diff --git a/.typos.toml b/.typos.toml index 747773133..2fbc80f5b 100644 --- a/.typos.toml +++ b/.typos.toml @@ -3,6 +3,7 @@ extend-exclude = [ "tests/facts/apt.SimulateOperationWillChange/upgrade.json", "tests/facts/opkg.OpkgPackages/opkg_packages.json", "tests/words.txt", + "tests/facts/gpg.GpgKeyrings/*.json", # GPG keyring test files contain hex key IDs ] [default] diff --git a/src/pyinfra/facts/gpg.py b/src/pyinfra/facts/gpg.py index 3d9fdf97b..b88e06190 100644 --- a/src/pyinfra/facts/gpg.py +++ b/src/pyinfra/facts/gpg.py @@ -148,3 +148,71 @@ def command(self, keyring=None): return ("gpg --list-secret-keys --with-colons --keyring {0} --no-default-keyring").format( keyring, ) + + +class GpgKeyrings(GpgFactBase): + """ + Returns information on all GPG keyrings found in specified directories. + + .. code:: python + + { + "/etc/apt/keyrings/docker.gpg": { + "format": "gpg", + "keys": {...} # Same format as GpgKeys fact + } + } + """ + + @override + def command(self, directories): + if isinstance(directories, str): + directories = [directories] + + search_locations = " ".join(f'"{d}"' for d in directories) + + # Generate a command that finds keyrings and lists their keys + # We'll use a shell script that outputs keyring path followed by key info + return ( + f"for keyring in $(find {search_locations} -type f \\( -name '*.gpg' " + f"-o -name '*.asc' -o -name '*.kbx' \\) 2>/dev/null); do " + f'echo "KEYRING:$keyring"; ' + f'if [[ "$keyring" == *.asc ]]; then ' + f'gpg --with-colons "$keyring" 2>/dev/null || true; ' + f"else " + f'gpg --list-keys --with-colons --keyring "$keyring" --no-default-keyring 2>/dev/null || true; ' # noqa: E501 + f"fi; done" + ) + + @override + def process(self, output): + keyrings = {} + current_keyring = None + current_output: list[str] = [] + + for line in output: + line = line.strip() + if not line: + continue + + if line.startswith("KEYRING:"): + # Process previous keyring if exists + if current_keyring and current_output: + keyring_format = current_keyring.split(".")[-1].lower() + keys = super().process(current_output) + keyrings[current_keyring] = {"format": keyring_format, "keys": keys} + + # Start new keyring + current_keyring = line[8:] # Remove "KEYRING:" prefix + current_output = [] + else: + # Accumulate GPG output for current keyring + current_output.append(line) + + # Process final keyring + if current_keyring and current_output: + keyring_format = current_keyring.split(".")[-1].lower() + keys = super().process(current_output) + keyrings[current_keyring] = {"format": keyring_format, "keys": keys} + + return keyrings diff --git a/src/pyinfra/operations/gpg.py b/src/pyinfra/operations/gpg.py new file mode 100644 index 000000000..5b714bba2 --- /dev/null +++ b/src/pyinfra/operations/gpg.py @@ -0,0 +1,414 @@ +""" +Manage GPG keys and keyrings. +""" + +from pathlib import PurePosixPath +from urllib.parse import urlparse + +from pyinfra import host +from pyinfra.api import OperationError, operation +from pyinfra.facts.gpg import GpgKeyrings +from pyinfra.facts import files as file_facts + +from . import files + + +def _install_key_from_src(src: str, dest: str, dearmor: bool, mode: str): + """Install a GPG key from a file or URL.""" + if urlparse(src).scheme in ("http", "https"): + # Remote source: download first, then process + temp_file = host.get_temp_filename(src) + + yield from files.download._inner( + src=src, + dest=temp_file, + ) + + # Install the key and clean up temp file + yield from _install_key_file(temp_file, dest, dearmor, mode) + + # Clean up temp file using pyinfra + yield from files.file._inner( + path=temp_file, + present=False, + ) + else: + # Local file: install directly + yield from _install_key_file(src, dest, dearmor, mode) + + +def _install_key_from_keyserver(keyserver: str, keyid: str | list[str], dest: str, mode: str): + """Install GPG keys from a keyserver.""" + if isinstance(keyid, str): + keyid = [keyid] + + joined = " ".join(keyid) + + # Create temporary GPG home directory + temp_dir = f"/tmp/pyinfra-gpg-{host.get_temp_filename('')[-8:]}" + + yield from files.directory._inner( + path=temp_dir, + mode="0700", # GPG directories should be more restrictive + present=True, + ) + + # Export GNUPGHOME and fetch keys + yield f'export GNUPGHOME="{temp_dir}" && gpg --batch --keyserver "{keyserver}" --recv-keys {joined}' # noqa: E501 + + # Export keys to destination - always use direct binary export + # gpg --export produces binary format by default, no dearmoring needed + yield (f'export GNUPGHOME="{temp_dir}" && gpg --batch --export {joined} > "{dest}"') + + # Clean up temporary directory + yield from files.directory._inner( + path=temp_dir, + present=False, + ) + + # Set proper permissions + yield from files.file._inner( + path=dest, + mode=mode, + present=True, + ) + + +def _remove_key_from_keyrings(keyid: str | list[str], working_dirs: list[str]): + """Remove specific keys from all keyrings in specified directories.""" + if isinstance(keyid, str): + keyid = [keyid] + + # Use the GpgKeyrings fact to find all keyrings in specified directories + keyrings_info = host.get_fact(GpgKeyrings, directories=working_dirs) + + for keyring_path, keyring_data in keyrings_info.items(): + # Get the keys from the GpgKeyrings fact data + keys_in_keyring = keyring_data.get("keys", {}) + + # Check if any of the target keys exist in this keyring + keys_to_remove = [] + for kid in keyid: + # Handle different key ID formats (short, long, with/without 0x prefix) + clean_key = kid.replace("0x", "").replace("0X", "").upper() + + # Check for exact match or if the key ID is a suffix/prefix of any key + # in the keyring + for existing_key_id in keys_in_keyring.keys(): + if ( + clean_key == existing_key_id.upper() + or existing_key_id.upper().endswith(clean_key) + or existing_key_id.upper().startswith(clean_key) + ): + keys_to_remove.append(existing_key_id) + + if keys_to_remove: + # Remove the entire keyring file if any target keys are found + # This is the safest approach for keyring management + yield from files.file._inner( + path=keyring_path, + present=False, + ) + + +def _remove_key_from_keyring(keyid: str | list[str], dest: str): + """Remove specific keys from a specific keyring file.""" + if isinstance(keyid, str): + keyid = [keyid] + + # Check if the destination keyring exists and contains the target keys + keyrings_info = host.get_fact(GpgKeyrings, directories=[str(PurePosixPath(dest).parent)]) + + if dest in keyrings_info: + keyring_data = keyrings_info[dest] + keys_in_keyring = keyring_data.get("keys", {}) + + # Check if any of the target keys exist in this keyring + keys_found = False + for kid in keyid: + clean_key = kid.replace("0x", "").replace("0X", "").upper() + for existing_key_id in keys_in_keyring.keys(): + # Check for exact match, suffix (short key ID), or prefix match + if ( + clean_key == existing_key_id.upper() + or existing_key_id.upper().endswith(clean_key) + or existing_key_id.upper().startswith(clean_key) + ): + keys_found = True + break + if keys_found: + break + + if keys_found: + # Remove the entire keyring file - safest approach for keyring management + yield from files.file._inner( + path=dest, + present=False, + ) + + +def _remove_keyring_file(dest: str): + """Remove an entire keyring file.""" + yield from files.file._inner( + path=dest, + present=False, + ) + + +def _validate_installation_params( + src: str | None, keyserver: str | None, keyid: str | list[str] | None, dest: str | None +): + """Validate parameters for key installation.""" + if not src and not keyserver: + raise OperationError("Either `src` or `keyserver` must be provided for installation") + + if keyserver and not keyid: + raise OperationError("`keyid` must be provided with `keyserver`") + + if keyid and not keyserver and not src: + raise OperationError( + "When using `keyid` for installation, either `keyserver` or `src` must be provided" + ) + + if dest is None: + raise OperationError("`dest` must be provided for installation") + + +def _validate_removal_params( + dest: str | None, keyid: str | list[str] | None, working_dirs: list[str] | None +): + """Validate parameters for key removal.""" + if not dest and not (keyid and working_dirs): + raise OperationError( + "For removal, either `dest` or both `keyid` and `working_dirs` must be provided" + ) + + +@operation() +def key( + src: str | None = None, + dest: str | None = None, + keyserver: str | None = None, + keyid: str | list[str] | None = None, + dearmor: bool = True, + mode: str = "0644", + present: bool = True, + working_dirs: list[str] | None = None, +): + """ + Install or remove GPG keys from various sources. + + Args: + src: filename or URL to a key (ASCII .asc or binary .gpg) + dest: destination path for the key file (required for installation, optional for removal) + keyserver: keyserver URL for fetching keys by ID + keyid: key ID or list of key IDs (required with keyserver, optional for removal) + dearmor: whether to convert ASCII armored keys to binary format + mode: file permissions for the installed key + present: whether the key should be present (True) or absent (False) + working_dirs: dirs to search for existing keyrings (required for removal without dest) + When False: if dest is provided, removes from specific keyring; + if dest is None, removes from keyrings found in working_dirs; + if keyid is provided, removes specific key(s); + if keyid is None, removes entire keyring file(s) + + Examples: + gpg.key( + name="Install Docker GPG key", + src="https://download.docker.com/linux/debian/gpg", + dest="/etc/apt/keyrings/docker.gpg", + ) + + gpg.key( + name="Remove old GPG key file", + dest="/etc/apt/keyrings/old-key.gpg", + present=False, + ) + + gpg.key( + name="Remove specific key by ID", + dest="/etc/apt/keyrings/vendor.gpg", + keyid="0xABCDEF12", + present=False, + ) + + gpg.key( + name="Remove key from specific directories", + keyid="0xCOMPROMISED123", + present=False, + working_dirs=["/etc/apt/keyrings", "/usr/share/keyrings"], + ) + + gpg.key( + name="Fetch keys from keyserver", + keyserver="hkps://keyserver.ubuntu.com", + keyid=["0xD88E42B4", "0x7EA0A9C3"], + dest="/etc/apt/keyrings/vendor.gpg", + ) + """ + + # Handle removal operations + if present is False: + _validate_removal_params(dest, keyid, working_dirs) + + if not dest and keyid: + # Remove key(s) from all keyrings found in specified directories + if not working_dirs: + raise OperationError( + "`working_dirs` must be provided when removing keys without `dest`" + ) + yield from _remove_key_from_keyrings(keyid, working_dirs) + + elif dest and keyid: + # Remove specific key(s) from a specific keyring file + yield from _remove_key_from_keyring(keyid, dest) + + elif dest and not keyid: + # Remove entire keyring file + yield from _remove_keyring_file(dest) + + else: + raise OperationError("Invalid parameters for removal operation") + + return + + # Handle installation operations + _validate_installation_params(src, keyserver, keyid, dest) + + # After validation, we know dest is not None for installation + assert dest is not None, "dest should not be None after validation" + + # Check if key already exists (for idempotence) + if keyid: + # If we have keyid(s), check if they exist in the destination keyring + try: + dest_dir = str(PurePosixPath(dest).parent) + keyring_fact = host.get_fact(GpgKeyrings, [dest_dir]) + + # keyring_fact contains keyring paths as keys + # Check if our destination keyring exists in the fact + keyring_info = keyring_fact.get(dest) + + if keyring_info: + existing_keys = keyring_info["keys"] + keyids_to_check = keyid if isinstance(keyid, list) else [keyid] + + # Check if all requested keys already exist + all_keys_exist = True + for kid in keyids_to_check: + # Remove 0x prefix if present for comparison + clean_keyid = kid.replace("0x", "").replace("0X", "").upper() + key_exists = any( + clean_keyid in existing_key_id.upper() + or existing_key_id.upper().endswith(clean_keyid) + for existing_key_id in existing_keys.keys() + ) + if not key_exists: + all_keys_exist = False + break + + if all_keys_exist: + # All keys already exist, ensure file permissions are correct + yield from files.file._inner( + path=dest, + mode=mode, + present=True, + ) + host.noop(f"GPG keys {keyid} already exist in {dest}") + return + except (KeyError, AttributeError): + # Fact not available or incomplete, proceed with installation + pass + else: + # If no keyid specified, check if destination file exists (for file/URL sources) + try: + file_fact = host.get_fact(file_facts.File, dest) + if file_fact: + # File exists, ensure permissions are correct + yield from files.file._inner( + path=dest, + mode=mode, + present=True, + ) + host.noop(f"GPG keyring {dest} already exists") + return + except (KeyError, AttributeError): + # Fact not available, proceed with installation + pass + + # Ensure destination directory exists + dest_dir = str(PurePosixPath(dest).parent) + yield from files.directory._inner( + path=dest_dir, + mode="0755", + present=True, + ) + + # Install from source (file or URL) + if src: + yield from _install_key_from_src(src, dest, dearmor, mode) + + # Install from keyserver + if keyserver: + assert keyid is not None, "keyid should not be None after validation" + yield from _install_key_from_keyserver(keyserver, keyid, dest, mode) + + +@operation() +def dearmor(src: str, dest: str, mode: str = "0644"): + """ + Convert ASCII armored GPG key to binary format. + + Args: + src: source ASCII armored key file + dest: destination binary key file + mode: file permissions for the output file + + Example: + gpg.dearmor( + name="Convert key to binary", + src="/tmp/key.asc", + dest="/etc/apt/keyrings/key.gpg", + ) + """ + + # Ensure destination directory exists + dest_dir = str(PurePosixPath(dest).parent) + yield from files.directory._inner( + path=dest_dir, + mode="0755", + present=True, + ) + + yield f'gpg --batch --dearmor -o "{dest}" "{src}"' + + # Set proper permissions + yield from files.file._inner( + path=dest, + mode=mode, + present=True, + ) + + +def _install_key_file(src_file: str, dest_path: str, dearmor: bool, mode: str): + """ + Helper function to install a GPG key file, dearmoring if necessary. + """ + if dearmor: + # Check if it's an ASCII armored key and handle accordingly + # Note: Could be enhanced using GpgKey fact + yield ( + f'if grep -q "BEGIN PGP PUBLIC KEY BLOCK" "{src_file}"; then ' + f'gpg --batch --dearmor -o "{dest_path}" "{src_file}"; ' + f'else cp "{src_file}" "{dest_path}"; fi' + ) + else: + # Simple copy for binary keys or when dearmoring is disabled + yield f'cp "{src_file}" "{dest_path}"' + + # Set proper permissions + yield from files.file._inner( + path=dest_path, + mode=mode, + present=True, + ) diff --git a/tests/facts/gpg.GpgKeyrings/asc_only.json b/tests/facts/gpg.GpgKeyrings/asc_only.json new file mode 100644 index 000000000..6804b7526 --- /dev/null +++ b/tests/facts/gpg.GpgKeyrings/asc_only.json @@ -0,0 +1,59 @@ +{ + "command": "for keyring in $(find \"/etc/apt/trusted.gpg.d\" -type f \\( -name '*.gpg' -o -name '*.asc' -o -name '*.kbx' \\) 2>/dev/null); do echo \"KEYRING:$keyring\"; if [[ \"$keyring\" == *.asc ]]; then gpg --with-colons \"$keyring\" 2>/dev/null || true; else gpg --list-keys --with-colons --keyring \"$keyring\" --no-default-keyring 2>/dev/null || true; fi; done", + "requires_command": "gpg", + "arg": ["/etc/apt/trusted.gpg.d"], + "output": [ + "KEYRING:/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc", + "pub:-:4096:1:B7C5D7D6350947F8:1663251644:::-:::scSC::::::23::0:", + "fpr:::::::::4D64390375060AA4D3E84D8FB7C5D7D6350947F8:", + "uid:-::::1663251644::7B1EFED0F7198D8488DD53F0E95BB93FC4D0A10C::Debian Stable Release Key (12/bookworm) ::::::::::0:", + "sub:-:4096:1:16E0B0B5FC11C3A7:1663251644:::-:::e::::::23:", + "fpr:::::::::CFD35E5D1F5CBDE15AE59C5E16E0B0B5FC11C3A7:", + "KEYRING:/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc", + "pub:-:4096:1:4F368D5D67269BAC:1663251677:::-:::scSC::::::23::0:", + "fpr:::::::::80E46CDDD2798E51FB74F84E4F368D5D67269BAC:", + "uid:-::::1663251677::BB28BDBA35F9A1A92F44E4C96A9E86FC66F9D4E6::Debian Archive Automatic Signing Key (12/bookworm) ::::::::::0:", + "sub:-:4096:1:D7AB25251C0A3EE3:1663251677:::-:::e::::::23:", + "fpr:::::::::C5691F97B9C30A5CF0A3B1F9D7AB25251C0A3EE3:" + ], + "fact": { + "/etc/apt/trusted.gpg.d/debian-archive-bookworm-automatic.asc": { + "format": "asc", + "keys": { + "B7C5D7D6350947F8": { + "validity": "-", + "length": 4096, + "subkeys": { + "16E0B0B5FC11C3A7": { + "validity": "-", + "length": 4096, + "fingerprint": "CFD35E5D1F5CBDE15AE59C5E16E0B0B5FC11C3A7" + } + }, + "fingerprint": "4D64390375060AA4D3E84D8FB7C5D7D6350947F8", + "uid_hash": "7B1EFED0F7198D8488DD53F0E95BB93FC4D0A10C", + "uid": "Debian Stable Release Key (12/bookworm) " + } + } + }, + "/etc/apt/trusted.gpg.d/debian-archive-bookworm-stable.asc": { + "format": "asc", + "keys": { + "4F368D5D67269BAC": { + "validity": "-", + "length": 4096, + "subkeys": { + "D7AB25251C0A3EE3": { + "validity": "-", + "length": 4096, + "fingerprint": "C5691F97B9C30A5CF0A3B1F9D7AB25251C0A3EE3" + } + }, + "fingerprint": "80E46CDDD2798E51FB74F84E4F368D5D67269BAC", + "uid_hash": "BB28BDBA35F9A1A92F44E4C96A9E86FC66F9D4E6", + "uid": "Debian Archive Automatic Signing Key (12/bookworm) " + } + } + } + } +} diff --git a/tests/facts/gpg.GpgKeyrings/custom_directory.json b/tests/facts/gpg.GpgKeyrings/custom_directory.json new file mode 100644 index 000000000..884ce59e0 --- /dev/null +++ b/tests/facts/gpg.GpgKeyrings/custom_directory.json @@ -0,0 +1,26 @@ +{ + "command": "for keyring in $(find \"/custom/keyring/path\" -type f \\( -name '*.gpg' -o -name '*.asc' -o -name '*.kbx' \\) 2>/dev/null); do echo \"KEYRING:$keyring\"; if [[ \"$keyring\" == *.asc ]]; then gpg --with-colons \"$keyring\" 2>/dev/null || true; else gpg --list-keys --with-colons --keyring \"$keyring\" --no-default-keyring 2>/dev/null || true; fi; done", + "requires_command": "gpg", + "arg": ["/custom/keyring/path"], + "output": [ + "KEYRING:/custom/keyring/path/custom.asc", + "pub:-:4096:1:9A3B3C4D5E6F7890:1622505600:::-:::scSC::::::23::0:", + "fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:", + "uid:-::::1622505600::::Custom Key ::::::::::0:" + ], + "fact": { + "/custom/keyring/path/custom.asc": { + "format": "asc", + "keys": { + "9A3B3C4D5E6F7890": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "1234567890ABCDEF1234567890ABCDEF12345678", + "uid_hash": "", + "uid": "Custom Key " + } + } + } + } +} diff --git a/tests/facts/gpg.GpgKeyrings/default.json b/tests/facts/gpg.GpgKeyrings/default.json new file mode 100644 index 000000000..5bce9cf17 --- /dev/null +++ b/tests/facts/gpg.GpgKeyrings/default.json @@ -0,0 +1,42 @@ +{ + "command": "for keyring in $(find \"/etc/apt/trusted.gpg.d\" \"/etc/apt/keyrings\" \"/usr/share/keyrings\" -type f \\( -name '*.gpg' -o -name '*.asc' -o -name '*.kbx' \\) 2>/dev/null); do echo \"KEYRING:$keyring\"; if [[ \"$keyring\" == *.asc ]]; then gpg --with-colons \"$keyring\" 2>/dev/null || true; else gpg --list-keys --with-colons --keyring \"$keyring\" --no-default-keyring 2>/dev/null || true; fi; done", + "requires_command": "gpg", + "arg": [["/etc/apt/trusted.gpg.d", "/etc/apt/keyrings", "/usr/share/keyrings"]], + "output": [ + "KEYRING:/etc/apt/keyrings/docker.gpg", + "tru:t:1:1601454628:0:3:1:5", + "pub:-:4096:1:ABCD1234EFGH5678:1336770936:::-:::scSC::::::23::0:", + "fpr:::::::::ABCD1234EFGH5678IJKL9012MNOP3456QRST7890:", + "uid:-::::1336770936::ABC123DEF456::Docker Release (CE deb) ::::::::::0:", + "KEYRING:/etc/apt/trusted.gpg.d/ubuntu-keyring.asc", + "pub:-:4096:1:1234ABCD5678EFGH:1336774248:::-:::scSC::::::23::0:", + "uid:-::::1336774248::::Ubuntu Archive Signing Key ::::::::::0:" + ], + "fact": { + "/etc/apt/keyrings/docker.gpg": { + "format": "gpg", + "keys": { + "ABCD1234EFGH5678": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "ABCD1234EFGH5678IJKL9012MNOP3456QRST7890", + "uid_hash": "ABC123DEF456", + "uid": "Docker Release (CE deb) " + } + } + }, + "/etc/apt/trusted.gpg.d/ubuntu-keyring.asc": { + "format": "asc", + "keys": { + "1234ABCD5678EFGH": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "uid_hash": "", + "uid": "Ubuntu Archive Signing Key " + } + } + } + } +} diff --git a/tests/facts/gpg.GpgKeyrings/empty_directory.json b/tests/facts/gpg.GpgKeyrings/empty_directory.json new file mode 100644 index 000000000..51f1c4eaf --- /dev/null +++ b/tests/facts/gpg.GpgKeyrings/empty_directory.json @@ -0,0 +1,7 @@ +{ + "command": "for keyring in $(find \"/empty/directory\" -type f \\( -name '*.gpg' -o -name '*.asc' -o -name '*.kbx' \\) 2>/dev/null); do echo \"KEYRING:$keyring\"; if [[ \"$keyring\" == *.asc ]]; then gpg --with-colons \"$keyring\" 2>/dev/null || true; else gpg --list-keys --with-colons --keyring \"$keyring\" --no-default-keyring 2>/dev/null || true; fi; done", + "requires_command": "gpg", + "arg": ["/empty/directory"], + "output": [], + "fact": {} +} diff --git a/tests/facts/gpg.GpgKeyrings/mixed_formats.json b/tests/facts/gpg.GpgKeyrings/mixed_formats.json new file mode 100644 index 000000000..ea649e7a2 --- /dev/null +++ b/tests/facts/gpg.GpgKeyrings/mixed_formats.json @@ -0,0 +1,62 @@ +{ + "command": "for keyring in $(find \"/etc/apt/trusted.gpg.d\" -type f \\( -name '*.gpg' -o -name '*.asc' -o -name '*.kbx' \\) 2>/dev/null); do echo \"KEYRING:$keyring\"; if [[ \"$keyring\" == *.asc ]]; then gpg --with-colons \"$keyring\" 2>/dev/null || true; else gpg --list-keys --with-colons --keyring \"$keyring\" --no-default-keyring 2>/dev/null || true; fi; done", + "requires_command": "gpg", + "arg": ["/etc/apt/trusted.gpg.d"], + "output": [ + "KEYRING:/etc/apt/trusted.gpg.d/debian-archive.gpg", + "tru:t:1:1601454628:0:3:1:5", + "pub:-:4096:1:73A4F27B8DD47936:1663251644:::-:::scSC::::::23::0:", + "fpr:::::::::4D64390375060AA4D3E84D8F73A4F27B8DD47936:", + "uid:-::::1663251644::7B1EFED0F7198D8488DD53F0E95BB93FC4D0A10C::Debian Archive Automatic Signing Key (11/bullseye) ::::::::::0:", + "KEYRING:/etc/apt/trusted.gpg.d/ubuntu-keyring.asc", + "pub:-:4096:1:1E9377A2BA9EF27F:1336770936:::-:::scSC::::::23::0:", + "fpr:::::::::790BC7277767219C42C86F931E9377A2BA9EF27F:", + "uid:-::::1336770936::::Ubuntu Archive Signing Key ::::::::::0:", + "KEYRING:/etc/apt/trusted.gpg.d/docker.kbx", + "tru:t:1:1601454628:0:3:1:5", + "pub:-:4096:1:9DC858229FC7DD38:1498167007:::-:::scSC::::::23::0:", + "fpr:::::::::9DC858229FC7DD38B3088BD89DC858229FC7DD38:", + "uid:-::::1498167007::::Docker Release (CE deb) ::::::::::0:" + ], + "fact": { + "/etc/apt/trusted.gpg.d/debian-archive.gpg": { + "format": "gpg", + "keys": { + "73A4F27B8DD47936": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "4D64390375060AA4D3E84D8F73A4F27B8DD47936", + "uid_hash": "7B1EFED0F7198D8488DD53F0E95BB93FC4D0A10C", + "uid": "Debian Archive Automatic Signing Key (11/bullseye) " + } + } + }, + "/etc/apt/trusted.gpg.d/ubuntu-keyring.asc": { + "format": "asc", + "keys": { + "1E9377A2BA9EF27F": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "790BC7277767219C42C86F931E9377A2BA9EF27F", + "uid_hash": "", + "uid": "Ubuntu Archive Signing Key " + } + } + }, + "/etc/apt/trusted.gpg.d/docker.kbx": { + "format": "kbx", + "keys": { + "9DC858229FC7DD38": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "9DC858229FC7DD38B3088BD89DC858229FC7DD38", + "uid_hash": "", + "uid": "Docker Release (CE deb) " + } + } + } + } +} diff --git a/tests/operations/gpg.dearmor/basic.json b/tests/operations/gpg.dearmor/basic.json new file mode 100644 index 000000000..62fa745e4 --- /dev/null +++ b/tests/operations/gpg.dearmor/basic.json @@ -0,0 +1,22 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/test.asc", + "dest": "/tmp/test.gpg" + }, + "facts": { + "files.Directory": { + "path=/tmp": { + "mode": 755 + } + }, + "files.File": { + "path=/tmp/test.gpg": null + } + }, + "commands": [ + "gpg --batch --dearmor -o \"/tmp/test.gpg\" \"/tmp/test.asc\"", + "touch /tmp/test.gpg", + "chmod 644 /tmp/test.gpg" + ] +} diff --git a/tests/operations/gpg.dearmor/custom_mode.json b/tests/operations/gpg.dearmor/custom_mode.json new file mode 100644 index 000000000..48e3f6415 --- /dev/null +++ b/tests/operations/gpg.dearmor/custom_mode.json @@ -0,0 +1,24 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/key.asc", + "dest": "/etc/apt/keyrings/key.gpg", + "mode": "0600" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/key.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "gpg --batch --dearmor -o \"/etc/apt/keyrings/key.gpg\" \"/tmp/key.asc\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/key.gpg", + "chmod 600 /etc/apt/keyrings/key.gpg" + ] +} diff --git a/tests/operations/gpg.key/custom_mode.json b/tests/operations/gpg.key/custom_mode.json new file mode 100644 index 000000000..2de7e69f0 --- /dev/null +++ b/tests/operations/gpg.key/custom_mode.json @@ -0,0 +1,24 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/local-key.asc", + "dest": "/etc/apt/keyrings/test.gpg", + "mode": "0600" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "if grep -q \"BEGIN PGP PUBLIC KEY BLOCK\" \"/tmp/local-key.asc\"; then gpg --batch --dearmor -o \"/etc/apt/keyrings/test.gpg\" \"/tmp/local-key.asc\"; else cp \"/tmp/local-key.asc\" \"/etc/apt/keyrings/test.gpg\"; fi", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 600 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/keyserver_multiple.json b/tests/operations/gpg.key/keyserver_multiple.json new file mode 100644 index 000000000..571a57866 --- /dev/null +++ b/tests/operations/gpg.key/keyserver_multiple.json @@ -0,0 +1,28 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "keyid": ["0xD88E42B4", "0x7EA0A9C3"], + "dest": "/etc/apt/keyrings/vendor.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null, + "path=/tmp/pyinfra-gpg-empfile_": null + }, + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "mkdir -p /tmp/pyinfra-gpg-empfile_", + "chmod 700 /tmp/pyinfra-gpg-empfile_", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --keyserver \"hkps://keyserver.ubuntu.com\" --recv-keys 0xD88E42B4 0x7EA0A9C3", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --export 0xD88E42B4 0x7EA0A9C3 > \"/etc/apt/keyrings/vendor.gpg\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/vendor.gpg", + "chmod 644 /etc/apt/keyrings/vendor.gpg" + ] +} diff --git a/tests/operations/gpg.key/keyserver_no_keyid.json b/tests/operations/gpg.key/keyserver_no_keyid.json new file mode 100644 index 000000000..f6bbf5bbe --- /dev/null +++ b/tests/operations/gpg.key/keyserver_no_keyid.json @@ -0,0 +1,12 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "dest": "/etc/apt/keyrings/test.gpg" + }, + "exception": { + "names": ["OperationError"], + "message": "`keyid` must be provided with `keyserver`" + }, + "facts": {} +} diff --git a/tests/operations/gpg.key/keyserver_single.json b/tests/operations/gpg.key/keyserver_single.json new file mode 100644 index 000000000..26fcb4e7c --- /dev/null +++ b/tests/operations/gpg.key/keyserver_single.json @@ -0,0 +1,28 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "keyid": ["0xD88E42B4"], + "dest": "/etc/apt/keyrings/vendor.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null, + "path=/tmp/pyinfra-gpg-empfile_": null + }, + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "mkdir -p /tmp/pyinfra-gpg-empfile_", + "chmod 700 /tmp/pyinfra-gpg-empfile_", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --keyserver \"hkps://keyserver.ubuntu.com\" --recv-keys 0xD88E42B4", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --export 0xD88E42B4 > \"/etc/apt/keyrings/vendor.gpg\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/vendor.gpg", + "chmod 644 /etc/apt/keyrings/vendor.gpg" + ] +} diff --git a/tests/operations/gpg.key/keyserver_single_idempotent.json b/tests/operations/gpg.key/keyserver_single_idempotent.json new file mode 100644 index 000000000..6c58b95c1 --- /dev/null +++ b/tests/operations/gpg.key/keyserver_single_idempotent.json @@ -0,0 +1,42 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "keyid": ["0xD88E42B4"], + "dest": "/etc/apt/keyrings/vendor.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": { + "mode": "755", + "user": "root", + "group": "root" + }, + "path=/tmp/pyinfra-gpg-empfile_": null + }, + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": { + "mode": "644", + "user": "root", + "group": "root" + } + }, + "gpg.GpgKeyrings": { + "directories=['/etc/apt/keyrings']": { + "/etc/apt/keyrings/vendor.gpg": { + "format": "gpg", + "keys": { + "D88E42B4": { + "length": 4096, + "uid": "Test Key " + } + } + } + } + } + }, + "commands": [ + "chmod 644 /etc/apt/keyrings/vendor.gpg" + ], + "noop_description": "GPG keys ['0xD88E42B4'] already exist in /etc/apt/keyrings/vendor.gpg" +} diff --git a/tests/operations/gpg.key/local_file.json b/tests/operations/gpg.key/local_file.json new file mode 100644 index 000000000..ba86d06fa --- /dev/null +++ b/tests/operations/gpg.key/local_file.json @@ -0,0 +1,23 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/local-key.asc", + "dest": "/etc/apt/keyrings/test.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "if grep -q \"BEGIN PGP PUBLIC KEY BLOCK\" \"/tmp/local-key.asc\"; then gpg --batch --dearmor -o \"/etc/apt/keyrings/test.gpg\" \"/tmp/local-key.asc\"; else cp \"/tmp/local-key.asc\" \"/etc/apt/keyrings/test.gpg\"; fi", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 644 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/no_dearmor.json b/tests/operations/gpg.key/no_dearmor.json new file mode 100644 index 000000000..4095c6d05 --- /dev/null +++ b/tests/operations/gpg.key/no_dearmor.json @@ -0,0 +1,24 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/local-key.gpg", + "dest": "/etc/apt/keyrings/test.gpg", + "dearmor": false + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "cp \"/tmp/local-key.gpg\" \"/etc/apt/keyrings/test.gpg\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 644 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/no_dest.json b/tests/operations/gpg.key/no_dest.json new file mode 100644 index 000000000..134562316 --- /dev/null +++ b/tests/operations/gpg.key/no_dest.json @@ -0,0 +1,11 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/test.asc" + }, + "facts": {}, + "exception": { + "names": ["OperationError"], + "message": "`dest` must be provided for installation" + } +} diff --git a/tests/operations/gpg.key/no_src_or_keyserver.json b/tests/operations/gpg.key/no_src_or_keyserver.json new file mode 100644 index 000000000..786d22d1c --- /dev/null +++ b/tests/operations/gpg.key/no_src_or_keyserver.json @@ -0,0 +1,11 @@ +{ + "args": [], + "kwargs": { + "dest": "/etc/apt/keyrings/test.gpg" + }, + "exception": { + "names": ["OperationError"], + "message": "Either `src` or `keyserver` must be provided for installation" + }, + "facts": {} +} diff --git a/tests/operations/gpg.key/remote_url.json b/tests/operations/gpg.key/remote_url.json new file mode 100644 index 000000000..509887e86 --- /dev/null +++ b/tests/operations/gpg.key/remote_url.json @@ -0,0 +1,29 @@ +{ + "args": [], + "kwargs": { + "src": "https://example.com/key.asc", + "dest": "/etc/apt/keyrings/test.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null, + "path=_tempfile_": null + }, + "server.Which": { + "command=curl": "/usr/bin/curl" + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "curl -sSLf https://example.com/key.asc -o _tempfile_", + "mv _tempfile_ _tempfile_", + "if grep -q \"BEGIN PGP PUBLIC KEY BLOCK\" \"_tempfile_\"; then gpg --batch --dearmor -o \"/etc/apt/keyrings/test.gpg\" \"_tempfile_\"; else cp \"_tempfile_\" \"/etc/apt/keyrings/test.gpg\"; fi", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 644 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/remove_by_id.json b/tests/operations/gpg.key/remove_by_id.json new file mode 100644 index 000000000..8d6e7eb98 --- /dev/null +++ b/tests/operations/gpg.key/remove_by_id.json @@ -0,0 +1,32 @@ +{ + "kwargs": { + "dest": "/etc/apt/keyrings/vendor.gpg", + "keyid": "0xABCDEF12", + "present": false + }, + "facts": { + "gpg.GpgKeyrings": { + "directories=['/etc/apt/keyrings']": { + "/etc/apt/keyrings/vendor.gpg": { + "format": "gpg", + "keys": { + "ABCDEF1234567890": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "ABCDEF1234567890FEDCBA0987654321ABCDEF12", + "uid_hash": "ABC123DEF456", + "uid": "Vendor Key " + } + } + } + } + }, + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": {"mode": 644} + } + }, + "commands": [ + "rm -f /etc/apt/keyrings/vendor.gpg" + ] +} diff --git a/tests/operations/gpg.key/remove_file.json b/tests/operations/gpg.key/remove_file.json new file mode 100644 index 000000000..ac9adcb9e --- /dev/null +++ b/tests/operations/gpg.key/remove_file.json @@ -0,0 +1,14 @@ +{ + "kwargs": { + "dest": "/etc/apt/keyrings/test.gpg", + "present": false + }, + "facts": { + "files.File": { + "path=/etc/apt/keyrings/test.gpg": {"mode": 644} + } + }, + "commands": [ + "rm -f /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/remove_from_all_keyrings.json b/tests/operations/gpg.key/remove_from_all_keyrings.json new file mode 100644 index 000000000..62a932659 --- /dev/null +++ b/tests/operations/gpg.key/remove_from_all_keyrings.json @@ -0,0 +1,32 @@ +{ + "kwargs": { + "keyid": "0xCOMPROMISED123", + "present": false, + "working_dirs": ["/etc/apt/trusted.gpg.d", "/etc/apt/keyrings", "/usr/share/keyrings"] + }, + "facts": { + "gpg.GpgKeyrings": { + "directories=['/etc/apt/trusted.gpg.d', '/etc/apt/keyrings', '/usr/share/keyrings']": { + "/etc/apt/trusted.gpg.d/compromised.gpg": { + "format": "gpg", + "keys": { + "COMPROMISED123567890": { + "validity": "-", + "length": 4096, + "subkeys": {}, + "fingerprint": "COMPROMISED123567890FEDCBA0987654321COMPROMISED123", + "uid_hash": "ABC123DEF456", + "uid": "Compromised Key " + } + } + } + } + }, + "files.File": { + "path=/etc/apt/trusted.gpg.d/compromised.gpg": {"mode": 644} + } + }, + "commands": [ + "rm -f /etc/apt/trusted.gpg.d/compromised.gpg" + ] +} diff --git a/tests/operations/gpg.key/remove_no_dest_no_keyid.json b/tests/operations/gpg.key/remove_no_dest_no_keyid.json new file mode 100644 index 000000000..03225013d --- /dev/null +++ b/tests/operations/gpg.key/remove_no_dest_no_keyid.json @@ -0,0 +1,10 @@ +{ + "kwargs": { + "present": false + }, + "exception": { + "names": ["OperationError"], + "message": "For removal, either `dest` or both `keyid` and `working_dirs` must be provided" + }, + "facts": {} +}