예제 #1
    def build_option_parser(self, description, version):
        """Return the application's global ``argparse`` parser.

        The parser built by the parent class is extended with the ``psec``
        global options, added in the order they are listed in ``--help``,
        plus an epilog documenting the ``D2_*`` environment variables that
        seed their defaults.

        Args:
            description: Forwarded to the parent ``build_option_parser``.
            version: Forwarded to the parent ``build_option_parser``.

        Returns:
            The configured ``argparse.ArgumentParser``.
        """
        parser = super(PythonSecretsApp, self).build_option_parser(
            description, version)
        # Raw formatter so the hand-wrapped epilog below is printed as-is.
        parser.formatter_class = argparse.RawDescriptionHelpFormatter

        # Option defaults are resolved once, when the parser is built, from
        # the current process environment (the epilog lists the variables).
        secrets_env = SecretsEnvironment()
        basedir = secrets_env.secrets_basedir()
        basename = secrets_env.secrets_basename()
        default_env = default_environment()

        # One (flags, keyword-arguments) pair per global option; list order
        # is the order in which the options appear in ``--help``.
        global_options = [
            (('--elapsed',), {
                'action': 'store_true',
                'dest': 'elapsed',
                'default': False,
                'help': 'Print elapsed time on exit (default: False)',
            }),
            (('-d', '--secrets-basedir'), {
                'metavar': '<secrets-basedir>',
                'dest': 'secrets_basedir',
                'default': basedir,
                'help': ('Root directory for holding secrets '
                         '(Env: D2_SECRETS_BASEDIR; default: {})'
                         ).format(basedir),
            }),
            (('-e', '--environment'), {
                'metavar': '<environment>',
                'dest': 'environment',
                'default': default_env,
                'help': ('Deployment environment selector '
                         '(Env: D2_ENVIRONMENT; default: {})'
                         ).format(default_env),
            }),
            (('-s', '--secrets-file'), {
                'metavar': '<secrets-file>',
                'dest': 'secrets_file',
                'default': basename,
                'help': 'Secrets file (default: {})'.format(basename),
            }),
            (('-P', '--env-var-prefix'), {
                'metavar': '<prefix>',
                'dest': 'env_var_prefix',
                'default': None,
                'help': ('Prefix string for environment variables '
                         '(default: None)'),
            }),
            # NOTE(security): secrets exported into the environment are
            # inherited by every child process and readable by anything that
            # can inspect this process's environment; use this only when the
            # target program cannot receive secrets another way.
            (('-E', '--export-env-vars'), {
                'action': 'store_true',
                'dest': 'export_env_vars',
                'default': False,
                'help': ('Export secrets as environment variables '
                         '(default: False)'),
            }),
            # Guards against clobbering variables already present in the
            # environment; it does not restrict what gets exported.
            (('--preserve-existing',), {
                'action': 'store_true',
                'dest': 'preserve_existing',
                'default': False,
                'help': ("Don't allow over-writing existing environment "
                         "variables (default: False)"),
            }),
            (('--init',), {
                'action': 'store_true',
                'dest': 'init',
                'default': False,
                'help': 'Initialize directory for holding secrets.',
            }),
            # ``umask`` (the converter, defined elsewhere) parses the
            # user-supplied mask. The restrictive DEFAULT_UMASK is what keeps
            # files written by wrapped programs from being created with broad
            # permissions (see epilog), so relaxing it should be deliberate.
            (('--umask',), {
                'metavar': '<umask>',
                'type': umask,
                'dest': 'umask',
                'default': DEFAULT_UMASK,
                'help': ('Mask to apply during app execution '
                         '(default: {:#05o})').format(DEFAULT_UMASK),
            }),
        ]
        for flags, kwargs in global_options:
            parser.add_argument(*flags, **kwargs)

        parser.epilog = textwrap.dedent("""\
            For programs that inherit values through environment variables, you can
            export secrets using the ``-E`` option to the ``run`` subcommand, e.g.
            ``psec -E run -- terraform plan -out=$(psec environments path --tmpdir)/tfplan``

            To improve overall security when doing this, a default process umask of
            {:#05o} is set when the app initializes. When running programs like the
            example above where they create sensitive files in the environment
            directory, this reduces the chance that secrets created during execution
            will end up with overly broad permissions.  If you need to relax these
            permissions, use the ``--umask`` option to apply the desired mask.

            Environment Variables:
              D2_ENVIRONMENT      Defaults the environment identifier.
              D2_SECRETS_BASEDIR  Defaults the base directory for storing secrets.
              D2_SECRETS_BASENAME Defaults the base name for secrets storage files.
              D2_NO_REDACT        Defaults redaction setting for ``secrets show`` command.
            """.format(DEFAULT_UMASK))  # noqa

        return parser
예제 #2
    def build_option_parser(self, description, version):
        """Return the application's global ``argparse`` parser.

        The parser built by the parent class is extended with the ``psec``
        global options, added in the order they are listed in ``--help``,
        plus an epilog that documents the environment variables consumed by
        the app together with their current values.

        Args:
            description: Forwarded to the parent ``build_option_parser``.
            version: Forwarded to the parent ``build_option_parser``.

        Returns:
            The configured ``argparse.ArgumentParser``.
        """
        parser = super(PythonSecretsApp, self).build_option_parser(
            description, version)
        # Show the real command name in help output even when invoked as
        # ``python -m psec.main`` (argparse would otherwise report the
        # script file name).
        if parser.prog.endswith('.py'):
            parser.prog = self.command_manager.namespace
        # Raw formatter so the hand-wrapped epilog below is printed as-is.
        parser.formatter_class = argparse.RawDescriptionHelpFormatter

        # Option defaults are resolved once, when the parser is built, from
        # the current process environment (the epilog lists the variables).
        secrets_env = SecretsEnvironment()
        basedir = secrets_env.secrets_basedir()
        basename = secrets_env.secrets_basename()
        default_env = default_environment()

        # One (flags, keyword-arguments) pair per global option; list order
        # is the order in which the options appear in ``--help``.
        global_options = [
            (('--elapsed',), {
                'action': 'store_true',
                'dest': 'elapsed',
                'default': False,
                'help': 'Print elapsed time on exit (default: False)',
            }),
            (('-d', '--secrets-basedir'), {
                'metavar': '<secrets-basedir>',
                'dest': 'secrets_basedir',
                'default': basedir,
                'help': (f'Root directory for holding secrets '
                         f'(Env: D2_SECRETS_BASEDIR; default: {basedir})'),
            }),
            (('-e', '--environment'), {
                'metavar': '<environment>',
                'dest': 'environment',
                'default': default_env,
                'help': (f'Deployment environment selector '
                         f'(Env: D2_ENVIRONMENT; default: {default_env})'),
            }),
            (('-s', '--secrets-file'), {
                'metavar': '<secrets-file>',
                'dest': 'secrets_file',
                'default': basename,
                'help': f'Secrets file (default: {basename})',
            }),
            (('-P', '--env-var-prefix'), {
                'metavar': '<prefix>',
                'dest': 'env_var_prefix',
                'default': None,
                'help': ('Prefix string for environment variables '
                         '(default: None)'),
            }),
            # NOTE(security): secrets exported into the environment are
            # inherited by every child process and readable by anything that
            # can inspect this process's environment; use this only when the
            # target program cannot receive secrets another way.
            (('-E', '--export-env-vars'), {
                'action': 'store_true',
                'dest': 'export_env_vars',
                'default': False,
                'help': ('Export secrets as environment variables '
                         '(default: False)'),
            }),
            # Guards against clobbering variables already present in the
            # environment; it does not restrict what gets exported.
            (('--preserve-existing',), {
                'action': 'store_true',
                'dest': 'preserve_existing',
                'default': False,
                'help': ("Don't allow over-writing existing environment "
                         "variables (default: False)"),
            }),
            (('--init',), {
                'action': 'store_true',
                'dest': 'init',
                'default': False,
                'help': 'Initialize directory for holding secrets.',
            }),
            # ``umask`` (the converter, defined elsewhere) parses the
            # user-supplied mask. The restrictive DEFAULT_UMASK is what keeps
            # files written by wrapped programs from being created with broad
            # permissions (see epilog), so relaxing it should be deliberate.
            (('--umask',), {
                'metavar': '<umask>',
                'type': umask,
                'dest': 'umask',
                'default': DEFAULT_UMASK,
                'help': (f'Mask to apply during app execution '
                         f'(default: {DEFAULT_UMASK:#05o})'),
            }),
            (('--rtd',), {
                'action': 'store_true',
                'dest': 'rtd',
                'default': False,
                'help': ('Open ReadTheDocs documentation on '
                         '"help" command (default: False)'),
            }),
        ]
        for flags, kwargs in global_options:
            parser.add_argument(*flags, **kwargs)

        # The epilog embeds live process state (cwd, interpreter) and, via
        # show_current_value() (defined elsewhere; presumably renders the
        # variable's current value), the operator's configuration. The
        # variables listed are paths/identifiers, not secret material -- keep
        # it that way if more are added, since ``--help`` output is routinely
        # pasted into tickets and logs.
        parser.epilog = textwrap.dedent(f"""\
            For programs that inherit values through environment variables, you can
            export secrets using the ``-E`` option to the ``run`` subcommand, e.g.
            ``psec -E run -- terraform plan -out=$(psec environments path --tmpdir)/tfplan``
            The environment variable ``PYTHON_SECRETS_ENVIRONMENT`` will also be exported
            with the identifier of the associated source environment.

            To improve overall security when doing this, a default process umask of
            {DEFAULT_UMASK:#05o} is set when the app initializes. When running programs like the
            example above where they create sensitive files in the environment
            directory, this reduces the chance that secrets created during execution
            will end up with overly broad permissions.  If you need to relax these
            permissions, use the ``--umask`` option to apply the desired mask.

            To control the browser that is used with the ``help --rtd`` command,
            set the BROWSER environment variable (e.g., ``BROWSER=lynx``).
            See: https://github.com/python/cpython/blob/3.8/Lib/webbrowser.py

            Current working dir: {os.getcwd()}
            Python interpreter:  {sys.executable} (v{sys.version.split()[0]})
            Environment variables consumed:
              BROWSER             Default browser for use by webbrowser.open().{show_current_value('BROWSER')}
              D2_ENVIRONMENT      Default environment identifier.{show_current_value('D2_ENVIRONMENT')}
              D2_SECRETS_BASEDIR  Default base directory for storing secrets.{show_current_value('D2_SECRETS_BASEDIR')}
              D2_SECRETS_BASENAME Default base name for secrets storage files.{show_current_value('D2_SECRETS_BASENAME')}
              D2_NO_REDACT        Default redaction setting for ``secrets show`` command.{show_current_value('D2_NO_REDACT')}
            """)  # noqa

        return parser