Last active
February 2, 2017 16:21
-
-
Save subuk/fb02804a787c631fd06364d5aee5b6f0 to your computer and use it in GitHub Desktop.
Ansible module for managing gpg keyring
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # - gnupg: "keyring=/srv/packages/trusted.gpg state=present content='{{ lookup('file', 'userkeys/'+item+'.gpg') }}'" | |
| # with_items: trusted_users | |
| def get_key_id(module): | |
| gnupg = module.get_bin_path('gpg', True) | |
| armored_key = module.params['content'] | |
| result = module.run_command([gnupg, "-"], data=armored_key, check_rc=True) | |
| out = result[1] | |
| keyid = None | |
| for line in out.split('\n'): | |
| if not line.startswith('pub ') and not line.startswith('sec '): | |
| continue | |
| keyid = line.split()[1].split('/')[1] | |
| if keyid is None: | |
| module.fail_json(msg='invalid key content') | |
| return keyid | |
| def check_keyid_exists(module, keyid): | |
| gnupg = module.get_bin_path('gpg', True) | |
| args = [gnupg] | |
| if module.params['keyring']: | |
| args.extend(['--primary-keyring', module.params['keyring']]) | |
| args.extend(['--list-keys', keyid]) | |
| rc, _, _ = module.run_command(args, check_rc=False) | |
| if rc == 0: | |
| return True | |
| return False | |
| def add_key(module): | |
| gnupg = module.get_bin_path('gpg', True) | |
| armored_key = module.params['content'] | |
| args = [gnupg] | |
| if module.params['keyring']: | |
| module.run_command(["touch", module.params['keyring']], check_rc=True) | |
| args.extend(['--primary-keyring', module.params['keyring']]) | |
| args.extend(['--import', '-']) | |
| module.run_command(args, data=armored_key, check_rc=True) | |
| def remove_key(module, keyid): | |
| gnupg = module.get_bin_path('gpg', True) | |
| args = [gnupg, '--batch', '--yes'] | |
| if module.params['keyring']: | |
| args.extend(['--primary-keyring', module.params['keyring']]) | |
| args.extend(['--delete-secret-and-public-keys', keyid]) | |
| module.run_command(args, check_rc=True) | |
| def main(): | |
| module = AnsibleModule( | |
| argument_spec=dict( | |
| content=dict(required=True, type='str'), | |
| src=dict(required=False, type='str'), | |
| keyring=dict(required=False, type='str'), | |
| state=dict(default='present', choices=['absent', 'present']), | |
| ), | |
| supports_check_mode=True | |
| ) | |
| keyid = get_key_id(module) | |
| if module.params['state'] == "present": | |
| if check_keyid_exists(module, keyid): | |
| module.exit_json(changed=False) | |
| if module.check_mode: | |
| module.exit_json(changed=True) | |
| add_key(module) | |
| module.exit_json(changed=True) | |
| if module.params['state'] == "absent": | |
| if not check_keyid_exists(module, keyid): | |
| module.exit_json(changed=False) | |
| if module.check_mode: | |
| module.exit_json(changed=True) | |
| remove_key(module, keyid) | |
| module.exit_json(changed=True) | |
| module.fail_json() | |
| from ansible.module_utils.basic import * | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment