From 4953fc7b267e3eb7dff5ed79cab54c9623ccf22e Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Tue, 21 Jan 2025 14:45:38 -0500
Subject: [PATCH] Apt key bye (#84555)
* apt-key module updates due to debian removal Still kept for now for backwards compat, but removing from testing when not present And adding more explicit mesasges to errors to point to new module
* added docs and error msg
* clog
* aslkdfj
* no docs to document doc changes
* also add warning to apt_repository
* clog on apt_repo too
* fix string concat
* Apply suggestions from code review
Co-authored-by: Abhijeet Kasurde
---------
Co-authored-by: Abhijeet Kasurde
---
 changelogs/fragments/apt_key_bye.yml | 5 ++++
 lib/ansible/modules/apt_key.py | 15 +++++++++---
 lib/ansible/modules/apt_repository.py | 5 +++-
 .../targets/apt_key/tasks/main.yml | 24 +++++++++++--------
 4 files changed, 35 insertions(+), 14 deletions(-)
 create mode 100644 changelogs/fragments/apt_key_bye.yml
diff --git a/changelogs/fragments/apt_key_bye.yml b/changelogs/fragments/apt_key_bye.yml
new file mode 100644
index 00000000000..a1792fd9c7c
--- /dev/null
+++ b/changelogs/fragments/apt_key_bye.yml
@@ -0,0 +1,5 @@
+minor_changes:
+ - apt_key module - add notes to docs and errors to point at the CLI tool deprecation by Debian and alternatives
+ - apt_repository module - add notes to errors to point at the CLI tool deprecation by Debian and alternatives
+bugfixes:
+ - apt_key module - prevent tests from running when apt-key was removed
diff --git a/lib/ansible/modules/apt_key.py b/lib/ansible/modules/apt_key.py
index 3828f9a882b..8ae5c77dbfb 100644
--- a/lib/ansible/modules/apt_key.py
+++ b/lib/ansible/modules/apt_key.py
@@ -33,6 +33,8 @@ notes:
 To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)."
 - If you specify both the key O(id) and the O(url) with O(state=present), the task can verify or add the key as needed.
 - Adding a new key requires an apt cache update (e.g. using the M(ansible.builtin.apt) module's C(update_cache) option).
+ - The C(apt-key) utility has been deprecated and removed in modern debian versions, use M(ansible.legacy.deb822_repository) as an alternative
+ to M(ansible.legacy.apt_repository) + apt_key combinations.
 requirements:
 - gpg
 seealso:
@@ -170,7 +172,6 @@ short_id:
 import os
-# FIXME: standardize into module_common
 from traceback import format_exc
 from ansible.module_utils.common.text.converters import to_native
@@ -196,8 +197,16 @@ def lang_env(module):
 def find_needed_binaries(module):
 global apt_key_bin
 global gpg_bin
- apt_key_bin = module.get_bin_path('apt-key', required=True)
- gpg_bin = module.get_bin_path('gpg', required=True)
+
+ try:
+ apt_key_bin = module.get_bin_path('apt-key', required=True)
+ except ValueError as e:
+ module.exit_json(f'{to_native(e)}. Apt-key has been deprecated. See the deb822_repository as an alternative.')
+
+ try:
+ gpg_bin = module.get_bin_path('gpg', required=True)
+ except ValueError as e:
+ module.exit_json(msg=to_native(e))
 def add_http_proxy(cmd):
diff --git a/lib/ansible/modules/apt_repository.py b/lib/ansible/modules/apt_repository.py
index 27efa187b5b..39b2e58b83a 100644
--- a/lib/ansible/modules/apt_repository.py
+++ b/lib/ansible/modules/apt_repository.py
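Review bot: The two new `except ValueError` handlers in `find_needed_binaries` (`lib/ansible/modules/apt_key.py`) finish through `module.exit_json`, which reports the task as successful, so a host without `apt-key` or `gpg` would show the key step as ok although no key was handled and the play carries on as if the repository key were in place. The first call also passes its message positionally, while `exit_json` takes keyword arguments only, so that branch would end in a `TypeError` rather than the deprecation hint. Both should fail the module instead: `module.fail_json(msg=f'{to_native(e)}. Apt-key has been deprecated. See the deb822_repository as an alternative.')` and `module.fail_json(msg=to_native(e))`. If `module.get_bin_path(..., required=True)` already fails the module itself when the binary is missing (not visible in this hunk), these handlers are never reached; calling it with `required=False` and testing the result, as the `apt_repository.py` hunk does, would make the hint reliable.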
@@ -475,7 +475,10 @@ class UbuntuSourcesList(SourcesList):
 self.apt_key_bin = self.module.get_bin_path('apt-key', required=False)
 self.gpg_bin = self.module.get_bin_path('gpg', required=False)
 if not self.apt_key_bin and not self.gpg_bin:
- self.module.fail_json(msg='Either apt-key or gpg binary is required, but neither could be found')
+ msg = 'Either apt-key or gpg binary is required, but neither could be found.' \
+ 'The apt-key CLI has been deprecated and removed in modern Debian and derivatives, ' \
+ 'you might want to use "deb822_repository" instead.'
+ self.module.fail_json(msg)
 def __deepcopy__(self, memo=None):
 return UbuntuSourcesList(self.module)
diff --git a/test/integration/targets/apt_key/tasks/main.yml b/test/integration/targets/apt_key/tasks/main.yml
index 7aee56a77ef..5dcf5eb6336 100644
--- a/test/integration/targets/apt_key/tasks/main.yml
+++ b/test/integration/targets/apt_key/tasks/main.yml
@@ -16,14 +16,18 @@
 # You should have received a copy of the GNU General Public License
 # along with Ansible. If not, see .
-- import_tasks: 'apt_key.yml'
- when: ansible_distribution in ('Ubuntu', 'Debian')
+- name: apt key tests
+ when:
+ - ansible_distribution in ('Ubuntu', 'Debian')
+ block:
+ - shell: which apt-key
+ ignore_errors: True
+ register: has_aptkey
-- import_tasks: 'apt_key_inline_data.yml'
- when: ansible_distribution in ('Ubuntu', 'Debian')
-
-- import_tasks: 'file.yml'
- when: ansible_distribution in ('Ubuntu', 'Debian')
-
-- import_tasks: 'apt_key_binary.yml'
- when: ansible_distribution in ('Ubuntu', 'Debian')
+ - name: actually test if i have apt-key
+ when: has_aptkey is success
+ block:
+ - import_tasks: 'apt_key.yml'
+ - import_tasks: 'apt_key_inline_data.yml'
+ - import_tasks: 'file.yml'
+ - import_tasks: 'apt_key_binary.yml'
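Review bot: The adjacent literals that build the new `msg` in `lib/ansible/modules/apt_repository.py` are joined without a space after the first sentence, so the error reads `...neither could be found.The apt-key CLI has been deprecated...`. Add the trailing space to the first literal: `msg = 'Either apt-key or gpg binary is required, but neither could be found. ' \`. Wrapping the three literals in parentheses instead of backslash continuations would also make a missing separator easier to spot. The enclosing method of `UbuntuSourcesList` starts above the hunk.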
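Review bot: When the `which apt-key` probe fails, the inner block is skipped and nothing else in `test/integration/targets/apt_key/tasks/main.yml` runs, so the missing-binary path added to `apt_key.py` in this commit is never exercised and a host without `apt-key` passes with zero assertions. A counterpart block under `when: has_aptkey is failed` that calls the module and asserts a failed result carrying the deprecation hint would cover it; the exact message check below is an assumption about the intended wording. The probe task would also benefit from a `name:` so its expected failure is identifiable in test output.

```yaml
    # … unchanged: probe task and the "actually test if i have apt-key" block …
    - name: check apt_key fails cleanly when apt-key is absent
      when: has_aptkey is failed
      block:
        - name: call apt_key without the apt-key binary
          apt_key:
            id: "<KEY_ID_PLACEHOLDER>"
            state: absent
          ignore_errors: true
          register: no_aptkey

        - name: module must report failure and point at the alternative
          assert:
            that:
              - no_aptkey is failed
              - "'deprecated' in no_aptkey.msg"
```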