Fix gpg.verify with python-gnupg >=0.5.1

lkubb · lkubb · commit f1b10c665f86 · 2024-12-12T10:10:55.000+01:00
The reported signature validity levels were bumped in vsajip/python-gnupg#205
diff --git a/salt/modules/gpg.py b/salt/modules/gpg.py
@@ -29,9 +29,17 @@
 
 log = logging.getLogger(__name__)
 
-# Define the module's virtual name
+try:
+    import gnupg
+
+    HAS_GPG_BINDINGS = True
+except ImportError:
+    HAS_GPG_BINDINGS = False
+
+
 __virtualname__ = "gpg"
 
+# Map of letters indicating key validity to pretty string (for display)
 LETTER_TRUST_DICT = immutabletypes.freeze(
     {
         "e": "Expired",
@@ -45,6 +53,22 @@
     }
 )
 
+
+# Map of allowed `trust_level` param values in `trust_key`
+# to trust parameter for python-gnupg trust_keys (to manage owner trust)
+TRUST_KEYS_TRUST_LEVELS = immutabletypes.freeze(
+    {
+        "expired": "TRUST_EXPIRED",
+        "unknown": "TRUST_UNDEFINED",
+        "not_trusted": "TRUST_NEVER",
+        "marginally": "TRUST_MARGINAL",
+        "fully": "TRUST_FULLY",
+        "ultimately": "TRUST_ULTIMATE",
+    }
+)
+
+# Map of allowed `trust_level` param values in `trust_key`
+# to owner trust numeric values
 NUM_TRUST_DICT = immutabletypes.freeze(
     {
         "expired": "1",
@@ -56,6 +80,7 @@
     }
 )
 
+# Map of owner trust numeric values to pretty string (for display)
 INV_NUM_TRUST_DICT = immutabletypes.freeze(
     {
         "1": "Expired",
@@ -67,36 +92,33 @@
     }
 )
 
-VERIFY_TRUST_LEVELS = immutabletypes.freeze(
-    {
-        "0": "Undefined",
-        "1": "Never",
-        "2": "Marginal",
-        "3": "Fully",
-        "4": "Ultimate",
-    }
-)
-
-TRUST_KEYS_TRUST_LEVELS = immutabletypes.freeze(
-    {
-        "expired": "TRUST_EXPIRED",
-        "unknown": "TRUST_UNDEFINED",
-        "never": "TRUST_NEVER",
-        "marginally": "TRUST_MARGINAL",
-        "fully": "TRUST_FULLY",
-        "ultimately": "TRUST_ULTIMATE",
-    }
-)
+# Map of signature validity numeric values to pretty string (for display)
+if not HAS_GPG_BINDINGS:
+    VERIFY_TRUST_LEVELS = {}
+elif salt.utils.versions.version_cmp(gnupg.__version__, "0.5.1") >= 0:
+    VERIFY_TRUST_LEVELS = immutabletypes.freeze(
+        {
+            "0": "Expired",
+            "1": "Undefined",
+            "2": "Never",
+            "3": "Marginal",
+            "4": "Fully",
+            "5": "Ultimate",
+        }
+    )
+else:
+    VERIFY_TRUST_LEVELS = immutabletypes.freeze(
+        {
+            "0": "Undefined",
+            "1": "Never",
+            "2": "Marginal",
+            "3": "Fully",
+            "4": "Ultimate",
+        }
+    )
 
 _DEFAULT_KEY_SERVER = "keys.openpgp.org"
 
-try:
-    import gnupg
-
-    HAS_GPG_BINDINGS = True
-except ImportError:
-    HAS_GPG_BINDINGS = False
-
 
 def _gpg():
     """
diff --git a/tests/pytests/functional/modules/test_gpg.py b/tests/pytests/functional/modules/test_gpg.py
@@ -797,7 +797,7 @@ def test_verify_with_keyring(gpghome, gnupg, gpg, keyring, sig, signed_data, key
 @pytest.mark.usefixtures("_pubkeys_present")
 # Can't easily test the other signature validity levels since
 # we would need to sign the pubkey ourselves, which is not
-# exposed by python-gpg as of release 0.5.2.
+# exposed by python-gnupg as of release 0.5.2.
 @pytest.mark.parametrize(
     "ownertrust,text", (("TRUST_NEVER", "Undefined"), ("TRUST_ULTIMATE", "Ultimate"))
 )

Original file line number	Diff line number	Diff line change
`@@ -797,7 +797,7 @@ def test_verify_with_keyring(gpghome, gnupg, gpg, keyring, sig, signed_data, key`
`797`	`797`	`@pytest.mark.usefixtures("_pubkeys_present")`
`798`	`798`	`# Can't easily test the other signature validity levels since`
`799`	`799`	`# we would need to sign the pubkey ourselves, which is not`
`800`		`-# exposed by python-gpg as of release 0.5.2.`
	`800`	`+# exposed by python-gnupg as of release 0.5.2.`
`801`	`801`	`@pytest.mark.parametrize(`
`802`	`802`	`"ownertrust,text", (("TRUST_NEVER", "Undefined"), ("TRUST_ULTIMATE", "Ultimate"))`
`803`	`803`	`)`