nixpkgs/pkgs/development/python-modules/credstash/default.nix
Ivan ca8b128aa1 credstash: add standalone Python application (#51807)
credstash was only available as a library. Provide it as a standalone
application as well.

In order for this to work, I needed to remove the copy of
the library that's placed in $out/bin and marked executable
during the install phase. Other than the patched shebang and
executable bit, it's identical to the library that's installed to
$out/lib/python3.7/site-packages.

Before the postFixup has run `wrapPythonPrograms`, $out/bin contains
two Python files -- credstash and credstash.py -- where bin/credstash
is the executable you'd expect a user to invoke from the command-line
and bin/credstash.py contains the credstash module, which bin/credstash
imports.

After `wrapPythonPrograms` has run, bin/credstash is a shell
wrapper around the bin/.credstash-wrapped Python entrypoint, and
bin/credstash.py is a shell wrapper around bin/.credstash.py-wrapped.
Invoking bin/credstash execs bin/.credstash-wrapped, and that Python
script attempts to import the credstash module from bin/credstash.py,
the shell wrapper, rather than either bin/.credstash.py-wrapped or
lib/python3.7/site-packages/credstash.py.

This leads to an error:

    $ credstash get mykey
    Traceback (most recent call last):
      File "/nix/store/hk6yma716w6141lcdh509d6qyyi7zm0i-python3.7-credstash-1.15.0/bin/.credstash-wrapped", line 8, in <module>
        from credstash import main
      File "/nix/store/hk6yma716w6141lcdh509d6qyyi7zm0i-python3.7-credstash-1.15.0/bin/credstash.py", line 2
        export PATH='/nix/store/6lm4gi5iv8fbf1b1mm6g3gfnnv63f1gn-python3-3.7.1/bin:/nix/store/hk6yma716w6141lcdh509d6qyyi7zm0i-python3.7-credstash-1.15.0/bin:/nix/store/2n13gf1zdr39ir5dynxlkqndxgy36g08-python3.7-setuptools-40.4.3/bin:/nix/store/mhnqwpa4y1l81zi4cwx989i8h8z9g67l-python3.7-jmespath-0.9.0/bin:/nix/store/qc6q3a2nv4211wyh7q319v6zzd3ab6pc-python3.7-docutils-0.14/bin'${PATH:+':'}$PATH
                  ^
    SyntaxError: invalid syntax

If we try using `dontWrapPythonPrograms` to resolve this, runtime
dependency lookups fail:

    $ credstash get mykey
    Traceback (most recent call last):
      File "/run/current-system/sw/bin/credstash", line 7, in <module>
        from credstash import main
      File "/nix/store/8rmldlvlv1z1xl7w02dy7f5qhkzdrg8z-python3.7-credstash-1.15.0/bin/credstash.py", line 26, in <module>
        import boto3
    ModuleNotFoundError: No module named 'boto3'

I was able to resolve things by simply removing bin/credstash.py before
the postFixup phase has a chance to wrap any executables. Now the
executable imports the library correctly:

 (shell wrapper)
  bin/credstash
        │      (python executable)
        └─> bin/.credstash-wrapped
                   │                        (python library)
                   └─> lib/python3.7/site-packages/credstash.py
2018-12-11 10:49:27 +01:00

33 lines
1.1 KiB
Nix

{ stdenv, buildPythonPackage, fetchPypi, cryptography, boto3, pyyaml, docutils, nose }:

buildPythonPackage rec {
  pname = "credstash";
  version = "1.15.0";

  src = fetchPypi {
    inherit pname version;
    sha256 = "814560f99ae2409e2c6d906d878f9dadada5d1d0a950aafb6b2c0d535291bdfb";
  };

  # The install phase puts an executable and a copy of the library it imports in
  # bin/credstash and bin/credstash.py, despite the fact that the library is also
  # installed to lib/python<version>/site-packages/credstash.py.
  # If we apply wrapPythonPrograms to bin/credstash.py then the executable will try
  # to import the credstash module from the resulting shell script. Removing this
  # file ensures that Python imports the module from the site-packages library.
  postInstall = "rm $out/bin/credstash.py";

  nativeBuildInputs = [ nose ];

  propagatedBuildInputs = [ cryptography boto3 pyyaml docutils ];

  # No tests in archive
  doCheck = false;

  meta = with stdenv.lib; {
    description = "A utility for managing secrets in the cloud using AWS KMS and DynamoDB";
    homepage = https://github.com/LuminalOSS/credstash;
    license = licenses.asl20;
  };
}
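
The import shadowing described in the commit message can be reproduced outside Nix. The following is an added example, not code from nixpkgs or credstash: it builds a throwaway bin/ and site-packages/ layout and runs the entrypoint with and without bin/credstash.py. The wrapper text, the module bodies, the helper names and the use of PYTHONPATH to expose site-packages are all assumptions made for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-ins: a generated shell wrapper, the Python entrypoint, the library.
WRAPPER = "#! /bin/sh -e\nexport PATH='/constructed/bin'${PATH:+':'}$PATH\n"
ENTRY = "from credstash import main\nmain()\n"
LIBRARY = "def main():\n    print('library ok')\n"


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def shadowed_modules(bindir, libdir):
    """Return .py names in bindir that would be imported ahead of the same name in libdir."""
    return sorted(n for n in os.listdir(bindir)
                  if n.endswith(".py") and os.path.exists(os.path.join(libdir, n)))


def run_entrypoint(keep_bin_copy):
    """Build a throwaway bin/ and site-packages/ layout, then run the entrypoint.

    Returns (exit code, stdout, stderr, shadowed module file names)."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        libdir = os.path.join(root, "lib", "site-packages")
        entry = os.path.join(bindir, ".credstash-wrapped")
        write(os.path.join(libdir, "credstash.py"), LIBRARY)
        write(entry, ENTRY)
        if keep_bin_copy:
            write(os.path.join(bindir, "credstash.py"), WRAPPER)
        # PYTHONPATH stands in for however the real wrapper exposes site-packages.
        env = dict(os.environ, PYTHONPATH=libdir, PYTHONDONTWRITEBYTECODE="1")
        env.pop("PYTHONSAFEPATH", None)  # keep the default: script dir is sys.path[0]
        proc = subprocess.run([sys.executable, entry], env=env,
                              capture_output=True, text=True)
        return proc.returncode, proc.stdout, proc.stderr, shadowed_modules(bindir, libdir)


if __name__ == "__main__":
    for keep in (True, False):
        code, out, err, shadowed = run_entrypoint(keep)
        last = (err or out).strip().splitlines()[-1]
        print(f"bin/credstash.py present={keep}: exit={code} shadowed={shadowed} -> {last}")
```

Because Python puts the script's own directory first on sys.path, anything in bin/ with a module's name wins over site-packages; the `shadowed_modules` check can be pointed at any package output to catch this before it ships.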