Merge pull request #1824 from jvantuyl/apt-key-module
add apt_key module
This commit is contained in:
commit
26ac3efe69
1 changed files with 256 additions and 0 deletions
256
apt_key
Normal file
256
apt_key
Normal file
|
@ -0,0 +1,256 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
||||
# (c) 2012, Jayson Vantuyl <jayson@aggressive.ly>
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: apt_key
|
||||
author: Jayson Vantuyl
|
||||
version_added: 1.0
|
||||
short_description: Add or remove an apt key
|
||||
description:
|
||||
- Add or remove an I(apt) key, optionally downloading it
|
||||
notes:
|
||||
- doesn't download the key unless it really needs it
|
||||
- as a sanity check, downloaded key id must match the one specified
|
||||
- best practice is to specify the key id and the url
|
||||
options:
|
||||
id:
|
||||
required: false
|
||||
default: none
|
||||
description:
|
||||
- identifier of key
|
||||
url:
|
||||
required: false
|
||||
default: none
|
||||
description:
|
||||
- url to retrieve key from.
|
||||
state:
|
||||
required: false
|
||||
choices: [ absent, present ]
|
||||
default: present
|
||||
description:
|
||||
- used to specify if key is being added or revoked
|
||||
examples:
|
||||
- code: "apt_key: url=https://ftp-master.debian.org/keys/archive-key-6.0.asc state=present"
|
||||
description: Add an Apt signing key, uses whichever key is at the URL
|
||||
- code: "apt_key: id=473041FA url=https://ftp-master.debian.org/keys/archive-key-6.0.asc state=present"
|
||||
description: Add an Apt signing key, will not download if present
|
||||
- code: "apt_key: url=https://ftp-master.debian.org/keys/archive-key-6.0.asc state=absent"
|
||||
description: Remove an Apt signing key, uses whichever key is at the URL
|
||||
- code: "apt_key: id=473041FA state=absent"
|
||||
description: Remove a Apt specific signing key
|
||||
'''
|
||||
|
||||
from urllib2 import urlopen, URLError
|
||||
from traceback import format_exc
|
||||
from subprocess import Popen, PIPE, call
|
||||
from re import compile as re_compile
|
||||
from distutils.spawn import find_executable
|
||||
from os import environ
|
||||
from sys import exc_info
|
||||
|
||||
match_key = re_compile("^gpg:.*key ([0-9a-fA-F]+):.*$")
|
||||
|
||||
REQUIRED_EXECUTABLES=['gpg', 'grep', 'apt-key']
|
||||
|
||||
|
||||
def find_missing_binaries():
|
||||
return [missing for missing in REQUIRED_EXECUTABLES if not find_executable(missing)]
|
||||
|
||||
|
||||
def get_key_ids(key_data):
|
||||
p = Popen("gpg --list-only --import -", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
|
||||
(stdo, stde) = p.communicate(key_data)
|
||||
|
||||
if p.returncode > 0:
|
||||
raise Exception("error running GPG to retrieve keys")
|
||||
|
||||
output = stdo + stde
|
||||
|
||||
for line in output.split('\n'):
|
||||
match = match_key.match(line)
|
||||
if match:
|
||||
yield match.group(1)
|
||||
|
||||
|
||||
def key_present(key_id):
|
||||
return call("apt-key list | 2>&1 grep -q %s" % key_id, shell=True) == 0
|
||||
|
||||
|
||||
def download_key(url):
|
||||
if url is None:
|
||||
raise Exception("Needed URL but none specified")
|
||||
connection = urlopen(url)
|
||||
if connection is None:
|
||||
raise Exception("error connecting to download key from %r" % url)
|
||||
return connection.read()
|
||||
|
||||
|
||||
def add_key(key):
|
||||
return call("apt-key add -", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
|
||||
(_, _) = p.communicate(key)
|
||||
|
||||
return p.returncode == 0
|
||||
|
||||
|
||||
def remove_key(key_id):
|
||||
return call('apt-key del %s' % key_id, shell=True) == 0
|
||||
|
||||
|
||||
def return_values(tb=False):
|
||||
if tb:
|
||||
return {'exception': format_exc()}
|
||||
else:
|
||||
return {}
|
||||
|
||||
|
||||
# use cues from the environment to mock out functions for testing
|
||||
if 'ANSIBLE_TEST_APT_KEY' in environ:
|
||||
orig_download_key = download_key
|
||||
KEY_ADDED=0
|
||||
KEY_REMOVED=0
|
||||
KEY_DOWNLOADED=0
|
||||
|
||||
|
||||
def download_key(url):
|
||||
global KEY_DOWNLOADED
|
||||
KEY_DOWNLOADED += 1
|
||||
return orig_download_key(url)
|
||||
|
||||
|
||||
def find_missing_binaries():
|
||||
return []
|
||||
|
||||
|
||||
def add_key(key):
|
||||
global KEY_ADDED
|
||||
KEY_ADDED += 1
|
||||
return True
|
||||
|
||||
|
||||
def remove_key(key_id):
|
||||
global KEY_REMOVED
|
||||
KEY_REMOVED += 1
|
||||
return True
|
||||
|
||||
|
||||
def return_values(tb=False):
|
||||
extra = dict(
|
||||
added=KEY_ADDED,
|
||||
removed=KEY_REMOVED,
|
||||
downloaded=KEY_DOWNLOADED
|
||||
)
|
||||
if tb:
|
||||
extra['exception'] = format_exc()
|
||||
return extra
|
||||
|
||||
|
||||
if environ.get('ANSIBLE_TEST_APT_KEY') == 'none':
|
||||
def key_present(key_id):
|
||||
return False
|
||||
else:
|
||||
def key_present(key_id):
|
||||
return key_id == environ['ANSIBLE_TEST_APT_KEY']
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
id=dict(required=False, default=None),
|
||||
url=dict(required=False),
|
||||
state=dict(required=False, choices=['present', 'absent'], default='present')
|
||||
)
|
||||
)
|
||||
|
||||
expected_key_id = module.params['id']
|
||||
url = module.params['url']
|
||||
state = module.params['state']
|
||||
changed = False
|
||||
|
||||
missing = find_missing_binaries()
|
||||
|
||||
if missing:
|
||||
module.fail_json(msg="can't find needed binaries to run", missing=missing,
|
||||
**return_values())
|
||||
|
||||
if state == 'present':
|
||||
if expected_key_id and key_present(expected_key_id):
|
||||
# key is present, nothing to do
|
||||
pass
|
||||
else:
|
||||
# download key
|
||||
try:
|
||||
key = download_key(url)
|
||||
(key_id,) = tuple(get_key_ids(key)) # TODO: support multiple key ids?
|
||||
except Exception:
|
||||
module.fail_json(
|
||||
msg="error getting key id from url",
|
||||
**return_values(True)
|
||||
)
|
||||
|
||||
# sanity check downloaded key
|
||||
if expected_key_id and key_id != expected_key_id:
|
||||
module.fail_json(
|
||||
msg="expected key id %s, got key id %s" % (expected_key_id, key_id),
|
||||
**return_values()
|
||||
)
|
||||
|
||||
# actually add key
|
||||
if key_present(key_id):
|
||||
changed=False
|
||||
elif add_key(key):
|
||||
changed=True
|
||||
else:
|
||||
module.fail_json(
|
||||
msg="failed to add key id %s" % key_id,
|
||||
**return_values()
|
||||
)
|
||||
elif state == 'absent':
|
||||
# optionally download the key and get the id
|
||||
if not expected_key_id:
|
||||
try:
|
||||
key = download_key(url)
|
||||
(key_id,) = tuple(get_key_ids(key)) # TODO: support multiple key ids?
|
||||
except Exception:
|
||||
module.fail_json(
|
||||
msg="error getting key id from url",
|
||||
**return_values(True)
|
||||
)
|
||||
else:
|
||||
key_id = expected_key_id
|
||||
|
||||
# actually remove key
|
||||
if key_present(key_id):
|
||||
if remove_key(key_id):
|
||||
changed=True
|
||||
else:
|
||||
module.fail_json(msg="error removing key_id", **return_values(True))
|
||||
else:
|
||||
module.fail_json(
|
||||
msg="unexpected state: %s" % state,
|
||||
**return_values()
|
||||
)
|
||||
|
||||
module.exit_json(changed=changed, **return_values())
|
||||
|
||||
# include magic from lib/ansible/module_common.py
|
||||
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
|
||||
main()
|
Loading…
Reference in a new issue