zuul/zuul-jobs
Code Issues Proposed changes

encrypt-file: always import expiring keys

Browse Source 
If a key is in our existing keyring has an expiry date (or, has
expired), always import the provided value again as it may be
refreshing the value.

Add an expiring key to test the matching; although on an ephemeral
node we're importing always anyway.

Also update the file test to a stat -- this is better than a weird
error from gpg later.

Change-Id: I8e7bc38c68c224795630b90a1b989098a7661491
This commit is contained in:
Ian Wienand 2022-02-18 17:27:11 +11:00
parent ad7093c17b
commit f2cfa6c356
3 changed files with 66 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
roles/encrypt-file/tasks/import-key.yaml
View File

@ -1,3 +1,5 @@
# On a static node, this saves us having to re-import the key
# constantly
- name: Check for existing key
command: |
gpg --list-keys {{ zj_encrypt_file.key_id }}
@ -5,8 +7,18 @@
# A found key returns 0, a missing key returns 2
failed_when: _key_exists.rc != 0 and _key_exists.rc != 2
# If the key may expire, we need to always import it because we can't
# be sure if the key hasn't changed to have a new expiration date.
# GPG outputs this in a string:
# [expires: YYYY-DD-MM] or [expired: YYYY-DD-MM]
- name: Check for expiry string
set_fact:
_key_has_expiry: "{{ _key_exists.stdout | regex_search(regexp) }}"
vars:
regexp: '\[expire[sd]: '
- name: Install key
when: _key_exists.rc != 0
when: _key_exists.rc != 0 or _key_has_expiry != ''
block:
- name: Create temporary keyfile
tempfile:

9
roles/encrypt-file/tasks/main.yaml
View File

@ -1,7 +1,12 @@
- name: Stat input file
stat:
path: '{{ encrypt_file }}'
register: _stat_result
- name: Validate input file
fail:
msg: 'Must define "encrypt_file"'
when: encrypt_file is undefined
msg: '{{ encrypt_file }} : file does not exist'
when: not _stat_result.stat.exists
- name: Ensure gpg2 installed
package:

53
test-playbooks/encrypt-file.yaml
View File

@ -65,6 +65,27 @@
=CRYD
-----END PGP PUBLIC KEY BLOCK-----
# NOTE(ianw): This key expires 2106-01-01 which is the
# maximum I seem to be able to convince gpg to do ATM.
# Someone else will have to regenerate it then because I am
# not likely to be available to do it.
- name: 'zuul-jobs-test-4'
key_id: '4A8C7A2A7E55816E'
gpg_asc: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYg9K5BYJKwYBBAHaRw8BAQdAIIezhOWTs9ggMpfePn/6B5sNY5/Bn9CguDcy
gKrjoIC0EHp1dWwtam9icy10ZXN0LTSImgQTFgoAQhYhBJZPfDNqTyma/Ekg0kqM
eip+VYFuBQJiD0rkAhsDBQmdv6CsBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIX
gAAKCRBKjHoqflWBbnOPAP9kJgpMbHh83haH7o+O1jJTbsW9XVX7Aq196ZbEiUhx
5QD9FFfKnDQ7q8XX6rOK6joLG9Cq8pX5q6tSouqygKKicQm4OARiD0rkEgorBgEE
AZdVAQUBAQdAJ2oXpzmh5vUKhWr7PCT6y4nhIcs9bdnKFiIWfEinGVMDAQgHiHgE
GBYKACAWIQSWT3wzak8pmvxJINJKjHoqflWBbgUCYg9K5AIbDAAKCRBKjHoqflWB
btm1AQC+lvLW8iLbsKde5cqHlGAKgY7KPi5BKxSCzwdRuX3qGAEAvFKGNoEjmUzF
7SUjadUXXizJoeJ9feocDzfBiaH53w8=
=XCeq
-----END PGP PUBLIC KEY BLOCK-----
- name: Encrypt file
include_role:
name: encrypt-file
@ -73,12 +94,7 @@
encrypt_file_recipients:
- zuul-jobs-test-2
- zuul-jobs-test-3
- name: Remove temporary file
file:
path: '{{ _tempfile.path }}'
state: absent
when: _tempfile.path is defined
- zuul-jobs-test-4
- name: Check output file
stat:
@ -107,8 +123,31 @@
- "'zuul-jobs-test-1' not in _gpg_output.stdout"
- "'zuul-jobs-test-2' in _gpg_output.stdout"
- "'zuul-jobs-test-3' in _gpg_output.stdout"
- "'zuul-jobs-test-4' in _gpg_output.stdout"
- name: Remove output file
- name: Remove encrypted output file
file:
path: '{{ _tempfile.path }}.gpg'
state: absent
# Do it again to exercise already imported keys path
- name: Encrypt file
include_role:
name: encrypt-file
vars:
encrypt_file: '{{ _tempfile.path }}'
encrypt_file_recipients:
- zuul-jobs-test-2
- zuul-jobs-test-3
- zuul-jobs-test-4
- name: Remove temporary file
file:
path: '{{ _tempfile.path }}'
state: absent
when: _tempfile.path is defined
- name: Remove encrypted output file
file:
path: '{{ _tempfile.path }}.gpg'
state: absent