Fix keyring restore_ownership, cleanup

2025-04-17 10:10:20 +00:00 · 2022-12-05 14:25:29 +01:00 · 2022-12-05 14:25:29 +01:00 · 68c033dffe
commit 68c033dffe
parent 77da0dbf16
1 changed files with 26 additions and 30 deletions
--- a/salt/modules/gpg.py
+++ b/salt/modules/gpg.py
@ -156,10 +156,8 @@ def _restore_ownership(func):
        Wrap gpg function calls to fix permissions
        """
        user = kwargs.get("user")
-        gnupghome = kwargs.get("gnupghome")
-
-        if not gnupghome:
-            gnupghome = _get_user_gnupghome(user)
+        gnupghome = kwargs.get("gnupghome", _get_user_gnupghome(user))
+        keyring = kwargs.get("keyring")

        userinfo = _get_user_info(user)
        run_user = _get_user_info()
@ -172,10 +170,10 @@ def _restore_ownership(func):
                group = __salt__["file.gid_to_group"](run_user["gid"])
                for path in [gnupghome] + __salt__["file.find"](gnupghome):
                    __salt__["file.chown"](path, run_user["name"], group)
-            if "keyring" in kwargs and os.path.exists(kwargs["keyring"]):
+            if keyring and os.path.exists(keyring):
                if group is None:
                    group = __salt__["file.gid_to_group"](run_user["gid"])
-                __salt__["file.chown"](path, run_user["name"], group)
+                __salt__["file.chown"](keyring, run_user["name"], group)

        # Filter special kwargs
        for key in list(kwargs):
@ -188,8 +186,8 @@ def _restore_ownership(func):
            group = __salt__["file.gid_to_group"](userinfo["gid"])
            for path in [gnupghome] + __salt__["file.find"](gnupghome):
                __salt__["file.chown"](path, user, group)
-            if "keyring" in kwargs and os.path.exists(kwargs["keyring"]):
-                __salt__["file.chown"](path, user, group)
+            if keyring and os.path.exists(keyring):
+                __salt__["file.chown"](keyring, user, group)
        return ret

    return func_wrapper
@ -966,9 +964,7 @@ def export_key(
    if result:
        if not bare:
            if output:
-                ret["comment"] = "Exported key data has been written to {}".format(
-                    output
-                )
+                ret["comment"] = f"Exported key data has been written to {output}"
            else:
                ret["comment"] = result
        else:
@ -1114,20 +1110,24 @@ def trust_key(
            "ERROR: Valid trust levels - {}".format(",".join(NUM_TRUST_DICT.keys()))
        )

-    if not fingerprint:
-        key = get_key(keyid, user=user, gnupghome=gnupghome, keyring=keyring)
-        if key:
-            if "fingerprint" not in key:
-                ret["res"] = False
-                ret["message"] = f"Fingerprint not found for keyid {keyid}"
-                return ret
-            fingerprint = key["fingerprint"]
-        else:
-            ret["res"] = False
-            ret["message"] = f"KeyID {keyid} not in GPG keychain"
-            return ret
-
+    key = get_key(
+        keyid=keyid,
+        fingerprint=fingerprint,
+        user=user,
+        gnupghome=gnupghome,
+        keyring=keyring,
+    )
+    if not key:
+        ret["res"] = False
+        ret["message"] = f"KeyID {keyid} not in GPG keychain"
+        return ret
+    if not fingerprint and "fingerprint" not in key:
+        ret["res"] = False
+        ret["message"] = f"Fingerprint not found for keyid {keyid}"
+        return ret
+    fingerprint = fingerprint or key["fingerprint"]
    gpg = _create_gpg(user=user, gnupghome=gnupghome, keyring=keyring)
+
    try:
        res = gpg.trust_keys(fingerprint, TRUST_KEYS_TRUST_LEVELS[trust_level])
    except AttributeError:
@ -1573,9 +1573,7 @@ def encrypt(
    else:
        if not bare:
            ret["res"] = False
-            ret["comment"] = "{}.\nPlease check the salt-minion log.".format(
-                result.status
-            )
+            ret["comment"] = f"{result.status}.\nPlease check the salt-minion log."
        else:
            ret = False

@ -1669,9 +1667,7 @@ def decrypt(
    else:
        if not bare:
            ret["res"] = False
-            ret["comment"] = "{}.\nPlease check the salt-minion log.".format(
-                result.status
-            )
+            ret["comment"] = f"{result.status}.\nPlease check the salt-minion log."
        else:
            ret = False