{ lib
, buildPythonPackage
, fetchPypi
, cryptography
, boto3
, pyyaml
, docutils
, pytest
, fetchpatch
}:

buildPythonPackage rec {
  pname = "credstash";
  version = "1.17.1";

  # Release tarball from PyPI; the sha256 pins the exact archive, so a changed
  # upload fails the fetch instead of being built.
  src = fetchPypi {
    inherit pname version;
    sha256 = "6c04e8734ef556ab459018da142dd0b244093ef176b3be5583e582e9a797a120";
  };

  # Upstream commit applied on top of the release. The URL names the full
  # commit id and fetchpatch checks the sha256 of the fetched patch.
  # NOTE(review): nothing here says what this patch fixes - add a one-line
  # reason so it can be dropped once a release contains the change.
  patches = [
    (fetchpatch {
      url = "https://github.com/fugue/credstash/commit/9c02ee43ed6e37596cafbca2fe80c532ec19d2d8.patch";
      sha256 = "dlybrpfLK+PqwWWhH9iXgXHYysZGmcZAFGWNOwsG0xA=";
    })
  ];
credstash: add standalone Python application (#51807)
credstash was only available as a library. Provide it as a standalone
application as well.
In order for this to work, I needed to remove the copy of
the library that's placed in $out/bin and marked executable
during the install phase. Other than the patched shebang and
executable bit, it's identical to the library that's installed to
$out/lib/python3.7/site-packages.
Before the postFixup has run `wrapPythonPrograms`, $out/bin contains
two Python files -- credstash and credstash.py -- where bin/credstash
is the executable you'd expect a user to invoke from the command-line
and bin/credstash.py contains the credstash module, which bin/credstash
imports.
After `wrapPythonPrograms` has run, bin/credstash is a shell
wrapper around the bin/.credstash-wrapped python entrypoint, and
bin/credstash.py is a shell wrapper around bin/.credstash.py-wrapped.
Invoking bin/credstash execs bin/.credstash-wrapped, and that python
script attempts to import the credstash module from bin/credstash.py,
the shell wrapper, rather than either bin/.credstash.py-wrapped or
lib/python3.7/site-packages/credstash.py.
This leads to an error:
$ credstash get mykey
Traceback (most recent call last):
File "/nix/store/hk6yma716w6141lcdh509d6qyyi7zm0i-python3.7-credstash-1.15.0/bin/.credstash-wrapped", line 8, in <module>
from credstash import main
File "/nix/store/hk6yma716w6141lcdh509d6qyyi7zm0i-python3.7-credstash-1.15.0/bin/credstash.py", line 2
export PATH='/nix/store/6lm4gi5iv8fbf1b1mm6g3gfnnv63f1gn-python3-3.7.1/bin:/nix/store/hk6yma716w6141lcdh509d6qyyi7zm0i-python3.7-credstash-1.15.0/bin:/nix/store/2n13gf1zdr39ir5dynxlkqndxgy36g08-python3.7-setuptools-40.4.3/bin:/nix/store/mhnqwpa4y1l81zi4cwx989i8h8z9g67l-python3.7-jmespath-0.9.0/bin:/nix/store/qc6q3a2nv4211wyh7q319v6zzd3ab6pc-python3.7-docutils-0.14/bin'${PATH:+':'}$PATH
^
SyntaxError: invalid syntax
If we try using `dontWrapPythonPrograms` to resolve this, runtime
dependency lookups fail:
$ credstash get mykey
Traceback (most recent call last):
File "/run/current-system/sw/bin/credstash", line 7, in <module>
from credstash import main
File "/nix/store/8rmldlvlv1z1xl7w02dy7f5qhkzdrg8z-python3.7-credstash-1.15.0/bin/credstash.py", line 26, in <module>
import boto3
ModuleNotFoundError: No module named 'boto3'
I was able to resolve things by simply removing bin/credstash.py before
the postFixup phase has a chance to wrap any executables. Now the
executable imports the library correctly:
(shell wrapper)
bin/credstash
│ (python executable)
└─> bin/.credstash-wrapped
│ (python library)
└─> lib/python3.7/site-packages/credstash.py
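# The install phase puts both the executable (bin/credstash) and a copy of the
# library it imports (bin/credstash.py) into $out/bin, although the library is
# also installed to lib/python<version>/site-packages/credstash.py.
# wrapPythonPrograms would turn bin/credstash.py into a shell wrapper, and the
# executable would then try to import that shell script as the credstash
# module, because Python looks in the script's own directory first. Deleting
# the copy before wrapping leaves the site-packages library as the only
# credstash module that can be imported.
postInstall = "rm $out/bin/credstash.py";

# NOTE(review): pytest is a build input although doCheck is false below;
# presumably the build itself asks for it - confirm, or drop it.
nativeBuildInputs = [ pytest ];

# Runtime dependencies of the credstash module.
propagatedBuildInputs = [ cryptography boto3 pyyaml docutils ];

# No tests in archive
doCheck = false;

meta = with lib; {
  description = "A utility for managing secrets in the cloud using AWS KMS and DynamoDB";
  # Points at the repository that the fetchpatch URL in this file uses
  # (fugue/credstash), so the advertised upstream and the patch source agree.
  homepage = "https://github.com/fugue/credstash";
  license = licenses.asl20;
};
}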