diff options
Diffstat (limited to 'lib/ansible/modules/apt_key.py')
-rw-r--r-- | lib/ansible/modules/apt_key.py | 530 |
1 files changed, 530 insertions, 0 deletions
diff --git a/lib/ansible/modules/apt_key.py b/lib/ansible/modules/apt_key.py new file mode 100644 index 0000000..67caf6d --- /dev/null +++ b/lib/ansible/modules/apt_key.py @@ -0,0 +1,530 @@ +# -*- coding: utf-8 -*- + +# Copyright: (c) 2012, Michael DeHaan <michael.dehaan@gmail.com> +# Copyright: (c) 2012, Jayson Vantuyl <jayson@aggressive.ly> + +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +DOCUMENTATION = ''' +--- +module: apt_key +author: +- Jayson Vantuyl (@jvantuyl) +version_added: "1.0" +short_description: Add or remove an apt key +description: + - Add or remove an I(apt) key, optionally downloading it. +extends_documentation_fragment: action_common_attributes +attributes: + check_mode: + support: full + diff_mode: + support: none + platform: + platforms: debian +notes: + - The apt-key command has been deprecated and suggests to 'manage keyring files in trusted.gpg.d instead'. See the Debian wiki for details. + This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys. + - As a sanity check, downloaded key id must match the one specified. + - "Use full fingerprint (40 characters) key ids to avoid key collisions. + To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)." + - If you specify both the key id and the URL with C(state=present), the task can verify or add the key as needed. + - Adding a new key requires an apt cache update (e.g. using the M(ansible.builtin.apt) module's update_cache option). +requirements: + - gpg +options: + id: + description: + - The identifier of the key. + - Including this allows check mode to correctly report the changed state. + - If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. + - This parameter is required when C(state) is set to C(absent). + type: str + data: + description: + - The keyfile contents to add to the keyring. + type: str + file: + description: + - The path to a keyfile on the remote server to add to the keyring. + type: path + keyring: + description: + - The full path to specific keyring file in C(/etc/apt/trusted.gpg.d/). + type: path + version_added: "1.3" + url: + description: + - The URL to retrieve key from. + type: str + keyserver: + description: + - The keyserver to retrieve key from. + type: str + version_added: "1.6" + state: + description: + - Ensures that the key is present (added) or absent (revoked). + type: str + choices: [ absent, present ] + default: present + validate_certs: + description: + - If C(false), SSL certificates for the target url will not be validated. This should only be used + on personally controlled sites using self-signed certificates. + type: bool + default: 'yes' +''' + +EXAMPLES = ''' +- name: One way to avoid apt_key once it is removed from your distro + block: + - name: somerepo |no apt key + ansible.builtin.get_url: + url: https://download.example.com/linux/ubuntu/gpg + dest: /etc/apt/trusted.gpg.d/somerepo.asc + + - name: somerepo | apt source + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable" + state: present + +- name: Add an apt key by id from a keyserver + ansible.builtin.apt_key: + keyserver: keyserver.ubuntu.com + id: 36A1D7869245C8950F966E92D8576A8BA88D21E9 + +- name: Add an Apt signing key, uses whichever key is at the URL + ansible.builtin.apt_key: + url: https://ftp-master.debian.org/keys/archive-key-6.0.asc + state: present + +- name: Add an Apt signing key, will not download if present + ansible.builtin.apt_key: + id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA + url: https://ftp-master.debian.org/keys/archive-key-6.0.asc + state: present + +- name: Remove a Apt specific signing key, leading 0x is valid + ansible.builtin.apt_key: + id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA + state: absent + +# Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type. +- name: Add a key from a file on the Ansible server + ansible.builtin.apt_key: + data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}" + state: present + +- name: Add an Apt signing key to a specific keyring file + ansible.builtin.apt_key: + id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA + url: https://ftp-master.debian.org/keys/archive-key-6.0.asc + keyring: /etc/apt/trusted.gpg.d/debian.gpg + +- name: Add Apt signing key on remote server to keyring + ansible.builtin.apt_key: + id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA + file: /tmp/apt.gpg + state: present +''' + +RETURN = ''' +after: + description: List of apt key ids or fingerprints after any modification + returned: on change + type: list + sample: ["D8576A8BA88D21E9", "3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] +before: + description: List of apt key ids or fingprints before any modifications + returned: always + type: list + sample: ["3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] +fp: + description: Fingerprint of the key to import + returned: always + type: str + sample: "D8576A8BA88D21E9" +id: + description: key id from source + returned: always + type: str + sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" +key_id: + description: calculated key id, it should be same as 'id', but can be different + returned: always + type: str + sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" +short_id: + description: calculated short key id + returned: always + type: str + sample: "A88D21E9" +''' + +import os + +# FIXME: standardize into module_common +from traceback import format_exc + +from ansible.module_utils._text import to_native +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.common.locale import get_best_parsable_locale +from ansible.module_utils.urls import fetch_url + + +apt_key_bin = None +gpg_bin = None +locale = None + + +def lang_env(module): + + if not hasattr(lang_env, 'result'): + locale = get_best_parsable_locale(module) + lang_env.result = dict(LANG=locale, LC_ALL=locale, LC_MESSAGES=locale) + + return lang_env.result + + +def find_needed_binaries(module): + global apt_key_bin + global gpg_bin + apt_key_bin = module.get_bin_path('apt-key', required=True) + gpg_bin = module.get_bin_path('gpg', required=True) + + +def add_http_proxy(cmd): + + for envvar in ('HTTPS_PROXY', 'https_proxy', 'HTTP_PROXY', 'http_proxy'): + proxy = os.environ.get(envvar) + if proxy: + break + + if proxy: + cmd += ' --keyserver-options http-proxy=%s' % proxy + + return cmd + + +def parse_key_id(key_id): + """validate the key_id and break it into segments + + :arg key_id: The key_id as supplied by the user. A valid key_id will be + 8, 16, or more hexadecimal chars with an optional leading ``0x``. + :returns: The portion of key_id suitable for apt-key del, the portion + suitable for comparisons with --list-public-keys, and the portion that + can be used with --recv-key. If key_id is long enough, these will be + the last 8 characters of key_id, the last 16 characters, and all of + key_id. If key_id is not long enough, some of the values will be the + same. + + * apt-key del <= 1.10 has a bug with key_id != 8 chars + * apt-key adv --list-public-keys prints 16 chars + * apt-key adv --recv-key can take more chars + + """ + # Make sure the key_id is valid hexadecimal + int(to_native(key_id), 16) + + key_id = key_id.upper() + if key_id.startswith('0X'): + key_id = key_id[2:] + + key_id_len = len(key_id) + if (key_id_len != 8 and key_id_len != 16) and key_id_len <= 16: + raise ValueError('key_id must be 8, 16, or 16+ hexadecimal characters in length') + + short_key_id = key_id[-8:] + + fingerprint = key_id + if key_id_len > 16: + fingerprint = key_id[-16:] + + return short_key_id, fingerprint, key_id + + +def parse_output_for_keys(output, short_format=False): + + found = [] + lines = to_native(output).split('\n') + for line in lines: + if (line.startswith("pub") or line.startswith("sub")) and "expired" not in line: + try: + # apt key format + tokens = line.split() + code = tokens[1] + (len_type, real_code) = code.split("/") + except (IndexError, ValueError): + # gpg format + try: + tokens = line.split(':') + real_code = tokens[4] + except (IndexError, ValueError): + # invalid line, skip + continue + found.append(real_code) + + if found and short_format: + found = shorten_key_ids(found) + + return found + + +def all_keys(module, keyring, short_format): + if keyring is not None: + cmd = "%s --keyring %s adv --list-public-keys --keyid-format=long" % (apt_key_bin, keyring) + else: + cmd = "%s adv --list-public-keys --keyid-format=long" % apt_key_bin + (rc, out, err) = module.run_command(cmd) + if rc != 0: + module.fail_json(msg="Unable to list public keys", cmd=cmd, rc=rc, stdout=out, stderr=err) + + return parse_output_for_keys(out, short_format) + + +def shorten_key_ids(key_id_list): + """ + Takes a list of key ids, and converts them to the 'short' format, + by reducing them to their last 8 characters. + """ + short = [] + for key in key_id_list: + short.append(key[-8:]) + return short + + +def download_key(module, url): + + try: + # note: validate_certs and other args are pulled from module directly + rsp, info = fetch_url(module, url, use_proxy=True) + if info['status'] != 200: + module.fail_json(msg="Failed to download key at %s: %s" % (url, info['msg'])) + + return rsp.read() + except Exception: + module.fail_json(msg="error getting key id from url: %s" % url, traceback=format_exc()) + + +def get_key_id_from_file(module, filename, data=None): + + native_data = to_native(data) + is_armored = native_data.find("-----BEGIN PGP PUBLIC KEY BLOCK-----") >= 0 + + key = None + + cmd = [gpg_bin, '--with-colons', filename] + + (rc, out, err) = module.run_command(cmd, environ_update=lang_env(module), data=(native_data if is_armored else data), binary_data=not is_armored) + if rc != 0: + module.fail_json(msg="Unable to extract key from '%s'" % ('inline data' if data is not None else filename), stdout=out, stderr=err) + + keys = parse_output_for_keys(out) + # assume we only want first key? + if keys: + key = keys[0] + + return key + + +def get_key_id_from_data(module, data): + return get_key_id_from_file(module, '-', data) + + +def import_key(module, keyring, keyserver, key_id): + + if keyring: + cmd = "%s --keyring %s adv --no-tty --keyserver %s" % (apt_key_bin, keyring, keyserver) + else: + cmd = "%s adv --no-tty --keyserver %s" % (apt_key_bin, keyserver) + + # check for proxy + cmd = add_http_proxy(cmd) + + # add recv argument as last one + cmd = "%s --recv %s" % (cmd, key_id) + + for retry in range(5): + (rc, out, err) = module.run_command(cmd, environ_update=lang_env(module)) + if rc == 0: + break + else: + # Out of retries + if rc == 2 and 'not found on keyserver' in out: + msg = 'Key %s not found on keyserver %s' % (key_id, keyserver) + module.fail_json(cmd=cmd, msg=msg, forced_environment=lang_env(module)) + else: + msg = "Error fetching key %s from keyserver: %s" % (key_id, keyserver) + module.fail_json(cmd=cmd, msg=msg, forced_environment=lang_env(module), rc=rc, stdout=out, stderr=err) + return True + + +def add_key(module, keyfile, keyring, data=None): + if data is not None: + if keyring: + cmd = "%s --keyring %s add -" % (apt_key_bin, keyring) + else: + cmd = "%s add -" % apt_key_bin + (rc, out, err) = module.run_command(cmd, data=data, binary_data=True) + if rc != 0: + module.fail_json( + msg="Unable to add a key from binary data", + cmd=cmd, + rc=rc, + stdout=out, + stderr=err, + ) + else: + if keyring: + cmd = "%s --keyring %s add %s" % (apt_key_bin, keyring, keyfile) + else: + cmd = "%s add %s" % (apt_key_bin, keyfile) + (rc, out, err) = module.run_command(cmd) + if rc != 0: + module.fail_json( + msg="Unable to add a key from file %s" % (keyfile), + cmd=cmd, + rc=rc, + keyfile=keyfile, + stdout=out, + stderr=err, + ) + return True + + +def remove_key(module, key_id, keyring): + if keyring: + cmd = '%s --keyring %s del %s' % (apt_key_bin, keyring, key_id) + else: + cmd = '%s del %s' % (apt_key_bin, key_id) + (rc, out, err) = module.run_command(cmd) + if rc != 0: + module.fail_json( + msg="Unable to remove a key with id %s" % (key_id), + cmd=cmd, + rc=rc, + key_id=key_id, + stdout=out, + stderr=err, + ) + return True + + +def main(): + module = AnsibleModule( + argument_spec=dict( + id=dict(type='str'), + url=dict(type='str'), + data=dict(type='str'), + file=dict(type='path'), + keyring=dict(type='path'), + validate_certs=dict(type='bool', default=True), + keyserver=dict(type='str'), + state=dict(type='str', default='present', choices=['absent', 'present']), + ), + supports_check_mode=True, + mutually_exclusive=(('data', 'file', 'keyserver', 'url'),), + ) + + # parameters + key_id = module.params['id'] + url = module.params['url'] + data = module.params['data'] + filename = module.params['file'] + keyring = module.params['keyring'] + state = module.params['state'] + keyserver = module.params['keyserver'] + + # internal vars + short_format = False + short_key_id = None + fingerprint = None + error_no_error = "apt-key did not return an error, but %s (check that the id is correct and *not* a subkey)" + + # ensure we have requirements met + find_needed_binaries(module) + + # initialize result dict + r = {'changed': False} + + if not key_id: + + if keyserver: + module.fail_json(msg="Missing key_id, required with keyserver.") + + if url: + data = download_key(module, url) + + if filename: + key_id = get_key_id_from_file(module, filename) + elif data: + key_id = get_key_id_from_data(module, data) + + r['id'] = key_id + try: + short_key_id, fingerprint, key_id = parse_key_id(key_id) + r['short_id'] = short_key_id + r['fp'] = fingerprint + r['key_id'] = key_id + except ValueError: + module.fail_json(msg='Invalid key_id', **r) + + if not fingerprint: + # invalid key should fail well before this point, but JIC ... + module.fail_json(msg="Unable to continue as we could not extract a valid fingerprint to compare against existing keys.", **r) + + if len(key_id) == 8: + short_format = True + + # get existing keys to verify if we need to change + r['before'] = keys = all_keys(module, keyring, short_format) + keys2 = [] + + if state == 'present': + if (short_format and short_key_id not in keys) or (not short_format and fingerprint not in keys): + r['changed'] = True + if not module.check_mode: + if filename: + add_key(module, filename, keyring) + elif keyserver: + import_key(module, keyring, keyserver, key_id) + elif data: + # this also takes care of url if key_id was not provided + add_key(module, "-", keyring, data) + elif url: + # we hit this branch only if key_id is supplied with url + data = download_key(module, url) + add_key(module, "-", keyring, data) + else: + module.fail_json(msg="No key to add ... how did i get here?!?!", **r) + + # verify it got added + r['after'] = keys2 = all_keys(module, keyring, short_format) + if (short_format and short_key_id not in keys2) or (not short_format and fingerprint not in keys2): + module.fail_json(msg=error_no_error % 'failed to add the key', **r) + + elif state == 'absent': + if not key_id: + module.fail_json(msg="key is required to remove a key", **r) + if fingerprint in keys: + r['changed'] = True + if not module.check_mode: + # we use the "short" id: key_id[-8:], short_format=True + # it's a workaround for https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1481871 + if short_key_id is not None and remove_key(module, short_key_id, keyring): + r['after'] = keys2 = all_keys(module, keyring, short_format) + if fingerprint in keys2: + module.fail_json(msg=error_no_error % 'the key was not removed', **r) + else: + module.fail_json(msg="error removing key_id", **r) + + module.exit_json(**r) + + +if __name__ == '__main__': + main() |