Add ability to import keys via keyserver
Signed-off-by: Dan Webb <[email protected]>
damacus committed Oct 24, 2023
1 parent 9f3b3be commit a295908
Showing 6 changed files with 60 additions and 30 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,8 @@ This file is used to list changes made in each version of the gpg cookbook.

## Unreleased

- Add support for adding keys via --keyserver and --recv-keys

## 2.0.11 - *2023-09-28*

## 2.0.10 - *2023-09-04*
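Review bot: the Unreleased entry names only the gpg flags; it should also name the resource surface that changed, since that is what cookbook users search the changelog for. Suggest `- Add keyserver property and allow key_fingerprint to be an Array so the :import action can fetch keys with --keyserver/--recv-keys`, which also makes clear that this touches `key_fingerprint`, not just a new option.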
43 changes: 22 additions & 21 deletions documentation/resource/key.md
Expand Up @@ -2,27 +2,28 @@

## Properties

| Property | Ruby Type | Default | Description |
| -------------------------- | ---------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| `batch_name` | String | | Name of the key/batch to generate. |
| `override_default_keyring` | [true, false] | `false` | Set to true if you want to override the pubring_file and secring_file locations. |
| `pubring_file` | String | | Public keyring file location (override_default_keyring must be set to true or this option will be ignored) |
| `secring_file` | String | | Secret keyring file location (override_default_keyring must be set to true or this option will be ignored) |
| `user` | String | `root` | User to generate the key for |
| `group` | String | `user` | Group to run the generate command as |
| `key_type` | String | `1` (RSA) | Corresponds to GPG option: Key-Type (RSA or DSA) |
| `key_length` | String | `2048` | Corresponds to GPG option: Key-Length (2048 or 4096) |
| `name_real` | String | Chef Generated Default (#{batch_name}) | Corresponds to GPG option: Name-Real |
| `name_comment` | String | generated by Chef | Corresponds to GPG option: Name-Comment |
| `name_email` | String | #{node.name}@example.com | Corresponds to GPG option: Name-Email |
| `expire_date` | String | 0 | Corresponds to GPG option: Expire-Date. |
| `home_dir` | String | ~#{user}/.gnupg | Location to store the keyring. Defaults to ~/.gnupg |
| `batch_config_file` | String | gpg_batch_config_#{batch_name} | Batch config file name |
| `passphrase` | String | | Passphrase for key |
| `key_file` | String | | Keyfile name |
| `key_fingerprint` | String | | Key finger print. Used to identify when deleting keys using the :delete action |
| `pinentry_mode` | [String, false] | `loopback` if Ubuntu or False | Pinentry mode. Set to loopback on Ubuntu and False (off) for all other platforms. |
| `batch` | [true, false] | true | Turn batch mode on or off when genrating keys |
| Property | Ruby Type | Default | Description |
|----------------------------|-----------------|----------------------------------------|------------------------------------------------------------------------------------------------------------|
| `batch_name` | String | | Name of the key/batch to generate. |
| `override_default_keyring` | [true, false] | `false` | Set to true if you want to override the pubring_file and secring_file locations. |
| `pubring_file` | String | | Public keyring file location (override_default_keyring must be set to true or this option will be ignored) |
| `secring_file` | String | | Secret keyring file location (override_default_keyring must be set to true or this option will be ignored) |
| `user` | String | `root` | User to generate the key for |
| `group` | String | `user` | Group to run the generate command as |
| `key_type` | String | `1` (RSA) | Corresponds to GPG option: Key-Type (RSA or DSA) |
| `key_length` | String | `2048` | Corresponds to GPG option: Key-Length (2048 or 4096) |
| `name_real` | String | Chef Generated Default (#{batch_name}) | Corresponds to GPG option: Name-Real |
| `name_comment` | String | generated by Chef | Corresponds to GPG option: Name-Comment |
| `name_email` | String | #{node.name}@example.com | Corresponds to GPG option: Name-Email |
| `expire_date` | String | 0 | Corresponds to GPG option: Expire-Date. |
| `home_dir` | String | ~#{user}/.gnupg | Location to store the keyring. Defaults to ~/.gnupg |
| `batch_config_file` | String | gpg_batch_config_#{batch_name} | Batch config file name |
| `passphrase` | String | | Passphrase for key |
| `key_file` | String | | Keyfile name |
| `key_fingerprint` | [String, Array] | | Key fingerprint. Used to identify keys |
| `pinentry_mode` | [String, false] | `loopback` if Ubuntu or False | Pinentry mode. Set to loopback on Ubuntu and False (off) for all other platforms. |
| `batch` | [true, false] | true | Turn batch mode on or off when genrating keys |
| `keyserver` | String | | Keyserver to use when importing keys |

## Actions

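Review bot: the new `keyserver` row says "Keyserver to use when importing keys" while the property in resources/key.rb says "Keyserver to receive keys from"; pick one wording and use it in both places. The bigger gap is that the table does not say how the properties interact: when `keyserver` is set, `:import` ignores `key_file` and runs `--recv-keys` for each entry in `key_fingerprint`, so `key_fingerprint` is effectively required in that mode and `key_file` is effectively ignored. Worth stating that, plus two caveats a caller needs: the value is handed to gpg verbatim, so give a scheme (for example `hkps://keyserver.ubuntu.com`) rather than a bare hostname if an authenticated transport is wanted, and pass full 40-hex fingerprints rather than short key IDs, because `--recv-keys` with a short or long ID will import whatever key the server returns for that ID. The `key_fingerprint` row also drops the `:delete` reference; fine if intended, but the property description in key.rb still has it. The pre-existing typo `genrating` was copied into the rewritten table and could be fixed in passing.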
2 changes: 2 additions & 0 deletions kitchen.dokken.yml
Expand Up @@ -2,6 +2,8 @@ driver:
name: dokken
privileged: true
chef_version: <%= ENV['CHEF_VERSION'] || 'current' %>
multiple_converge: 2
enforce_idempotency: true

transport: { name: dokken }
provisioner: { name: dokken }
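Review bot: `multiple_converge` and `enforce_idempotency` are Test Kitchen provisioner settings, but here they are added under `driver:` next to `name: dokken`; as far as I know the driver does not read them, so the second converge will never run and the idempotency check this commit is relying on is not actually in effect. Move them into the provisioner block, e.g. `provisioner: { name: dokken, multiple_converge: 2, enforce_idempotency: true }`, and confirm with a kitchen run that the second converge reports no updated resources.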
10 changes: 7 additions & 3 deletions libraries/helpers.rb
Expand Up @@ -2,10 +2,15 @@ module Gpg
module Helpers
include Chef::Mixin::ShellOut

def key_exists(new_resource)
def key_exists(new_resource, key = nil)
gpg_check = gpg_cmd
gpg_check << gpg_opts if new_resource.override_default_keyring
gpg_check << "--list-keys | grep '#{new_resource.name_real}'"

gpg_check << if new_resource.keyserver
"--list-keys #{key}"
else
"--list-keys | grep #{new_resource.name_real}"
end

cmd = Mixlib::ShellOut.new(
gpg_check,
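Review bot: three problems in the rewritten `key_exists`. First, the old check quoted the name (`grep '#{new_resource.name_real}'`) and the new `else` branch does not; the default `name_real` is `Chef Generated Default (#{batch_name})`, which contains spaces and parentheses, so the unquoted form is a shell syntax error, the check fails every time, and `:generate`/`:import` re-run on every converge. Restore the quotes or, better, wrap with `Shellwords.escape`. Second, `key` is interpolated straight into a command run as `new_resource.user` (default `root`); `key_fingerprint` is caller-supplied with no validation, so anything shell-significant in it becomes part of the command. Escape it here and validate it as hex on the property. Third, the branch is chosen on `new_resource.keyserver`, not on whether a `key` was passed; the `:generate` action still calls `key_exists(new_resource)` with no key, so with `keyserver` set the command degrades to a bare `gpg --list-keys`, which exits 0 whenever any key is in the keyring and wrongly reports the key as present. Branch on `key` instead.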
Expand All @@ -14,7 +19,6 @@ def key_exists(new_resource)
)

cmd.run_command

cmd.exitstatus == 0
end

26 changes: 20 additions & 6 deletions resources/key.rb
Expand Up @@ -61,7 +61,7 @@
property :key_file, String,
description: 'Keyfile name'

property :key_fingerprint, String,
property :key_fingerprint, [String, Array],
description: 'Key finger print. Used to identify when deleting keys using the :delete action'

# Only Ubuntu > 16.04 supports the pinetree_mode. And requires it
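Review bot: the type widens to `[String, Array]` but the description still says the property is only used by `:delete`; it is now also the list of keys fetched by `:import`, so update the description (and keep it in step with documentation/resource/key.md). A validation such as `callbacks: { 'must be 40-hex fingerprints' => ->(v) { Array(v).all? { |k| k.to_s.match?(/\A[0-9A-Fa-f]{40}\z/) } } }` would reject short key IDs, which `--recv-keys` resolves to whatever the server returns, and would also close the shell-interpolation path in `key_exists` and the import command. Also check whether the `:delete` action, not shown in this diff, copes with receiving an Array now that the property admits one.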
Expand All @@ -73,6 +73,9 @@
default: true,
description: 'Turn batch mode on or off when genrating keys'

property :keyserver, String,
description: 'Keyserver to receive keys from'

action :generate do
unless key_exists(new_resource)

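Review bot: `property :keyserver, String` accepts any string and is interpolated unescaped into `--keyserver #{new_resource.keyserver}` in the `:import` action. A `regex:` restricting it to a URI, e.g. `%r{\A(hkps?|ldaps?)://[A-Za-z0-9.-]+(:\d+)?\z}`, would validate the input and document that a scheme is expected; if bare hostnames are meant to be allowed, say so in the description and still escape the value when building the command. The description here also differs from the one added to documentation/resource/key.md in the same commit.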
Expand Down Expand Up @@ -126,11 +129,22 @@
end

action :import do
execute 'gpg2: import key' do
command "#{gpg_cmd} --import #{new_resource.key_file}"
user new_resource.user
group new_resource.group
not_if { key_exists(new_resource) }
Array(new_resource.key_fingerprint).each do |key|
# If a keyserver is specified, use that to import the key
if new_resource.keyserver
cmd = "#{gpg_cmd} --keyserver #{new_resource.keyserver} --recv-keys #{key}"
title = "Receive Key #{key}"
else
cmd = "#{gpg_cmd} --import #{new_resource.key_file}"
title = "Import Key from #{new_resource.key_file}"
end

execute "gpg2: #{title}" do
command cmd
user new_resource.user
group new_resource.group
not_if { key_exists(new_resource, key) }
end
end
end

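Review bot: this regresses the existing `key_file` path. `Array(new_resource.key_fingerprint)` is `[]` when `key_fingerprint` is unset, so a resource that only sets `key_file` (the previous contract of `:import`) now loops zero times and imports nothing, with no error. Either iterate only in the keyserver case, e.g. `keys = new_resource.keyserver ? Array(new_resource.key_fingerprint) : [nil]`, or require `key_fingerprint` when `keyserver` is set and keep the old single `execute` otherwise. Two smaller points: in the `else` branch `key` is passed to `key_exists`, which ignores it there and checks `name_real`, so the guard has nothing to do with the key the resource is nominally importing; and `--recv-keys #{key}` should only ever receive a full fingerprint, since gpg imports whatever the server returns for a short or long key ID, so validating `key_fingerprint` as 40 hex characters before building the command is the cheap way to pin what ends up trusted, and it removes the shell-interpolation risk at the same time.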
7 changes: 7 additions & 0 deletions test/fixtures/cookbooks/test/recipes/default.rb
Expand Up @@ -54,5 +54,12 @@
action :import
end

# Importing the specified key
gpg_key 'Import Ubuntu Key' do
keyserver 'keyserver.ubuntu.com'
key_fingerprint %w(409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB)
action :import
end

# Dummy key for deleting
include_recipe 'test::dummy_key'
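Review bot: this fixture makes the kitchen suite depend on a live fetch from keyserver.ubuntu.com, and once idempotency enforcement is active the second converge is only clean if both keys were actually received on the first, so transient keyserver or network trouble will show up as a cookbook test failure. Consider a local keyserver in the dokken run, or at least isolate this example in its own suite so it can be skipped offline. Minor: the comment says "the specified key" but two fingerprints are given, and the keyserver is a bare hostname, so the scheme-qualified form (`hkps://keyserver.ubuntu.com`) that production callers should use is never exercised; covering both forms would catch quoting or parsing mistakes in the command built in `:import`.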

0 comments on commit a295908

Please sign in to comment.