("--disable-gpu") + fi + exec /opt/Postman/Postman "${FLAGS[@]}" "$@" 2>/dev/null + - group: 'root' + - mode: '0755' - name: '/usr/local/bin/postman' - require: - archive: 'Extract Postman Archive' - - target: '/opt/Postman/Postman' + - user: 'root' Extract Postman Archive: archive.extracted: @@ -68,4 +79,5 @@ Install Postman Dependencies: - nss-tools - pango - vulkan-loader + - xdg-utils - xorg-x11-xauth From b9c912cb53505f65c7407bcbe549c4d687b1bae5 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 15:23:13 -0400 Subject: [PATCH 10/31] RHEL 9 req. Postman < 11.x --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index a791bf9..fba9846 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,10 @@ Executes _just_ the `config` state to uninstall the Postman API client-configura ## Compatibility Notes: +### Linux + +1. Due to library compatibilities, the installable version of Postman on RHEL 9 (and derivatives) is constrained to < `11.x`. This formula defaults the RHEL 9 (and derivatives) installation to Postman version `10.24.26` + [^1]: As of this README's writing, only Enterprise Linux and related distros (Red Hat and Oracle Enterprise, CentOS Stream, Rocky and Alma Linux). It has only been specifically tested with EL **_9_** variants. [^2]: As of this README's writing, this functionality has only been tested on Windows Server 2022 From 63f0257c31e8dc1dd424b595051d7877a1c12ba2 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Mon, 1 Jun 2026 15:35:26 -0400 Subject: [PATCH 11/31] Locating older Postman versions --- README_backrevs.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 README_backrevs.md diff --git a/README_backrevs.md b/README_backrevs.md new file mode 100644 index 0000000..7ea0481 --- /dev/null +++ b/README_backrevs.md @@ -0,0 +1,35 @@ +# How to Find/Install back-rev versions + +It is primarily expected that this formula will be used to install the "latest and greatest" version of the Postman API application from the vendor's web-site. If, however, a site requires the ability to install a specific — and almost certainly "back rev" — version of the Postman API application, it will be necessary to step through some hoops to find the desired download URL. + +## Identifying available point-releases + +To grab an exhustive list of available Postman versions, execute: + +```bash +$ curl -sL "https://dl.pstmn.io/changelog?channel=stable&platform=linux" | \ +tr '"' '\n' | \ +grep -oE '^[0-9]+\.[0-9]+\.[0-9]+' | \ +sort -rV | \ +uniq +``` + +As mentioned in the main README file's notes for Linux, RHEL 9 distros require a Postman version less than `11.x` + +## Constructing the download URL + +To fetch an arbitrary Postman version from the Vendor's download-service, you will need to construct an appropriate URL path. The general URL path will look like: + +``` + https://dl.pstmn.io/download/version//' +``` + +* The value of `` is as taken from the list output from the BASH scriptlet in the preceding, "Identifying available point-releases", section. +* The value of `` will be either of + * `linux64` for Linux distributions using the x86_64 CPU-architecture + * `windows` for all Windows versions + +By way of example: + +* The URL `https://dl.pstmn.io/download/version/10.24.26/linux64` would be used to pull Postman `10.24.26` for Linux distros +* The URL `https://dl.pstmn.io/download/version/12.12.5/windows` would be used to pull Postman `12.12.5` for Windows systems From da803a5fd566a4dc72a922673dea521070b3e959 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 07:17:29 -0400 Subject: [PATCH 12/31] Add "user-readiness" config-handles --- postman-api/parameters/defaults.yaml | 10 +++++++--- postman-api/parameters/os_family/RedHat.yaml.jinja | 6 +++++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index 8827ace..603a4dc 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -4,10 +4,14 @@ # Set default values. --- values: + config: + desktop_entry: '' + icon_source: '' + install_root: '' + wrapper_bin: '' pkg: - name: 'postman-api' - download_uri: '' download_sig: '' - config: {} + download_uri: '' + name: 'postman-api' service: {} ... diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja index a81a5b6..ec50677 100644 --- a/postman-api/parameters/os_family/RedHat.yaml.jinja +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -4,7 +4,11 @@ # Set values specific to the RedHat family based on OS major version. --- values: - config: {} + config: + desktop_entry: '/usr/share/applications/postman.desktop' + icon_source: '/app/resources/app/assets/icon.png' + install_root: '/opt/Postman' + wrapper_bin: '/usr/local/bin/postman' pkg: download_sig: '' {%- if salt['grains.get']('osmajorrelease') | int == 9 %} From e34647989db28717d5f4fb110ceb8bae692e018c Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 07:21:30 -0400 Subject: [PATCH 13/31] Create desktop-shortcut/launcher-icon --- postman-api/config/lin_file.sls | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index e69de29..5c4b06d 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -0,0 +1,25 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} +{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %} + +{%- set shortcut_sources = files_switch( + ['postman.desktop', 'postman.desktop.jinja'], + lookup='Configure Postman Desktop Shortcut' + ) +%} + +Configure Postman Desktop Shortcut: + file.managed: + - context: + postman_api: {{ postman_api | json }} + - group: 'root' + - makedirs: True + - mode: '0644' + - name: {{ postman_api.config.desktop_entry }} + - source: {{ shortcut_sources }} + - template: 'jinja' + - user: 'root' From 57047a604a61cb36ce711b84d01fc2383ddc7ce3 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 08:00:00 -0400 Subject: [PATCH 14/31] Add templated postman.desktop file-content --- postman-api/files/default/postman.desktop.jinja | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 postman-api/files/default/postman.desktop.jinja diff --git a/postman-api/files/default/postman.desktop.jinja b/postman-api/files/default/postman.desktop.jinja new file mode 100644 index 0000000..4dcda81 --- /dev/null +++ b/postman-api/files/default/postman.desktop.jinja @@ -0,0 +1,8 @@ +[Desktop Entry] +Categories=Development; +Comment=Postman API Platform +Exec={{ postman_api.config.wrapper_bin }} +Icon={{ postman_api.config.install_root }}{{ postman_api.config.icon_source }} +Name=Postman +Terminal=false +Type=Application From 60c1d22357b64149c828a2bdefd9a82a529c1fb8 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 08:26:04 -0400 Subject: [PATCH 15/31] Extend for update-management --- postman-api/files/default/postman.desktop.jinja | 3 ++- postman-api/parameters/defaults.yaml | 1 + postman-api/parameters/os_family/RedHat.yaml.jinja | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/postman-api/files/default/postman.desktop.jinja b/postman-api/files/default/postman.desktop.jinja index 4dcda81..6b1b9f0 100644 --- a/postman-api/files/default/postman.desktop.jinja +++ b/postman-api/files/default/postman.desktop.jinja @@ -1,8 +1,9 @@ [Desktop Entry] Categories=Development; Comment=Postman API Platform -Exec={{ postman_api.config.wrapper_bin }} +Exec={{ postman_api.config.wrapper_bin }} %u Icon={{ postman_api.config.install_root }}{{ postman_api.config.icon_source }} +MimeType=x-scheme-handler/postman; Name=Postman Terminal=false Type=Application diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index 603a4dc..eb29f41 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -8,6 +8,7 @@ values: desktop_entry: '' icon_source: '' install_root: '' + update_mime_database: '' wrapper_bin: '' pkg: download_sig: '' diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja index ec50677..5acc944 100644 --- a/postman-api/parameters/os_family/RedHat.yaml.jinja +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -8,6 +8,7 @@ values: desktop_entry: '/usr/share/applications/postman.desktop' icon_source: '/app/resources/app/assets/icon.png' install_root: '/opt/Postman' + update_mime_database: '/usr/bin/update-desktop-database' wrapper_bin: '/usr/local/bin/postman' pkg: download_sig: '' From 7144e06b1168b3e042b44d79fd5cebd5b8e54fc8 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 08:26:49 -0400 Subject: [PATCH 16/31] Enable deep linking --- postman-api/config/lin_file.sls | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index 5c4b06d..277dc94 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -6,12 +6,6 @@ {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} {%- from tplroot ~ "/libtofs.jinja" import files_switch with context %} -{%- set shortcut_sources = files_switch( - ['postman.desktop', 'postman.desktop.jinja'], - lookup='Configure Postman Desktop Shortcut' - ) -%} - Configure Postman Desktop Shortcut: file.managed: - context: @@ -20,6 +14,14 @@ Configure Postman Desktop Shortcut: - makedirs: True - mode: '0644' - name: {{ postman_api.config.desktop_entry }} - - source: {{ shortcut_sources }} + - source: +{{ files_switch(['postman.desktop', 'postman.desktop.jinja'], + lookup='desktop_shortcut') }} - template: 'jinja' - user: 'root' + +Register Protocol Deep Linking: + cmd.run: + - name: '{{ postman_api.config.update_mime_database }} /usr/share/applications' + - onchanges: + - file: 'Configure Postman Desktop Shortcut' From 80f040ba9fd67f17687da12fd0b7d3c912ffb9a4 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 08:55:30 -0400 Subject: [PATCH 17/31] Extend overrideable defaults --- postman-api/parameters/defaults.yaml | 3 +++ postman-api/parameters/os_family/RedHat.yaml.jinja | 3 +++ 2 files changed, 6 insertions(+) diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index eb29f41..e1222bc 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -8,7 +8,10 @@ values: desktop_entry: '' icon_source: '' install_root: '' + sandbox_enabled: true + selinux_restorecon: false update_mime_database: '' + whitelist_enabled: false wrapper_bin: '' pkg: download_sig: '' diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja index 5acc944..54cb173 100644 --- a/postman-api/parameters/os_family/RedHat.yaml.jinja +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -8,7 +8,10 @@ values: desktop_entry: '/usr/share/applications/postman.desktop' icon_source: '/app/resources/app/assets/icon.png' install_root: '/opt/Postman' + sandbox_enabled: false + selinux_restorecon: true update_mime_database: '/usr/bin/update-desktop-database' + whitelist_enabled: true wrapper_bin: '/usr/local/bin/postman' pkg: download_sig: '' From 598ead5a546e6d5b91c1daa0f293a670efa1d367 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 08:57:48 -0400 Subject: [PATCH 18/31] Try to account for fapolicyd, etc. --- postman-api/config/lin_file.sls | 42 +++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index 277dc94..708f569 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -20,8 +20,50 @@ Configure Postman Desktop Shortcut: - template: 'jinja' - user: 'root' +{%- if postman_api.config.get('whitelist_enabled', False) %} +Configure Whitelist Daemon Policy: + file.managed: + - contents: | + # Allow execution of system-wide Postman binaries and libraries + allow perm=any uid=all : dir={{ postman_api.config.install_root }}/ + allow perm=any uid=all : path={{ postman_api.config.wrapper_bin }} + - group: 'root' + - makedirs: True + - mode: '0644' + - name: '/etc/fapolicyd/rules.d/95-postman.rules' + - user: 'root' +{%- endif %} + +{%- if postman_api.config.get('whitelist_enabled', False) %} +Refresh Whitelist Daemon Database: + cmd.run: + - name: 'fapolicyd-cli --update' + - onchanges: + - file: 'Configure Whitelist Daemon Policy' +{%- endif %} + Register Protocol Deep Linking: cmd.run: - name: '{{ postman_api.config.update_mime_database }} /usr/share/applications' - onchanges: - file: 'Configure Postman Desktop Shortcut' + +{%- if postman_api.config.get('selinux_restorecon', False) %} +{%- set root_path = postman_api.config.install_root %} +{%- set wrap_path = postman_api.config.wrapper_bin %} +Restore SELinux Security Contexts: + cmd.run: + - name: 'restorecon -R {{ root_path }} {{ wrap_path }}' + - onchanges: + - file: 'Configure Postman Desktop Shortcut' +{%- endif %} + +Suppress Automatic Updates Globally: + file.managed: + - contents: | + # Suppress automatic update background downloads for Postman + export POSTMAN_DISABLE_AUTO_UPDATES=true + - group: 'root' + - mode: '0644' + - name: '/etc/profile.d/postman_enterprise.sh' + - user: 'root' From 11a0ac975188486c3ab9efa4a0a9c338f0ac8d6f Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 09:01:33 -0400 Subject: [PATCH 19/31] Account for SELinux --- postman-api/config/lin_file.sls | 16 +++++++++++++++- postman-api/parameters/defaults.yaml | 2 +- .../parameters/os_family/RedHat.yaml.jinja | 2 +- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index 708f569..2ec9d9b 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -6,6 +6,9 @@ {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} {%- from tplroot ~ "/libtofs.jinja" import files_switch with context %} +{#- Dynamically check if the host has the SELinux kernel subsystem live #} +{%- set selinux_live = salt['grains.get']('selinux:enabled', False) %} + Configure Postman Desktop Shortcut: file.managed: - context: @@ -20,6 +23,14 @@ Configure Postman Desktop Shortcut: - template: 'jinja' - user: 'root' +{%- if selinux_live and postman_api.config.get('selinux_fcontext', False) %} +Configure Postman SELinux File Contexts: + selinux.fcontext_policy_present: + - filetype: 'a' + - name: '{{ postman_api.config.install_root }}(/.*)?' + - sel_type: {{ postman_api.config.selinux_fcontext }} +{%- endif %} + {%- if postman_api.config.get('whitelist_enabled', False) %} Configure Whitelist Daemon Policy: file.managed: @@ -48,7 +59,7 @@ Register Protocol Deep Linking: - onchanges: - file: 'Configure Postman Desktop Shortcut' -{%- if postman_api.config.get('selinux_restorecon', False) %} +{%- if selinux_live %} {%- set root_path = postman_api.config.install_root %} {%- set wrap_path = postman_api.config.wrapper_bin %} Restore SELinux Security Contexts: @@ -56,6 +67,9 @@ Restore SELinux Security Contexts: - name: 'restorecon -R {{ root_path }} {{ wrap_path }}' - onchanges: - file: 'Configure Postman Desktop Shortcut' + {%- if postman_api.config.get('selinux_fcontext', False) %} + - selinux: 'Configure Postman SELinux File Contexts' + {%- endif %} {%- endif %} Suppress Automatic Updates Globally: diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index e1222bc..90849a6 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -9,7 +9,7 @@ values: icon_source: '' install_root: '' sandbox_enabled: true - selinux_restorecon: false + selinux_fcontext: '' update_mime_database: '' whitelist_enabled: false wrapper_bin: '' diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja index 54cb173..32352ad 100644 --- a/postman-api/parameters/os_family/RedHat.yaml.jinja +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -9,7 +9,7 @@ values: icon_source: '/app/resources/app/assets/icon.png' install_root: '/opt/Postman' sandbox_enabled: false - selinux_restorecon: true + selinux_fcontext: 'usr_t' update_mime_database: '/usr/bin/update-desktop-database' whitelist_enabled: true wrapper_bin: '/usr/local/bin/postman' From 6f53b706e6ab44f276ab11d378a8ed120ea0d5db Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 09:28:16 -0400 Subject: [PATCH 20/31] Implement a minimal TLS version --- postman-api/package/lin_install.sls | 6 +++++- postman-api/parameters/defaults.yaml | 4 +--- postman-api/parameters/os_family/RedHat.yaml.jinja | 4 +--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index 2eb1270..e9cac82 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -10,10 +10,14 @@ Deploy Postman Wrapper Script: - contents: | #!/bin/bash FLAGS=("--log-level=3") + {%- if postman_api.config.get('ssl_min_version', False) %} + FLAGS+=("--ssl-version-min={{ postman_api.config.ssl_min_version }}") + {%- endif %} # Disable GPU if connected via SSH or an X11 tunnel if [ -n "$SSH_CLIENT" ] || \ [ -n "$SSH_TTY" ] || \ - [[ "$DISPLAY" =~ ^localhost ]]; then + [[ "$DISPLAY" =~ ^localhost ]]; + then FLAGS+=("--disable-gpu") fi exec /opt/Postman/Postman "${FLAGS[@]}" "$@" 2>/dev/null diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index 90849a6..3807dad 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -8,10 +8,8 @@ values: desktop_entry: '' icon_source: '' install_root: '' - sandbox_enabled: true - selinux_fcontext: '' + ssl_min_version: '' update_mime_database: '' - whitelist_enabled: false wrapper_bin: '' pkg: download_sig: '' diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja index 32352ad..d55c5d6 100644 --- a/postman-api/parameters/os_family/RedHat.yaml.jinja +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -8,10 +8,8 @@ values: desktop_entry: '/usr/share/applications/postman.desktop' icon_source: '/app/resources/app/assets/icon.png' install_root: '/opt/Postman' - sandbox_enabled: false - selinux_fcontext: 'usr_t' + ssl_min_version: 'tls1.2' update_mime_database: '/usr/bin/update-desktop-database' - whitelist_enabled: true wrapper_bin: '/usr/local/bin/postman' pkg: download_sig: '' From c7fdbbff902dc90a180fe201efef74060ea705f3 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 09:35:52 -0400 Subject: [PATCH 21/31] Don't execute if command doesn't exist --- postman-api/config/lin_file.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index 2ec9d9b..8a5bd30 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -42,6 +42,7 @@ Configure Whitelist Daemon Policy: - makedirs: True - mode: '0644' - name: '/etc/fapolicyd/rules.d/95-postman.rules' + - onlyif: 'command -v fapolicyd-cli' - user: 'root' {%- endif %} @@ -51,6 +52,7 @@ Refresh Whitelist Daemon Database: - name: 'fapolicyd-cli --update' - onchanges: - file: 'Configure Whitelist Daemon Policy' + - onlyif: 'command -v fapolicyd-cli' {%- endif %} Register Protocol Deep Linking: From ed520c4cad10eb14ad99eb70950391d458566fb3 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 10:17:37 -0400 Subject: [PATCH 22/31] Blackhole updater-service to suppress update-available notifiers --- postman-api/config/lin_file.sls | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index 8a5bd30..ddf0910 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -75,11 +75,6 @@ Restore SELinux Security Contexts: {%- endif %} Suppress Automatic Updates Globally: - file.managed: - - contents: | - # Suppress automatic update background downloads for Postman - export POSTMAN_DISABLE_AUTO_UPDATES=true - - group: 'root' - - mode: '0644' - - name: '/etc/profile.d/postman_enterprise.sh' - - user: 'root' + host.present: + - ip: '127.0.0.1' + - name: 'dl.pstmn.io' From c07ff4f5875ab9be0a5ce7d17f176d289f2ed7c3 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 10:50:27 -0400 Subject: [PATCH 23/31] Update wrapper to read from parameters Note: The parameters: * `sandbox_enabled` (default: `false`) * `whitelist_enabled` (default: `true`) Are set to those valued because this formula is expected to be used primarily on systems that have had STIG-compliant hardening routines applied. `sandbox_enabled` is set to `false` because STIG-hardening disables the namespaces required by the application's sandboxing capability. `whitelist_enabled` is set to `true` STIG-hardened environments typically have the `fapolicyd` service configured for whitelisting of specific aplications --- postman-api/package/lin_install.sls | 3 +++ postman-api/parameters/defaults.yaml | 3 +++ postman-api/parameters/os_family/RedHat.yaml.jinja | 3 +++ 3 files changed, 9 insertions(+) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index e9cac82..0a3ee5e 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -10,6 +10,9 @@ Deploy Postman Wrapper Script: - contents: | #!/bin/bash FLAGS=("--log-level=3") + {%- if not postman_api.config.get('sandbox_enabled', True) %} + FLAGS+=("--no-sandbox") + {%- endif %} {%- if postman_api.config.get('ssl_min_version', False) %} FLAGS+=("--ssl-version-min={{ postman_api.config.ssl_min_version }}") {%- endif %} diff --git a/postman-api/parameters/defaults.yaml b/postman-api/parameters/defaults.yaml index 3807dad..819b999 100644 --- a/postman-api/parameters/defaults.yaml +++ b/postman-api/parameters/defaults.yaml @@ -8,8 +8,11 @@ values: desktop_entry: '' icon_source: '' install_root: '' + sandbox_enabled: true + selinux_fcontext: '' ssl_min_version: '' update_mime_database: '' + whitelist_enabled: false wrapper_bin: '' pkg: download_sig: '' diff --git a/postman-api/parameters/os_family/RedHat.yaml.jinja b/postman-api/parameters/os_family/RedHat.yaml.jinja index d55c5d6..04fa54a 100644 --- a/postman-api/parameters/os_family/RedHat.yaml.jinja +++ b/postman-api/parameters/os_family/RedHat.yaml.jinja @@ -8,8 +8,11 @@ values: desktop_entry: '/usr/share/applications/postman.desktop' icon_source: '/app/resources/app/assets/icon.png' install_root: '/opt/Postman' + sandbox_enabled: false + selinux_fcontext: 'usr_t' ssl_min_version: 'tls1.2' update_mime_database: '/usr/bin/update-desktop-database' + whitelist_enabled: true wrapper_bin: '/usr/local/bin/postman' pkg: download_sig: '' From 1e8c683b9d313d33788cd82caf9a695a51a99deb Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 10:55:15 -0400 Subject: [PATCH 24/31] Explain STIG-oriented default security-settings --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fba9846..477a56a 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ Executes _just_ the `config` state to uninstall the Postman API client-configura ### Linux 1. Due to library compatibilities, the installable version of Postman on RHEL 9 (and derivatives) is constrained to < `11.x`. This formula defaults the RHEL 9 (and derivatives) installation to Postman version `10.24.26` +1. To support hardened enterprise baselines (such as the DISA STIG or CIS profiles), this formula defaults to disabling the Chromium application sandbox (`sandbox_enabled: false`) on Red Hat family distributions. These security profiles typically disable unprivileged user namespaces (`user.max_user_namespaces = 0`), which causes Electron-based applications to crash instantly on startup. For less restrictive environments where user namespaces are permitted, the sandbox can be safely re-enabled by setting `sandbox_enabled: true` via Pillar data. [^1]: As of this README's writing, only Enterprise Linux and related distros (Red Hat and Oracle Enterprise, CentOS Stream, Rocky and Alma Linux). It has only been specifically tested with EL **_9_** variants. From 14b88874525443718165aa2f2114e9158c8def92 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 10:59:16 -0400 Subject: [PATCH 25/31] Add inital "cleanup" logic --- postman-api/config/lin_clean.sls | 42 +++++++++++++++++++++++++++++++ postman-api/package/lin_clean.sls | 14 +++++++++++ 2 files changed, 56 insertions(+) diff --git a/postman-api/config/lin_clean.sls b/postman-api/config/lin_clean.sls index e69de29..667c2a9 100644 --- a/postman-api/config/lin_clean.sls +++ b/postman-api/config/lin_clean.sls @@ -0,0 +1,42 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} + +{#- Dynamically check if the host has the SELinux kernel subsystem live #} +{%- set selinux_live = salt['grains.get']('selinux:enabled', False) %} + +Refresh Whitelist Daemon Database: + cmd.run: + - name: 'fapolicyd-cli --update' + - onchanges: + - file: 'Remove Whitelist Daemon Policy' + - onlyif: 'command -v fapolicyd-cli' + +Remove Postman Desktop Shortcut: + file.absent: + - name: {{ postman_api.config.desktop_entry }} + +{%- if postman_api.config.get('selinux_fcontext', False) and selinux_live %} +Remove Postman SELinux File Contexts: + selinux.fcontext_policy_absent: + - name: '{{ postman_api.config.install_root }}(/.*)?' +{%- endif %} + +Remove Protocol Deep Linking Registration: + cmd.run: + - name: '{{ postman_api.config.update_mime_database }} /usr/share/applications' + - onchanges: + - file: 'Remove Postman Desktop Shortcut' + +Remove Whitelist Daemon Policy: + file.absent: + - name: '/etc/fapolicyd/rules.d/95-postman.rules' + - onlyif: 'command -v fapolicyd-cli' + +Suppress Automatic Updates Globally: + host.absent: + - ip: '127.0.0.1' + - name: 'dl.pstmn.io' diff --git a/postman-api/package/lin_clean.sls b/postman-api/package/lin_clean.sls index e69de29..ab5ca00 100644 --- a/postman-api/package/lin_clean.sls +++ b/postman-api/package/lin_clean.sls @@ -0,0 +1,14 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} + +Remove Postman Application Directory: + file.absent: + - name: {{ postman_api.config.install_root }} + +Remove Postman Wrapper Script: + file.absent: + - name: {{ postman_api.config.wrapper_bin }} From 21a4e25125a632fda82a38ebbd2d5b99bf0ca1ec Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 11:39:58 -0400 Subject: [PATCH 26/31] Stop hard-coding install-root --- postman-api/package/lin_install.sls | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index 0a3ee5e..8d375d5 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -5,6 +5,10 @@ {%- set tplroot = tpldir.split('/')[0] %} {%- from tplroot ~ "/map.jinja" import mapdata as postman_api with context %} +{#- Calculate the parent directory for extraction destination drops #} +{%- set install_dir = postman_api.config.install_root %} +{%- set parent_dir = install_dir.split('/')[:-1] | join('/') %} + Deploy Postman Wrapper Script: file.managed: - contents: | @@ -23,10 +27,10 @@ Deploy Postman Wrapper Script: then FLAGS+=("--disable-gpu") fi - exec /opt/Postman/Postman "${FLAGS[@]}" "$@" 2>/dev/null + exec {{ install_dir }}/Postman "${FLAGS[@]}" "$@" 2>/dev/null - group: 'root' - mode: '0755' - - name: '/usr/local/bin/postman' + - name: '{{ postman_api.config.wrapper_bin }}' - require: - archive: 'Extract Postman Archive' - user: 'root' @@ -37,7 +41,7 @@ Extract Postman Archive: - enforce_toplevel: False - group: 'root' - keep_source: False - - name: '/opt' + - name: '{{ parent_dir }}' - require: - pkg: 'Install Postman Dependencies' {%- if postman_api.pkg.download_sig %} From e990d65fb724218db85196102129f3e5280ed787 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 12:19:04 -0400 Subject: [PATCH 27/31] Allow for install_root vals with "weird" characters --- postman-api/config/lin_clean.sls | 4 ++-- postman-api/config/lin_file.sls | 18 ++++++++++-------- .../files/default/postman.desktop.jinja | 2 +- postman-api/package/lin_clean.sls | 4 ++-- postman-api/package/lin_install.sls | 8 +++++++- 5 files changed, 22 insertions(+), 14 deletions(-) diff --git a/postman-api/config/lin_clean.sls b/postman-api/config/lin_clean.sls index 667c2a9..cd2dc8f 100644 --- a/postman-api/config/lin_clean.sls +++ b/postman-api/config/lin_clean.sls @@ -17,12 +17,12 @@ Refresh Whitelist Daemon Database: Remove Postman Desktop Shortcut: file.absent: - - name: {{ postman_api.config.desktop_entry }} + - name: '{{ postman_api.config.desktop_entry }}' {%- if postman_api.config.get('selinux_fcontext', False) and selinux_live %} Remove Postman SELinux File Contexts: selinux.fcontext_policy_absent: - - name: '{{ postman_api.config.install_root }}(/.*)?' + - name: '{{ postman_api.config.install_root | replace(" ", "\s") }}(/.*)?' {%- endif %} Remove Protocol Deep Linking Registration: diff --git a/postman-api/config/lin_file.sls b/postman-api/config/lin_file.sls index ddf0910..9d59ae3 100644 --- a/postman-api/config/lin_file.sls +++ b/postman-api/config/lin_file.sls @@ -16,28 +16,31 @@ Configure Postman Desktop Shortcut: - group: 'root' - makedirs: True - mode: '0644' - - name: {{ postman_api.config.desktop_entry }} + - name: '{{ postman_api.config.desktop_entry }}' - source: {{ files_switch(['postman.desktop', 'postman.desktop.jinja'], lookup='desktop_shortcut') }} - template: 'jinja' - user: 'root' -{%- if selinux_live and postman_api.config.get('selinux_fcontext', False) %} +{%- if postman_api.config.get('selinux_fcontext', False) and selinux_live %} Configure Postman SELinux File Contexts: selinux.fcontext_policy_present: - filetype: 'a' - - name: '{{ postman_api.config.install_root }}(/.*)?' + - name: '{{ postman_api.config.install_root | replace(" ", "\s") }}(/.*)?' - sel_type: {{ postman_api.config.selinux_fcontext }} {%- endif %} {%- if postman_api.config.get('whitelist_enabled', False) %} +{#- Escape whitespaces specifically to satisfy strict fapolicyd syntax rules -#} +{%- set fapolicyd_root = postman_api.config.install_root | replace(' ', '\ ') %} +{%- set fapolicyd_wrap = postman_api.config.wrapper_bin | replace(' ', '\ ') %} Configure Whitelist Daemon Policy: file.managed: - contents: | # Allow execution of system-wide Postman binaries and libraries - allow perm=any uid=all : dir={{ postman_api.config.install_root }}/ - allow perm=any uid=all : path={{ postman_api.config.wrapper_bin }} + allow perm=any uid=all : dir={{ fapolicyd_root }}/ + allow perm=any uid=all : path={{ fapolicyd_wrap }} - group: 'root' - makedirs: True - mode: '0644' @@ -46,14 +49,12 @@ Configure Whitelist Daemon Policy: - user: 'root' {%- endif %} -{%- if postman_api.config.get('whitelist_enabled', False) %} Refresh Whitelist Daemon Database: cmd.run: - name: 'fapolicyd-cli --update' - onchanges: - file: 'Configure Whitelist Daemon Policy' - onlyif: 'command -v fapolicyd-cli' -{%- endif %} Register Protocol Deep Linking: cmd.run: @@ -66,12 +67,13 @@ Register Protocol Deep Linking: {%- set wrap_path = postman_api.config.wrapper_bin %} Restore SELinux Security Contexts: cmd.run: - - name: 'restorecon -R {{ root_path }} {{ wrap_path }}' + - name: 'restorecon -R "{{ root_path }}" "{{ wrap_path }}"' - onchanges: - file: 'Configure Postman Desktop Shortcut' {%- if postman_api.config.get('selinux_fcontext', False) %} - selinux: 'Configure Postman SELinux File Contexts' {%- endif %} + - onlyif: 'test -d "{{ root_path }}" && test -e "{{ wrap_path }}"' {%- endif %} Suppress Automatic Updates Globally: diff --git a/postman-api/files/default/postman.desktop.jinja b/postman-api/files/default/postman.desktop.jinja index 6b1b9f0..18972a0 100644 --- a/postman-api/files/default/postman.desktop.jinja +++ b/postman-api/files/default/postman.desktop.jinja @@ -2,7 +2,7 @@ Categories=Development; Comment=Postman API Platform Exec={{ postman_api.config.wrapper_bin }} %u -Icon={{ postman_api.config.install_root }}{{ postman_api.config.icon_source }} +Icon="{{ postman_api.config.install_root }}{{ postman_api.config.icon_source }}" MimeType=x-scheme-handler/postman; Name=Postman Terminal=false diff --git a/postman-api/package/lin_clean.sls b/postman-api/package/lin_clean.sls index ab5ca00..15dbc94 100644 --- a/postman-api/package/lin_clean.sls +++ b/postman-api/package/lin_clean.sls @@ -7,8 +7,8 @@ Remove Postman Application Directory: file.absent: - - name: {{ postman_api.config.install_root }} + - name: '{{ postman_api.config.install_root }}' Remove Postman Wrapper Script: file.absent: - - name: {{ postman_api.config.wrapper_bin }} + - name: '{{ postman_api.config.wrapper_bin }}' diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index 8d375d5..d2657ae 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -27,7 +27,7 @@ Deploy Postman Wrapper Script: then FLAGS+=("--disable-gpu") fi - exec {{ install_dir }}/Postman "${FLAGS[@]}" "$@" 2>/dev/null + exec "{{ install_dir }}/Postman" "${FLAGS[@]}" "$@" 2>/dev/null - group: 'root' - mode: '0755' - name: '{{ postman_api.config.wrapper_bin }}' @@ -43,6 +43,7 @@ Extract Postman Archive: - keep_source: False - name: '{{ parent_dir }}' - require: + - host: 'Permit Download Domain Access' - pkg: 'Install Postman Dependencies' {%- if postman_api.pkg.download_sig %} - source: '{{ postman_api.pkg.download_uri }}' @@ -92,3 +93,8 @@ Install Postman Dependencies: - vulkan-loader - xdg-utils - xorg-x11-xauth + +Permit Download Domain Access: + host.absent: + - ip: '127.0.0.1' + - name: 'dl.pstmn.io' From b45a2f7ef9230c8920fada223cb3d59d77e73bae Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 13:32:12 -0400 Subject: [PATCH 28/31] Document pillar-overrideable settings --- pillar.example | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 pillar.example diff --git a/pillar.example b/pillar.example new file mode 100644 index 0000000..0e1b85f --- /dev/null +++ b/pillar.example @@ -0,0 +1,51 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +postman-api: + config: + # Path where the system desktop entry file will be generated. + desktop_entry: '/usr/share/applications/postman.desktop' + + # Relative path to the application icon inside the installation directory. + icon_source: '/app/resources/app/assets/icon.png' + + # The root directory tree where the application archive is extracted. + # Natively supports paths containing spaces (e.g., '/opt/Desktop Apps/Postman'). + install_root: '/opt/Postman' + + # Controls Chromium's internal application isolation sandbox layer. + # Set to false to support profiles that disable unprivileged namespaces + # (such as DISA STIG or CIS benchmarks), allowing safe startup. + sandbox_enabled: false + + # The SELinux context type applied to the application root directory. + # Automatically triggers fcontext and restorecon operations if the + # kernel security subsystem is running in Enforcing or Permissive mode. + selinux_fcontext: 'usr_t' + + # Mandates the minimum TLS protocol allowed for transit connections. + # Ensures compliance with FIPS validation rules by preventing downgrades. + ssl_min_version: 'tls1.2' + + # Path to the system binary utility that updates the desktop MIME cache. + update_mime_database: '/usr/bin/update-desktop-database' + + # Controls registration of trusted application paths with fapolicyd. + # Set to true to inject execution rules when whitelisting is enabled. + whitelist_enabled: true + + # The system path for the generated wrapper execution bash script. + wrapper_bin: '/usr/local/bin/postman' + + pkg: + # Optional cryptographic hash string (e.g., sha256) to verify the source. + # Leave empty to skip verification when pulling dynamic latest payloads. + download_sig: '' + + # The fully qualified URI source pointing to the target install archive. + # Can point to the public CDN or an internally hosted mirror repository. + download_uri: 'https://dl.pstmn.io/download/version/10.24.26/linux64' + + # The internal name designation used for formula mapping identification. + name: 'postman-api' +... From 3ead386ff0ebd691b3e6f7bdb0c790961a96f244 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 14:21:59 -0400 Subject: [PATCH 29/31] Update release-version and release-info --- .bumpversion.cfg | 2 +- CHANGELOG.md | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 40343da..871c1b1 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 0.0.1 +current_version = 0.1.0 commit = True message = Bumps version to {new_version} tag = False diff --git a/CHANGELOG.md b/CHANGELOG.md index 09f95bb..c2b139a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,27 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +### 0.1.0 + +**Released**: 2026.06.02 + +**Summary**: + +* Added ("Enterprise") Linux functionality + * Installs the Postman API binary (as downloaded from [vendor site](https://www.postman.com/downloads/)) + * Install-location defaults to `/opt/postman` + * Install-location overrideable via Pillar's `install_root` parameter + * For RHEL 9 (and related distros), latest installable version is 10.24.26 (override via Pillar's `download_uri` parameter) + * Creates a wrapper-script at `/usr/local/bin/postman` to ensure appropriate launch-time arguments. For example: + * "don't try to use GPU on X-over-SSH tunnels" + * "disable sandboxing on STIGed operating systems" ( override via Pillar's `sandbox_enabled` parameter) + * "require use of TLS v1.2+" ( override via Pillar's `ssl_min_version` parameter) + * Sets appropriate file-modes and SELinux contexts on binaries and wrappers + * Implements "cleanup" for all of the preceeding +* Adds pillar.example to explain parameters/inputs that may be specified via Pillar +* Update README with platform-notes + + ### 0.0.1 **Released**: 2026.06.01 From aaf432c0e5e84e3e193a54c32d5b3750779df313 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 2 Jun 2026 14:59:04 -0400 Subject: [PATCH 30/31] Fix left-padding per tardigradelint --- postman-api/package/lin_install.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/postman-api/package/lin_install.sls b/postman-api/package/lin_install.sls index d2657ae..eac38c0 100644 --- a/postman-api/package/lin_install.sls +++ b/postman-api/package/lin_install.sls @@ -21,9 +21,9 @@ Deploy Postman Wrapper Script: FLAGS+=("--ssl-version-min={{ postman_api.config.ssl_min_version }}") {%- endif %} # Disable GPU if connected via SSH or an X11 tunnel - if [ -n "$SSH_CLIENT" ] || \ - [ -n "$SSH_TTY" ] || \ - [[ "$DISPLAY" =~ ^localhost ]]; + if [[ -n "$SSH_CLIENT" ]] || \ + [[ -n "$SSH_TTY" ]] || \ + [[ "$DISPLAY" =~ ^localhost ]] then FLAGS+=("--disable-gpu") fi From 3eeaf76bb087508e850b3c0eb223e9c76d70578a Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Wed, 3 Jun 2026 08:15:10 -0400 Subject: [PATCH 31/31] Add CI tests for Linux config-targets --- .github/workflows/test.yml | 16 ++++++++++++++++ tests/pillar/postman-api/main.sls | 10 ++++++++++ tests/pillar/postman-api/top.sls | 3 +++ tests/requirements.txt | 1 + 4 files changed, 30 insertions(+) create mode 100644 tests/pillar/postman-api/main.sls create mode 100644 tests/pillar/postman-api/top.sls create mode 100644 tests/requirements.txt diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 58dd810..7c91ec4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,3 +9,19 @@ concurrency: jobs: test: uses: plus3it/actions-workflows/.github/workflows/test.yml@ddd67e99878a285f728de398c1116151c2d7791a + + linux: + uses: plus3it/actions-workflows/.github/workflows/test-salt-linux.yml@ddd67e99878a285f728de398c1116151c2d7791a + strategy: + matrix: + os_version: + - 8 + - 9 + salt_state: + - postman-api + salt_pillar_root: + - ./tests/pillar/test-linux-main + with: + salt-os-version: ${{ matrix.os_version }} + salt-state: ${{ matrix.salt_state }} + salt-pillar-root: ${{ matrix.salt_pillar_root }} diff --git a/tests/pillar/postman-api/main.sls b/tests/pillar/postman-api/main.sls new file mode 100644 index 0000000..68e700c --- /dev/null +++ b/tests/pillar/postman-api/main.sls @@ -0,0 +1,10 @@ +nosql-booster: + lookup: + {%- if grains.os_family == "RedHat" %} + pkg: + download_uri: https://dl.pstmn.io/download/version/10.24.16/linux_64 + config: + sandbox_enabled: true + install_root: '/opt/Desktop Applications/Postman' + {%- elif grains.os_family == "Windows" %} + {%- endif %} diff --git a/tests/pillar/postman-api/top.sls b/tests/pillar/postman-api/top.sls new file mode 100644 index 0000000..3692e36 --- /dev/null +++ b/tests/pillar/postman-api/top.sls @@ -0,0 +1,3 @@ +base: + '*': + - main diff --git a/tests/requirements.txt b/tests/requirements.txt new file mode 100644 index 0000000..df96849 --- /dev/null +++ b/tests/requirements.txt @@ -0,0 +1 @@ +salt-minion