diff --git a/README.md b/README.md
index b6640d0353602aafe2240ead225cda26f3af2fb4..997b92400e16f973fb86f581a157264f8c5fdcd8 100644
--- a/README.md
+++ b/README.md
@@ -132,6 +132,7 @@ This is a define, that wrapps the native type `schleuder_list`, mainly for conve
* `ensure`: Whether list should be present or absent. Default: `present`
* `admin`: Emailaddress of the initial administrator of a list. Must be present if lists' ensure is set to `present`.
* `admin_publickey`: A source of a public key of the lists' admin. Used to subscribe the admin properly. Can be a string containing the armored public key, a full `puppet://` or local path. If not set, puppet will try to fetch it from `puppet:///${schleuder::adminkeys_path}/${admin}.pub`.
+* `admin_publickey_from_wkd`: If this boolean is true and the `admin_publickey` is missing, try to fetch the admin's public key from WKD. In this case the admin keyfile will not be managed by puppet once the list was created. The client is resposible to ensure that the key exists in WKD, otherwise creation will fail.
### schleuder_list
@@ -145,6 +146,7 @@ It is possible to purge all unmanaged schleuder lists using puppet's [resources-
* `ensure`: `present` or `absent`. Default: `present`
* `admin`: The initial adminaddress of a list. Won't be enforced, once the list is created.
* `admin_publickey`: A local path to a file containing an armored public key of the `admin`.
+* `admin_publickey_from_wkd`: If this boolean is true and the `admin_publickey` is missing, try to fetch the admin's public key from WKD.
### Facts
diff --git a/lib/puppet/provider/schleuder_list/base.rb b/lib/puppet/provider/schleuder_list/base.rb
index f3814c6b81cc8271a88fd370d1737ca2ad352361..3ec036d758849d5d3af6a49f6b3dccc5f6cd3202 100644
--- a/lib/puppet/provider/schleuder_list/base.rb
+++ b/lib/puppet/provider/schleuder_list/base.rb
@@ -1,5 +1,10 @@
require 'puppet/provider/parsedfile'
+require 'base32'
+require 'uri'
+require 'net/http'
+require 'tempfile'
+
Puppet::Type.type(:schleuder_list).provide(:base) do
has_command(:cli, '/usr/bin/schleuder-cli') do
environment({ 'HOME' => ENV['HOME'] })
@@ -35,6 +40,14 @@ Puppet::Type.type(:schleuder_list).provide(:base) do
end
if val = @resource[:admin_publickey]
args << val
+ elsif @resource[:admin_publickey_from_wkd]
+ if key = wkd_fetch(@resource[:admin])
+ file = Tempfile.new
+ File.write(file, key)
+ args << file.path
+ else
+ raise ArgumentError, "Public key of the admin is not published in WKD"
+ end
else
raise ArgumentError, "Schleuder lists require a public key of the admin"
end
@@ -78,5 +91,23 @@ Puppet::Type.type(:schleuder_list).provide(:base) do
end
nil
end
+
+ def wkd_fetch(email)
+ local, domain = email.split('@', 2)
+ wkd_fetch2("openpgpkey.#{domain}", "#{domain}/", local) || \
+ wkd_fetch2(domain, "", local)
+ end
+ def wkd_hash(string)
+ # Table for z-base-32 encoding.
+ Base32.table = "ybndrfg8ejkmcpqxot1uwisza345h769"
+ Base32.encode(Digest::SHA1.digest(string.downcase))
+ end
+ def wkd_fetch2(wkd_domain, domain, local)
+ uri = URI::HTTPS.build({
+ host: wkd_domain,
+ path: "/.well-known/openpgpkey/#{domain}hu/#{wkd_hash(local)}"})
+ response = Net::HTTP.get_response(uri)
+ response.body if response.code.to_i == 200
+ end
end
diff --git a/manifests/list.pp b/manifests/list.pp
index ccd38ee1eb0fd61eed5502a1083c2387820d16f7..b1d6a97bbfe748d2956538570907dca7bf49f1d0 100644
--- a/manifests/list.pp
+++ b/manifests/list.pp
@@ -1,9 +1,10 @@
# a small wrapper to manage init member keys and a schleuder_list
define schleuder::list(
- $ensure = present,
- $admin = undef,
- $admin_publickey = undef,
- $send_list_key = true,
+ $ensure = present,
+ $admin = undef,
+ $admin_publickey = undef,
+ $admin_publickey_from_wkd = false,
+ $send_list_key = true,
){
if ($ensure == 'present') and !$admin {
fail("Must pass adminaddress to Schleuder::List[${name}]")
@@ -28,33 +29,39 @@ define schleuder::list(
}
}
- if $admin_publickey and $admin_publickey =~ /^\// {
- $real_admin_publickey = $admin_publickey
- } else {
- $real_admin_publickey = "/var/lib/schleuder/adminkeys/${name}_${admin}.pub"
- file{$real_admin_publickey:
- owner => 'root',
- group => 'schleuder',
- mode => '0640',
- seltype => 'schleuder_data_t',
- }
- if !$admin_publickey {
- File[$real_admin_publickey]{
- source => "puppet:///${schleuder::adminkeys_path}/${admin}.pub",
- }
- } elsif $admin_publickey =~ /^puppet:\/\// {
- File[$real_admin_publickey]{
- source => $admin_publickey,
- }
+ if $admin_publickey {
+ if $admin_publickey =~ /^\// {
+ $real_admin_publickey = $admin_publickey
} else {
- File[$real_admin_publickey]{
- content => $admin_publickey,
+ $real_admin_publickey = "/var/lib/schleuder/adminkeys/${name}_${admin}.pub"
+ file{$real_admin_publickey:
+ owner => 'root',
+ group => 'schleuder',
+ mode => '0640',
+ seltype => 'schleuder_data_t',
+ }
+ if !$admin_publickey {
+ File[$real_admin_publickey]{
+ source => "puppet:///${schleuder::adminkeys_path}/${admin}.pub",
+ }
+ } elsif $admin_publickey =~ /^puppet:\/\// {
+ File[$real_admin_publickey]{
+ source => $admin_publickey,
+ }
+ } else {
+ File[$real_admin_publickey]{
+ content => $admin_publickey,
+ }
}
}
+ } elsif !$admin_publickey_from_wkd {
+ fail("no public key source for admin of $name")
}
+
Schleuder_list[$name]{
- admin_publickey => $real_admin_publickey,
- admin => $admin,
+ admin_publickey => $real_admin_publickey,
+ admin_publickey_from_wkd => $admin_publickey_from_wkd,
+ admin => $admin,
}
if $send_list_key {
exec{"schleuder-cli lists send-list-key-to-subscriptions ${name}":