Make sure _decrypt_key output file is not also the input.

Fixed bug which would cause the key file to be truncated, if you pass the same input and output files to gpg.
2025-04-16 17:50:20 +00:00 · 2022-08-28 12:30:32 -07:00 · 2022-08-28 12:30:32 -07:00 · 692b2624cc
commit 692b2624cc
parent a36bdf14b9
3 changed files with 50 additions and 12 deletions
--- a/salt/modules/aptpkg.py
+++ b/salt/modules/aptpkg.py
@ -2297,13 +2297,11 @@ def _decrypt_key(key):
                        key,
                    )
                    return False
-                encrypted_key = key
-                if not pathlib.Path(key).suffix:
-                    encrypted_key = key + ".gpg"
-                cmd = ["gpg", "--yes", "--output", encrypted_key, "--dearmor", key]
+                decrypted_key = str(key) + ".decrypted"
+                cmd = ["gpg", "--yes", "--output", decrypted_key, "--dearmor", key]
                if not __salt__["cmd.run_all"](cmd)["retcode"] == 0:
                    log.error("Failed to decrypt the key %s", key)
-                return encrypted_key
+                return decrypted_key
    except UnicodeDecodeError:
        log.debug("Key is not ASCII Armored. Do not need to decrypt")
    return key
@ -2393,7 +2391,11 @@ def add_repo_key(
            if not key:
                return False
            key = pathlib.Path(str(key))
-            shutil.copyfile(key, keydir / key.name)
+            if not keyfile:
+                keyfile = key.name
+                if keyfile.endswith(".decrypted"):
+                    keyfile = keyfile[:-10]
+            shutil.copyfile(key, keydir / keyfile)
            return True
        else:
            cmd.extend(["add", cached_source_path])
--- a/tests/pytests/functional/files/SALTSTACK-GPG-KEY.pub
+++ b/tests/pytests/functional/files/SALTSTACK-GPG-KEY.pub
@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9
+m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW
+tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw
+WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts
+kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA
+gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr
+YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT
+qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q
+WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1
+yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o
+nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU
+4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA
+/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q
+9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb
+9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx
+uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ
+zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr
+GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E
+PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ
+AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK
+WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4
+vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f
+T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N
+1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx
+fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS
+MA==
+=dtMN
+-----END PGP PUBLIC KEY BLOCK-----
--- a/tests/pytests/functional/modules/test_aptpkg.py
+++ b/tests/pytests/functional/modules/test_aptpkg.py
@ -35,13 +35,13 @@ class Key:


@pytest.fixture
-def get_key_file(state_tree, functional_files_dir):
+def get_key_file(request, state_tree, functional_files_dir):
    """
-    Create the key file used for the repo
+    Create the key file used for the repo by file name passed to the test
    """
-    key = Key()
-    shutil.copy(str(functional_files_dir / key.keyname), str(state_tree))
-    yield key.keyname
+    keyname = request.param
+    shutil.copy(str(functional_files_dir / keyname), str(state_tree))
+    yield keyname


@pytest.fixture
@ -266,7 +266,7 @@ def test_mod_repo_no_file(tmp_path, revert_repo_file):


@pytest.fixture()
-def add_key(request, get_key_file):
+def add_key(request):
    """ """
    key = Key(request.param)
    key.add_key()
@ -301,11 +301,15 @@ def test_get_repo_keys_keydir_not_exist(key):
        assert ret


+@pytest.mark.parametrize(
+    "get_key_file", ["salt-archive-keyring.gpg", "SALTSTACK-GPG-KEY.pub"], indirect=True
+)
@pytest.mark.parametrize("aptkey", [False, True])
 def test_add_del_repo_key(get_key_file, aptkey):
    """
    Test both add_repo_key and del_repo_key when
    aptkey is both False and True
+    and using both binary and armored gpg keys
    """
    try:
        assert aptpkg.add_repo_key("salt://{}".format(get_key_file), aptkey=aptkey)
@ -313,6 +317,7 @@ def test_add_del_repo_key(get_key_file, aptkey):
        if not aptkey:
            assert keyfile.is_file()
            assert oct(keyfile.stat().st_mode)[-3:] == "644"
+            assert keyfile.read_bytes()
        query_key = aptpkg.get_repo_keys(aptkey=aptkey)
        assert (
            query_key["0E08A149DE57BFBE"]["uid"]