
fixed gpg.decrypt function #62977

Merged
merged 8 commits into from
Nov 4, 2022

Conversation

leifliddy
Contributor

What does this PR do?

gpg.decrypt now works when use_passphrase=True

What issues does this PR fix or reference?

Fixes: #62806

Previous Behavior

gpg.decrypt did not function correctly when use_passphrase=True was passed

New Behavior

gpg.decrypt now functions correctly when use_passphrase=True is passed

Merge requirements satisfied?

Commits signed with GPG?

Yes

@leifliddy leifliddy requested a review from a team as a code owner October 29, 2022 12:07
@leifliddy leifliddy requested review from MKLeb and removed request for a team October 29, 2022 12:07
@leifliddy
Contributor Author

leifliddy commented Oct 29, 2022

I'll rework the gpg.encrypt function (when use_passphrase=True) once this PR is approved #62896
so we can remove those GPG_1_3_1 checks.
Those version checks reference the unsupported (and dead) gnupg library -- and it's really confusing trying to code around that
especially considering that the salt gpg unit tests don't support the gnupg library.
That PR has already been approved, someone just needs to merge it.

@MKLeb
Contributor

MKLeb commented Oct 31, 2022

Hi @leifliddy, it seems like there was some discussion on the fix in #62896. If this PR depends on that one, I will ask to get more eyes on the other one to see how we want to handle it.

@leifliddy
Contributor Author

leifliddy commented Oct 31, 2022

@MKLeb Cool, thanks! It seems to be a bit of a divisive topic. If Gareth wants to "follow our normal deprecation path" I'd just like some clarification on what that means. There's no salt documentation that lists gnupg as a supported library, so I'm not sure how to deprecate something that's not supported. Could you please see what you can do?

@MKLeb
Contributor

MKLeb commented Nov 1, 2022

@leifliddy The GPG version check PR has been merged... were you planning on adding the encryption changes to this PR or a separate one?

@leifliddy
Contributor Author

I can do it on this one. I just need a day or so to rebase the current changes and to add the encryption changes.

1. don't query pillar for passphrase when we're not signing a message
2. allow a text message to be encrypted, signed and written to disk
3. removed gpg_passphrase dict line
@leifliddy leifliddy reopened this Nov 2, 2022
@leifliddy
Contributor Author

leifliddy commented Nov 2, 2022

I realize that this PR is all over the place. It's technically resolving an issue with the decrypt and encrypt functions. But it also introduces the new argument always_trust.
Without always_trust, gpg.encrypt will not encrypt a message with a key that's not ultimately trusted without prompting the user. So it's not possible to automate that without always_trust=True or by trusting the key via the trust_key function.
So I needed always_trust in order for the unit test to complete. Plus, it's a useful argument to have anyway.

I couldn't for the life of me develop a unit test that ran through the trust_key function -- which uses cmd.run_all to run gpg to trust a key:

    res = __salt__["cmd.run_all"](cmd, stdin=stdin, runas=_user, python_shell=False)

I just didn't know how to mock that -- in any case it's probably better testing-wise to isolate functions as much as possible (in the unit tests) to avoid the need for dependent functions.

On another note, I don't see why we can't just use the trust_keys function from the python-gnupg module
https://github.com/vsajip/python-gnupg/blob/master/gnupg.py
That function exists for a reason ; )

That would provide the added functionality of being able to process multiple keys at once while not relying on cmd.run_all to do that.
I'll save that for a future update though...

Anyways, let me know what you think...
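One way to isolate a function like trust_key in a unit test without running gpg, as an added example that is not code from the Salt repository: a simplified stand-in for trust_key calls `__salt__["cmd.run_all"]`, and the test swaps that entry for a MagicMock with `patch.dict`, then asserts on the command, stdin and `python_shell=False` that were actually passed. The `--import-ownertrust` command line and the trust-level mapping are assumptions about Salt's implementation, and the fingerprint is a constructed placeholder.

```python
from unittest.mock import MagicMock, patch

# Stand-in for the dunder the Salt loader injects into execution modules
# (constructed for this example; empty until the test patches it).
__salt__ = {}

# Assumed mapping of Salt trust names to the ownertrust values gpg reads
# from stdin with --import-ownertrust.
_TRUST_LEVELS = {"expired": 1, "unknown": 2, "not_trusted": 3,
                 "marginally": 4, "fully": 5, "ultimately": 6}


def trust_key(fingerprint, trust_level, user=None):
    """Simplified stand-in for gpg.trust_key: validate input, then shell out
    through cmd.run_all with python_shell=False so no shell parses the args."""
    if trust_level not in _TRUST_LEVELS:
        return {"res": False, "message": "Invalid trust level"}
    cmd = ["gpg", "--import-ownertrust"]
    stdin = "{}:{}\n".format(fingerprint, _TRUST_LEVELS[trust_level])
    res = __salt__["cmd.run_all"](cmd, stdin=stdin, runas=user, python_shell=False)
    if res["retcode"] != 0:
        return {"res": False, "message": res["stderr"]}
    return {"res": True, "message": "Setting ownership trust to {}".format(trust_level)}


def run_with_mock(fingerprint, trust_level, retcode=0, stderr=""):
    """Run trust_key with cmd.run_all replaced by a MagicMock that returns a
    canned result dict; return the function result and what the mock got."""
    mock = MagicMock(return_value={"retcode": retcode, "stdout": "", "stderr": stderr})
    with patch.dict(__salt__, {"cmd.run_all": mock}):
        result = trust_key(fingerprint, trust_level)
    args, kwargs = mock.call_args
    return result, args[0], kwargs


if __name__ == "__main__":
    # "DEADBEEF" is a constructed placeholder, not a real key fingerprint.
    print(run_with_mock("DEADBEEF", "ultimately"))
```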

MKLeb
MKLeb previously approved these changes Nov 2, 2022
twangboy
twangboy previously approved these changes Nov 2, 2022
whytewolf
whytewolf previously approved these changes Nov 2, 2022
dmurphy18
dmurphy18 previously approved these changes Nov 2, 2022
If output=None, then key will be outputted to stdout
@leifliddy
Contributor Author

leifliddy commented Nov 3, 2022

I see that four people had already approved this...and so I really hate to do this, but I needed to make one last change.

    if output:
        result = gpg.encrypt_file(
            _fp,
            recipients,
            passphrase=gpg_passphrase,
            sign=sign,
            always_trust=always_trust,
        )

There's no need to do a conditional check on output here. If output=None then it's ignored by gpg.encrypt.
I just happened to miss that. We just need this:

    elif filename:
        with salt.utils.files.flopen(filename, "rb") as _fp:
            result = gpg.encrypt_file(
                _fp,
                recipients,
                sign=sign,
                passphrase=gpg_passphrase,
                always_trust=always_trust,
                output=output,
            )

@Ch3LL
Contributor

Ch3LL commented Nov 3, 2022

No worries. We will wait to re-review after you push your changes.

@Ch3LL Ch3LL added the Sulfur v3006.0 release code name and version label Nov 3, 2022
@leifliddy
Contributor Author

Thanks. The change has already been pushed.

@Ch3LL
Contributor

Ch3LL commented Nov 3, 2022

Oh I see, the commit was before your comment. Thanks, I'll review right now.


@Ch3LL Ch3LL left a comment


Just a minor request

salt/modules/gpg.py Show resolved Hide resolved
@Ch3LL Ch3LL merged commit 76d47e7 into saltstack:master Nov 4, 2022
@leifliddy leifliddy deleted the gpg_decrypt branch November 12, 2022 15:21
Successfully merging this pull request may close these issues.

[BUG] gpg.decrypt not working when use_passphrase=True