diff --git a/src/pyinfra/facts/apt.py b/src/pyinfra/facts/apt.py index a427f9e17..d3aa52bfd 100644 --- a/src/pyinfra/facts/apt.py +++ b/src/pyinfra/facts/apt.py @@ -1,13 +1,206 @@ from __future__ import annotations import re +from dataclasses import dataclass +from typing import Union from typing_extensions import TypedDict, override from pyinfra.api import FactBase from .gpg import GpgFactBase -from .util import make_cat_files_command + + +@dataclass +class AptRepo: + """Represents an APT repository configuration. + + This dataclass provides type safety for APT repository definitions, + supporting both legacy .list style and modern deb822 .sources formats. + + Provides dict-like access for backward compatibility while offering + full type safety for modern code. + """ + + type: str # "deb" or "deb-src" + url: str # Repository URL + distribution: str # Suite/distribution name + components: list[str] # List of components (e.g., ["main", "contrib"]) + options: dict[str, Union[str, list[str]]] # Repository options + + # Dict-like interface for backward compatibility + def __getitem__(self, key: str): + """Dict-like access: repo['type'] works like repo.type""" + return getattr(self, key) + + def __setitem__(self, key: str, value): + """Dict-like assignment: repo['type'] = 'deb' works like repo.type = 'deb'""" + setattr(self, key, value) + + def __contains__(self, key: str) -> bool: + """Support 'key' in repo syntax""" + return hasattr(self, key) + + def get(self, key: str, default=None): + """Dict-like get: repo.get('type', 'deb')""" + return getattr(self, key, default) + + def keys(self): + """Return dict-like keys""" + return ["type", "url", "distribution", "components", "options"] + + def values(self): + """Return dict-like values""" + return [self.type, self.url, self.distribution, self.components, self.options] + + def items(self): + """Return dict-like items""" + return [(k, getattr(self, k)) for k in self.keys()] + + @override + def __eq__(self, other) -> bool: + """Enhanced equality that works with dicts and AptRepo instances""" + if isinstance(other, dict): + return ( + self.type == other.get("type") + and self.url == other.get("url") + and self.distribution == other.get("distribution") + and self.components == other.get("components") + and self.options == other.get("options") + ) + elif isinstance(other, AptRepo): + return ( + self.type == other.type + and self.url == other.url + and self.distribution == other.distribution + and self.components == other.components + and self.options == other.options + ) + return False + + def to_json(self): + """Convert to dict for JSON serialization""" + return { + "type": self.type, + "url": self.url, + "distribution": self.distribution, + "components": self.components, + "options": self.options, + } + + +@dataclass +class AptSourcesFile: + """Represents a deb822 sources file entry before expansion into individual repositories. + + This preserves the original multi-value fields from deb822 format, + while AptRepo represents individual expanded repositories. + """ + + types: list[str] # ["deb", "deb-src"] + uris: list[str] # ["http://deb.debian.org", "https://mirror.example.com"] + suites: list[str] # ["bookworm", "bullseye"] + components: list[str] # ["main", "contrib", "non-free"] + architectures: list[str] | None = None # ["amd64", "i386"] + signed_by: list[str] | None = None # ["/path/to/key1.gpg", "/path/to/key2.gpg"] + trusted: str | None = None # "yes"/"no" + + @classmethod + def from_deb822_lines(cls, lines: list[str]) -> "AptSourcesFile | None": + """Parse deb822 stanza lines into AptSourcesFile. + + Returns None if parsing failed or repository is disabled. + """ + if not lines: + return None + + data: dict[str, str] = {} + for line in lines: + if not line or line.startswith("#"): + continue + # Field-Name: value + try: + key, value = line.split(":", 1) + except ValueError: # malformed line + continue + data[key.strip()] = value.strip() + + # Validate required fields + required = ("Types", "URIs", "Suites") + if not all(field in data for field in required): + return None + + # Filter out disabled repositories + enabled_str = data.get("Enabled", "yes").lower() + if enabled_str != "yes": + return None + + # Parse fields into appropriate types + return cls( + types=data.get("Types", "").split(), + uris=data.get("URIs", "").split(), + suites=data.get("Suites", "").split(), + components=data.get("Components", "").split(), + architectures=( + data.get("Architectures", "").split() if data.get("Architectures") else None + ), + signed_by=data.get("Signed-By", "").split() if data.get("Signed-By") else None, + trusted=data.get("Trusted", "").lower() if data.get("Trusted") else None, + ) + + @classmethod + def parse_sources_file(cls, lines: list[str]) -> list[AptRepo]: + """Parse a full deb822 .sources file into AptRepo instances. + + Splits on blank lines into stanzas and parses each one. + Returns a combined list of AptRepo instances for all stanzas. + + Args: + lines: Lines from a .sources file + """ + repos = [] + stanza: list[str] = [] + for raw in lines + [""]: # sentinel blank line to flush last stanza + line = raw.rstrip("\n") + if line.strip() == "": + if stanza: + sources_file = cls.from_deb822_lines(stanza) + if sources_file: + repos.extend(sources_file.expand_to_repos()) + stanza = [] + continue + stanza.append(line) + return repos + + def expand_to_repos(self) -> list[AptRepo]: + """Expand this sources file entry into individual AptRepo instances.""" + # Build options dict in the same format as legacy parsing + options: dict[str, Union[str, list[str]]] = {} + + if self.architectures: + options["arch"] = ( + self.architectures if len(self.architectures) > 1 else self.architectures[0] + ) + if self.signed_by: + options["signed-by"] = self.signed_by if len(self.signed_by) > 1 else self.signed_by[0] + if self.trusted: + options["trusted"] = self.trusted + + repos = [] + # Produce combinations – in most real-world cases these will each be one. + for repo_type in self.types: + for uri in self.uris: + for suite in self.suites: + repos.append( + AptRepo( + type=repo_type, + url=uri, + distribution=suite, + components=self.components.copy(), # copy to avoid shared reference + options=dict(options), # copy per entry + ) + ) + return repos def noninteractive_apt(command: str, force=False): @@ -32,13 +225,21 @@ def noninteractive_apt(command: str, force=False): ) -def parse_apt_repo(name): +def parse_apt_repo(name: str) -> AptRepo | None: + """Parse a traditional apt source line into an AptRepo. + + Args: + name: Apt source line (e.g., "deb [arch=amd64] http://example.com focal main") + + Returns: + AptRepo instance or None if parsing failed + """ regex = r"^(deb(?:-src)?)(?:\s+\[([^\]]+)\])?\s+([^\s]+)\s+([^\s]+)\s+([a-z-\s\d]*)$" matches = re.match(regex, name) if not matches: - return + return None # Parse any options options = {} @@ -51,53 +252,97 @@ def parse_apt_repo(name): options[key] = value - return { - "options": options, - "type": matches.group(1), - "url": matches.group(3), - "distribution": matches.group(4), - "components": list(matches.group(5).split()), - } + return AptRepo( + type=matches.group(1), + url=matches.group(3), + distribution=matches.group(4), + components=list(matches.group(5).split()), + options=options, + ) -class AptSources(FactBase): +def parse_apt_list_file(lines: list[str]) -> list[AptRepo]: + """Parse legacy .list style apt source file. + + Each non-comment, non-empty line is a discrete repository definition in the + traditional ``deb http://... suite components`` syntax. + Returns a list of AptRepo instances. + + Args: + lines: Lines from a .list file """ - Returns a list of installed apt sources: + repos = [] + for raw in lines: + line = raw.strip() + if not line or line.startswith("#"): + continue + repo = parse_apt_repo(line) + if repo: + repos.append(repo) + return repos - .. code:: python - [ - { - "type": "deb", - "url": "http://archive.ubuntu.org", - "distribution": "trusty", - "components", ["main", "multiverse"], - }, - ] +class AptSources(FactBase): + """Returns a list of installed apt sources (legacy .list + deb822 .sources). + + Returns a list of AptRepo instances that behave like dicts for backward compatibility: + + [AptRepo(type="deb", url="http://archive.ubuntu.org", ...)] + + Each AptRepo can be accessed like a dict: + repo['type'] # works like repo.type + repo.get('url') # works like getattr(repo, 'url') """ @override def command(self) -> str: - return make_cat_files_command( - "/etc/apt/sources.list", - "/etc/apt/sources.list.d/*.list", + # We emit file boundary markers so the parser can select the correct + # parsing function based on filename extension. + return ( + "sh -c '" + "for f in " + "/etc/apt/sources.list " + "/etc/apt/sources.list.d/*.list " + "/etc/apt/sources.list.d/*.sources; do " + '[ -e "$f" ] || continue; ' + 'echo "##FILE $f"; ' + 'cat "$f"; ' + "echo; " + "done'" ) @override def requires_command(self) -> str: - return "apt" # if apt installed, above should exist + return "apt" default = list @override - def process(self, output): - repos = [] + def process(self, output): # type: ignore[override] + repos: list[AptRepo] = [] + current_file: str | None = None + buffer: list[str] = [] + + def flush(): + nonlocal buffer, current_file, repos + if current_file is None or not buffer: + buffer = [] + return + + if current_file.endswith(".sources"): + repos.extend(AptSourcesFile.parse_sources_file(buffer)) + else: # .list files or /etc/apt/sources.list + repos.extend(parse_apt_list_file(buffer)) + buffer = [] for line in output: - repo = parse_apt_repo(line) - if repo: - repos.append(repo) + if line.startswith("##FILE "): + flush() # flush previous file buffer + current_file = line[7:].strip() # remove "##FILE " prefix + continue + buffer.append(line) + flush() # flush the final buffer return repos diff --git a/src/pyinfra/operations/gpg.py b/src/pyinfra/operations/gpg.py new file mode 100644 index 000000000..e8ce04225 --- /dev/null +++ b/src/pyinfra/operations/gpg.py @@ -0,0 +1,300 @@ +""" +Manage GPG keys and keyrings. +""" + +from pathlib import PurePosixPath +from urllib.parse import urlparse + +from pyinfra import host +from pyinfra.api import OperationError, operation + +from . import files + + +@operation() +def key( + src: str | None = None, + dest: str | None = None, + keyserver: str | None = None, + keyid: str | list[str] | None = None, + dearmor: bool = True, + mode: str = "0644", + present: bool = True, +): + """ + Install or remove GPG keys from various sources. + + Args: + src: filename or URL to a key (ASCII .asc or binary .gpg) + dest: destination path for the key file (required for installation, optional for removal) + keyserver: keyserver URL for fetching keys by ID + keyid: key ID or list of key IDs (required with keyserver, optional for removal) + dearmor: whether to convert ASCII armored keys to binary format + mode: file permissions for the installed key + present: whether the key should be present (True) or absent (False) + When False: if dest is provided, removes from specific keyring; + if dest is None, removes from all APT keyrings; + if keyid is provided, removes specific key(s); + if keyid is None, removes entire keyring file(s) + + Examples: + gpg.key( + name="Install Docker GPG key", + src="https://download.docker.com/linux/debian/gpg", + dest="/etc/apt/keyrings/docker.gpg", + ) + + gpg.key( + name="Remove old GPG key file", + dest="/etc/apt/keyrings/old-key.gpg", + present=False, + ) + + gpg.key( + name="Remove specific key by ID", + dest="/etc/apt/keyrings/vendor.gpg", + keyid="0xABCDEF12", + present=False, + ) + + gpg.key( + name="Remove key from all APT keyrings", + keyid="0xCOMPROMISED123", + present=False, + # dest=None means search in all keyrings + ) + + gpg.key( + name="Fetch keys from keyserver", + keyserver="hkps://keyserver.ubuntu.com", + keyid=["0xD88E42B4", "0x7EA0A9C3"], + dest="/etc/apt/keyrings/vendor.gpg", + ) + """ + + # Validate parameters based on operation type + if present is True: + # For installation, dest is required + if not dest: + raise OperationError("`dest` must be provided for installation") + elif present is False: + # For removal, either dest or keyid must be provided + if not dest and not keyid: + raise OperationError("For removal, either `dest` or `keyid` must be provided") + + # For removal, handle different scenarios + if present is False: + if not dest and keyid: + # Remove key(s) from all APT keyrings + if isinstance(keyid, str): + keyid = [keyid] + + # Define all APT keyring locations + # Not sure this is the best way to do this + # Cannot find a more generic way to get gpg keyring locations + keyring_patterns = [ + "/etc/apt/trusted.gpg.d/*.gpg", + "/etc/apt/keyrings/*.gpg", + "/usr/share/keyrings/*.gpg", + ] + + for pattern in keyring_patterns: + for kid in keyid: + # Remove key from all matching keyrings + yield ( + f'for keyring in {pattern}; do [ -e "$keyring" ] && ' + f'gpg --batch --no-default-keyring --keyring "$keyring" ' + f"--delete-keys {kid} 2>/dev/null || true; done" + ) + + # Clean up empty keyrings + yield ( + f'for keyring in {pattern}; do [ -e "$keyring" ] && ' + f'! gpg --batch --no-default-keyring --keyring "$keyring" ' + f'--list-keys 2>/dev/null | grep -q "pub" && rm -f "$keyring" || true; done' + ) + + return + + elif dest and keyid: + # For APT keyring files, use a simpler approach: + # Check if keys exist in file, and if so, remove the entire file + # This is appropriate for most APT use cases + if isinstance(keyid, str): + keyid = [keyid] + + # Build a condition to check if any of the keys exist in the file + key_checks = [] + for kid in keyid: + # Strip 0x prefix if present and handle both short and long key formats + clean_key = kid.replace("0x", "").replace("0X", "") + key_checks.append( + f'gpg --batch --no-default-keyring --keyring "{dest}" ' + f'--list-keys 2>/dev/null | grep -qi "{clean_key}"' + ) + + condition = " || ".join(key_checks) + + # If any of the keys exist in the file, remove the entire file + yield (f'if [ -f "{dest}" ] && ({condition}); then ' f'rm -f "{dest}"; fi') + return + + elif dest and not keyid: + # Remove entire keyring file + yield from files.file._inner( + path=dest, + present=False, + ) + return + + # For installation, validate required parameters + if not src and not keyserver: + raise OperationError("Either `src` or `keyserver` must be provided for installation") + + if keyserver and not keyid: + raise OperationError("`keyid` must be provided with `keyserver`") + + if keyid and not keyserver and not src: + raise OperationError( + "When using `keyid` for installation, either `keyserver` or `src` must be provided" + ) + + # For installation (present=True), ensure destination directory exists + if dest is None: + raise OperationError("dest is required for installation") + + dest_dir = str(PurePosixPath(dest).parent) + yield from files.directory._inner( + path=dest_dir, + mode="0755", + present=True, + ) + + # --- src branch: install a key from URL or local file --- + if src: + if urlparse(src).scheme in ("http", "https"): + # Remote source: download first, then process + temp_file = host.get_temp_filename(src) + + yield from files.download._inner( + src=src, + dest=temp_file, + ) + + # Install the key and clean up temp file + yield from _install_key_file(temp_file, dest, dearmor, mode) + + # Clean up temp file using pyinfra + yield from files.file._inner( + path=temp_file, + present=False, + ) + else: + # Local file: install directly + yield from _install_key_file(src, dest, dearmor, mode) + + # --- keyserver branch: fetch keys by ID --- + if keyserver: + if keyid is None: + raise OperationError("`keyid` must be provided with `keyserver`") + + if isinstance(keyid, str): + keyid = [keyid] + + joined = " ".join(keyid) + + # Create temporary GPG home directory + temp_dir = f"/tmp/pyinfra-gpg-{host.get_temp_filename('')[-8:]}" + + yield from files.directory._inner( + path=temp_dir, + mode="0700", # GPG directories should be more restrictive + present=True, + ) + + # Export GNUPGHOME and fetch keys + yield f'export GNUPGHOME="{temp_dir}" && gpg --batch --keyserver "{keyserver}" --recv-keys {joined}' # noqa: E501 + + # Export keys to destination + if dearmor: + # For binary output (dearmored), use --export without --armor + yield (f'export GNUPGHOME="{temp_dir}" && ' f'gpg --batch --export {joined} > "{dest}"') + else: + # For ASCII output, use --export --armor + yield ( + f'export GNUPGHOME="{temp_dir}" && ' + f'gpg --batch --export --armor {joined} > "{dest}"' + ) + + # Clean up temporary directory + yield from files.directory._inner( + path=temp_dir, + present=False, + ) + + # Set proper permissions + yield from files.file._inner( + path=dest, + mode=mode, + present=True, + ) + + +@operation() +def dearmor(src: str, dest: str, mode: str = "0644"): + """ + Convert ASCII armored GPG key to binary format. + + Args: + src: source ASCII armored key file + dest: destination binary key file + mode: file permissions for the output file + + Example: + gpg.dearmor( + name="Convert key to binary", + src="/tmp/key.asc", + dest="/etc/apt/keyrings/key.gpg", + ) + """ + + # Ensure destination directory exists + dest_dir = str(PurePosixPath(dest).parent) + yield from files.directory._inner( + path=dest_dir, + mode="0755", + present=True, + ) + + yield f'gpg --batch --dearmor -o "{dest}" "{src}"' + + # Set proper permissions + yield from files.file._inner( + path=dest, + mode=mode, + present=True, + ) + + +def _install_key_file(src_file: str, dest_path: str, dearmor: bool, mode: str): + """ + Helper function to install a GPG key file, dearmoring if necessary. + """ + if dearmor: + # Check if it's an ASCII armored key and handle accordingly + # Note: Could be enhanced using GpgKey fact + yield ( + f'if grep -q "BEGIN PGP PUBLIC KEY BLOCK" "{src_file}"; then ' + f'gpg --batch --dearmor -o "{dest_path}" "{src_file}"; ' + f'else cp "{src_file}" "{dest_path}"; fi' + ) + else: + # Simple copy for binary keys or when dearmoring is disabled + yield f'cp "{src_file}" "{dest_path}"' + + # Set proper permissions + yield from files.file._inner( + path=dest_path, + mode=mode, + present=True, + ) diff --git a/tests/facts/apt.AptSources/component_with_number.json b/tests/facts/apt.AptSources/component_with_number.json index 97b3989aa..1ab462434 100644 --- a/tests/facts/apt.AptSources/component_with_number.json +++ b/tests/facts/apt.AptSources/component_with_number.json @@ -1,8 +1,10 @@ { "output": [ - "deb http://archive.ubuntu.com/ubuntu trusty restricted pi4" + "##FILE /etc/apt/sources.list", + "deb http://archive.ubuntu.com/ubuntu trusty restricted pi4", + "" ], - "command": "(! test -f /etc/apt/sources.list || cat /etc/apt/sources.list) && (cat /etc/apt/sources.list.d/*.list || true)", + "command": "sh -c 'for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do [ -e \"$f\" ] || continue; echo \"##FILE $f\"; cat \"$f\"; echo; done'", "requires_command": "apt", "fact": [ { diff --git a/tests/facts/apt.AptSources/deb822_sources.json b/tests/facts/apt.AptSources/deb822_sources.json new file mode 100644 index 000000000..b4ced1bd4 --- /dev/null +++ b/tests/facts/apt.AptSources/deb822_sources.json @@ -0,0 +1,48 @@ +{ + "output": [ + "##FILE /etc/apt/sources.list.d/test.sources", + "Types: deb deb-src", + "URIs: http://deb.debian.org/debian", + "Suites: bookworm", + "Components: main contrib", + "Architectures: amd64", + "Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg", + "", + "Types: deb", + "URIs: https://packages.microsoft.com/repos/code", + "Suites: stable", + "Components: main", + "" + ], + "command": "sh -c 'for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do [ -e \"$f\" ] || continue; echo \"##FILE $f\"; cat \"$f\"; echo; done'", + "requires_command": "apt", + "fact": [ + { + "type": "deb", + "url": "http://deb.debian.org/debian", + "distribution": "bookworm", + "components": ["main", "contrib"], + "options": { + "arch": "amd64", + "signed-by": "/usr/share/keyrings/debian-archive-keyring.gpg" + } + }, + { + "type": "deb-src", + "url": "http://deb.debian.org/debian", + "distribution": "bookworm", + "components": ["main", "contrib"], + "options": { + "arch": "amd64", + "signed-by": "/usr/share/keyrings/debian-archive-keyring.gpg" + } + }, + { + "type": "deb", + "url": "https://packages.microsoft.com/repos/code", + "distribution": "stable", + "components": ["main"], + "options": {} + } + ] +} diff --git a/tests/facts/apt.AptSources/sources.json b/tests/facts/apt.AptSources/sources.json index 2b5365f28..217413074 100644 --- a/tests/facts/apt.AptSources/sources.json +++ b/tests/facts/apt.AptSources/sources.json @@ -1,11 +1,13 @@ { "output": [ + "##FILE /etc/apt/sources.list", "deb http://archive.ubuntu.com/ubuntu trusty restricted", "deb-src [arch=amd64,i386] http://archive.ubuntu.com/ubuntu trusty main", "deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse", - "nope" + "nope", + "" ], - "command": "(! test -f /etc/apt/sources.list || cat /etc/apt/sources.list) && (cat /etc/apt/sources.list.d/*.list || true)", + "command": "sh -c 'for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do [ -e \"$f\" ] || continue; echo \"##FILE $f\"; cat \"$f\"; echo; done'", "requires_command": "apt", "fact": [ { diff --git a/tests/operations/gpg.dearmor/basic.json b/tests/operations/gpg.dearmor/basic.json new file mode 100644 index 000000000..62fa745e4 --- /dev/null +++ b/tests/operations/gpg.dearmor/basic.json @@ -0,0 +1,22 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/test.asc", + "dest": "/tmp/test.gpg" + }, + "facts": { + "files.Directory": { + "path=/tmp": { + "mode": 755 + } + }, + "files.File": { + "path=/tmp/test.gpg": null + } + }, + "commands": [ + "gpg --batch --dearmor -o \"/tmp/test.gpg\" \"/tmp/test.asc\"", + "touch /tmp/test.gpg", + "chmod 644 /tmp/test.gpg" + ] +} diff --git a/tests/operations/gpg.dearmor/custom_mode.json b/tests/operations/gpg.dearmor/custom_mode.json new file mode 100644 index 000000000..48e3f6415 --- /dev/null +++ b/tests/operations/gpg.dearmor/custom_mode.json @@ -0,0 +1,24 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/key.asc", + "dest": "/etc/apt/keyrings/key.gpg", + "mode": "0600" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/key.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "gpg --batch --dearmor -o \"/etc/apt/keyrings/key.gpg\" \"/tmp/key.asc\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/key.gpg", + "chmod 600 /etc/apt/keyrings/key.gpg" + ] +} diff --git a/tests/operations/gpg.key/custom_mode.json b/tests/operations/gpg.key/custom_mode.json new file mode 100644 index 000000000..2de7e69f0 --- /dev/null +++ b/tests/operations/gpg.key/custom_mode.json @@ -0,0 +1,24 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/local-key.asc", + "dest": "/etc/apt/keyrings/test.gpg", + "mode": "0600" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "if grep -q \"BEGIN PGP PUBLIC KEY BLOCK\" \"/tmp/local-key.asc\"; then gpg --batch --dearmor -o \"/etc/apt/keyrings/test.gpg\" \"/tmp/local-key.asc\"; else cp \"/tmp/local-key.asc\" \"/etc/apt/keyrings/test.gpg\"; fi", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 600 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/keyserver_multiple.json b/tests/operations/gpg.key/keyserver_multiple.json new file mode 100644 index 000000000..571a57866 --- /dev/null +++ b/tests/operations/gpg.key/keyserver_multiple.json @@ -0,0 +1,28 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "keyid": ["0xD88E42B4", "0x7EA0A9C3"], + "dest": "/etc/apt/keyrings/vendor.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null, + "path=/tmp/pyinfra-gpg-empfile_": null + }, + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "mkdir -p /tmp/pyinfra-gpg-empfile_", + "chmod 700 /tmp/pyinfra-gpg-empfile_", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --keyserver \"hkps://keyserver.ubuntu.com\" --recv-keys 0xD88E42B4 0x7EA0A9C3", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --export 0xD88E42B4 0x7EA0A9C3 > \"/etc/apt/keyrings/vendor.gpg\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/vendor.gpg", + "chmod 644 /etc/apt/keyrings/vendor.gpg" + ] +} diff --git a/tests/operations/gpg.key/keyserver_no_keyid.json b/tests/operations/gpg.key/keyserver_no_keyid.json new file mode 100644 index 000000000..f6bbf5bbe --- /dev/null +++ b/tests/operations/gpg.key/keyserver_no_keyid.json @@ -0,0 +1,12 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "dest": "/etc/apt/keyrings/test.gpg" + }, + "exception": { + "names": ["OperationError"], + "message": "`keyid` must be provided with `keyserver`" + }, + "facts": {} +} diff --git a/tests/operations/gpg.key/keyserver_single.json b/tests/operations/gpg.key/keyserver_single.json new file mode 100644 index 000000000..26fcb4e7c --- /dev/null +++ b/tests/operations/gpg.key/keyserver_single.json @@ -0,0 +1,28 @@ +{ + "args": [], + "kwargs": { + "keyserver": "hkps://keyserver.ubuntu.com", + "keyid": ["0xD88E42B4"], + "dest": "/etc/apt/keyrings/vendor.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null, + "path=/tmp/pyinfra-gpg-empfile_": null + }, + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "mkdir -p /tmp/pyinfra-gpg-empfile_", + "chmod 700 /tmp/pyinfra-gpg-empfile_", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --keyserver \"hkps://keyserver.ubuntu.com\" --recv-keys 0xD88E42B4", + "export GNUPGHOME=\"/tmp/pyinfra-gpg-empfile_\" && gpg --batch --export 0xD88E42B4 > \"/etc/apt/keyrings/vendor.gpg\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/vendor.gpg", + "chmod 644 /etc/apt/keyrings/vendor.gpg" + ] +} diff --git a/tests/operations/gpg.key/local_file.json b/tests/operations/gpg.key/local_file.json new file mode 100644 index 000000000..ba86d06fa --- /dev/null +++ b/tests/operations/gpg.key/local_file.json @@ -0,0 +1,23 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/local-key.asc", + "dest": "/etc/apt/keyrings/test.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "if grep -q \"BEGIN PGP PUBLIC KEY BLOCK\" \"/tmp/local-key.asc\"; then gpg --batch --dearmor -o \"/etc/apt/keyrings/test.gpg\" \"/tmp/local-key.asc\"; else cp \"/tmp/local-key.asc\" \"/etc/apt/keyrings/test.gpg\"; fi", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 644 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/no_dearmor.json b/tests/operations/gpg.key/no_dearmor.json new file mode 100644 index 000000000..4095c6d05 --- /dev/null +++ b/tests/operations/gpg.key/no_dearmor.json @@ -0,0 +1,24 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/local-key.gpg", + "dest": "/etc/apt/keyrings/test.gpg", + "dearmor": false + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "cp \"/tmp/local-key.gpg\" \"/etc/apt/keyrings/test.gpg\"", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 644 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/no_dest.json b/tests/operations/gpg.key/no_dest.json new file mode 100644 index 000000000..134562316 --- /dev/null +++ b/tests/operations/gpg.key/no_dest.json @@ -0,0 +1,11 @@ +{ + "args": [], + "kwargs": { + "src": "/tmp/test.asc" + }, + "facts": {}, + "exception": { + "names": ["OperationError"], + "message": "`dest` must be provided for installation" + } +} diff --git a/tests/operations/gpg.key/no_src_or_keyserver.json b/tests/operations/gpg.key/no_src_or_keyserver.json new file mode 100644 index 000000000..786d22d1c --- /dev/null +++ b/tests/operations/gpg.key/no_src_or_keyserver.json @@ -0,0 +1,11 @@ +{ + "args": [], + "kwargs": { + "dest": "/etc/apt/keyrings/test.gpg" + }, + "exception": { + "names": ["OperationError"], + "message": "Either `src` or `keyserver` must be provided for installation" + }, + "facts": {} +} diff --git a/tests/operations/gpg.key/remote_url.json b/tests/operations/gpg.key/remote_url.json new file mode 100644 index 000000000..509887e86 --- /dev/null +++ b/tests/operations/gpg.key/remote_url.json @@ -0,0 +1,29 @@ +{ + "args": [], + "kwargs": { + "src": "https://example.com/key.asc", + "dest": "/etc/apt/keyrings/test.gpg" + }, + "facts": { + "files.Directory": { + "path=/etc/apt/keyrings": null + }, + "files.File": { + "path=/etc/apt/keyrings/test.gpg": null, + "path=_tempfile_": null + }, + "server.Which": { + "command=curl": "/usr/bin/curl" + } + }, + "commands": [ + "mkdir -p /etc/apt/keyrings", + "chmod 755 /etc/apt/keyrings", + "curl -sSLf https://example.com/key.asc -o _tempfile_", + "mv _tempfile_ _tempfile_", + "if grep -q \"BEGIN PGP PUBLIC KEY BLOCK\" \"_tempfile_\"; then gpg --batch --dearmor -o \"/etc/apt/keyrings/test.gpg\" \"_tempfile_\"; else cp \"_tempfile_\" \"/etc/apt/keyrings/test.gpg\"; fi", + "mkdir -p /etc/apt/keyrings", + "touch /etc/apt/keyrings/test.gpg", + "chmod 644 /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/remove_by_id.json b/tests/operations/gpg.key/remove_by_id.json new file mode 100644 index 000000000..1e664e9f9 --- /dev/null +++ b/tests/operations/gpg.key/remove_by_id.json @@ -0,0 +1,15 @@ +{ + "kwargs": { + "dest": "/etc/apt/keyrings/vendor.gpg", + "keyid": "0xABCDEF12", + "present": false + }, + "facts": { + "files.File": { + "path=/etc/apt/keyrings/vendor.gpg": {"mode": 644} + } + }, + "commands": [ + "if [ -f \"/etc/apt/keyrings/vendor.gpg\" ] && (gpg --batch --no-default-keyring --keyring \"/etc/apt/keyrings/vendor.gpg\" --list-keys 2>/dev/null | grep -qi \"ABCDEF12\"); then rm -f \"/etc/apt/keyrings/vendor.gpg\"; fi" + ] +} diff --git a/tests/operations/gpg.key/remove_file.json b/tests/operations/gpg.key/remove_file.json new file mode 100644 index 000000000..ac9adcb9e --- /dev/null +++ b/tests/operations/gpg.key/remove_file.json @@ -0,0 +1,14 @@ +{ + "kwargs": { + "dest": "/etc/apt/keyrings/test.gpg", + "present": false + }, + "facts": { + "files.File": { + "path=/etc/apt/keyrings/test.gpg": {"mode": 644} + } + }, + "commands": [ + "rm -f /etc/apt/keyrings/test.gpg" + ] +} diff --git a/tests/operations/gpg.key/remove_from_all_keyrings.json b/tests/operations/gpg.key/remove_from_all_keyrings.json new file mode 100644 index 000000000..fb16a54e5 --- /dev/null +++ b/tests/operations/gpg.key/remove_from_all_keyrings.json @@ -0,0 +1,15 @@ +{ + "kwargs": { + "keyid": "0xCOMPROMISED123", + "present": false + }, + "facts": {}, + "commands": [ + "for keyring in /etc/apt/trusted.gpg.d/*.gpg; do [ -e \"$keyring\" ] && gpg --batch --no-default-keyring --keyring \"$keyring\" --delete-keys 0xCOMPROMISED123 2>/dev/null || true; done", + "for keyring in /etc/apt/trusted.gpg.d/*.gpg; do [ -e \"$keyring\" ] && ! gpg --batch --no-default-keyring --keyring \"$keyring\" --list-keys 2>/dev/null | grep -q \"pub\" && rm -f \"$keyring\" || true; done", + "for keyring in /etc/apt/keyrings/*.gpg; do [ -e \"$keyring\" ] && gpg --batch --no-default-keyring --keyring \"$keyring\" --delete-keys 0xCOMPROMISED123 2>/dev/null || true; done", + "for keyring in /etc/apt/keyrings/*.gpg; do [ -e \"$keyring\" ] && ! gpg --batch --no-default-keyring --keyring \"$keyring\" --list-keys 2>/dev/null | grep -q \"pub\" && rm -f \"$keyring\" || true; done", + "for keyring in /usr/share/keyrings/*.gpg; do [ -e \"$keyring\" ] && gpg --batch --no-default-keyring --keyring \"$keyring\" --delete-keys 0xCOMPROMISED123 2>/dev/null || true; done", + "for keyring in /usr/share/keyrings/*.gpg; do [ -e \"$keyring\" ] && ! gpg --batch --no-default-keyring --keyring \"$keyring\" --list-keys 2>/dev/null | grep -q \"pub\" && rm -f \"$keyring\" || true; done" + ] +} diff --git a/tests/operations/gpg.key/remove_no_dest_no_keyid.json b/tests/operations/gpg.key/remove_no_dest_no_keyid.json new file mode 100644 index 000000000..de89aba4d --- /dev/null +++ b/tests/operations/gpg.key/remove_no_dest_no_keyid.json @@ -0,0 +1,10 @@ +{ + "kwargs": { + "present": false + }, + "exception": { + "names": ["OperationError"], + "message": "For removal, either `dest` or `keyid` must be provided" + }, + "facts": {} +}