o nnhF@sddlmZdZdZdZddlZddlmZddlm Z ddl m Z dd l m Z dd lmZdadadZd d Zd dZddZddZd)ddZddZddZddZd*ddZddZd d!Zd*d"d#Zd$d%Zd&d'Z e!d(krxe dSdS)+) annotationsa --- module: apt_key author: - Jayson Vantuyl (@jvantuyl) version_added: "1.0" short_description: Add or remove an apt key description: - Add or remove an I(apt) key, optionally downloading it. extends_documentation_fragment: action_common_attributes attributes: check_mode: support: full diff_mode: support: none platform: platforms: debian notes: - The apt-key command used by this module has been deprecated. See the L(Debian wiki,https://wiki.debian.org/DebianRepository/UseThirdParty) for details. This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys. - As a sanity check, downloaded key id must match the one specified. - "Use full fingerprint (40 characters) key ids to avoid key collisions. To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)." - If you specify both the key id and the URL with O(state=present), the task can verify or add the key as needed. - Adding a new key requires an apt cache update (e.g. using the M(ansible.builtin.apt) module's update_cache option). requirements: - gpg seealso: - module: ansible.builtin.deb822_repository options: id: description: - The identifier of the key. - Including this allows check mode to correctly report the changed state. - If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id. Specify the primary key's id instead. - This parameter is required when O(state) is set to V(absent). type: str data: description: - The keyfile contents to add to the keyring. type: str file: description: - The path to a keyfile on the remote server to add to the keyring. type: path keyring: description: - The full path to specific keyring file in C(/etc/apt/trusted.gpg.d/). type: path version_added: "1.3" url: description: - The URL to retrieve key from. type: str keyserver: description: - The keyserver to retrieve key from. type: str version_added: "1.6" state: description: - Ensures that the key is present (added) or absent (revoked). type: str choices: [ absent, present ] default: present validate_certs: description: - If V(false), SSL certificates for the target url will not be validated. This should only be used on personally controlled sites using self-signed certificates. type: bool default: 'yes' a* - name: One way to avoid apt_key once it is removed from your distro, armored keys should use .asc extension, binary should use .gpg block: - name: somerepo | no apt key ansible.builtin.get_url: url: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x36a1d7869245c8950f966e92d8576a8ba88d21e9 dest: /etc/apt/keyrings/myrepo.asc checksum: sha256:bb42f0db45d46bab5f9ec619e1a47360b94c27142e57aa71f7050d08672309e0 - name: somerepo | apt source ansible.builtin.apt_repository: repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable" state: present - name: Add an apt key by id from a keyserver ansible.builtin.apt_key: keyserver: keyserver.ubuntu.com id: 36A1D7869245C8950F966E92D8576A8BA88D21E9 - name: Add an Apt signing key, uses whichever key is at the URL ansible.builtin.apt_key: url: https://ftp-master.debian.org/keys/archive-key-6.0.asc state: present - name: Add an Apt signing key, will not download if present ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA url: https://ftp-master.debian.org/keys/archive-key-6.0.asc state: present - name: Remove a Apt specific signing key, leading 0x is valid ansible.builtin.apt_key: id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA state: absent # Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type. - name: Add a key from a file on the Ansible server ansible.builtin.apt_key: data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}" state: present - name: Add an Apt signing key to a specific keyring file ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA url: https://ftp-master.debian.org/keys/archive-key-6.0.asc keyring: /etc/apt/trusted.gpg.d/debian.gpg - name: Add Apt signing key on remote server to keyring ansible.builtin.apt_key: id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA file: /tmp/apt.gpg state: present a after: description: List of apt key ids or fingerprints after any modification returned: on change type: list sample: ["D8576A8BA88D21E9", "3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] before: description: List of apt key ids or fingprints before any modifications returned: always type: list sample: ["3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"] fp: description: Fingerprint of the key to import returned: always type: str sample: "D8576A8BA88D21E9" id: description: key id from source returned: always type: str sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" key_id: description: calculated key id, it should be same as 'id', but can be different returned: always type: str sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9" short_id: description: calculated short key id returned: always type: str sample: "A88D21E9" N) format_exc) to_native) AnsibleModule)get_best_parsable_locale) fetch_urlcCs(ttdst|}t|||dt_tjS)Nresult)LANGLC_ALL LC_MESSAGES)hasattrlang_envrdictr)modulelocalerB/usr/local/lib/python3.10/dist-packages/ansible/modules/apt_key.pyr s r cCs |jddda|jdddadS)Nzapt-keyT)requiredgpg) get_bin_path apt_key_bingpg_bin)rrrrfind_needed_binariessrcCs2dD] }tj|}|rnq|r|d|7}|S)N) HTTPS_PROXY https_proxy HTTP_PROXY http_proxyz" --keyserver-options http-proxy=%s)osenvironget)cmdenvvarproxyrrradd_http_proxys  r#cCstt|d|}|dr|dd}t|}|dkr*|dkr*|dkr*td|dd}|}|dkr<|dd}|||fS) avalidate the key_id and break it into segments :arg key_id: The key_id as supplied by the user. A valid key_id will be 8, 16, or more hexadecimal chars with an optional leading ``0x``. :returns: The portion of key_id suitable for apt-key del, the portion suitable for comparisons with --list-public-keys, and the portion that can be used with --recv-key. If key_id is long enough, these will be the last 8 characters of key_id, the last 16 characters, and all of key_id. If key_id is not long enough, some of the values will be the same. * apt-key del <= 1.10 has a bug with key_id != 8 chars * apt-key adv --list-public-keys prints 16 chars * apt-key adv --recv-key can take more chars 0XNz=key_id must be 8, 16, or 16+ hexadecimal characters in lengthi)intrupper startswithlen ValueError)key_id key_id_len short_key_id fingerprintrrr parse_key_ids     r2Fc Csg}t|d}|D]J}|ds|drUd|vrUz|}|d}|d\}}Wn#ttfyOz |d}|d}Wn ttfyLYYq wYnw||q |r^|r^t|}|S) N pubsubexpired/:)rsplitr+ IndexErrorr-appendshorten_key_ids) output short_formatfoundlineslinetokenscodelen_type real_coderrrparse_output_for_keyss,   rHcCsT|dur dt|f}ndt}||\}}}|dkr%|jd||||dt||S)Nz:%s --keyring %s adv --list-public-keys --keyid-format=longz-%s adv --list-public-keys --keyid-format=longrzUnable to list public keysmsgr rcstdoutstderr)r run_command fail_jsonrH)rkeyringr@r rKouterrrrrall_keyss rScCs$g}|D] }||ddq|S)z| Takes a list of key ids, and converts them to the 'short' format, by reducing them to their last 8 characters. r(N)r=) key_id_listshortkeyrrrr>$sr>cCsjz t||dd\}}|ddkr|jd||dfd|WSty4|jd|td YdSw) NT) use_proxystatusz Failed to download key at %s: %srJrJz!error getting key id from url: %s)rJ traceback)rrOread Exceptionr)rurlrspinforrr download_key/s   rac Cst|}|ddk}d}td|g}|j|t||r|n|| d\}}} |dkr9|jd|dur2dn||| dt|} | rC| d}|S)Nz$-----BEGIN PGP PUBLIC KEY BLOCK-----rz --with-colons)environ_updatedata binary_datazUnable to extract key from '%s'z inline data)rJrLrM)rfindrrNr rOrH) rfilenamerc native_data is_armoredrVr rKrQrRkeysrrrget_key_id_from_file<s & rjcCs t|d|S)N-)rj)rrcrrrget_key_id_from_dataQs rlc Cs|r dt||f}ndt|f}t|}d||f}tdD]}|j|t|d\}}}|dkr3d Sq|dkrNd|vrNd ||f} |j|| t|d d Sd ||f} |j|| t||||d d S)Nz+%s --keyring %s adv --no-tty --keyserver %sz%s adv --no-tty --keyserver %sz %s --recv %s)rbrr&znot found on keyserverz Key %s not found on keyserver %s)r rJforced_environmentz(Error fetching key %s from keyserver: %s)r rJrnrKrLrMT)rr#rangerNr rO) rrP keyserverr.r retryrKrQrRrJrrr import_keyUs$      rrcCs|dur,|r dt|f}ndt}|j||dd\}}}|dkr*|jd||||ddS|r6dt||f}nd t|f}||\}}}|dkrU|jd ||||||d dS) Nz%s --keyring %s add -z%s add -T)rcrdrz$Unable to add a key from binary datarIz%s --keyring %s add %sz %s add %sz Unable to add a key from file %s)rJr rKkeyfilerLrMrrNrO)rrsrPrcr rKrQrRrrradd_keyqs8 rucCsV|r dt||f}ndt|f}||\}}}|dkr)|jd||||||ddS)Nz%s --keyring %s del %sz %s del %srz!Unable to remove a key with id %s)rJr rKr.rLrMTrt)rr.rPr rKrQrRrrr remove_keys rvcCsFtttddtddtddtddtddtdddtddtddddgd d dd d }|jd }|jd}|jd}|jd}|jd}|jd}|jd}d}d} d} d} t|ddi} |s|rk|jdd|rrt||}|rzt||}n|rt||}|| d <zt|\} } }| | d<| | d<|| d<Wnt y|jd(ddi| Ynw| s|jd(ddi| t |dkrd}t |||| d <} g}|dkrH|r| | vs|sG| | vrGd| d<|j sG|rt |||n/|rt||||n%|rt |d!||n|rt||}t |d!||n |jd(dd"i| t |||| d#<}|r3| |vs;|sG| |vrG|jd(d| d$i| nQ|dkr|sZ|jd(dd%i| | | vrd| d<|j s| durt|| |rt |||| d#<}| |vr|jd(d| d&i| n |jd(dd'i| |jd(i| dS))Nstr)typepathboolT)rxdefaultpresentabsent)rxr{choices)idr^rcfilerPvalidate_certsrpstate))rcrrpr^) argument_specsupports_check_modemutually_exclusiverr^rcrrPrrpFzYapt-key did not return an error, but %s (check that the id is correct and *not* a subkey)changedz(Missing key_id, required with keyserver.rZshort_idfpr.rJzInvalid key_idz`Unable to continue as we could not extract a valid fingerprint to compare against existing keys.r'beforerkz(No key to add ... how did i get here?!?!afterzfailed to add the keyzkey is required to remove a keyzthe key was not removedzerror removing key_idr)rrparamsrrOrarjrlr2r-r,rS check_moderurrrv exit_json)rr.r^rcrfrPrrpr@r0r1error_no_errorrrikeys2rrrmains                      r__main__)F)N)" __future__r DOCUMENTATIONEXAMPLESRETURNrr[r+ansible.module_utils.common.text.convertersransible.module_utils.basicr"ansible.module_utils.common.localeransible.module_utils.urlsrrrrr rr#r2rHrSr>rarjrlrrrurvr__name__rrrrs< I6!       %   !o