source-git / cloud-init

Clone
Source Code
GIT

Blame cloudinit/gpg.py

c8 c8s master
  1.   c8
  2.   cloudinit
  3.   gpg.py
Blob History Raw
Packit bc9a3a 
# Copyright (C) 2016 Canonical Ltd.
Packit bc9a3a 
#
Packit bc9a3a 
# Author: Scott Moser <scott.moser@canonical.com>
Packit bc9a3a 
# Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Packit bc9a3a 
#
Packit bc9a3a 
# This file is part of cloud-init. See LICENSE file for license information.
Packit bc9a3a
Packit bc9a3a 
"""gpg.py - Collection of gpg key related functions"""
Packit bc9a3a
Packit bc9a3a 
from cloudinit import log as logging
Packit bc9a3a 
from cloudinit import util
Packit bc9a3a
Packit bc9a3a 
import time
Packit bc9a3a
Packit bc9a3a 
LOG = logging.getLogger(__name__)
Packit bc9a3a
Packit bc9a3a
Packit bc9a3a 
def export_armour(key):
Packit bc9a3a 
    """Export gpg key, armoured key gets returned"""
Packit bc9a3a 
    try:
Packit bc9a3a 
        (armour, _) = util.subp(["gpg", "--export", "--armour", key],
Packit bc9a3a 
                                capture=True)
Packit bc9a3a 
    except util.ProcessExecutionError as error:
Packit bc9a3a 
        # debug, since it happens for any key not on the system initially
Packit bc9a3a 
        LOG.debug('Failed to export armoured key "%s": %s', key, error)
Packit bc9a3a 
        armour = None
Packit bc9a3a 
    return armour
Packit bc9a3a
Packit bc9a3a
Packit bc9a3a 
def recv_key(key, keyserver, retries=(1, 1)):
Packit bc9a3a 
    """Receive gpg key from the specified keyserver.
Packit bc9a3a
Packit bc9a3a 
    Retries are done by default because keyservers can be unreliable.
Packit bc9a3a 
    Additionally, there is no way to determine the difference between
Packit bc9a3a 
    a non-existant key and a failure.  In both cases gpg (at least 2.2.4)
Packit bc9a3a 
    exits with status 2 and stderr: "keyserver receive failed: No data"
Packit bc9a3a 
    It is assumed that a key provided to cloud-init exists on the keyserver
Packit bc9a3a 
    so re-trying makes better sense than failing.
Packit bc9a3a
Packit bc9a3a 
    @param key: a string key fingerprint (as passed to gpg --recv-keys).
Packit bc9a3a 
    @param keyserver: the keyserver to request keys from.
Packit bc9a3a 
    @param retries: an iterable of sleep lengths for retries.
Packit bc9a3a 
                    Use None to indicate no retries."""
Packit bc9a3a 
    LOG.debug("Importing key '%s' from keyserver '%s'", key, keyserver)
Packit bc9a3a 
    cmd = ["gpg", "--keyserver=%s" % keyserver, "--recv-keys", key]
Packit bc9a3a 
    if retries is None:
Packit bc9a3a 
        retries = []
Packit bc9a3a 
    trynum = 0
Packit bc9a3a 
    error = None
Packit bc9a3a 
    sleeps = iter(retries)
Packit bc9a3a 
    while True:
Packit bc9a3a 
        trynum += 1
Packit bc9a3a 
        try:
Packit bc9a3a 
            util.subp(cmd, capture=True)
Packit bc9a3a 
            LOG.debug("Imported key '%s' from keyserver '%s' on try %d",
Packit bc9a3a 
                      key, keyserver, trynum)
Packit bc9a3a 
            return
Packit bc9a3a 
        except util.ProcessExecutionError as e:
Packit bc9a3a 
            error = e
Packit bc9a3a 
        try:
Packit bc9a3a 
            naplen = next(sleeps)
Packit bc9a3a 
            LOG.debug(
Packit bc9a3a 
                "Import failed with exit code %d, will try again in %ss",
Packit bc9a3a 
                error.exit_code, naplen)
Packit bc9a3a 
            time.sleep(naplen)
Packit bc9a3a 
        except StopIteration:
Packit bc9a3a 
            raise ValueError(
Packit bc9a3a 
                ("Failed to import key '%s' from keyserver '%s' "
Packit bc9a3a 
                 "after %d tries: %s") % (key, keyserver, trynum, error))
Packit bc9a3a
Packit bc9a3a
Packit bc9a3a 
def delete_key(key):
Packit bc9a3a 
    """Delete the specified key from the local gpg ring"""
Packit bc9a3a 
    try:
Packit bc9a3a 
        util.subp(["gpg", "--batch", "--yes", "--delete-keys", key],
Packit bc9a3a 
                  capture=True)
Packit bc9a3a 
    except util.ProcessExecutionError as error:
Packit bc9a3a 
        LOG.warning('Failed delete key "%s": %s', key, error)
Packit bc9a3a
Packit bc9a3a
Packit bc9a3a 
def getkeybyid(keyid, keyserver='keyserver.ubuntu.com'):
Packit bc9a3a 
    """get gpg keyid from keyserver"""
Packit bc9a3a 
    armour = export_armour(keyid)
Packit bc9a3a 
    if not armour:
Packit bc9a3a 
        try:
Packit bc9a3a 
            recv_key(keyid, keyserver=keyserver)
Packit bc9a3a 
            armour = export_armour(keyid)
Packit bc9a3a 
        except ValueError:
Packit bc9a3a 
            LOG.exception('Failed to obtain gpg key %s', keyid)
Packit bc9a3a 
            raise
Packit bc9a3a 
        finally:
Packit bc9a3a 
            # delete just imported key to leave environment as it was before
Packit bc9a3a 
            delete_key(keyid)
Packit bc9a3a
Packit bc9a3a 
    return armour
Packit bc9a3a
Packit bc9a3a 
# vi: ts=4 expandtab

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation