operations/gpg: enhance key management to support removal of GPG keys and keyrings

Author: maisim

pyinfra/operations/gpg.py

@@ -11,6 +11,7 @@
 from pyinfra.facts.gpg import GpgKey
 
 from . import files
+from pathlib import Path
 
 
 @operation()
@@ -21,17 +22,23 @@ def key(
     keyid: str | list[str] | None = None,
     dearmor: bool = True,
     mode: str = "0644",
+    present: bool = True,
 ):
     """
-    Install GPG keys from various sources.
+    Install or remove GPG keys from various sources.
 
     Args:
         src: filename or URL to a key (ASCII .asc or binary .gpg)
-        dest: destination path for the key file (required)
+        dest: destination path for the key file (required for installation, optional for removal)
         keyserver: keyserver URL for fetching keys by ID
-        keyid: key ID or list of key IDs (required with keyserver)
+        keyid: key ID or list of key IDs (required with keyserver, optional for removal)
         dearmor: whether to convert ASCII armored keys to binary format
         mode: file permissions for the installed key
+        present: whether the key should be present (True) or absent (False)
+                When False: if dest is provided, removes from specific keyring;
+                           if dest is None, removes from all APT keyrings;
+                           if keyid is provided, removes specific key(s);
+                           if keyid is None, removes entire keyring file(s)
 
     Examples:
         gpg.key(
@@ -40,6 +47,26 @@ def key(
             dest="/etc/apt/keyrings/docker.gpg",
         )
 
+        gpg.key(
+            name="Remove old GPG key file",
+            dest="/etc/apt/keyrings/old-key.gpg",
+            present=False,
+        )
+
+        gpg.key(
+            name="Remove specific key by ID",
+            dest="/etc/apt/keyrings/vendor.gpg",
+            keyid="0xABCDEF12",
+            present=False,
+        )
+
+        gpg.key(
+            name="Remove key from all APT keyrings",
+            keyid="0xCOMPROMISED123",
+            present=False,
+            # dest=None means search in all keyrings
+        )
+
         gpg.key(
             name="Fetch keys from keyserver",
             keyserver="hkps://keyserver.ubuntu.com",
@@ -48,17 +75,73 @@ def key(
         )
     """
 
+    # Validate parameters based on operation type
+    if present is True:
+        # For installation, dest is required
+        if not dest:
+            raise OperationError("`dest` must be provided for installation")
+    elif present is False:
+        # For removal, either dest or keyid must be provided
+        if not dest and not keyid:
+            raise OperationError("For removal, either `dest` or `keyid` must be provided")
+
+    # For removal, handle different scenarios
+    if present is False:
+        if not dest and keyid:
+            # Remove key(s) from all APT keyrings
+            if isinstance(keyid, str):
+                keyid = [keyid]
+            
+            # Define all APT keyring locations
+            keyring_patterns = [
+                "/etc/apt/trusted.gpg.d/*.gpg",
+                "/etc/apt/keyrings/*.gpg", 
+                "/usr/share/keyrings/*.gpg"
+            ]
+            
+            for pattern in keyring_patterns:
+                for kid in keyid:
+                    # Remove key from all matching keyrings
+                    yield f'for keyring in {pattern}; do [ -e "$keyring" ] && gpg --batch --no-default-keyring --keyring "$keyring" --delete-keys {kid} 2>/dev/null || true; done'
+                
+                # Clean up empty keyrings
+                yield f'for keyring in {pattern}; do [ -e "$keyring" ] && ! gpg --batch --no-default-keyring --keyring "$keyring" --list-keys 2>/dev/null | grep -q "pub" && rm -f "$keyring" || true; done'
+            
+            return
+            
+        elif dest and keyid:
+            # Remove specific key(s) by ID from specific keyring
+            if isinstance(keyid, str):
+                keyid = [keyid]
+            
+            for kid in keyid:
+                # Remove the specific key from the keyring
+                yield f'gpg --batch --no-default-keyring --keyring "{dest}" --delete-keys {kid} 2>/dev/null || true'
+            
+            # If keyring becomes empty, remove the file
+            yield f'if ! gpg --batch --no-default-keyring --keyring "{dest}" --list-keys 2>/dev/null | grep -q "pub"; then rm -f "{dest}"; fi'
+            return
+            
+        elif dest and not keyid:
+            # Remove entire keyring file
+            yield from files.file._inner(
+                path=dest,
+                present=False,
+            )
+            return
+
+    # For installation, validate required parameters
     if not src and not keyserver:
-        raise OperationError("Either `src` or `keyserver` must be provided")
+        raise OperationError("Either `src` or `keyserver` must be provided for installation")
 
     if keyserver and not keyid:
         raise OperationError("`keyid` must be provided with `keyserver`")
 
-    if not dest:
-        raise OperationError("`dest` must be provided")
+    if keyid and not keyserver and not src:
+        raise OperationError("When using `keyid` for installation, either `keyserver` or `src` must be provided")
 
-    # Ensure destination directory exists
-    dest_dir = dest.rsplit("/", 1)[0]
+    # For installation (present=True), ensure destination directory exists
+    dest_dir = str(Path(dest).parent)
     yield from files.directory._inner(
         path=dest_dir,
         mode="0755",
@@ -126,7 +209,6 @@ def key(
             present=True,
         )
 
-
 @operation()
 def dearmor(src: str, dest: str, mode: str = "0644"):
     """
@@ -168,8 +250,11 @@ def _install_key_file(src_file: str, dest_path: str, dearmor: bool, mode: str):
     Helper function to install a GPG key file, dearmoring if necessary.
     """
     if dearmor:
+        # Check if it's an ASCII armored key and handle accordingly
+        # Note: Could be enhanced using GpgKey fact for better detection
         yield f'if grep -q "BEGIN PGP PUBLIC KEY BLOCK" "{src_file}"; then gpg --batch --dearmor -o "{dest_path}" "{src_file}"; else cp "{src_file}" "{dest_path}"; fi'
     else:
+        # Simple copy for binary keys or when dearmoring is disabled
         yield f'cp "{src_file}" "{dest_path}"'
 
     # Set proper permissions using pyinfra

tests/facts/apt.AptKeys/keys.json

@@ -1,6 +1,5 @@
 {
-    "command": "! command -v gpg || apt-key list --with-colons",
-    "requires_command": "apt-key",
+    "command": "for f in   /etc/apt/trusted.gpg   /etc/apt/trusted.gpg.d/*.gpg /etc/apt/trusted.gpg.d/*.asc   /etc/apt/keyrings/*.gpg /etc/apt/keyrings/*.asc   /usr/share/keyrings/*.gpg /usr/share/keyrings/*.asc ; do   [ -e \"$f\" ] || continue;   case \"$f\" in     *.asc)       gpg --batch --show-keys --with-colons --keyid-format LONG \"$f\"       ;;     *)       gpg --batch --no-default-keyring --keyring \"$f\"           --list-keys --with-colons --keyid-format LONG       ;;   esac; done",
     "output": [
         "tru:t:1:1601454628:0:3:1:5",
         "pub:-:4096:1:3B4FE6ACC0B21F32:1336770936:::-:::scSC::::::23::0:",

tests/facts/apt.AptSources/component_with_number.json

@@ -1,8 +1,10 @@
 {
     "output": [
-        "deb http://archive.ubuntu.com/ubuntu trusty restricted pi4"
+        "##FILE /etc/apt/sources.list",
+        "deb http://archive.ubuntu.com/ubuntu trusty restricted pi4",
+        ""
     ],
-    "command": "(! test -f /etc/apt/sources.list || cat /etc/apt/sources.list) && (cat /etc/apt/sources.list.d/*.list || true)",
+    "command": "sh -c 'for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do [ -e \"$f\" ] || continue; echo \"##FILE $f\"; cat \"$f\"; echo; done'",
     "requires_command": "apt",
     "fact": [
         {

tests/facts/apt.AptSources/sources.json

@@ -1,11 +1,13 @@
 {
     "output": [
+        "##FILE /etc/apt/sources.list",
         "deb http://archive.ubuntu.com/ubuntu trusty restricted",
         "deb-src [arch=amd64,i386] http://archive.ubuntu.com/ubuntu trusty main",
         "deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse",
-        "nope"
+        "nope",
+        ""
     ],
-    "command": "(! test -f /etc/apt/sources.list || cat /etc/apt/sources.list) && (cat /etc/apt/sources.list.d/*.list || true)",
+    "command": "sh -c 'for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do [ -e \"$f\" ] || continue; echo \"##FILE $f\"; cat \"$f\"; echo; done'",
     "requires_command": "apt",
     "fact": [
         {

tests/operations/gpg.key/no_dest.json

@@ -6,6 +6,6 @@
     "facts": {},
     "exception": {
         "names": ["OperationError"],
-        "message": "`dest` must be provided"
+        "message": "`dest` must be provided for installation"
     }
 }

tests/operations/gpg.key/no_src_or_keyserver.json

@@ -5,7 +5,7 @@
     },
     "exception": {
         "names": ["OperationError"],
-        "message": "Either `src` or `keyserver` must be provided"
+        "message": "Either `src` or `keyserver` must be provided for installation"
     },
     "facts": {}
 }

tests/operations/gpg.key/remove_by_id.json

@@ -0,0 +1,16 @@
+{
+    "kwargs": {
+        "dest": "/etc/apt/keyrings/vendor.gpg",
+        "keyid": "0xABCDEF12",
+        "present": false
+    },
+    "facts": {
+        "files.File": {
+            "path=/etc/apt/keyrings/vendor.gpg": {"mode": 644}
+        }
+    },
+    "commands": [
+        "gpg --batch --no-default-keyring --keyring \"/etc/apt/keyrings/vendor.gpg\" --delete-keys 0xABCDEF12 2>/dev/null || true",
+        "if ! gpg --batch --no-default-keyring --keyring \"/etc/apt/keyrings/vendor.gpg\" --list-keys 2>/dev/null | grep -q \"pub\"; then rm -f \"/etc/apt/keyrings/vendor.gpg\"; fi"
+    ]
+}

tests/operations/gpg.key/remove_file.json

@@ -0,0 +1,14 @@
+{
+    "kwargs": {
+        "dest": "/etc/apt/keyrings/test.gpg",
+        "present": false
+    },
+    "facts": {
+        "files.File": {
+            "path=/etc/apt/keyrings/test.gpg": {"mode": 644}
+        }
+    },
+    "commands": [
+        "rm -f /etc/apt/keyrings/test.gpg"
+    ]
+}

tests/operations/gpg.key/remove_from_all_keyrings.json

@@ -0,0 +1,15 @@
+{
+    "kwargs": {
+        "keyid": "0xCOMPROMISED123",
+        "present": false
+    },
+    "facts": {},
+    "commands": [
+        "for keyring in /etc/apt/trusted.gpg.d/*.gpg; do [ -e \"$keyring\" ] && gpg --batch --no-default-keyring --keyring \"$keyring\" --delete-keys 0xCOMPROMISED123 2>/dev/null || true; done",
+        "for keyring in /etc/apt/trusted.gpg.d/*.gpg; do [ -e \"$keyring\" ] && ! gpg --batch --no-default-keyring --keyring \"$keyring\" --list-keys 2>/dev/null | grep -q \"pub\" && rm -f \"$keyring\" || true; done",
+        "for keyring in /etc/apt/keyrings/*.gpg; do [ -e \"$keyring\" ] && gpg --batch --no-default-keyring --keyring \"$keyring\" --delete-keys 0xCOMPROMISED123 2>/dev/null || true; done",
+        "for keyring in /etc/apt/keyrings/*.gpg; do [ -e \"$keyring\" ] && ! gpg --batch --no-default-keyring --keyring \"$keyring\" --list-keys 2>/dev/null | grep -q \"pub\" && rm -f \"$keyring\" || true; done",
+        "for keyring in /usr/share/keyrings/*.gpg; do [ -e \"$keyring\" ] && gpg --batch --no-default-keyring --keyring \"$keyring\" --delete-keys 0xCOMPROMISED123 2>/dev/null || true; done",
+        "for keyring in /usr/share/keyrings/*.gpg; do [ -e \"$keyring\" ] && ! gpg --batch --no-default-keyring --keyring \"$keyring\" --list-keys 2>/dev/null | grep -q \"pub\" && rm -f \"$keyring\" || true; done"
+    ]
+}

tests/operations/gpg.key/remove_no_dest_no_keyid.json

@@ -0,0 +1,10 @@
+{
+    "kwargs": {
+        "present": false
+    },
+    "exception": {
+        "names": ["OperationError"],
+        "message": "For removal, either `dest` or `keyid` must be provided"
+    },
+    "facts": {}
+}