"""Parses the arguments passed to the bash script and returns them back to the bash script.""" from __future__ import absolute_import from __future__ import print_function from __future__ import unicode_literals import argparse import re import sys # Technique for printing custom error and help # Source: https://stackoverflow.com/a/4042861/862857 class CustomParser(argparse.ArgumentParser): def error(self, message): print('{}: error: {}'.format(self.prog, message), file=sys.stderr) self.print_help() sys.exit(1) parser = CustomParser(prog='create_binauthz_attestation') # By default, arguments with "--" are optional, so we have # to make our own argument group so they are required required_arguments = parser.add_argument_group('required arguments') required_arguments.add_argument( '--artifact-url', type=str, help='Registry URL for container image', required=True) attestor_args = parser.add_argument_group('Attestor arguments') attestor_args.add_argument( '--attestor', type=str, help='Fully qualified attestor name or just the attestor name', required=True) attestor_args.add_argument( '--attestor-project', type=str, help='The project that the attestor is a part of') pgp_args = parser.add_argument_group('PGP key arguments') pgp_args.add_argument( '--pgp-key-fingerprint', type=str, help='The fingerprint of the PGP key you plan to use') # If the user is using KMS, they should provide: kms_args = parser.add_argument_group('KMS key arguments') kms_args.add_argument( '--keyversion', type=str, help='The fully qualified keyversion or the version number of the KMS key') kms_args.add_argument( '--keyversion-key', type=str, help='The name of the KMS key') kms_args.add_argument( '--keyversion-keyring', type=str, help='The keyring for the KMS key') kms_args.add_argument( '--keyversion-location', type=str, help='The location of the KMS key') kms_args.add_argument( '--keyversion-project', type=str, help='The project that the KMS key belongs to') args = parser.parse_args() # Validate and parse attestor resource flags. if '/' not in args.attestor: if not args.attestor_project: parser.error('The --attestor-project option is required if ' '--attestor is not a fully qualified ' 'Attestor resource identifier') else: args.attestor = 'projects/{project}/attestors/{attestor}'.format( project=args.attestor_project, attestor=args.attestor) attestor_regex = re.compile(r'^projects/[a-z0-9-]*/attestors/[a-zA-Z0-9-_]*$') if not attestor_regex.search(args.attestor): parser.error('Attestor "{attestor}" is not ' 'a valid attestor name'.format(attestor=args.attestor)) # Enforce mutual exclusion of key flag types. keyversion_args = [ args.keyversion, args.keyversion_key, args.keyversion_keyring, args.keyversion_location, args.keyversion_project ] if args.pgp_key_fingerprint and any(keyversion_args): parser.error('You cannot set --pgp-key-fingerprint and --keyversion related' ' options at the same time.') if not args.pgp_key_fingerprint and not any(keyversion_args): parser.error('Either --pgp-key-fingerprint or --keyversion related' ' options must be set.') # Validate and parse keyversion resource flags. if args.keyversion is not None and '/' not in args.keyversion: if not all(keyversion_args): parser.error( 'The --keyversion-key, --keyversion-keyring, --keyversion-location, ' 'and --keyversion-project options are required if --keyversion ' 'is not a fully qualified KMS key resource identifier.') else: args.keyversion = ( 'projects/{project}/locations/{location}/keyRings/{keyRing}/' 'cryptoKeys/{cryptoKey}/cryptoKeyVersions/{keyversion}').format( project=args.keyversion_project, location=args.keyversion_location, keyRing=args.keyversion_keyring, cryptoKey=args.keyversion_key, keyversion=args.keyversion) keyversion_regex = re.compile(r'^projects/[a-z0-9-]*/locations/[a-z0-9-]*' r'/keyRings/[a-zA-Z0-9-_]*/cryptoKeys/' r'[a-zA-Z0-9-_]*/cryptoKeyVersions/[1-9][0-9]*$') if args.keyversion is not None and not keyversion_regex.search(args.keyversion): parser.error('"{}" is not a valid fully qualified KMS key identifier.'.format( args.keyversion)) arguments_list = [] for arg_name, value in args.__dict__.items(): arguments_list.append('[{name}]="{value}"'.format( name=arg_name, value=value or '')) print('\n'.join(arguments_list))