def __call__(self, parser: configargparse.ArgumentParser, namespace: configargparse.Namespace,
values: Union[str, Sequence[Any], None], option_string: str=None) -> None:
from gopythongo.stores import get_stores
stores = get_stores()
if values in stores.keys():
stores[cast(str, values)].print_help()
else:
print("Stores\n"
"======\n"
"\n")
parser.exit(0)
python类ArgumentParser()的实例源码
def add_args(parser: configargparse.ArgumentParser) -> None:
parser.add_argument("--help-store", action=StoreHelpAction, choices=_stores.keys(), default=None)
for s in _stores.values():
s.add_args(parser)
def add_shared_args(parser: configargparse.ArgumentParser) -> None:
global _aptly_shared_args_added
if not _aptly_shared_args_added:
gr_aptly_shared = parser.add_argument_group("Aptly shared options (Store and Versioners)")
gr_aptly_shared.add_argument("--use-aptly", dest="aptly_executable", default="/usr/bin/aptly",
env_var="APTLY_EXECUTABLE",
help="The full path to the aptly executable to use")
gr_aptly_shared.add_argument("--aptly-config", dest="aptly_config", default=None, env_var="APTLY_CONFIG",
help="Path to the aptly config file to use")
gr_aptly_shared.add_argument("--repo", dest="aptly_repo", default=None, env_var="REPO",
help="Name of the aptly repository to place the package in.")
_aptly_shared_args_added = True
def __call__(self, parser: configargparse.ArgumentParser, namespace: configargparse.Namespace,
values: Union[str, Sequence[Any], None], option_string: str=None) -> None:
from gopythongo.versioners import get_version_parsers
version_parsers = get_version_parsers()
if values in version_parsers.keys():
version_parsers[cast(str, values)].print_help()
else:
print("Version Parsers\n"
"===============\n"
"\n"
"Version Parsers take a version string read by a Versioner in one format and\n"
"convert it into a transformable object. Most versioning systems are\n"
"incompatible with each other (e.g. SemVer 2.0.0 and PEP-440). But for some a\n"
"lossless transformation can be defined. Version Parsers can tell GoPythonGo\n"
"when they are able to convert losslessly between from another versioning\n"
"system. Most built-in Version Parsers can, for example, transform SemVer\n"
"conformant version strings into their format without loss of information.\n"
"\n"
"Built-in Version Parsers\n"
"------------------------\n"
"\n"
"GoPythonGo has a number of built-in version parsers which you can use to\n"
"process version strings read by a Versioner:\n"
"\n"
" %s - parses Debian version strings as described in the Debian Policy\n"
" Manual https://www.debian.org/doc/debian-policy/\n"
"\n"
" %s - parses SemVer version strings adhering fo the format defined by\n"
" http://semver.org/\n"
"\n"
" %s - allows you to define a regular expression with named groups based\n"
" on SemVer to easily read arbitrary version strings. Internally\n"
" those are treated like SemVer versions after matching the\n"
" regular expression.\n"
"\n"
"Use %s\n"
"to learn more about the available Version Parsers.\n"
"\n"
"You can find information on writing and plugging your own Version Parsers into\n"
"GoPythonGo on http://gopythongo.com/.\n" %
(highlight("debian"), highlight("semver"), highlight("regex"),
highlight("--help-versionparser=[%s]" % ", ".join(version_parsers.keys()))))
parser.exit()
def __call__(self, parser: configargparse.ArgumentParser, namespace: configargparse.Namespace,
values: Union[str, Sequence[Any], None], option_string: str=None) -> None:
print("Vault Integration\n"
"=================\n"
"\n"
"When signing packages, GoPythonGo/Aptly must know the passphrase to use for GPG,\n"
"especially when GoPythonGo is invoked on a build server without user\n"
"interaction. A good way to manage secret information such as GPG passphrases for\n"
"automated jobs or SSL keys is Hashicorp's Vault (https://vaultproject.io/).\n"
"Using aptly_vault_wrapper as a replacement for the aptly executable allows you\n"
"to query Vault for the GPG passphrase to use when signing packages.\n"
"\n"
"Once you have a configured, initialized and unsealed Vault installation in your\n"
"network, you must set up a policy for aptly_vault_wrapper to use and define a\n"
"way for aptly_vault_wrapper to authenticate. Currently aptly_vault_wrapper\n"
"allows you to pass in a Vault auth token or use the app-id authentication\n"
"backend.\n"
"\n"
"Here is an example for how I use Vault to store the GnuPG package signature\n"
"passphrase for GoPythonGo packages:\n"
"\n"
"Let's set up a read policy, assuming that you have already authenticated to\n"
"Vault:\n"
"\n"
" vault policy-write r_pkg_sign -\n"
"path \"secret/gpg/package_sign_passphrase\" {\n"
" capabilities = [\"read\"]\n"
"}\n"
"\n"
"Then store the passphrase there:\n"
"\n"
" vault write secret/gpg/package_sign_passphrase value=-\n"
"[send passphrase from stdin so as to not save it in your shell history!]\n"
"\n"
"And finally set up app-id for aptly_vault_wrapper. Make sure you set cidr_block\n"
"to an appropriate value for your network:\n"
"\n"
" # Make sure you are authenticated with Vault, then run something like the\n"
" # following commands:\n"
" vault auth-enable app-id\n"
" APPID=$(python3 -c \"import uuid; print(str(uuid.uuid4()), end='')\")\n"
" vault write auth/app-id/map/app-id/$APPID value=r_pkg_sign \\\n"
" display_name=vaultwrapper\n"
" USERID=$(python3 -c \"import uuid; print(str(uuid.uuid4()), end='')\")\n"
" vault write auth/app-id/map/user-id/$USERID value=$APPID \\\n"
" cidr_block=192.168.56.0/24\n"
" echo 'App-id (put this in your .gopythongo settings):'\n"
" echo $APPID\n"
"\n"
" echo 'User-id (put this in the VAULT_USERID environment variable on your'\n"
" echo 'build server, or in your build job config):'\n"
" echo $USERID\n"
"\n"
"Security notice: THe documentation only states this implicitly, but you should\n"
"only use 'hard to guess' UUIDs here. On most systems Python uses os.urandom, so\n"
"this should be fine, but it doesn't hurt to check.\n")
parser.exit(0)
def get_parser() -> configargparse.ArgumentParser:
parser = configargparse.ArgumentParser(
description="Use this program as a replacement for the any binary that needs to read a passphrase from STDIN, "
"be it GnuPG or SSL. This was initially built for GoPythonGo/Aptly. It allows you to load a key "
"passphrase from Hashicorp Vault (https://vaultproject.io/), thereby increasing security on your "
"servers. To configure GoPythonGo specifically to use vault_wrapper, simply set "
"'--aptly-use-vault-wrapper' on your GoPythonGo command-line. All parameters not recognized by "
"vault_wrapper are passed directly to the wrapped program, so all other command-line options "
"work as expected. If you use '--mode=aptly' vault_wrapper will always append "
"'-passphrase-file /dev/stdin' to the final aptly command-line and send the passphrase twice "
"(for both signing operations).",
prog="gopythongo.vaultwrapper",
args_for_setting_config_path=args_for_setting_config_path,
config_arg_help_message="Use this path instead of the default (.gopythongo/vaultwrapper)",
default_config_files=default_config_files
)
parser.add_argument("--wrap-program", dest="wrap_program", default=None, env_var="VAULTWRAPPER_PROGRAM",
help="Path to the executable to wrap and provide a passphrase to.")
parser.add_argument("--address", dest="vault_address", default="https://vault.local:8200",
env_var="VAULT_URL", help="Vault URL")
parser.add_argument("--wrap-mode", dest="wrap_mode", choices=["aptly", "stdin"], default="stdin",
help="Select a mode of operation. 'aptly' will append '-passphrase-file /dev/stdin' to the "
"wrapped program's parameters and output the passphrase twice, because aptly requires "
"that for package signing.")
parser.add_argument("--read-path", dest="read_path", default=None, required=True,
env_var="VAULTWRAPPER_READ_PATH",
help="The path to read from Vault. By default, vaultwrapper will look for a key 'passphrase' "
"under this path (see --field).")
parser.add_argument("--field", dest="read_field", default="passphrase", env_var="VAULTWRAPPER_FIELD",
help="The key to read from the specified path. (Default: 'passphrase')")
parser.add_argument("--help-policies", action=HelpAction,
help="Show additional information about how to set up Vault for using vaultwrapper.")
parser.add_argument("--debug-config", action=DebugConfigAction)
parser.add_argument("--gpg-homedir", dest="gpg_homedir", default=None,
help="Set $GNUPGHOME before executing the wrapped program, which helps to run aptly with "
"gpg2.")
gp_https = parser.add_argument_group("HTTPS options")
gp_https.add_argument("--pin-cacert", dest="pin_cacert", default="/etc/ssl/certs/ca-certificates.crt",
env_var="VAULT_CACERT",
help="Set the CA certificate for Vault (i.e. the server certificate MUST be signed by a CA "
"in this file). The file should contain a list of CA certificates. The default is the "
"location of the Debian Linux CA bundle (Default: '/etc/ssl/certs/ca-certificates.crt')")
gp_https.add_argument("--tls-skip-verify", dest="verify", default=True, action="store_false",
help="Skip SSL verification (only use this during debugging or development!)")
gp_auth = parser.add_argument_group("Vault authentication options")
gp_auth.add_argument("--token", dest="vault_token", env_var="VAULT_TOKEN", default=None,
help="A Vault access token with a valid lease. This is one way of authenticating the wrapper "
"to Vault. This is mutually exclusive with --app-id/--user-id.")
gp_auth.add_argument("--app-id", dest="vault_appid", env_var="VAULT_APPID", default=None,
help="Set the app-id for Vault app-id authentication.")
gp_auth.add_argument("--user-id", dest="vault_userid", env_var="VAULT_USERID", default=None,
help="Set the user-id for Vault app-id authentication.")
gp_auth.add_argument("--client-cert", dest="client_cert", default=None, env_var="VAULT_CLIENTCERT",
help="Use a HTTPS client certificate to connect.")
gp_auth.add_argument("--client-key", dest="client_key", default=None, env_var="VAULT_CLIENTKEY",
help="Set the HTTPS client certificate private key.")
return parser
def add_args(self, parser: configargparse.ArgumentParser) -> None:
_aptly_args.add_shared_args(parser)
gp_ast = parser.add_argument_group("Aptly Store options")
gp_ast.add_argument("--aptly-distribution", dest="aptly_distribution", default="", env_var="APTLY_DISTRIBUTION",
help="Set the target distribution for aptly builds.")
gp_ast.add_argument("--aptly-repo-opts", dest="aptly_repo_opts", default="", env_var="APTLY_REPO_OPTS",
help="Specify additional command-line parameters which will be appended to every "
"'aptly repo' command executed by the Aptly Store.")
gp_ast.add_argument("--aptly-publish-opts", dest="aptly_publish_opts", default="", env_var="APTLY_PUBLISH_OPTS",
help="Specify additional command-line parameters which will be appended to every "
"'aptly publish' command executed by the Aptly Store.")
gp_ast.add_argument("--aptly-publish-endpoint", dest="aptly_publish_endpoint", metavar="ENDPOINT", default=None,
env_var="APTLY_PUBLISH_ENDPOINT",
help="Publish the Aply repo to the specified endpoint after generated packages have been "
"added to the repo. Please note that you will have to add additional configuration to "
"the aptly config file, for example when you want to publish to S3. It's also likely "
"that you want to set --aptly-publish-opts and pass aptly -passphrase-file, -keyring "
"and other necessary arguments for signing the repo. Please note: You will probably "
"want to set these arguments using environment variables on your build server if "
"you're using a CI environment.")
gp_ast.add_argument("--aptly-dont-remove", dest="aptly_dont_remove", action="store_true", default=False,
env_var="APTLY_DONT_REMOVE",
help="By default, if a created package already exists in the repo specified by --repo, "
"the aptly store will overwrite it. Setting --aptly-dont-remove will instead lead "
"to an error if the package already exists.")
gp_ast.add_argument("--aptly-overwrite-newer", dest="aptly_overwrite_newer", action="store_true", default=False,
env_var="APTLY_OVERWRITE_NEWER",
help="If set, the aptly Store will store newly generated packages in the repo which are "
"older than the packages already there. By default, it will raise an error message "
"instead.")
gp_ast.add_argument("--aptly-passphrase", dest="aptly_passphrase", env_var="APTLY_PASSPHRASE", default=None,
help="Set this to pass the GPG signing passphrase to the aptly Store. This is primarily "
"useful when you use the environment variable. This way your build server can read "
"the passphrase from secure storage it pass it to GoPythonGo with a modicum of "
"protection. Using the command-line parameter however will expose the passphrase to "
"every user on the system. You're better of passing --passphrase-file to aptly via "
"--aptly-publish-opts in that case. The most secure option would be to use "
"--use-aptly-vault-wrapper.")
gp_ast.add_argument("--use-aptly-vault-wrapper", dest="use_aptly_wrapper", env_var="APTLY_USE_WRAPPER",
default=False, action="store_true",
help="When you set this, GoPythonGo will not directly invoke aptly to publish or update "
"aptly-managed repos. Instead it will call GoPythonGo's vault_wrapper program in"
"'aptly' mode, which can be configured by environment variables or its own "
"configuration file or both (Default: .gopythongo/vaultwrapper). This program will "
"load the GnuPG signing passphrase for aptly-managed repos from Hashicorp Vault. You "
"can find out more by running 'vaultwrapper --help'.")
