X-Git-Url: https://review.fuel-infra.org/gitweb?a=blobdiff_plain;f=lib%2Fpuppet%2Fprovider%2Fapt_key%2Fapt_key.rb;h=d663ee36276303773a0e8be37acb31d0517f7f2a;hb=cd315457372a8f7d642c49c2ac5d64854da639c6;hp=494dd12d1e822de61e7053a90c6f7aa61f29d4df;hpb=76a12dc6d700bbda754c75a3be49a19b7798ab0c;p=puppet-modules%2Fpuppetlabs-apt.git

diff --git a/lib/puppet/provider/apt_key/apt_key.rb b/lib/puppet/provider/apt_key/apt_key.rb
index 494dd12..d663ee3 100644
--- a/lib/puppet/provider/apt_key/apt_key.rb
+++ b/lib/puppet/provider/apt_key/apt_key.rb
@@ -1,8 +1,14 @@
+# frozen_string_literal: true
+
 require 'open-uri'
-require 'net/ftp'
+begin
+  require 'net/ftp'
+rescue LoadError
+  # Ruby 3.0 changed net-ftp to a default gem
+end
 require 'tempfile'
 
-Puppet::Type.type(:apt_key).provide(:apt_key) do
+Puppet::Type.type(:apt_key).provide(:apt_key) do # rubocop:disable Metrics/BlockLength
   desc 'apt-key provider for apt_key resource'
 
   confine    osfamily: :debian
@@ -10,44 +16,38 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
   commands   apt_key: 'apt-key'
   commands   gpg: '/usr/bin/gpg'
 
-  def self.instances
+  def self.instances # rubocop:disable Metrics/AbcSize
+    key_array = []
+
     cli_args = ['adv', '--no-tty', '--list-keys', '--with-colons', '--fingerprint', '--fixed-list-mode']
 
     key_output = apt_key(cli_args).encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
 
-    pub_line, sub_line, fpr_line = nil
-
-    key_array = key_output.split("\n").map do |line|
-      if line.start_with?('pub')
-        pub_line = line
-        # reset fpr_line, to skip any previous subkeys which were collected
-        fpr_line = nil
-        sub_line = nil
-      elsif line.start_with?('sub')
-        sub_line = line
-      elsif line.start_with?('fpr')
-        fpr_line = line
+    pub_line = nil
+    fpr_lines = []
+    sub_lines = []
+
+    lines = key_output.split("\n")
+
+    lines.each_index do |i|
+      if lines[i].start_with?('pub')
+        pub_line = lines[i]
+        # starting a new public key, so reset fpr_lines and sub_lines
+        fpr_lines = []
+        sub_lines = []
+      elsif lines[i].start_with?('fpr')
+        fpr_lines << lines[i]
+      elsif lines[i].start_with?('sub')
+        sub_lines << lines[i]
       end
 
-      if sub_line && fpr_line
-        sub_line, fpr_line = nil
-        next
-      end
-
-      next unless pub_line && fpr_line
-
-      line_hash = key_line_hash(pub_line, fpr_line)
+      next unless (pub_line && !fpr_lines.empty?) && (!lines[i + 1] || lines[i + 1].start_with?('pub'))
 
-      # reset everything
-      pub_line, fpr_line = nil
+      line_hash = key_line_hash(pub_line, fpr_lines)
 
-      expired = false
+      expired = line_hash[:key_expired] || subkeys_all_expired(sub_lines)
 
-      if line_hash[:key_expiry]
-        expired = Time.now >= line_hash[:key_expiry]
-      end
-
-      new(
+      key_array << new(
         name: line_hash[:key_fingerprint],
         id: line_hash[:key_long],
         fingerprint: line_hash[:key_fingerprint],
@@ -61,38 +61,49 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
         created: line_hash[:key_created].strftime('%Y-%m-%d'),
       )
     end
-    key_array.compact!
+    key_array
   end
 
   def self.prefetch(resources)
     apt_keys = instances
     resources.each_key do |name|
-      if name.length == 40
+      case name.length
+      when 40
         provider = apt_keys.find { |key| key.fingerprint == name }
         resources[name].provider = provider if provider
-      elsif name.length == 16
+      when 16
         provider = apt_keys.find { |key| key.long == name }
         resources[name].provider = provider if provider
-      elsif name.length == 8
+      when 8
         provider = apt_keys.find { |key| key.short == name }
         resources[name].provider = provider if provider
       end
     end
   end
 
-  def self.key_line_hash(pub_line, fpr_line)
+  def self.subkeys_all_expired(sub_lines)
+    return false if sub_lines.empty?
+
+    sub_lines.each do |line|
+      return false if line.split(':')[1] == '-'
+    end
+    true
+  end
+
+  def self.key_line_hash(pub_line, fpr_lines)
     pub_split = pub_line.split(':')
-    fpr_split = fpr_line.split(':')
+    fpr_split = fpr_lines.first.split(':')
 
     fingerprint = fpr_split.last
     return_hash = {
       key_fingerprint: fingerprint,
-      key_long: fingerprint[-16..-1], # last 16 characters of fingerprint
-      key_short: fingerprint[-8..-1], # last 8 characters of fingerprint
+      key_long: fingerprint[-16..], # last 16 characters of fingerprint
+      key_short: fingerprint[-8..], # last 8 characters of fingerprint
       key_size: pub_split[2],
       key_type: nil,
       key_created: Time.at(pub_split[5].to_i),
-      key_expiry: pub_split[6].empty? ? nil : Time.at(pub_split[6].to_i),
+      key_expired: pub_split[1] == 'e',
+      key_expiry: pub_split[6].empty? ? nil : Time.at(pub_split[6].to_i)
     }
 
     # set key type based on types defined in /usr/share/doc/gnupg/DETAILS.gz
@@ -114,6 +125,7 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
     parsed_value = URI.parse(value)
     if parsed_value.scheme.nil?
       raise(_('The file %{_value} does not exist') % { _value: value }) unless File.exist?(value)
+
       # Because the tempfile method has to return a live object to prevent GC
       # of the underlying file from occuring too early, we also have to return
       # a file object here.  The caller can still call the #path method on the
@@ -122,17 +134,24 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
       f.close
       f
     else
+      exceptions = [OpenURI::HTTPError]
+      exceptions << Net::FTPPermError if defined?(Net::FTPPermError)
+
       begin
         # Only send basic auth if URL contains userinfo
         # Some webservers (e.g. Amazon S3) return code 400 if empty basic auth is sent
         if parsed_value.userinfo.nil?
-          key = parsed_value.read
+          key = if parsed_value.scheme == 'https' && resource[:weak_ssl] == true
+                  URI.open(parsed_value, ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE).read
+                else
+                  parsed_value.read
+                end
         else
           user_pass = parsed_value.userinfo.split(':')
           parsed_value.userinfo = ''
-          key = open(parsed_value, http_basic_authentication: user_pass).read
+          key = URI.open(parsed_value, http_basic_authentication: user_pass).read
         end
-      rescue OpenURI::HTTPError, Net::FTPPermError => e
+      rescue *exceptions => e
         raise(_('%{_e} for %{_resource}') % { _e: e.message, _resource: resource[:source] })
       rescue SocketError
         raise(_('could not resolve %{_resource}') % { _resource: resource[:source] })
@@ -157,12 +176,10 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
 
         found_match = false
         extracted_key.each_line do |line|
-          if line.chomp == name
-            found_match = true
-          end
+          found_match = true if line.chomp == name
         end
         unless found_match
-          raise(_('The id in your manifest %{_resource} and the fingerprint from content/source don\'t match. Check for an error in the id and content/source is legitimate.') % { _resource: resource[:name] }) # rubocop:disable Metrics/LineLength
+          raise(_('The id in your manifest %{_resource} and the fingerprint from content/source don\'t match. Check for an error in the id and content/source is legitimate.') % { _resource: resource[:name] }) # rubocop:disable Layout/LineLength
         end
       else
         warning('/usr/bin/gpg cannot be found for verification of the id.')
@@ -171,29 +188,7 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
     file
   end
 
-  # Update a key if it is expired
-  def update_expired_key
-    # Return without doing anything if refresh or expired is false
-    return unless resource[:refresh] == true && resource[:expired] == true
-
-    # Execute command to update key
-    command = []
-
-    unless resource[:source].nil? && resource[:content].nil?
-      raise(_('an unexpected condition occurred while trying to add the key: %{_resource}') % { _resource: resource[:id] })
-    end
-
-    # Breaking up the command like this is needed because it blows up
-    # if --recv-keys isn't the last argument.
-    command.push('adv', '--no-tty', '--keyserver', resource[:server])
-    unless resource[:options].nil?
-      command.push('--keyserver-options', resource[:options])
-    end
-    command.push('--recv-keys', resource[:id])
-  end
-
   def exists?
-    update_expired_key
     # report expired keys as non-existing when refresh => true
     @property_hash[:ensure] == :present && !(resource[:refresh] && @property_hash[:expired])
   end
@@ -204,9 +199,7 @@ Puppet::Type.type(:apt_key).provide(:apt_key) do
       # Breaking up the command like this is needed because it blows up
       # if --recv-keys isn't the last argument.
       command.push('adv', '--no-tty', '--keyserver', resource[:server])
-      unless resource[:options].nil?
-        command.push('--keyserver-options', resource[:options])
-      end
+      command.push('--keyserver-options', resource[:options]) unless resource[:options].nil?
       command.push('--recv-keys', resource[:id])
     elsif resource[:content]
       key_file = tempfile(resource[:content])