mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
This standardizes the apt_key module some
* improves error handling and reporting * uses run_command to reduce code * fails quicker on errors as opposed to return codes and tracebacks * can now also specify the key as data versus needing to wget it from a file
This commit is contained in:
parent
0bfec51a04
commit
4d8f3b0924
2 changed files with 82 additions and 103 deletions
|
@ -677,7 +677,7 @@ class AnsibleModule(object):
|
||||||
self.set_context_if_different(src, context, False)
|
self.set_context_if_different(src, context, False)
|
||||||
os.rename(src, dest)
|
os.rename(src, dest)
|
||||||
|
|
||||||
def run_command(self, args, check_rc=False, close_fds=False, executable=None):
|
def run_command(self, args, check_rc=False, close_fds=False, executable=None, data=None):
|
||||||
'''
|
'''
|
||||||
Execute a command, returns rc, stdout, and stderr.
|
Execute a command, returns rc, stdout, and stderr.
|
||||||
args is the command to run
|
args is the command to run
|
||||||
|
@ -700,12 +700,20 @@ class AnsibleModule(object):
|
||||||
self.fail_json(rc=257, cmd=args, msg=msg)
|
self.fail_json(rc=257, cmd=args, msg=msg)
|
||||||
rc = 0
|
rc = 0
|
||||||
msg = None
|
msg = None
|
||||||
|
st_in = None
|
||||||
|
if data:
|
||||||
|
st_in = subprocess.PIPE
|
||||||
try:
|
try:
|
||||||
cmd = subprocess.Popen(args,
|
cmd = subprocess.Popen(args,
|
||||||
executable=executable,
|
executable=executable,
|
||||||
shell=shell,
|
shell=shell,
|
||||||
close_fds=close_fds,
|
close_fds=close_fds,
|
||||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
stdin=st_in,
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
stderr=subprocess.PIPE)
|
||||||
|
if data:
|
||||||
|
cmd.stdin.write(data)
|
||||||
|
cmd.stdin.write('\\n')
|
||||||
out, err = cmd.communicate()
|
out, err = cmd.communicate()
|
||||||
rc = cmd.returncode
|
rc = cmd.returncode
|
||||||
except (OSError, IOError), e:
|
except (OSError, IOError), e:
|
||||||
|
|
173
library/apt_key
173
library/apt_key
|
@ -22,7 +22,7 @@
|
||||||
DOCUMENTATION = '''
|
DOCUMENTATION = '''
|
||||||
---
|
---
|
||||||
module: apt_key
|
module: apt_key
|
||||||
author: Jayson Vantuyl
|
author: Jayson Vantuyl & others
|
||||||
version_added: 1.0
|
version_added: 1.0
|
||||||
short_description: Add or remove an apt key
|
short_description: Add or remove an apt key
|
||||||
description:
|
description:
|
||||||
|
@ -59,145 +59,116 @@ examples:
|
||||||
description: Remove a Apt specific signing key
|
description: Remove a Apt specific signing key
|
||||||
'''
|
'''
|
||||||
|
|
||||||
|
# FIXME: standardize into module_common
|
||||||
from urllib2 import urlopen, URLError
|
from urllib2 import urlopen, URLError
|
||||||
from traceback import format_exc
|
from traceback import format_exc
|
||||||
from subprocess import Popen, PIPE, call
|
|
||||||
from re import compile as re_compile
|
from re import compile as re_compile
|
||||||
|
# FIXME: standardize into module_common
|
||||||
from distutils.spawn import find_executable
|
from distutils.spawn import find_executable
|
||||||
from os import environ
|
from os import environ
|
||||||
from sys import exc_info
|
from sys import exc_info
|
||||||
|
import traceback
|
||||||
|
|
||||||
match_key = re_compile("^gpg:.*key ([0-9a-fA-F]+):.*$")
|
match_key = re_compile("^gpg:.*key ([0-9a-fA-F]+):.*$")
|
||||||
|
|
||||||
REQUIRED_EXECUTABLES=['gpg', 'grep', 'apt-key']
|
REQUIRED_EXECUTABLES=['gpg', 'grep', 'apt-key']
|
||||||
|
|
||||||
|
|
||||||
def find_missing_binaries():
|
def check_missing_binaries(module):
|
||||||
return [missing for missing in REQUIRED_EXECUTABLES if not find_executable(missing)]
|
missing = [e for e in REQUIRED_EXECUTABLES if not find_executable(e)]
|
||||||
|
if len(missing):
|
||||||
|
module.fail_json(msg="binaries are missing", names=all)
|
||||||
|
|
||||||
|
def all_keys(module):
|
||||||
|
(rc, out, err) = module.run_command("apt-key list")
|
||||||
|
results = []
|
||||||
|
lines = out.split('\n')
|
||||||
|
for line in lines:
|
||||||
|
if line.startswith("pub"):
|
||||||
|
tokens = line.split()
|
||||||
|
code = tokens[1]
|
||||||
|
(len_type, real_code) = code.split("/")
|
||||||
|
results.append(real_code)
|
||||||
|
return results
|
||||||
|
|
||||||
def get_key_ids(key_data):
|
def key_present(module, key_id):
|
||||||
p = Popen("gpg --list-only --import -", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
|
(rc, out, err) = module.run_command("apt-key list | 2>&1 grep -q %s" % key_id)
|
||||||
(stdo, stde) = p.communicate(key_data)
|
return rc == 0
|
||||||
|
|
||||||
if p.returncode > 0:
|
def download_key(module, url):
|
||||||
raise Exception("error running GPG to retrieve keys")
|
# FIXME: move get_url code to common, allow for in-memory D/L, support proxies
|
||||||
|
# and reuse here
|
||||||
output = stdo + stde
|
|
||||||
|
|
||||||
for line in output.split('\n'):
|
|
||||||
match = match_key.match(line)
|
|
||||||
if match:
|
|
||||||
yield match.group(1)
|
|
||||||
|
|
||||||
|
|
||||||
def key_present(key_id):
|
|
||||||
return call("apt-key list | 2>&1 grep -q %s" % key_id, shell=True) == 0
|
|
||||||
|
|
||||||
|
|
||||||
def download_key(url):
|
|
||||||
if url is None:
|
if url is None:
|
||||||
raise Exception("Needed URL but none specified")
|
module.fail_json(msg="needed a URL but was not specified")
|
||||||
connection = urlopen(url)
|
try:
|
||||||
if connection is None:
|
connection = urlopen(url)
|
||||||
raise Exception("error connecting to download key from %r" % url)
|
if connection is None:
|
||||||
return connection.read()
|
module.fail_json("error connecting to download key from url")
|
||||||
|
data = connection.read()
|
||||||
|
return data
|
||||||
|
except:
|
||||||
|
module.fail_json(msg="error getting key id from url", traceback=format_exc())
|
||||||
|
|
||||||
|
|
||||||
def add_key(key):
|
def add_key(module, key):
|
||||||
p = Popen("apt-key add -", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
|
cmd = "apt-key add -"
|
||||||
(_, _) = p.communicate(key)
|
(rc, out, err) = module.run_command(cmd, data=key, check_rc=True)
|
||||||
|
return True
|
||||||
return p.returncode == 0
|
|
||||||
|
|
||||||
|
|
||||||
def remove_key(key_id):
|
def remove_key(key_id):
|
||||||
return call('apt-key del %s' % key_id, shell=True) == 0
|
# FIXME: use module.run_command, fail at point of error and don't discard useful stdin/stdout
|
||||||
|
cmd = 'apt-key del %s'
|
||||||
|
(rc, out, err) = module.run_command(cmd, check_rc=True)
|
||||||
def return_values(tb=False):
|
return True
|
||||||
if tb:
|
|
||||||
return {'exception': format_exc()}
|
|
||||||
else:
|
|
||||||
return {}
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
id=dict(required=False, default=None),
|
id=dict(required=False, default=None),
|
||||||
url=dict(required=False),
|
url=dict(required=False),
|
||||||
|
data=dict(required=False),
|
||||||
|
key=dict(required=False),
|
||||||
state=dict(required=False, choices=['present', 'absent'], default='present')
|
state=dict(required=False, choices=['present', 'absent'], default='present')
|
||||||
)
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
expected_key_id = module.params['id']
|
key_id = module.params['id']
|
||||||
url = module.params['url']
|
url = module.params['url']
|
||||||
state = module.params['state']
|
data = module.params['data']
|
||||||
changed = False
|
state = module.params['state']
|
||||||
|
changed = False
|
||||||
|
|
||||||
|
# FIXME: I think we have a common facility for this, if not, want
|
||||||
|
check_missing_binaries(module)
|
||||||
|
|
||||||
missing = find_missing_binaries()
|
keys = all_keys(module)
|
||||||
|
|
||||||
if missing:
|
|
||||||
module.fail_json(msg="can't find needed binaries to run", missing=missing,
|
|
||||||
**return_values())
|
|
||||||
|
|
||||||
if state == 'present':
|
if state == 'present':
|
||||||
if expected_key_id and key_present(expected_key_id):
|
if key_id and key_id in keys:
|
||||||
# key is present, nothing to do
|
module.exit_json(changed=False)
|
||||||
pass
|
|
||||||
else:
|
else:
|
||||||
# download key
|
if not data:
|
||||||
try:
|
data = download_key(module, url)
|
||||||
key = download_key(url)
|
if key_id and key_id in keys:
|
||||||
(key_id,) = tuple(get_key_ids(key)) # TODO: support multiple key ids?
|
module.exit_json(changed=False)
|
||||||
except Exception:
|
|
||||||
module.fail_json(
|
|
||||||
msg="error getting key id from url",
|
|
||||||
**return_values(True)
|
|
||||||
)
|
|
||||||
|
|
||||||
# sanity check downloaded key
|
|
||||||
if expected_key_id and key_id != expected_key_id:
|
|
||||||
module.fail_json(
|
|
||||||
msg="expected key id %s, got key id %s" % (expected_key_id, key_id),
|
|
||||||
**return_values()
|
|
||||||
)
|
|
||||||
|
|
||||||
# actually add key
|
|
||||||
if key_present(key_id):
|
|
||||||
changed=False
|
|
||||||
elif add_key(key):
|
|
||||||
changed=True
|
|
||||||
else:
|
else:
|
||||||
module.fail_json(
|
add_key(module, data)
|
||||||
msg="failed to add key id %s" % key_id,
|
changed=False
|
||||||
**return_values()
|
keys2 = all_keys(module)
|
||||||
)
|
if len(keys) != len(keys2):
|
||||||
|
changed=True
|
||||||
|
if key_id and not key_id in keys2:
|
||||||
|
module.fail_json(msg="key does not seem to have been added", id=key_id)
|
||||||
|
module.exit_json(changed=changed)
|
||||||
elif state == 'absent':
|
elif state == 'absent':
|
||||||
# optionally download the key and get the id
|
if not key_id:
|
||||||
if not expected_key_id:
|
module.fail_json(msg="key is required")
|
||||||
try:
|
if key_id in keys:
|
||||||
key = download_key(url)
|
|
||||||
(key_id,) = tuple(get_key_ids(key)) # TODO: support multiple key ids?
|
|
||||||
except Exception:
|
|
||||||
module.fail_json(
|
|
||||||
msg="error getting key id from url",
|
|
||||||
**return_values(True)
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
key_id = expected_key_id
|
|
||||||
|
|
||||||
# actually remove key
|
|
||||||
if key_present(key_id):
|
|
||||||
if remove_key(key_id):
|
if remove_key(key_id):
|
||||||
changed=True
|
changed=True
|
||||||
else:
|
else:
|
||||||
|
# FIXME: module.fail_json or exit-json immediately at point of failure
|
||||||
module.fail_json(msg="error removing key_id", **return_values(True))
|
module.fail_json(msg="error removing key_id", **return_values(True))
|
||||||
else:
|
|
||||||
module.fail_json(
|
|
||||||
msg="unexpected state: %s" % state,
|
|
||||||
**return_values()
|
|
||||||
)
|
|
||||||
|
|
||||||
module.exit_json(changed=changed, **return_values())
|
module.exit_json(changed=changed, **return_values())
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue