Merge branch 'key_from_wkd' into 'master'

support fetching initial admin key from WKD

See merge request immerda/puppet-modules/schleuder!1

README.md

@@ -132,6 +132,7 @@ This is a define, that wrapps the native type `schleuder_list`, mainly for conve
 * `ensure`: Whether list should be present or absent. Default: `present`
 * `admin`: Emailaddress of the initial administrator of a list. Must be present if lists' ensure is set to `present`.
 * `admin_publickey`: A source of a public key of the lists' admin. Used to subscribe the admin properly. Can be a string containing the armored public key, a full `puppet://` or local path. If not set, puppet will try to fetch it from `puppet:///${schleuder::adminkeys_path}/${admin}.pub`.
+* `admin_publickey_from_wkd`: If this boolean is true and the `admin_publickey` is missing, try to fetch the admin's public key from WKD. In this case the admin keyfile will not be managed by puppet once the list was created. The client is resposible to ensure that the key exists in WKD, otherwise creation will fail.
 
 ### schleuder_list
 
@@ -145,6 +146,7 @@ It is possible to purge all unmanaged schleuder lists using puppet's [resources-
 * `ensure`: `present` or `absent`. Default: `present`
 * `admin`: The initial adminaddress of a list. Won't be enforced, once the list is created.
 * `admin_publickey`: A local path to a file containing an armored public key of the `admin`.
+* `admin_publickey_from_wkd`: If this boolean is true and the `admin_publickey` is missing, try to fetch the admin's public key from WKD.
 
 ### Facts
 

lib/puppet/provider/schleuder_list/base.rb

 require 'puppet/provider/parsedfile'
 
+require 'base32'
+require 'uri'
+require 'net/http'
+require 'tempfile'
+
 Puppet::Type.type(:schleuder_list).provide(:base) do
   has_command(:cli, '/usr/bin/schleuder-cli') do
     environment({ 'HOME' => ENV['HOME'] })
@@ -35,6 +40,14 @@ Puppet::Type.type(:schleuder_list).provide(:base) do
     end
     if val = @resource[:admin_publickey]
       args << val
+    elsif @resource[:admin_publickey_from_wkd]
+      if key = wkd_fetch(@resource[:admin])
+        file = Tempfile.new
+        File.write(file, key)
+        args << file.path
+      else
+        raise ArgumentError, "Public key of the admin is not published in WKD"
+      end
     else
       raise ArgumentError, "Schleuder lists require a public key of the admin"
     end
@@ -78,5 +91,23 @@ Puppet::Type.type(:schleuder_list).provide(:base) do
     end
     nil
   end
+
+  def wkd_fetch(email)
+    local, domain = email.split('@', 2)
+    wkd_fetch2("openpgpkey.#{domain}", "#{domain}/", local) || \
+      wkd_fetch2(domain, "", local)
+  end
+  def wkd_hash(string)
+    # Table for z-base-32 encoding.
+    Base32.table = "ybndrfg8ejkmcpqxot1uwisza345h769"
+    Base32.encode(Digest::SHA1.digest(string.downcase))
+  end
+  def wkd_fetch2(wkd_domain, domain, local)
+    uri = URI::HTTPS.build({
+      host: wkd_domain,
+      path: "/.well-known/openpgpkey/#{domain}hu/#{wkd_hash(local)}"})
+    response = Net::HTTP.get_response(uri)
+    response.body if response.code.to_i == 200
+  end
 end
 

manifests/list.pp

@@ -3,6 +3,7 @@ define schleuder::list(
   $ensure                   = present,
   $admin                    = undef,
   $admin_publickey          = undef,
+  $admin_publickey_from_wkd = false,
   $send_list_key            = true,
 ){
   if ($ensure == 'present') and !$admin {
@@ -28,7 +29,8 @@ define schleuder::list(
       }
     }
 
-    if $admin_publickey and $admin_publickey =~ /^\// {
+    if $admin_publickey {
+      if $admin_publickey =~ /^\// {
         $real_admin_publickey = $admin_publickey
       } else {
         $real_admin_publickey = "/var/lib/schleuder/adminkeys/${name}_${admin}.pub"
@@ -52,8 +54,13 @@ define schleuder::list(
           }
         }
       }
+    } elsif !$admin_publickey_from_wkd {
+      fail("no public key source for admin of $name")
+    }
+
     Schleuder_list[$name]{
       admin_publickey          => $real_admin_publickey,
+      admin_publickey_from_wkd => $admin_publickey_from_wkd,
       admin                    => $admin,
     }
     if $send_list_key {