diff --git a/changelogs/fragments/82377-git-gpg-whitelist-allowlist.yml b/changelogs/fragments/82377-git-gpg-whitelist-allowlist.yml new file mode 100644 index 00000000000..f0205c15017 --- /dev/null +++ b/changelogs/fragments/82377-git-gpg-whitelist-allowlist.yml @@ -0,0 +1,3 @@ +--- +minor_changes: + - git module - gpg_allowlist name was added in 2.17 and we will eventually deprecate the gpg_whitelist alias. diff --git a/lib/ansible/modules/git.py b/lib/ansible/modules/git.py index 5460a24a269..26d4c59f924 100644 --- a/lib/ansible/modules/git.py +++ b/lib/ansible/modules/git.py @@ -207,15 +207,18 @@ options: type: path version_added: "2.7" - gpg_whitelist: + gpg_allowlist: description: - A list of trusted GPG fingerprints to compare to the fingerprint of the GPG-signed commit. - Only used when O(verify_commit=yes). - Use of this feature requires Git 2.6+ due to its reliance on git's C(--raw) flag to C(verify-commit) and C(verify-tag). + - Alias O(gpg_allowlist) is added in version 2.17. + - Alias O(gpg_whitelist) is deprecated and will be removed in version 2.21. type: list elements: str default: [] + aliases: [ gpg_whitelist ] version_added: "2.9" requirements: @@ -567,7 +570,7 @@ def get_submodule_versions(git_path, module, dest, version='HEAD'): def clone(git_path, module, repo, dest, remote, depth, version, bare, - reference, refspec, git_version_used, verify_commit, separate_git_dir, result, gpg_whitelist, single_branch): + reference, refspec, git_version_used, verify_commit, separate_git_dir, result, gpg_allowlist, single_branch): ''' makes a new git repo if it does not already exist ''' dest_dirname = os.path.dirname(dest) try: 
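Review bot: The two bullets added to the gpg_allowlist description call gpg_allowlist an alias, but it is the option's new primary name; only gpg_whitelist is an alias, so the wording in the -207 hunk of git.py is misleading. Suggest replacing them with `- The option was renamed from gpg_whitelist to gpg_allowlist in version 2.17.` and `- O(gpg_whitelist) remains as an alias but is deprecated and will be removed in version 2.21.`. The description also never states what the default empty list means; since verify_commit_sign (later in this diff) only adds C(--raw) and compares the signer's fingerprint when the list is non-empty, a bullet such as `- When empty, O(verify_commit=yes) only checks that the signature validates against the local GPG keyring; no fingerprint pinning is performed.` would make clear that the allowlist, not verify_commit alone, is what restricts trust to specific keys. The changelog fragment in the first hunk could carry the same renamed-vs-alias wording.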
@@ -634,7 +637,7 @@ def clone(git_path, module, repo, dest, remote, depth, version, bare,
 module.run_command(cmd, check_rc=True, cwd=dest)
 
 if verify_commit:
- verify_commit_sign(git_path, module, dest, version, gpg_whitelist)
+ verify_commit_sign(git_path, module, dest, version, gpg_allowlist)
 
 
 def has_local_mods(module, git_path, dest, bare):
@@ -1015,7 +1018,7 @@ def set_remote_branch(git_path, module, dest, remote, version, depth):
 module.fail_json(msg="Failed to fetch branch from remote: %s" % version, stdout=out, stderr=err, rc=rc)
 
 
-def switch_version(git_path, module, dest, remote, version, verify_commit, depth, gpg_whitelist):
+def switch_version(git_path, module, dest, remote, version, verify_commit, depth, gpg_allowlist):
 cmd = ''
 if version == 'HEAD':
 branch = get_head_branch(git_path, module, dest, remote)
@@ -1051,26 +1054,26 @@ def switch_version(git_path, module, dest, remote, version, verify_commit, depth stdout=out1, stderr=err1, rc=rc, cmd=cmd) if verify_commit: - verify_commit_sign(git_path, module, dest, version, gpg_whitelist) + verify_commit_sign(git_path, module, dest, version, gpg_allowlist) return (rc, out1, err1) -def verify_commit_sign(git_path, module, dest, version, gpg_whitelist): +def verify_commit_sign(git_path, module, dest, version, gpg_allowlist): if version in get_annotated_tags(git_path, module, dest): git_sub = "verify-tag" else: git_sub = "verify-commit" cmd = "%s %s %s" % (git_path, git_sub, version) - if gpg_whitelist: + if gpg_allowlist: cmd += " --raw" (rc, out, err) = module.run_command(cmd, cwd=dest) if rc != 0: module.fail_json(msg='Failed to verify GPG signature of commit/tag "%s"' % version, stdout=out, stderr=err, rc=rc) - if gpg_whitelist: + if gpg_allowlist: fingerprint = get_gpg_fingerprint(err) - if fingerprint not in gpg_whitelist: - module.fail_json(msg='The gpg_whitelist does not include the public key "%s" for this commit' % fingerprint, stdout=out, stderr=err, rc=rc) + if fingerprint not in gpg_allowlist: + module.fail_json(msg='The gpg_allowlist does not include the public key "%s" for this commit' % fingerprint, stdout=out, stderr=err, rc=rc) return (rc, out, err) @@ -1183,7 +1186,16 @@ def main(): clone=dict(default='yes', type='bool'), update=dict(default='yes', type='bool'), verify_commit=dict(default='no', type='bool'), - gpg_whitelist=dict(default=[], type='list', elements='str'), + gpg_allowlist=dict( + default=[], type='list', aliases=['gpg_whitelist'], elements='str', + deprecated_aliases=[ + dict( + name='gpg_whitelist', + version='2.21', + collection_name='ansible.builtin', + ) + ], + ), accept_hostkey=dict(default='no', type='bool'), accept_newhostkey=dict(default='no', type='bool'), key_file=dict(default=None, type='path', required=False), 
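Review bot: verify_commit_sign still has no docstring after the rename, and its contract is security-relevant: a signature is accepted whenever C(git verify-commit)/C(verify-tag) exits 0, and the comparison against gpg_allowlist only happens when the list is non-empty. Suggest adding a docstring stating that it runs verify-tag for annotated tags and verify-commit otherwise, fails the module on a non-zero exit, and, only when gpg_allowlist is non-empty, also fails unless the fingerprint parsed from the C(--raw) stderr output appears in the list. The membership test is a plain `if fingerprint not in gpg_allowlist:`, so any difference in case or spacing between the value returned by get_gpg_fingerprint (defined outside this hunk) and the user's entry makes verification fail; worth stating in the docstring, or normalizing both sides if get_gpg_fingerprint's output format is fixed. The whole function lies inside the hunk; the enclosing switch_version at the top of the hunk starts outside it.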
@@ -1214,7 +1226,7 @@ def main():
 allow_clone = module.params['clone']
 bare = module.params['bare']
 verify_commit = module.params['verify_commit']
- gpg_whitelist = module.params['gpg_whitelist']
+ gpg_allowlist = module.params['gpg_allowlist']
 reference = module.params['reference']
 single_branch = module.params['single_branch']
 git_path = module.params['executable'] or module.get_bin_path('git', True)
@@ -1321,7 +1333,7 @@ def main():
 module.exit_json(**result)
 # there's no git config, so clone
 clone(git_path, module, repo, dest, remote, depth, version, bare, reference,
- refspec, git_version_used, verify_commit, separate_git_dir, result, gpg_whitelist, single_branch)
+ refspec, git_version_used, verify_commit, separate_git_dir, result, gpg_allowlist, single_branch)
 elif not update:
 # Just return having found a repo already in the dest path
 # this does no checking that the repo is the actual repo
@@ -1376,7 +1388,7 @@ def main():
 # switch to version specified regardless of whether
 # we got new revisions from the repository
 if not bare:
- switch_version(git_path, module, dest, remote, version, verify_commit, depth, gpg_whitelist)
+ switch_version(git_path, module, dest, remote, version, verify_commit, depth, gpg_allowlist)
 
 # Deal with submodules
 submodules_updated = False