(MODULES-10831) key is expired if all subkeys are expired

Previously, subkeys were not considered at all in the determination of whether a key was expired. Now this looks at all of the subkeys, and if they are all expired, considers the whole key expired.
puppetlabs · Apr 24, 2023 · 42681d2 · 42681d2
1 parent f31900e
commit 42681d2
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 35 deletions.
diff --git a/lib/puppet/provider/apt_key/apt_key.rb b/lib/puppet/provider/apt_key/apt_key.rb
@@ -17,43 +17,37 @@
   commands   gpg: '/usr/bin/gpg'
 
   def self.instances
+    key_array = []
+
     cli_args = ['adv', '--no-tty', '--list-keys', '--with-colons', '--fingerprint', '--fixed-list-mode']
 
     key_output = apt_key(cli_args).encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
 
-    pub_line, sub_line, fpr_line = nil
-
-    key_array = key_output.split("\n").map do |line|
-      if line.start_with?('pub')
-        pub_line = line
-        # reset fpr_line, to skip any previous subkeys which were collected
-        fpr_line = nil
-        sub_line = nil
-      elsif line.start_with?('sub')
-        sub_line = line
-      elsif line.start_with?('fpr')
-        fpr_line = line
-      end
-
-      if sub_line && fpr_line
-        sub_line, fpr_line = nil
-        next
+    pub_line = nil
+    fpr_lines = []
+    sub_lines = []
+
+    lines = key_output.split("\n")
+
+    lines.each_index do |i|
+      if lines[i].start_with?('pub')
+        pub_line = lines[i]
+        # starting a new public key, so reset fpr_lines and sub_lines
+        fpr_lines = []
+        sub_lines = []
+      elsif lines[i].start_with?('fpr')
+        fpr_lines << lines[i]
+      elsif lines[i].start_with?('sub')
+        sub_lines << lines[i]
       end
 
-      next unless pub_line && fpr_line
+      next unless (pub_line && !fpr_lines.empty?) && (!lines[i + 1] || lines[i + 1].start_with?('pub'))
 
-      line_hash = key_line_hash(pub_line, fpr_line)
+      line_hash = key_line_hash(pub_line, fpr_lines)
 
-      # reset everything
-      pub_line, fpr_line = nil
+      expired = line_hash[:key_expired] || subkeys_all_expired(sub_lines)
 
-      expired = false
-
-      if line_hash[:key_expiry]
-        expired = Time.now >= line_hash[:key_expiry]
-      end
-
-      new(
+      key_array << new(
         name: line_hash[:key_fingerprint],
         id: line_hash[:key_long],
         fingerprint: line_hash[:key_fingerprint],
@@ -67,7 +61,7 @@ def self.instances
         created: line_hash[:key_created].strftime('%Y-%m-%d'),
       )
     end
-    key_array.compact!
+    key_array
   end
 
   def self.prefetch(resources)
@@ -86,9 +80,16 @@ def self.prefetch(resources)
     end
   end
 
-  def self.key_line_hash(pub_line, fpr_line)
+  def self.subkeys_all_expired(sub_lines)
+    sub_lines.each do |line|
+      return false if line.split(':')[1] == '-'
+    end
+    true
+  end
+
+  def self.key_line_hash(pub_line, fpr_lines)
     pub_split = pub_line.split(':')
-    fpr_split = fpr_line.split(':')
+    fpr_split = fpr_lines.first.split(':')
 
     fingerprint = fpr_split.last
     return_hash = {
@@ -98,6 +99,7 @@ def self.key_line_hash(pub_line, fpr_line)
       key_size: pub_split[2],
       key_type: nil,
       key_created: Time.at(pub_split[5].to_i),
+      key_expired: pub_split[1] == 'e',
       key_expiry: pub_split[6].empty? ? nil : Time.at(pub_split[6].to_i),
     }
 

diff --git a/spec/unit/puppet/provider/apt_key_spec.rb b/spec/unit/puppet/provider/apt_key_spec.rb
@@ -172,7 +172,7 @@
 
   context 'key_line_hash function' do
     it 'matches rsa' do
-      expect(described_class.key_line_hash('pub:-:1024:1:40976EAF437D05B5:1095016255:::-:::scESC:', 'fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:')).to include(
+      expect(described_class.key_line_hash('pub:-:1024:1:40976EAF437D05B5:1095016255:::-:::scESC:', ['fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:'])).to include(
         key_expiry: nil,
         key_fingerprint: '630239CC130E1A7FD81A27B140976EAF437D05B5',
         key_long: '40976EAF437D05B5',
@@ -183,7 +183,7 @@
     end
 
     it 'matches dsa' do
-      expect(described_class.key_line_hash('pub:-:1024:17:40976EAF437D05B5:1095016255:::-:::scESC:', 'fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:')).to include(
+      expect(described_class.key_line_hash('pub:-:1024:17:40976EAF437D05B5:1095016255:::-:::scESC:', ['fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:'])).to include(
         key_expiry: nil,
         key_fingerprint: '630239CC130E1A7FD81A27B140976EAF437D05B5',
         key_long: '40976EAF437D05B5',
@@ -194,7 +194,7 @@
     end
 
     it 'matches ecc' do
-      expect(described_class.key_line_hash('pub:-:1024:18:40976EAF437D05B5:1095016255:::-:::scESC:', 'fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:')).to include(
+      expect(described_class.key_line_hash('pub:-:1024:18:40976EAF437D05B5:1095016255:::-:::scESC:', ['fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:'])).to include(
         key_expiry: nil,
         key_fingerprint: '630239CC130E1A7FD81A27B140976EAF437D05B5',
         key_long: '40976EAF437D05B5',
@@ -205,7 +205,7 @@
     end
 
     it 'matches ecdsa' do
-      expect(described_class.key_line_hash('pub:-:1024:19:40976EAF437D05B5:1095016255:::-:::scESC:', 'fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:')).to include(
+      expect(described_class.key_line_hash('pub:-:1024:19:40976EAF437D05B5:1095016255:::-:::scESC:', ['fpr:::::::::630239CC130E1A7FD81A27B140976EAF437D05B5:'])).to include(
         key_expiry: nil,
         key_fingerprint: '630239CC130E1A7FD81A27B140976EAF437D05B5',
         key_long: '40976EAF437D05B5',