NRPE Charm

Merge ~xavpaice/charm-nrpe:lp1712977 into ~nrpe-charmers/charm-nrpe:master

  1. Git
  2. lp:~xavpaice/charm-nrpe
  3. lp1712977
  4. Merge into master
Proposed by Xav Paice
Status: Merged
Approved by: James Hebden
Approved revision: 4b841891743e1be7d6c009b237e4f9a58c736f60
Merge reported by: Stuart Bishop
Merged at revision: 4b841891743e1be7d6c009b237e4f9a58c736f60
Proposed branch: ~xavpaice/charm-nrpe:lp1712977
Merge into: ~nrpe-charmers/charm-nrpe:master
Diff against target: 107 lines (+42/-23)
2 files modified
hooks/charmhelpers/core/hookenv.py (+6/-1)
hooks/charmhelpers/fetch/ubuntu.py (+36/-22)
Reviewer Review Type Date Requested Status
James Hebden (community) Approve
Review via email: mp+329767@code.launchpad.net
To post a comment you must log in.
Revision history for this message
James Hebden (ec0) wrote :

LGTM, thanks

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/hooks/charmhelpers/core/hookenv.py b/hooks/charmhelpers/core/hookenv.py
2index 12f37b2..899722f 100644
3--- a/hooks/charmhelpers/core/hookenv.py
4+++ b/hooks/charmhelpers/core/hookenv.py
5@@ -218,6 +218,8 @@ def principal_unit():
6 for rid in relation_ids(reltype):
7 for unit in related_units(rid):
8 md = _metadata_unit(unit)
9+ if not md:
10+ continue
11 subordinate = md.pop('subordinate', None)
12 if not subordinate:
13 return unit
14@@ -511,7 +513,10 @@ def _metadata_unit(unit):
15 """
16 basedir = os.sep.join(charm_dir().split(os.sep)[:-2])
17 unitdir = 'unit-{}'.format(unit.replace(os.sep, '-'))
18- with open(os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')) as md:
19+ joineddir = os.path.join(basedir, unitdir, 'charm', 'metadata.yaml')
20+ if not os.path.exists(joineddir):
21+ return None
22+ with open(joineddir) as md:
23 return yaml.safe_load(md)
24
25
26diff --git a/hooks/charmhelpers/fetch/ubuntu.py b/hooks/charmhelpers/fetch/ubuntu.py
27index 545348f..40e1cb5 100644
28--- a/hooks/charmhelpers/fetch/ubuntu.py
29+++ b/hooks/charmhelpers/fetch/ubuntu.py
30@@ -27,6 +27,7 @@ from charmhelpers.core.host import (
31 from charmhelpers.core.hookenv import (
32 log,
33 DEBUG,
34+ WARNING,
35 )
36 from charmhelpers.fetch import SourceConfigError, GPGKeyError
37
38@@ -261,34 +262,47 @@ def apt_unhold(packages, fatal=False):
39 return apt_mark(packages, 'unhold', fatal=fatal)
40
41
42-def import_key(keyid):
43- """Import a key in either ASCII Armor or Radix64 format.
44+def import_key(key):
45+ """Import an ASCII Armor key.
46
47- `keyid` is either the keyid to fetch from a PGP server, or
48- the key in ASCII armor foramt.
49+ /!\ A Radix64 format keyid is also supported for backwards
50+ compatibility, but should never be used; the key retrieval
51+ mechanism is insecure and subject to man-in-the-middle attacks
52+ voiding all signature checks using that key.
53
54- :param keyid: String of key (or key id).
55+ :param keyid: The key in ASCII armor format,
56+ including BEGIN and END markers.
57 :raises: GPGKeyError if the key could not be imported
58 """
59- key = keyid.strip()
60- if (key.startswith('-----BEGIN PGP PUBLIC KEY BLOCK-----') and
61- key.endswith('-----END PGP PUBLIC KEY BLOCK-----')):
62+ key = key.strip()
63+ if '-' in key or '\n' in key:
64+ # Send everything not obviously a keyid to GPG to import, as
65+ # we trust its validation better than our own. eg. handling
66+ # comments before the key.
67 log("PGP key found (looks like ASCII Armor format)", level=DEBUG)
68- log("Importing ASCII Armor PGP key", level=DEBUG)
69- with NamedTemporaryFile() as keyfile:
70- with open(keyfile.name, 'w') as fd:
71- fd.write(key)
72- fd.write("\n")
73- cmd = ['apt-key', 'add', keyfile.name]
74- try:
75- subprocess.check_call(cmd)
76- except subprocess.CalledProcessError:
77- error = "Error importing PGP key '{}'".format(key)
78- log(error)
79- raise GPGKeyError(error)
80+ if ('-----BEGIN PGP PUBLIC KEY BLOCK-----' in key and
81+ '-----END PGP PUBLIC KEY BLOCK-----' in key):
82+ log("Importing ASCII Armor PGP key", level=DEBUG)
83+ with NamedTemporaryFile() as keyfile:
84+ with open(keyfile.name, 'w') as fd:
85+ fd.write(key)
86+ fd.write("\n")
87+ cmd = ['apt-key', 'add', keyfile.name]
88+ try:
89+ subprocess.check_call(cmd)
90+ except subprocess.CalledProcessError:
91+ error = "Error importing PGP key '{}'".format(key)
92+ log(error)
93+ raise GPGKeyError(error)
94+ else:
95+ raise GPGKeyError("ASCII armor markers missing from GPG key")
96 else:
97- log("PGP key found (looks like Radix64 format)", level=DEBUG)
98- log("Importing PGP key from keyserver", level=DEBUG)
99+ # We should only send things obviously not a keyid offsite
100+ # via this unsecured protocol, as it may be a secret or part
101+ # of one.
102+ log("PGP key found (looks like Radix64 format)", level=WARNING)
103+ log("INSECURLY importing PGP key from keyserver; "
104+ "full key not provided.", level=WARNING)
105 cmd = ['apt-key', 'adv', '--keyserver',
106 'hkp://keyserver.ubuntu.com:80', '--recv-keys', key]
107 try:

Subscribers

People subscribed via source and target branches