관리-도구

편집 파일: apt_key.cpython-39.pyc

�����)g�E����������������������@���s����d�dl�mZmZmZ�eZdZdZdZd�dl	Z	d�dl
mZ�d�dlm
Z
�d�dlmZ�d�d	lmZ�d�d
lmZ�dadadZdd��Zd
d��Zdd��Zdd��Zd)dd�Zdd��Zdd��Zdd��Zd*dd�Zdd��Z d d!��Z!d+d"d#�Z"d$d%��Z#d&d'��Z$e%d(kr�e$���dS�),�����)�absolute_import�division�print_functiona�
��
---
module: apt_key
author:
- Jayson Vantuyl (@jvantuyl)
version_added: "1.0"
short_description: Add or remove an apt key
description:
    - Add or remove an I(apt) key, optionally downloading it.
extends_documentation_fragment: action_common_attributes
attributes:
    check_mode:
        support: full
    diff_mode:
        support: none
    platform:
        platforms: debian
notes:
    - The apt-key command has been deprecated and suggests to 'manage keyring files in trusted.gpg.d instead'. See the Debian wiki for details.
      This module is kept for backwards compatibility for systems that still use apt-key as the main way to manage apt repository keys.
    - As a sanity check, downloaded key id must match the one specified.
    - "Use full fingerprint (40 characters) key ids to avoid key collisions.
      To generate a full-fingerprint imported key: C(apt-key adv --list-public-keys --with-fingerprint --with-colons)."
    - If you specify both the key id and the URL with C(state=present), the task can verify or add the key as needed.
    - Adding a new key requires an apt cache update (e.g. using the M(ansible.builtin.apt) module's update_cache option).
requirements:
    - gpg
options:
    id:
        description:
            - The identifier of the key.
            - Including this allows check mode to correctly report the changed state.
            - If specifying a subkey's id be aware that apt-key does not understand how to remove keys via a subkey id.  Specify the primary key's id instead.
            - This parameter is required when C(state) is set to C(absent).
        type: str
    data:
        description:
            - The keyfile contents to add to the keyring.
        type: str
    file:
        description:
            - The path to a keyfile on the remote server to add to the keyring.
        type: path
    keyring:
        description:
            - The full path to specific keyring file in C(/etc/apt/trusted.gpg.d/).
        type: path
        version_added: "1.3"
    url:
        description:
            - The URL to retrieve key from.
        type: str
    keyserver:
        description:
            - The keyserver to retrieve key from.
        type: str
        version_added: "1.6"
    state:
        description:
            - Ensures that the key is present (added) or absent (revoked).
        type: str
        choices: [ absent, present ]
        default: present
    validate_certs:
        description:
            - If C(false), SSL certificates for the target url will not be validated. This should only be used
              on personally controlled sites using self-signed certificates.
        type: bool
        default: 'yes'
ah��
- name: One way to avoid apt_key once it is removed from your distro
  block:
    - name: somerepo |no apt key
      ansible.builtin.get_url:
        url: https://download.example.com/linux/ubuntu/gpg
        dest: /etc/apt/trusted.gpg.d/somerepo.asc

- name: somerepo | apt source
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/myrepo.asc] https://download.example.com/linux/ubuntu {{ ansible_distribution_release }} stable"
        state: present

- name: Add an apt key by id from a keyserver
  ansible.builtin.apt_key:
    keyserver: keyserver.ubuntu.com
    id: 36A1D7869245C8950F966E92D8576A8BA88D21E9

- name: Add an Apt signing key, uses whichever key is at the URL
  ansible.builtin.apt_key:
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Add an Apt signing key, will not download if present
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    state: present

- name: Remove a Apt specific signing key, leading 0x is valid
  ansible.builtin.apt_key:
    id: 0x9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    state: absent

# Use armored file since utf-8 string is expected. Must be of "PGP PUBLIC KEY BLOCK" type.
- name: Add a key from a file on the Ansible server
  ansible.builtin.apt_key:
    data: "{{ lookup('ansible.builtin.file', 'apt.asc') }}"
    state: present

- name: Add an Apt signing key to a specific keyring file
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    url: https://ftp-master.debian.org/keys/archive-key-6.0.asc
    keyring: /etc/apt/trusted.gpg.d/debian.gpg

- name: Add Apt signing key on remote server to keyring
  ansible.builtin.apt_key:
    id: 9FED2BCBDCD29CDF762678CBAED4B06F473041FA
    file: /tmp/apt.gpg
    state: present
a���
after:
    description: List of apt key ids or fingerprints after any modification
    returned: on change
    type: list
    sample: ["D8576A8BA88D21E9", "3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"]
before:
    description: List of apt key ids or fingprints before any modifications
    returned: always
    type: list
    sample: ["3B4FE6ACC0B21F32", "D94AA3F0EFE21092", "871920D1991BC93C"]
fp:
    description: Fingerprint of the key to import
    returned: always
    type: str
    sample: "D8576A8BA88D21E9"
id:
    description: key id from source
    returned: always
    type: str
    sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9"
key_id:
    description: calculated key id, it should be same as 'id', but can be different
    returned: always
    type: str
    sample: "36A1D7869245C8950F966E92D8576A8BA88D21E9"
short_id:
    description: calculated short key id
    returned: always
    type: str
    sample: "A88D21E9"
N)�
format_exc)�	to_native)�
AnsibleModule)�get_best_parsable_locale)�	fetch_urlc�����������������C���s(���t�td�s"t|��}t|||d�t_tjS�)N�result)�LANG�LC_ALL�LC_MESSAGES)�hasattr�lang_envr����dictr
���)�module�locale��r����;/usr/lib/python3.9/site-packages/ansible/modules/apt_key.pyr�������s����
r���c�����������������C���s ���|�j�ddd�a|�j�ddd�ad�S�)Nzapt-keyT)�requiredZgpg)Zget_bin_path�apt_key_bin�gpg_bin)r���r���r���r����find_needed_binaries����s����r���c�����������������C���s2���dD�]}t�j�|�}|r�qq|r.|�d|�7�}�|�S�)N)ZHTTPS_PROXYZhttps_proxyZ
HTTP_PROXYZ
http_proxyz" --keyserver-options http-proxy=%s)�os�environ�get)�cmdZenvvar�proxyr���r���r����add_http_proxy����s����r���c�����������������C���s����t�t|��d��|����}�|��d�r,|�dd��}�t|��}|dkrT|dkrT|dkrTtd��|�dd��}|�}|dkrx|�dd��}|||�fS�)	a���validate the key_id and break it into segments

:arg key_id: The key_id as supplied by the user.  A valid key_id will be
        8, 16, or more hexadecimal chars with an optional leading ``0x``.
    :returns: The portion of key_id suitable for apt-key del, the portion
        suitable for comparisons with --list-public-keys, and the portion that
        can be used with --recv-key.  If key_id is long enough, these will be
        the last 8 characters of key_id, the last 16 characters, and all of
        key_id.  If key_id is not long enough, some of the values will be the
        same.

* apt-key del <= 1.10 has a bug with key_id != 8 chars
    * apt-key adv --list-public-keys prints 16 chars
    * apt-key adv --recv-key can take more chars

����Z0X����N����z=key_id must be 8, 16, or 16+ hexadecimal characters in length���i�)�intr����upper�
startswith�len�
ValueError)�key_idZ
key_id_len�short_key_id�fingerprintr���r���r����parse_key_id����s����
r+���Fc�����������	���
���C���s����g�}t�|���d�}|D�]�}|�d�s.|�d�rd|vrz"|���}|d�}|�d�\}}W�nJ�ttfy����z|�d�}|d�}W�n�ttfy����Y�Y�qY�n0�Y�n0�|�|��q|r�|r�t|�}|S�)	N�
Zpub�subZexpired�����/�:����)r����splitr%����
IndexErrorr'����append�shorten_key_ids)	�output�short_format�found�lines�line�tokens�codeZlen_typeZ	real_coder���r���r����parse_output_for_keys����s$����
r=���c�����������������C���sT���|d�urdt�|f�}ndt��}|��|�\}}}|dkrJ|�jd||||d��t||�S�)Nz:%s --keyring %s adv --list-public-keys --keyid-format=longz-%s adv --list-public-keys --keyid-format=longr���zUnable to list public keys��msgr����rc�stdout�stderr)r����run_command�	fail_jsonr=���)r����keyringr7���r���r@����out�errr���r���r����all_keys��s����rH���c�����������������C���s$���g�}|�D�]}|��|dd����q|S�)z|
    Takes a list of key ids, and converts them to the 'short' format,
    by reducing them to their last 8 characters.
    r"���N)r4���)Zkey_id_listZshort�keyr���r���r���r5���"��s����r5���c�����������������C���sl���z@t�|�|dd�\}}|d�dkr8|�jd||d�f�d��|���W�S��tyf���|�jd|�t��d	��Y�n0�d�S�)
NT)Z	use_proxy�status�����z Failed to download key at %s: %sr?����r?���z!error getting key id from url: %s)r?����	traceback)r	���rD����read�	Exceptionr���)r����urlZrsp�infor���r���r����download_key-��s����
rR���c�����������������C���s����t�|�}|�d�dk}d�}td|g}|�j|t|��|r8|n||�d�\}}}	|dkrr|�jd|d�urddn|�||	d��t|�}
|
r�|
d�}|S�)Nz$-----BEGIN PGP PUBLIC KEY BLOCK-----r���z
--with-colons)�environ_update�data�binary_datazUnable to extract key from '%s'zinline data)r?���rA���rB���)r����findr���rC���r���rD���r=���)r����filenamerT���Znative_dataZ
is_armoredrI���r���r@���rF���rG����keysr���r���r����get_key_id_from_file:��s����
& rY���c�����������������C���s���t�|�d|�S�)N�-)rY���)r���rT���r���r���r����get_key_id_from_dataO��s����r[���c�����������
������C���s����|rdt�||f�}ndt�|f�}t|�}d||f�}td�D�](}|�j|t|��d�\}}}|dkr<�q�q<|dkr�d|v�r�d	||f�}	|�j||	t|��d
��n&d||f�}	|�j||	t|��|||d��d
S�)Nz+%s --keyring %s adv --no-tty --keyserver %sz%s adv --no-tty --keyserver %sz%s --recv %s����)rS���r���r ���znot found on keyserverz Key %s not found on keyserver %s)r���r?����forced_environmentz(Error fetching key %s from keyserver: %s)r���r?���r]���r@���rA���rB���T)r���r����rangerC���r���rD���)
r���rE����	keyserverr(���r���Zretryr@���rF���rG���r?���r���r���r����
import_keyS��s����r`���c�����������������C���s����|d�urV|rdt�|f�}ndt��}|�j||dd�\}}}|dkr�|�jd||||d��nR|rjdt�||f�}nd	t�|f�}|��|�\}}}|dkr�|�jd
|�|||||d��dS�)Nz%s --keyring %s add -z%s add -T)rT���rU���r���z$Unable to add a key from binary datar>���z%s --keyring %s add %sz	%s add %sz Unable to add a key from file %s)r?���r���r@����keyfilerA���rB����r���rC���rD���)r���ra���rE���rT���r���r@���rF���rG���r���r���r����add_keyo��s6������rc���c�����������������C���sV���|rdt�||f�}ndt�|f�}|��|�\}}}|dkrR|�jd|�|||||d��dS�)Nz%s --keyring %s del %sz	%s del %sr���z!Unable to remove a key with id %s)r?���r���r@���r(���rA���rB���Trb���)r���r(���rE���r���r@���rF���rG���r���r���r����
remove_key���s�����rd���c������������������C���sX��t�ttdd�tdd�tdd�tdd�tdd�tddd�tdd�tddddgd	�d
�ddd�}�|�jd
�}|�jd�}|�jd�}|�jd�}|�jd�}|�jd�}|�jd�}d}d�}	d�}
d}t|���ddi}|�s|r�|�jdd��|r�t|�|�}|r�t|�|�}n|�rt|�|�}||d
<�z*t|�\}	}
}|	|d<�|
|d<�||d<�W�n(�t	�y`���|�jf�ddi|���Y�n0�|
�s||�jf�ddi|���t
|�dk�r�d}t|�||��|d <�}
g�}|dk�r�|�r�|	|
v�s�|�sD|
|
v�rDd|d<�|�j�sD|�r�t
|�||��n`|�r
t|�|||��nJ|�r t
|�d!||��n4|�r@t|�|�}t
|�d!||��n|�jf�dd"i|���t|�||��|d#<�}|�rx|	|v�s�|�sD|
|v�rD|�jf�d|d$�i|���n�|dk�rD|�s�|�jf�dd%i|���|
|
v��rDd|d<�|�j�sD|	d�u�r0t|�|	|��r0t|�||��|d#<�}|
|v��rD|�jf�d|d&�i|���n|�jf�dd'i|���|�jf�i�|���d�S�)(N�str)�type�path�boolT)rf����defaultZpresentZabsent)rf���ri����choices)�idrP���rT����filerE���Zvalidate_certsr_����state))rT���rl���r_���rP���)Z
argument_specZsupports_check_modeZmutually_exclusiverk���rP���rT���rl���rE���rm���r_���FzYapt-key did not return an error, but %s (check that the id is correct and *not* a subkey)Zchangedz(Missing key_id, required with keyserver.rL���Zshort_id�fpr(���r?���zInvalid key_idz`Unable to continue as we could not extract a valid fingerprint to compare against existing keys.r!����beforerZ���z(No key to add ... how did i get here?!?!Zafterzfailed to add the keyzkey is required to remove a keyzthe key was not removedzerror removing key_id)r���r����paramsr���rD���rR���rY���r[���r+���r'���r&���rH���Z
check_moderc���r`���rd���Z	exit_json)r���r(���rP���rT���rW���rE���rm���r_���r7���r)���r*���Zerror_no_error�rrX���Zkeys2r���r���r����main���s�����
�
�

rr����__main__)F)N)N)&Z
__future__r���r���r���rf���Z
__metaclass__Z
DOCUMENTATIONZEXAMPLESZRETURNr���rM���r���Zansible.module_utils._textr���Zansible.module_utils.basicr���Z"ansible.module_utils.common.localer���Zansible.module_utils.urlsr	���r���r���r���r���r���r���r+���r=���rH���r5���rR���rY���r[���r`���rc���rd���rr����__name__r���r���r���r����<module>���s:���G5!	
%