The apt_key module did not properly handle GnuPG errors for certain actions (#74478)

* Not all GnuPG return codes were analyzed (rc != 0) and not all relevant GnuPG error information was returned by the 'ansible.builtin.apt_key' module (https://github.com/ansible/ansible/issues/74477) * Update changelogs/fragments/74478-apt_key-gpg-error-check.yaml Co-authored-by: Brian Coca <bcoca@users.noreply.github.com> Co-authored-by: Sam Doran <sdoran@redhat.com>
2021-04-30 23:53:41 +03:00 · 2021-04-30 23:53:41 +03:00 · daecb30ac9
parent 38fb05102c
commit daecb30ac9
2 changed files with 35 additions and 6 deletions
--- a/changelogs/fragments/74478-apt_key-gpg-error-check.yaml
+++ b/changelogs/fragments/74478-apt_key-gpg-error-check.yaml
@ -0,0 +1,2 @@
+bugfixes:
+  - The ``apt_key`` module did not properly handle GnuPG errors (https://github.com/ansible/ansible/issues/74477)
--- a/lib/ansible/modules/apt_key.py
+++ b/lib/ansible/modules/apt_key.py
@ -253,6 +253,8 @@ def all_keys(module, keyring, short_format):
    else:
        cmd = "%s adv --list-public-keys --keyid-format=long" % apt_key_bin
    (rc, out, err) = module.run_command(cmd)
+    if rc != 0:
+        module.fail_json(msg="Unable to list public keys", cmd=cmd, rc=rc, stdout=out, stderr=err)

    return parse_output_for_keys(out, short_format)

@ -326,10 +328,10 @@ def import_key(module, keyring, keyserver, key_id):
        # Out of retries
        if rc == 2 and 'not found on keyserver' in out:
            msg = 'Key %s not found on keyserver %s' % (key_id, keyserver)
-            module.fail_json(cmd=cmd, msg=msg)
+            module.fail_json(cmd=cmd, msg=msg, forced_environment=lang_env)
        else:
            msg = "Error fetching key %s from keyserver: %s" % (key_id, keyserver)
-            module.fail_json(cmd=cmd, msg=msg, rc=rc, stdout=out, stderr=err)
+            module.fail_json(cmd=cmd, msg=msg, forced_environment=lang_env, rc=rc, stdout=out, stderr=err)
    return True


@ -339,23 +341,48 @@ def add_key(module, keyfile, keyring, data=None):
            cmd = "%s --keyring %s add -" % (apt_key_bin, keyring)
        else:
            cmd = "%s add -" % apt_key_bin
-        (rc, out, err) = module.run_command(cmd, data=data, check_rc=True, binary_data=True)
+        (rc, out, err) = module.run_command(cmd, data=data, binary_data=True)
+        if rc != 0:
+            module.fail_json(
+                msg="Unable to add a key from binary data",
+                cmd=cmd,
+                rc=rc,
+                stdout=out,
+                stderr=err,
+            )
    else:
        if keyring:
            cmd = "%s --keyring %s add %s" % (apt_key_bin, keyring, keyfile)
        else:
            cmd = "%s add %s" % (apt_key_bin, keyfile)
-        (rc, out, err) = module.run_command(cmd, check_rc=True)
+        (rc, out, err) = module.run_command(cmd)
+        if rc != 0:
+            module.fail_json(
+                msg="Unable to add a key from file %s" % (keyfile),
+                cmd=cmd,
+                rc=rc,
+                keyfile=keyfile,
+                stdout=out,
+                stderr=err,
+            )
    return True


 def remove_key(module, key_id, keyring):
-    # FIXME: use module.run_command, fail at point of error and don't discard useful stdin/stdout
    if keyring:
        cmd = '%s --keyring %s del %s' % (apt_key_bin, keyring, key_id)
    else:
        cmd = '%s del %s' % (apt_key_bin, key_id)
-    (rc, out, err) = module.run_command(cmd, check_rc=True)
+    (rc, out, err) = module.run_command(cmd)
+    if rc != 0:
+        module.fail_json(
+            msg="Unable to remove a key with id %s" % (key_id),
+            cmd=cmd,
+            rc=rc,
+            key_id=key_id,
+            stdout=out,
+            stderr=err,
+        )
    return True