ansible/library/packaging/apt_key

#!/usr/bin/python
# -*- coding: utf-8 -*-

# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
# (c) 2012, Jayson Vantuyl <jayson@aggressive.ly>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.

DOCUMENTATION = '''
---
module: apt_key
author: Jayson Vantuyl & others
version_added: "1.0"
short_description: Add or remove an apt key
description:
    - Add or remove an I(apt) key, optionally downloading it
notes:
    - doesn't download the key unless it really needs it
    - as a sanity check, downloaded key id must match the one specified
    - best practice is to specify the key id and the url
options:
    id:
        required: false
        default: none
        description:
            - identifier of key
    data:
        required: false
        default: none
        description:
            - keyfile contents
    file:
        required: false
        default: none
        description:
            - keyfile path
    keyring:
        required: false
        default: none
        description:
            - path to specific keyring file in /etc/apt/trusted.gpg.d
        version_added: "1.3"
    url:
        required: false
        default: none
        description:
            - url to retrieve key from.
    state:
        required: false
        choices: [ absent, present ]
        default: present
        description:
            - used to specify if key is being added or revoked
    validate_certs:
        description:
            - If C(no), SSL certificates for the target url will not be validated. This should only be used
              on personally controlled sites using self-signed certificates.
        required: false
        default: 'yes'
        choices: ['yes', 'no']

'''

EXAMPLES = '''
# Add an Apt signing key, uses whichever key is at the URL
- apt_key: url=https://ftp-master.debian.org/keys/archive-key-6.0.asc state=present

# Add an Apt signing key, will not download if present
- apt_key: id=473041FA url=https://ftp-master.debian.org/keys/archive-key-6.0.asc state=present

# Remove an Apt signing key, uses whichever key is at the URL
- apt_key: url=https://ftp-master.debian.org/keys/archive-key-6.0.asc state=absent

# Remove a Apt specific signing key, leading 0x is valid
- apt_key: id=0x473041FA state=absent

# Add a key from a file on the Ansible server
- apt_key: data="{{ lookup('file', 'apt.gpg') }}" state=present

# Add an Apt signing key to a specific keyring file
- apt_key: id=473041FA url=https://ftp-master.debian.org/keys/archive-key-6.0.asc keyring=/etc/apt/trusted.gpg.d/debian.gpg state=present
'''


# FIXME: standardize into module_common
from traceback import format_exc
from re import compile as re_compile
# FIXME: standardize into module_common
from distutils.spawn import find_executable
from os import environ
from sys import exc_info
import traceback

match_key = re_compile("^gpg:.*key ([0-9a-fA-F]+):.*$")

REQUIRED_EXECUTABLES=['gpg', 'grep', 'apt-key']


def check_missing_binaries(module):
    missing = [e for e in REQUIRED_EXECUTABLES if not find_executable(e)]
    if len(missing):
        module.fail_json(msg="binaries are missing", names=missing)

def all_keys(module, keyring):
    if keyring:
        cmd = "apt-key --keyring %s list" % keyring
    else:
        cmd = "apt-key list"
    (rc, out, err) = module.run_command(cmd)
    results = []
    lines = out.split('\n')
    for line in lines:
        if line.startswith("pub"):
            tokens = line.split()
            code = tokens[1]
            (len_type, real_code) = code.split("/")
            results.append(real_code)
    return results

def key_present(module, key_id):
    (rc, out, err) = module.run_command("apt-key list | 2>&1 grep -i -q %s" % pipes.quote(key_id), use_unsafe_shell=True)
    return rc == 0

def download_key(module, url):
    # FIXME: move get_url code to common, allow for in-memory D/L, support proxies
    # and reuse here
    if url is None:
        module.fail_json(msg="needed a URL but was not specified")
    try:
        rsp, info = fetch_url(module, url)
        return rsp.read()
    except Exception:
        module.fail_json(msg="error getting key id from url", traceback=format_exc())


def add_key(module, keyfile, keyring, data=None):
    if data is not None:
        if keyring:
            cmd = "apt-key --keyring %s add -" % keyring
        else:
            cmd = "apt-key add -"
        (rc, out, err) = module.run_command(cmd, data=data, check_rc=True, binary_data=True)
    else:
        if keyring:
            cmd = "apt-key --keyring %s add %s" % (keyring, keyfile)
        else:
            cmd = "apt-key add %s" % (keyfile)
        (rc, out, err) = module.run_command(cmd, check_rc=True)
    return True

def remove_key(module, key_id, keyring):
    # FIXME: use module.run_command, fail at point of error and don't discard useful stdin/stdout
    if keyring:
        cmd = 'apt-key --keyring %s del %s' % (keyring, key_id)
    else:
        cmd = 'apt-key del %s' % key_id
    (rc, out, err) = module.run_command(cmd, check_rc=True)
    return True

def main():
    module = AnsibleModule(
        argument_spec=dict(
            id=dict(required=False, default=None),
            url=dict(required=False),
            data=dict(required=False),
            file=dict(required=False),
            key=dict(required=False),
            keyring=dict(required=False),
            state=dict(required=False, choices=['present', 'absent'], default='present'),
            validate_certs=dict(default='yes', type='bool'),
        ),
        supports_check_mode=True
    )

    key_id          = module.params['id']
    url             = module.params['url']
    data            = module.params['data']
    filename        = module.params['file']
    keyring         = module.params['keyring']
    state           = module.params['state']
    changed         = False

    if key_id:
        try:
            _ = int(key_id, 16)
            if key_id.startswith('0x'):
                key_id = key_id[2:]
        except ValueError:
            module.fail_json(msg="Invalid key_id", id=key_id)

    # FIXME: I think we have a common facility for this, if not, want
    check_missing_binaries(module)

    keys = all_keys(module, keyring)
    return_values = {}

    if state == 'present':
        if key_id and key_id in keys:
            module.exit_json(changed=False)
        else:
            if not filename and not data:
                data = download_key(module, url)
            if key_id and key_id in keys:
                module.exit_json(changed=False)
            else:
                if module.check_mode:
                    module.exit_json(changed=True)
                if filename:
                    add_key(module, filename, keyring)
                else:
                    add_key(module, "-", keyring, data)
                changed=False
                keys2 = all_keys(module, keyring)
                if len(keys) != len(keys2):
                    changed=True
                if key_id and not key_id in keys2:
                    module.fail_json(msg="key does not seem to have been added", id=key_id)
                module.exit_json(changed=changed)
    elif state == 'absent':
        if not key_id:
            module.fail_json(msg="key is required")
        if key_id in keys:
            if module.check_mode:
                module.exit_json(changed=True)
            if remove_key(module, key_id, keyring):
                changed=True
            else:
                # FIXME: module.fail_json  or exit-json immediately at point of failure
                module.fail_json(msg="error removing key_id", **return_values)

    module.exit_json(changed=changed, **return_values)

# import module snippets
from ansible.module_utils.basic import *
from ansible.module_utils.urls import *
main()