1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
|
# -*- coding: utf-8 -*-
# Copyright: Contributors to the Ansible project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
author: 'Ansible Core Team (@ansible)'
short_description: 'Add and remove deb822 formatted repositories'
description:
- 'Add and remove deb822 formatted repositories in Debian based distributions'
module: deb822_repository
notes:
- This module will not automatically update caches, call the apt module based
on the changed state.
options:
allow_downgrade_to_insecure:
description:
- Allow downgrading a package that was previously authenticated but
is no longer authenticated
type: bool
allow_insecure:
description:
- Allow insecure repositories
type: bool
allow_weak:
description:
- Allow repositories signed with a key using a weak digest algorithm
type: bool
architectures:
description:
- 'Architectures to search within repository'
type: list
elements: str
by_hash:
description:
- Controls if APT should try to acquire indexes via a URI constructed
from a hashsum of the expected file instead of using the well-known
stable filename of the index.
type: bool
check_date:
description:
- Controls if APT should consider the machine's time correct and hence
perform time related checks, such as verifying that a Release file
is not from the future.
type: bool
check_valid_until:
description:
- Controls if APT should try to detect replay attacks.
type: bool
components:
description:
- Components specify different sections of one distribution version
present in a Suite.
type: list
elements: str
date_max_future:
description:
- Controls how far from the future a repository may be.
type: int
enabled:
description:
- Tells APT whether the source is enabled or not.
type: bool
inrelease_path:
description:
- Determines the path to the InRelease file, relative to the normal
position of an InRelease file.
type: str
languages:
description:
- Defines which languages information such as translated
package descriptions should be downloaded.
type: list
elements: str
name:
description:
- Name of the repo. Specifically used for C(X-Repolib-Name) and in
naming the repository and signing key files.
required: true
type: str
pdiffs:
description:
- Controls if APT should try to use PDiffs to update old indexes
instead of downloading the new indexes entirely
type: bool
signed_by:
description:
- Either a URL to a GPG key, absolute path to a keyring file, one or
more fingerprints of keys either in the C(trusted.gpg) keyring or in
the keyrings in the C(trusted.gpg.d/) directory, or an ASCII armored
GPG public key block.
type: str
suites:
description:
- >-
Suite can specify an exact path in relation to the URI(s) provided,
in which case the Components: must be omitted and suite must end
with a slash C( / ). Alternatively, it may take the form of a
distribution version (e.g. a version codename like disco or artful).
If the suite does not specify a path, at least one component must
be present.
type: list
elements: str
targets:
description:
- Defines which download targets apt will try to acquire from this
source.
type: list
elements: str
trusted:
description:
- Decides if a source is considered trusted or if warnings should be
raised before e.g. packages are installed from this source.
type: bool
types:
choices:
- deb
- deb-src
default:
- deb
type: list
elements: str
description:
- Which types of packages to look for from a given source; either
binary C(deb) or source code C(deb-src)
uris:
description:
- The URIs must specify the base of the Debian distribution archive,
from which APT finds the information it needs.
type: list
elements: str
mode:
description:
- The octal mode for newly created files in sources.list.d.
type: raw
default: '0644'
state:
description:
- A source string state.
type: str
choices:
- absent
- present
default: present
requirements:
- python3-debian / python-debian
version_added: '2.15'
'''
EXAMPLES = '''
- name: Add debian repo
deb822_repository:
name: debian
types: deb
uris: http://deb.debian.org/debian
suites: stretch
components:
- main
- contrib
- non-free
- name: Add debian repo with key
deb822_repository:
name: debian
types: deb
uris: https://deb.debian.org
suites: stable
components:
- main
- contrib
- non-free
signed_by: |-
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYCQjIxYJKwYBBAHaRw8BAQdAD/P5Nvvnvk66SxBBHDbhRml9ORg1WV5CvzKY
CuMfoIS0BmFiY2RlZoiQBBMWCgA4FiEErCIG1VhKWMWo2yfAREZd5NfO31cFAmAk
IyMCGyMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQREZd5NfO31fbOwD6ArzS
dM0Dkd5h2Ujy1b6KcAaVW9FOa5UNfJ9FFBtjLQEBAJ7UyWD3dZzhvlaAwunsk7DG
3bHcln8DMpIJVXht78sL
=IE0r
-----END PGP PUBLIC KEY BLOCK-----
- name: Add repo using key from URL
deb822_repository:
name: example
types: deb
uris: https://download.example.com/linux/ubuntu
suites: '{{ ansible_distribution_release }}'
components: stable
architectures: amd64
signed_by: https://download.example.com/linux/ubuntu/gpg
'''
RETURN = '''
repo:
description: A source string for the repository
returned: always
type: str
sample: |
X-Repolib-Name: debian
Types: deb
URIs: https://deb.debian.org
Suites: stable
Components: main contrib non-free
Signed-By:
-----BEGIN PGP PUBLIC KEY BLOCK-----
.
mDMEYCQjIxYJKwYBBAHaRw8BAQdAD/P5Nvvnvk66SxBBHDbhRml9ORg1WV5CvzKY
CuMfoIS0BmFiY2RlZoiQBBMWCgA4FiEErCIG1VhKWMWo2yfAREZd5NfO31cFAmAk
IyMCGyMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQREZd5NfO31fbOwD6ArzS
dM0Dkd5h2Ujy1b6KcAaVW9FOa5UNfJ9FFBtjLQEBAJ7UyWD3dZzhvlaAwunsk7DG
3bHcln8DMpIJVXht78sL
=IE0r
-----END PGP PUBLIC KEY BLOCK-----
dest:
description: Path to the repository file
returned: always
type: str
sample: /etc/apt/sources.list.d/focal-archive.sources
key_filename:
description: Path to the signed_by key file
returned: always
type: str
sample: /etc/apt/keyrings/debian.gpg
'''
import os
import re
import tempfile
import textwrap
import traceback
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.basic import missing_required_lib
from ansible.module_utils.common.collections import is_sequence
from ansible.module_utils.common.text.converters import to_bytes
from ansible.module_utils.common.text.converters import to_native
from ansible.module_utils.six import raise_from # type: ignore[attr-defined]
from ansible.module_utils.urls import generic_urlparse
from ansible.module_utils.urls import open_url
from ansible.module_utils.urls import urlparse
HAS_DEBIAN = True
DEBIAN_IMP_ERR = None
try:
from debian.deb822 import Deb822 # type: ignore[import]
except ImportError:
HAS_DEBIAN = False
DEBIAN_IMP_ERR = traceback.format_exc()
KEYRINGS_DIR = '/etc/apt/keyrings'
def ensure_keyrings_dir(module):
changed = False
if not os.path.isdir(KEYRINGS_DIR):
if not module.check_mode:
os.mkdir(KEYRINGS_DIR, 0o755)
changed |= True
changed |= module.set_fs_attributes_if_different(
{
'path': KEYRINGS_DIR,
'secontext': [None, None, None],
'owner': 'root',
'group': 'root',
'mode': '0755',
'attributes': None,
},
changed,
)
return changed
def make_signed_by_filename(slug, ext):
return os.path.join(KEYRINGS_DIR, '%s.%s' % (slug, ext))
def make_sources_filename(slug):
return os.path.join(
'/etc/apt/sources.list.d',
'%s.sources' % slug
)
def format_bool(v):
return 'yes' if v else 'no'
def format_list(v):
return ' '.join(v)
def format_multiline(v):
return '\n' + textwrap.indent(
'\n'.join(line.strip() or '.' for line in v.strip().splitlines()),
' '
)
def format_field_name(v):
if v == 'name':
return 'X-Repolib-Name'
elif v == 'uris':
return 'URIs'
return v.replace('_', '-').title()
def is_armored(b_data):
return b'-----BEGIN PGP PUBLIC KEY BLOCK-----' in b_data
def write_signed_by_key(module, v, slug):
changed = False
if os.path.isfile(v):
return changed, v, None
b_data = None
parts = generic_urlparse(urlparse(v))
if parts.scheme:
try:
r = open_url(v)
except Exception as exc:
raise_from(RuntimeError(to_native(exc)), exc)
else:
b_data = r.read()
else:
# Not a file, nor a URL, just pass it through
return changed, None, v
if not b_data:
return changed, v, None
tmpfd, tmpfile = tempfile.mkstemp(dir=module.tmpdir)
with os.fdopen(tmpfd, 'wb') as f:
f.write(b_data)
ext = 'asc' if is_armored(b_data) else 'gpg'
filename = make_signed_by_filename(slug, ext)
src_chksum = module.sha256(tmpfile)
dest_chksum = module.sha256(filename)
if src_chksum != dest_chksum:
changed |= ensure_keyrings_dir(module)
if not module.check_mode:
module.atomic_move(tmpfile, filename)
changed |= True
changed |= module.set_mode_if_different(filename, 0o0644, False)
return changed, filename, None
def main():
module = AnsibleModule(
argument_spec={
'allow_downgrade_to_insecure': {
'type': 'bool',
},
'allow_insecure': {
'type': 'bool',
},
'allow_weak': {
'type': 'bool',
},
'architectures': {
'elements': 'str',
'type': 'list',
},
'by_hash': {
'type': 'bool',
},
'check_date': {
'type': 'bool',
},
'check_valid_until': {
'type': 'bool',
},
'components': {
'elements': 'str',
'type': 'list',
},
'date_max_future': {
'type': 'int',
},
'enabled': {
'type': 'bool',
},
'inrelease_path': {
'type': 'str',
},
'languages': {
'elements': 'str',
'type': 'list',
},
'name': {
'type': 'str',
'required': True,
},
'pdiffs': {
'type': 'bool',
},
'signed_by': {
'type': 'str',
},
'suites': {
'elements': 'str',
'type': 'list',
},
'targets': {
'elements': 'str',
'type': 'list',
},
'trusted': {
'type': 'bool',
},
'types': {
'choices': [
'deb',
'deb-src',
],
'elements': 'str',
'type': 'list',
'default': [
'deb',
]
},
'uris': {
'elements': 'str',
'type': 'list',
},
# non-deb822 args
'mode': {
'type': 'raw',
'default': '0644',
},
'state': {
'type': 'str',
'choices': [
'present',
'absent',
],
'default': 'present',
},
},
supports_check_mode=True,
)
if not HAS_DEBIAN:
module.fail_json(msg=missing_required_lib("python3-debian"),
exception=DEBIAN_IMP_ERR)
check_mode = module.check_mode
changed = False
# Make a copy, so we don't mutate module.params to avoid future issues
params = module.params.copy()
# popped non-deb822 args
mode = params.pop('mode')
state = params.pop('state')
name = params['name']
slug = re.sub(
r'[^a-z0-9-]+',
'',
re.sub(
r'[_\s]+',
'-',
name.lower(),
),
)
sources_filename = make_sources_filename(slug)
if state == 'absent':
if os.path.exists(sources_filename):
if not check_mode:
os.unlink(sources_filename)
changed |= True
for ext in ('asc', 'gpg'):
signed_by_filename = make_signed_by_filename(slug, ext)
if os.path.exists(signed_by_filename):
if not check_mode:
os.unlink(signed_by_filename)
changed = True
module.exit_json(
repo=None,
changed=changed,
dest=sources_filename,
key_filename=signed_by_filename,
)
deb822 = Deb822()
signed_by_filename = None
for key, value in params.items():
if value is None:
continue
if isinstance(value, bool):
value = format_bool(value)
elif isinstance(value, int):
value = to_native(value)
elif is_sequence(value):
value = format_list(value)
elif key == 'signed_by':
try:
key_changed, signed_by_filename, signed_by_data = write_signed_by_key(module, value, slug)
value = signed_by_filename or signed_by_data
changed |= key_changed
except RuntimeError as exc:
module.fail_json(
msg='Could not fetch signed_by key: %s' % to_native(exc)
)
if value.count('\n') > 0:
value = format_multiline(value)
deb822[format_field_name(key)] = value
repo = deb822.dump()
tmpfd, tmpfile = tempfile.mkstemp(dir=module.tmpdir)
with os.fdopen(tmpfd, 'wb') as f:
f.write(to_bytes(repo))
sources_filename = make_sources_filename(slug)
src_chksum = module.sha256(tmpfile)
dest_chksum = module.sha256(sources_filename)
if src_chksum != dest_chksum:
if not check_mode:
module.atomic_move(tmpfile, sources_filename)
changed |= True
changed |= module.set_mode_if_different(sources_filename, mode, False)
module.exit_json(
repo=repo,
changed=changed,
dest=sources_filename,
key_filename=signed_by_filename,
)
if __name__ == '__main__':
main()
|
