From b59dcb2095b287d842bf2f2431ca0a168ea96024 Mon Sep 17 00:00:00 2001 
From: Seth Vargo Date: Mon, 30 Dec 2019 15:18:43 -0600 Subject: [PATCH 01/12] Add initial Secret Manager samples [(#2664)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/2664) --- samples/snippets/README.rst | 395 +++++++++++++++++++++ samples/snippets/README.rst.in | 52 +++ samples/snippets/access_secret_version.py | 61 ++++ samples/snippets/add_secret_version.py | 61 ++++ samples/snippets/create_secret.py | 61 ++++ samples/snippets/delete_secret.py | 50 +++ samples/snippets/destroy_secret_version.py | 56 +++ samples/snippets/disable_secret_version.py | 56 +++ samples/snippets/enable_secret_version.py | 56 +++ samples/snippets/get_secret.py | 65 ++++ samples/snippets/get_secret_version.py | 59 +++ samples/snippets/list_secret_versions.py | 52 +++ samples/snippets/list_secrets.py | 50 +++ samples/snippets/quickstart.py | 64 ++++ samples/snippets/requirements.txt | 1 + samples/snippets/snippets_test.py | 172 +++++++++ samples/snippets/update_secret.py | 54 +++ 17 files changed, 1365 insertions(+) create mode 100644 samples/snippets/README.rst create mode 100644 samples/snippets/README.rst.in create mode 100644 samples/snippets/access_secret_version.py create mode 100644 samples/snippets/add_secret_version.py create mode 100644 samples/snippets/create_secret.py create mode 100644 samples/snippets/delete_secret.py create mode 100644 samples/snippets/destroy_secret_version.py create mode 100644 samples/snippets/disable_secret_version.py create mode 100644 samples/snippets/enable_secret_version.py create mode 100644 samples/snippets/get_secret.py create mode 100644 samples/snippets/get_secret_version.py create mode 100644 samples/snippets/list_secret_versions.py create mode 100644 samples/snippets/list_secrets.py create mode 100644 samples/snippets/quickstart.py create mode 100644 samples/snippets/requirements.txt create mode 100644 samples/snippets/snippets_test.py create mode 100644 samples/snippets/update_secret.py 
diff --git a/samples/snippets/README.rst b/samples/snippets/README.rst
new file mode 100644
index 0000000..865cab4
--- /dev/null
+++ b/samples/snippets/README.rst
@@ -0,0 +1,395 @@ +.. This file is automatically generated. Do not edit this file directly. + +Google Secret Manager Python Samples +=============================================================================== + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/README.rst + + +This directory contains samples for Google Secret Manager. `Google Secret Manager` is a service that allows you to store, manage, and secure access to application secrets. + + + + +.. _Google Secret Manager: https://cloud.google.com/secret-manager + +Setup +------------------------------------------------------------------------------- + + +Authentication +++++++++++++++ + +This sample requires you to have authentication setup. Refer to the +`Authentication Getting Started Guide`_ for instructions on setting up +credentials for applications. + +.. _Authentication Getting Started Guide: + https://cloud.google.com/docs/authentication/getting-started + +Install Dependencies +++++++++++++++++++++ + +#. Clone python-docs-samples and change directory to the sample directory you want to use. + + .. code-block:: bash + + $ git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git + +#. Install `pip`_ and `virtualenv`_ if you do not already have them. You may want to refer to the `Python Development Environment Setup Guide`_ for Google Cloud Platform for instructions. + + .. _Python Development Environment Setup Guide: + https://cloud.google.com/python/setup + +#. Create a virtualenv. Samples are compatible with Python 2.7 and 3.4+. + + .. code-block:: bash + + $ virtualenv env + $ source env/bin/activate + +#. Install the dependencies needed to run the samples. + + .. code-block:: bash + + $ pip install -r requirements.txt + +.. _pip: https://pip.pypa.io/ +.. 
_virtualenv: https://virtualenv.pypa.io/ + +Samples +------------------------------------------------------------------------------- + +Quickstart ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/quickstart.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python quickstart.py + + +Access Secret Version ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/access_secret_version.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python access_secret_version.py + + usage: access_secret_version.py [-h] project_id secret_id version_id + + command line application and sample code for accessing a secret version. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret to access + version_id version to access + + optional arguments: + -h, --help show this help message and exit + + + +Add Secret Version ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/add_secret_version.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. 
code-block:: bash + + $ python add_secret_version.py + + usage: add_secret_version.py [-h] project_id secret_id payload + + command line application and sample code for adding a secret version with the + specified payload to an existing secret. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret in which to add + payload secret material payload + + optional arguments: + -h, --help show this help message and exit + + + +Create Secret ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/create_secret.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python create_secret.py + + usage: create_secret.py [-h] project_id secret_id + + command line application and sample code for creating a new secret. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret to create + + optional arguments: + -h, --help show this help message and exit + + + +Delete Secret ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/delete_secret.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python delete_secret.py + + usage: delete_secret.py [-h] project_id secret_id + + command line application and sample code for deleting an existing secret. 
+ + positional arguments: + project_id id of the GCP project + secret_id id of the secret to delete + + optional arguments: + -h, --help show this help message and exit + + + +Destroy Secret Version ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/destroy_secret_version.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python destroy_secret_version.py + + usage: destroy_secret_version.py [-h] project_id secret_id version_id + + command line application and sample code for destroying a secret verison. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret from which to act + version_id id of the version to destroy + + optional arguments: + -h, --help show this help message and exit + + + +Enable Secret Version ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/enable_secret_version.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python enable_secret_version.py + + usage: enable_secret_version.py [-h] project_id secret_id version_id + + command line application and sample code for enabling a secret version. 
+ + positional arguments: + project_id id of the GCP project + secret_id id of the secret from which to act + version_id id of the version to enable + + optional arguments: + -h, --help show this help message and exit + + + +Get Secret Version ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/get_secret_version.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python get_secret_version.py + + usage: get_secret_version.py [-h] project_id secret_id version_id + + command line application and sample code for getting metdata about a secret + version, but not the secret payload. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret from which to act + version_id id of the version to get + + optional arguments: + -h, --help show this help message and exit + + + +Get Secret ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/get_secret.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python get_secret.py + + usage: get_secret.py [-h] project_id secret_id + + command line application and sample code for getting metadata about a secret. 
+ + positional arguments: + project_id id of the GCP project + secret_id id of the secret to get + + optional arguments: + -h, --help show this help message and exit + + + +List Secret Versions ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/list_secret_versions.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python list_secret_versions.py + + usage: list_secret_versions.py [-h] project_id secret_id + + command line application and sample code for listing secret versions of a + secret. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret in which to list + + optional arguments: + -h, --help show this help message and exit + + + +List Secrets ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/list_secrets.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python list_secrets.py + + usage: list_secrets.py [-h] project_id + + command line application and sample code for listing secrets in a project. + + positional arguments: + project_id id of the GCP project + + optional arguments: + -h, --help show this help message and exit + + + +Update Secret ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. 
image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/update_secret.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python update_secret.py + + usage: update_secret.py [-h] --secret-id SECRET_ID project_id + + positional arguments: + project_id id of the GCP project + + optional arguments: + -h, --help show this help message and exit + --secret-id SECRET_ID + + + + + +.. _Google Cloud SDK: https://cloud.google.com/sdk/ \ No newline at end of file diff --git a/samples/snippets/README.rst.in b/samples/snippets/README.rst.in new file mode 100644 index 0000000..0671857 --- /dev/null +++ b/samples/snippets/README.rst.in 
@@ -0,0 +1,52 @@
+# This file is used to generate README.rst
+
+product:
+ name: Google Secret Manager
+ short_name: Secret Manager
+ url: https://cloud.google.com/secret-manager
+ description: >
+ `Google Secret Manager` is a service that allows you to store, manage,
+ and secure access to application secrets.
+
+setup:
+- auth
+- install_deps
+
+samples:
+- name: Quickstart
+ file: quickstart.py
+- name: Access Secret Version
+ file: access_secret_version.py
+ show_help: True
+- name: Add Secret Version
+ file: add_secret_version.py
+ show_help: True
+- name: Create Secret
+ file: create_secret.py
+ show_help: True
+- name: Delete Secret
+ file: delete_secret.py
+ show_help: True
+- name: Destroy Secret Version
+ file: destroy_secret_version.py
+ show_help: True
+- name: Enable Secret Version
+ file: enable_secret_version.py
+ show_help: True
+- name: Get Secret Version
+ file: get_secret_version.py
+ show_help: True
+- name: Get Secret
+ file: get_secret.py
+ show_help: True
+- name: List Secret Versions
+ file: list_secret_versions.py
+ show_help: True
+- name: List Secrets
+ file: list_secrets.py
+ show_help: True
+- name: Update Secret
+ file: update_secret.py
+ show_help: True
+
+folder: secretmanager/api-client
diff --git a/samples/snippets/access_secret_version.py b/samples/snippets/access_secret_version.py
new file mode 100644
index 0000000..ceaa9b4
--- /dev/null
+++ b/samples/snippets/access_secret_version.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for accessing a secret version.
+"""
+
+import argparse
+
+
+# [START secretmanager_access_secret_version]
+def access_secret_version(project_id, secret_id, version_id):
+ """
+ Access the payload for the given secret version if one exists. The version
+ can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret version.
+ name = client.secret_version_path(project_id, secret_id, version_id)
+
+ # Access the secret version.
+ response = client.access_secret_version(name)
+
+ # Print the secret payload.
+ #
+ # WARNING: Do not print the secret in a production environment - this
+ # snippet is showing how to access the secret material.
+ payload = response.payload.data.decode('UTF-8')
+ print('Plaintext: {}'.format(payload))
+# [END secretmanager_access_secret_version]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret to access')
+ parser.add_argument('version_id', help='version to access')
+ args = parser.parse_args()
+
+ access_secret_version(args.project_id, args.secret_id, args.version_id)
diff --git a/samples/snippets/add_secret_version.py b/samples/snippets/add_secret_version.py
new file mode 100644
index 0000000..147e2c3
--- /dev/null
+++ b/samples/snippets/add_secret_version.py
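Review bot: In access_secret_version.py, `access_secret_version()` prints the decoded payload from inside the region-tagged snippet, so anyone who copies the sample or imports the function sends the secret to whatever captures stdout (job logs, container logs); the WARNING comment is easy to lose when the code is pasted. I would keep the function free of output and print only in the `__main__` block, e.g. `print('Plaintext: {}'.format(response.payload.data.decode('UTF-8')))` after the call. `decode('UTF-8')` also assumes the payload is text; a binary payload would raise `UnicodeDecodeError`, which a comment on that line should say. `return response` sits after the `[END ...]` tag, so the published snippet ends without it.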
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for adding a secret version with the
+specified payload to an existing secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_add_secret_version]
+def add_secret_version(project_id, secret_id, payload):
+ """
+ Add a new secret version to the given secret with the provided payload.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the parent secret.
+ parent = client.secret_path(project_id, secret_id)
+
+ # Convert the string payload into a bytes. This step can be omitted if you
+ # pass in bytes instead of a str for the payload argument.
+ payload = payload.encode('UTF-8')
+
+ # Add the secret version.
+ response = client.add_secret_version(parent, {'data': payload})
+
+ # Print the new secret version name.
+ print('Added secret version: {}'.format(response.name))
+# [END secretmanager_add_secret_version]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret in which to add')
+ parser.add_argument('payload', help='secret material payload')
+ args = parser.parse_args()
+
+ add_secret_version(args.project_id, args.secret_id, args.payload)
diff --git a/samples/snippets/create_secret.py b/samples/snippets/create_secret.py
new file mode 100644
index 0000000..06ec1d5
--- /dev/null
+++ b/samples/snippets/create_secret.py
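Review bot: In add_secret_version.py the secret material is taken as a positional command-line argument, `parser.add_argument('payload', help='secret material payload')`, which leaves it in shell history and visible in the process list while the command runs. For a sample a comment above that line is enough: `# WARNING: a secret passed on the command line is recorded in shell history and visible in process listings; read it from a file or stdin outside of a demo.` The help text could carry the same caveat so it reaches the generated README.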
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for creating a new secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_create_secret]
+def create_secret(project_id, secret_id):
+ """
+ Create a new secret with the given name. A secret is a logical wrapper
+ around a collection of secret versions. Secret versions hold the actual
+ secret material.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the parent project.
+ parent = client.project_path(project_id)
+
+ # Create the secret.
+ response = client.create_secret(parent, secret_id, {
+ 'replication': {
+ 'automatic': {},
+ },
+ })
+
+ # Print the new secret name.
+ print('Created secret: {}'.format(response.name))
+# [END secretmanager_create_secret]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret to create')
+ args = parser.parse_args()
+
+ create_secret(args.project_id, args.secret_id)
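Review bot: The replication policy `'automatic': {}` in `create_secret()` is passed without any explanation, although it is the one setting in this sample that decides where the secret material is stored. A comment above the dict would help, for example `# 'automatic' lets the service choose where the payload is replicated; use a user-managed policy when the secret must stay in specific regions.` As far as I know the policy cannot be changed once the secret exists, which is worth confirming and stating in the docstring.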
diff --git a/samples/snippets/delete_secret.py b/samples/snippets/delete_secret.py
new file mode 100644
index 0000000..d6c0fb8
--- /dev/null
+++ b/samples/snippets/delete_secret.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for deleting an existing secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_delete_secret]
+def delete_secret(project_id, secret_id):
+ """
+ Delete the secret with the given name and all of its versions.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret.
+ name = client.secret_path(project_id, secret_id)
+
+ # Delete the secret.
+ client.delete_secret(name)
+# [END secretmanager_delete_secret]
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret to delete')
+ args = parser.parse_args()
+
+ delete_secret(args.project_id, args.secret_id)
diff --git a/samples/snippets/destroy_secret_version.py b/samples/snippets/destroy_secret_version.py
new file mode 100644
index 0000000..f705417
--- /dev/null
+++ b/samples/snippets/destroy_secret_version.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for destroying a secret verison.
+"""
+
+import argparse
+
+
+# [START secretmanager_destroy_secret_version]
+def destroy_secret_version(project_id, secret_id, version_id):
+ """
+ Destroy the given secret version, making the payload irrecoverable. Other
+ secrets versions are unaffected.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret version
+ name = client.secret_version_path(project_id, secret_id, version_id)
+
+ # Destroy the secret version.
+ response = client.destroy_secret_version(name)
+
+ print('Destroyed secret version: {}'.format(response.name))
+# [END secretmanager_destroy_secret_version]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret from which to act')
+ parser.add_argument('version_id', help='id of the version to destroy')
+ args = parser.parse_args()
+
+ destroy_secret_version(args.project_id, args.secret_id, args.version_id)
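Review bot: The module docstring of destroy_secret_version.py misspells "version" as `verison`, and because it is passed to argparse as `description=__doc__` the typo appears in the `--help` output and in the generated README. The function docstring also reads `Other secrets versions are unaffected`, where `Other secret versions` is meant. The same phrase recurs in the docstrings of disable_secret_version.py and enable_secret_version.py.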
diff --git a/samples/snippets/disable_secret_version.py b/samples/snippets/disable_secret_version.py
new file mode 100644
index 0000000..a656331
--- /dev/null
+++ b/samples/snippets/disable_secret_version.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for disabling a secret version.
+"""
+
+import argparse
+
+
+# [START secretmanager_disable_secret_version]
+def disable_secret_version(project_id, secret_id, version_id):
+ """
+ Disable the given secret version. Future requests will throw an error until
+ the secret version is enabled. Other secrets versions are unaffected.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret version
+ name = client.secret_version_path(project_id, secret_id, version_id)
+
+ # Disable the secret version.
+ response = client.disable_secret_version(name)
+
+ print('Disabled secret version: {}'.format(response.name))
+# [END secretmanager_disable_secret_version]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret from which to act')
+ parser.add_argument('version_id', help='id of the version to disable')
+ args = parser.parse_args()
+
+ disable_secret_version(args.project_id, args.secret_id, args.version_id)
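Review bot: disable_secret_version.py is added here, but the samples list in README.rst.in in this same patch has no entry for it, so the generated README documents the enable and destroy samples and not the disable one. Adding `- name: Disable Secret Version` with `file: disable_secret_version.py` and `show_help: True` and regenerating the README would close the gap. In the function docstring, `Future requests will throw an error` does not say which requests; something like `Attempts to access this version fail until it is enabled again` would be clearer.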
diff --git a/samples/snippets/enable_secret_version.py b/samples/snippets/enable_secret_version.py
new file mode 100644
index 0000000..472157c
--- /dev/null
+++ b/samples/snippets/enable_secret_version.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for enabling a secret version.
+"""
+
+import argparse
+
+
+# [START secretmanager_enable_secret_version]
+def enable_secret_version(project_id, secret_id, version_id):
+ """
+ Enable the given secret version, enabling it to be accessed after
+ previously being disabled. Other secrets versions are unaffected.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret version
+ name = client.secret_version_path(project_id, secret_id, version_id)
+
+ # Disable the secret version.
+ response = client.enable_secret_version(name)
+
+ print('Enabled secret version: {}'.format(response.name))
+# [END secretmanager_enable_secret_version]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret from which to act')
+ parser.add_argument('version_id', help='id of the version to enable')
+ args = parser.parse_args()
+
+ enable_secret_version(args.project_id, args.secret_id, args.version_id)
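Review bot: The comment above `client.enable_secret_version(name)` in enable_secret_version.py says `# Disable the secret version.`, a leftover from the disable sample; it should read `# Enable the secret version.`. The line is inside the region tags, so the wrong comment is published with the snippet, and a reader skimming comments could take the call for the opposite operation.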
diff --git a/samples/snippets/get_secret.py b/samples/snippets/get_secret.py new file mode 100644 index 0000000..3d9bf49 --- /dev/null +++ b/samples/snippets/get_secret.py 
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for getting metadata about a secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_get_secret]
+def get_secret(project_id, secret_id):
+ """
+ Get information about the given secret. This only returns metadata about
+ the secret container, not any secret material.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret.
+ name = client.secret_path(project_id, secret_id)
+
+ # Delete the secret.
+ response = client.get_secret(name)
+
+ # Get the replication policy.
+ if response.replication.automatic:
+ replication = 'AUTOMATIC'
+ elif response.replication.user_managed:
+ replication = 'MANAGED'
+ else:
+ raise 'Unknown replication {}'.format(response.replication)
+
+ # Print data about the secret.
+ print('Got secret {} with replication policy {}'.format(
+ response.name, replication))
+# [END secretmanager_get_secret]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret to get')
+ args = parser.parse_args()
+
+ get_secret(args.project_id, args.secret_id)
diff --git a/samples/snippets/get_secret_version.py b/samples/snippets/get_secret_version.py
new file mode 100644
index 0000000..ed4dd89
--- /dev/null
+++ b/samples/snippets/get_secret_version.py
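Review bot: The `else` branch of get_secret raises a plain string, `raise 'Unknown replication {}'.format(response.replication)`, which Python 3 rejects with a TypeError because exceptions must derive from BaseException. The caller therefore never sees the intended message when the replication type is neither automatic nor user-managed. Raise a real exception type instead: `raise ValueError('Unknown replication {}'.format(response.replication))`.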
@@ -0,0 +1,59 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for getting metdata about a secret
+version, but not the secret payload.
+"""
+
+import argparse
+
+
+# [START secretmanager_get_secret_version]
+def get_secret_version(project_id, secret_id, version_id):
+ """
+ Get information about the given secret version. It does not include the
+ payload data.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret version.
+ name = client.secret_version_path(project_id, secret_id, version_id)
+
+ # Get the secret version.
+ response = client.get_secret_version(name)
+
+ # Print information about the secret version.
+ state = response.State.Name(response.state)
+ print('Got secret version {} with state {}'.format(response.name, state))
+# [END secretmanager_get_secret_version]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret from which to act')
+ parser.add_argument('version_id', help='id of the version to get')
+ args = parser.parse_args()
+
+ get_secret_version(args.project_id, args.secret_id, args.version_id)
diff --git a/samples/snippets/list_secret_versions.py b/samples/snippets/list_secret_versions.py
new file mode 100644
index 0000000..d727d3c
--- /dev/null
+++ b/samples/snippets/list_secret_versions.py
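Review bot: The module docstring of get_secret_version.py misspells "metadata" as "metdata", and because the parser is built with `description=__doc__` the typo shows up in the `--help` output. The first docstring line should read `command line application and sample code for getting metadata about a secret`.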
@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for listing secret versions of a
+secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_list_secret_versions]
+def list_secret_versions(project_id, secret_id):
+ """
+ List all secret versions in the given secret and their metadata.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the parent secret.
+ parent = client.secret_path(project_id, secret_id)
+
+ # List all secret versions.
+ for version in client.list_secret_versions(parent):
+ print('Found secret version: {}'.format(version.name))
+# [END secretmanager_list_secret_versions]
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret in which to list')
+ args = parser.parse_args()
+
+ list_secret_versions(args.project_id, args.secret_id)
diff --git a/samples/snippets/list_secrets.py b/samples/snippets/list_secrets.py
new file mode 100644
index 0000000..1d6981e
--- /dev/null
+++ b/samples/snippets/list_secrets.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for listing secrets in a project.
+"""
+
+import argparse
+
+
+# [START secretmanager_list_secrets]
+def list_secrets(project_id):
+ """
+ List all secrets in the given project.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the parent project.
+ parent = client.project_path(project_id)
+
+ # List all secrets.
+ for secret in client.list_secrets(parent):
+ print('Found secret: {}'.format(secret.name))
+# [END secretmanager_list_secrets]
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ args = parser.parse_args()
+
+ list_secrets(args.project_id)
diff --git a/samples/snippets/quickstart.py b/samples/snippets/quickstart.py
new file mode 100644
index 0000000..5ebaba9
--- /dev/null
+++ b/samples/snippets/quickstart.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for creating an accessing a secret.
+"""
+
+
+def quickstart(_project_id=None, _secret_id=None):
+ # [START secretmanager_quickstart]
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # GCP project in which to store secrets in Secret Manager.
+ project_id = 'YOUR_PROJECT_ID'
+
+ # ID of the secret to create.
+ secret_id = 'YOUR_SECRET_ID'
+
+ # [END secretmanager_quickstart]
+ project_id = _project_id
+ secret_id = _secret_id
+ # [START secretmanager_quickstart]
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the parent name from the project.
+ parent = client.project_path(project_id)
+
+ # Create the parent secret.
+ secret = client.create_secret(parent, secret_id, {
+ 'replication': {
+ 'automatic': {},
+ },
+ })
+
+ # Add the secret version.
+ version = client.add_secret_version(secret.name, {'data': b'hello world!'})
+
+ # Access the secret version.
+ response = client.access_secret_version(version.name)
+
+ # Print the secret payload.
+ #
+ # WARNING: Do not print the secret in a production environment - this
+ # snippet is showing how to access the secret material.
+ payload = response.payload.data.decode('UTF-8')
+ print('Plaintext: {}'.format(payload))
+ # [END secretmanager_quickstart]
+
+
+if __name__ == '__main__':
+ quickstart()
diff --git a/samples/snippets/requirements.txt b/samples/snippets/requirements.txt
new file mode 100644
index 0000000..b4de702
--- /dev/null
+++ b/samples/snippets/requirements.txt
@@ -0,0 +1 @@
+google-cloud-secret-manager==0.1.0
diff --git a/samples/snippets/snippets_test.py b/samples/snippets/snippets_test.py
new file mode 100644
index 0000000..6269286
--- /dev/null
+++ b/samples/snippets/snippets_test.py
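Review bot: In quickstart.py the lines `project_id = _project_id` and `secret_id = _secret_id` overwrite the placeholders unconditionally, so the `__main__` path, which calls `quickstart()` with no arguments, reaches `client.project_path(None)` and `create_secret(parent, None, ...)`. Falling back only when a value was passed keeps both the test path and the direct run meaningful: `project_id = _project_id or project_id` and `secret_id = _secret_id or secret_id`. The function has no docstring; one line stating that it creates a secret, adds a version and prints the payload would do, and it should mention that the secret is left in the project afterwards. The module docstring also reads "creating an accessing" where "creating and accessing" is meant.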
@@ -0,0 +1,172 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+
+import os
+import pytest
+import uuid
+
+from quickstart import quickstart
+from access_secret_version import access_secret_version
+from add_secret_version import add_secret_version
+from create_secret import create_secret
+from delete_secret import delete_secret
+from destroy_secret_version import destroy_secret_version
+from disable_secret_version import disable_secret_version
+from enable_secret_version import enable_secret_version
+from get_secret_version import get_secret_version
+from get_secret import get_secret
+from list_secret_versions import list_secret_versions
+from list_secrets import list_secrets
+from update_secret import update_secret
+
+from google.api_core import exceptions
+from google.cloud import secretmanager_v1beta1 as secretmanager
+
+
+@pytest.fixture()
+def client():
+ return secretmanager.SecretManagerServiceClient()
+
+
+@pytest.fixture()
+def project_id():
+ return os.environ['GCLOUD_PROJECT']
+
+
+@pytest.fixture()
+def secret(client, project_id):
+ parent = client.project_path(project_id)
+ secret_id = 'python-secret-{}'.format(uuid.uuid4())
+
+ print('creating secret {}'.format(secret_id))
+ secret = client.create_secret(parent, secret_id, {
+ 'replication': {
+ 'automatic': {},
+ },
+ })
+
+ yield project_id, secret_id
+
+ print('deleting secret {}'.format(secret_id))
+ try:
+ client.delete_secret(secret.name)
+ except exceptions.NotFound:
+ # Secret was already deleted, probably in the test
+ pass
+
+
+another_secret = secret
+
+
+@pytest.fixture()
+def secret_version(client, secret):
+ project_id, secret_id = secret
+
+ print('adding secret version to {}'.format(secret_id))
+ parent = client.secret_path(project_id, secret_id)
+ payload = 'hello world!'.encode('UTF-8')
+ version = client.add_secret_version(parent, {'data': payload})
+
+ yield project_id, secret_id, version.name.rsplit('/', 1)[-1]
+
+
+another_secret_version = secret_version
+
+
+def test_quickstart(project_id):
+ secret_id = 'python-secret-{}'.format(uuid.uuid4())
+ quickstart(project_id, secret_id)
+
+
+def test_access_secret_version(secret_version):
+ project_id, secret_id, version_id = secret_version
+ version = access_secret_version(project_id, secret_id, version_id)
+ assert version.payload.data == b'hello world!'
+
+
+def test_add_secret_version(secret):
+ project_id, secret_id = secret
+ payload = 'test123'
+ version = add_secret_version(project_id, secret_id, payload)
+ assert secret_id in version.name
+
+
+def test_create_secret(client, project_id):
+ secret_id = 'python-secret-{}'.format(uuid.uuid4())
+ secret = create_secret(project_id, secret_id)
+ assert secret_id in secret.name
+ client.delete_secret(secret.name)
+
+
+def test_delete_secret(client, secret):
+ project_id, secret_id = secret
+ delete_secret(project_id, secret_id)
+ with pytest.raises(exceptions.NotFound):
+ print('{}'.format(client))
+ name = client.secret_version_path(project_id, secret_id, 'latest')
+ client.access_secret_version(name)
+
+
+def test_destroy_secret_version(client, secret_version):
+ project_id, secret_id, version_id = secret_version
+ version = destroy_secret_version(project_id, secret_id, version_id)
+ assert version.destroy_time
+
+
+def test_enable_disable_secret_version(client, secret_version):
+ project_id, secret_id, version_id = secret_version
+ version = disable_secret_version(project_id, secret_id, version_id)
+ assert version.state == secretmanager.enums.SecretVersion.State.DISABLED
+
+ version = enable_secret_version(project_id, secret_id, version_id)
+ assert version.state == secretmanager.enums.SecretVersion.State.ENABLED
+
+
+def test_get_secret_version(client, secret_version):
+ project_id, secret_id, version_id = secret_version
+ version = get_secret_version(project_id, secret_id, version_id)
+ assert secret_id in version.name
+ assert version_id in version.name
+
+
+def test_get_secret(client, secret):
+ project_id, secret_id = secret
+ snippet_secret = get_secret(project_id, secret_id)
+ assert secret_id in snippet_secret.name
+
+
+def test_list_secret_versions(capsys, secret_version, another_secret_version):
+ project_id, secret_id, version_id = secret_version
+ _, _, another_version_id = another_secret_version
+ list_secret_versions(project_id, secret_id)
+
+ out, _ = capsys.readouterr()
+ assert secret_id in out
+ assert version_id in out
+ assert another_version_id in out
+
+
+def test_list_secrets(capsys, secret, another_secret):
+ project_id, secret_id = secret
+ _, another_secret_id = another_secret
+ list_secrets(project_id)
+
+ out, _ = capsys.readouterr()
+ assert secret_id in out
+ assert another_secret_id in out
+
+
+def test_update_secret(secret):
+ project_id, secret_id = secret
+ secret = update_secret(project_id, secret_id)
+ assert secret.labels['secretmanager'] == 'rocks'
diff --git a/samples/snippets/update_secret.py b/samples/snippets/update_secret.py
new file mode 100644
index 0000000..10e3241
--- /dev/null
+++ b/samples/snippets/update_secret.py
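Review bot: `test_quickstart` creates a secret named `python-secret-<uuid>` through `quickstart(project_id, secret_id)` and never deletes it, so each run leaves a secret with a stored version behind in the test project. Take the `client` fixture and clean up in a `finally` block with `client.delete_secret(client.secret_path(project_id, secret_id))`. `test_create_secret` has a similar gap: `client.delete_secret(secret.name)` runs only after the assert, so a failing assertion leaks the secret. The `print('{}'.format(client))` inside the `pytest.raises` block of `test_delete_secret` looks like leftover debugging and can be dropped.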
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+
+import argparse
+
+
+# [START secretmanager_update_secret]
+def update_secret(project_id, secret_id):
+ """
+ Update the metadata about an existing secret.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret.
+ name = client.secret_path(project_id, secret_id)
+
+ # Update the secret.
+ secret = {'name': name, 'labels': {'secretmanager': 'rocks'}}
+ update_mask = {'paths': ['labels']}
+ response = client.update_secret(secret, update_mask)
+
+ # Print the new secret name.
+ print('Updated secret: {}'.format(response.name))
+ # [END secretmanager_update_secret]
+
+ return response
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('--secret-id', required=True)
+ args = parser.parse_args()
+
+ update_secret(args.project_id, args.secret_id)
From 18918df401518c016512b6148b28565629e48af7 Mon Sep 17 00:00:00 2001
From: Seth Vargo Date: Thu, 9 Jan 2020 10:27:41 -0600 Subject: [PATCH 02/12] Bump secretmanager version [(#2699)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/2699) This bumps to the version that doesn't have a bunch of deprecation warnings. --- samples/snippets/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/requirements.txt b/samples/snippets/requirements.txt index b4de702..2db3b70 100644 --- a/samples/snippets/requirements.txt +++ b/samples/snippets/requirements.txt @@ -1 +1 @@ -google-cloud-secret-manager==0.1.0 +google-cloud-secret-manager==0.1.1 From 89125c2959c62b0dbf74014c8c095dbf6b733842 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 13 Jan 2020 12:26:26 -0500 Subject: [PATCH 03/12] Fix a small comment typo [(#2714)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/2714) --- samples/snippets/get_secret.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/get_secret.py b/samples/snippets/get_secret.py index 3d9bf49..b7dc83c 100644 --- a/samples/snippets/get_secret.py +++ b/samples/snippets/get_secret.py @@ -35,7 +35,7 @@ def get_secret(project_id, secret_id): # Build the resource name of the secret. name = client.secret_path(project_id, secret_id) - # Delete the secret. + # Get the secret. response = client.get_secret(name) # Get the replication policy. From 6d688db2d41cfd3286d07a12294e2885f53859a3 Mon Sep 17 00:00:00 2001 
From: Seth Vargo Date: Thu, 30 Jan 2020 14:13:17 -0500 Subject: [PATCH 04/12] Add Secret Manager IAM samples [(#2749)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/2749) * Add Secret Manager IAM samples * Use an envvar for the iam user * Add env var to secrets. Co-authored-by: Kurtis Van Gent <31518063+kurtisvg@users.noreply.github.com> --- samples/snippets/README.rst | 58 ++++++++++++++++++++++++ samples/snippets/README.rst.in | 6 +++ samples/snippets/iam_grant_access.py | 64 ++++++++++++++++++++++++++ samples/snippets/iam_revoke_access.py | 65 +++++++++++++++++++++++++++ samples/snippets/snippets_test.py | 21 ++++++++- 5 files changed, 213 insertions(+), 1 deletion(-) create mode 100644 samples/snippets/iam_grant_access.py create mode 100644 samples/snippets/iam_revoke_access.py diff --git a/samples/snippets/README.rst b/samples/snippets/README.rst index 865cab4..af98fb3 100644 --- a/samples/snippets/README.rst +++ b/samples/snippets/README.rst 
@@ -280,6 +280,64 @@ To run this sample: +IAM Grant Access ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/iam_grant_access.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python iam_grant_access.py + + usage: iam_grant_access.py [-h] project_id secret_id member + + command line application and sample code for granting access to a secret. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret to get + member member to grant access + + optional arguments: + -h, --help show this help message and exit + + + +IAM Revoke Access ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +.. image:: https://gstatic.com/cloudssh/images/open-btn.png + :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=secretmanager/api-client/iam_revoke_access.py,secretmanager/api-client/README.rst + + + + +To run this sample: + +.. code-block:: bash + + $ python iam_revoke_access.py + + usage: iam_revoke_access.py [-h] project_id secret_id member + + command line application and sample code for revoking access to a secret. + + positional arguments: + project_id id of the GCP project + secret_id id of the secret to get + member member to revoke access + + optional arguments: + -h, --help show this help message and exit + + + Get Secret +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ diff --git a/samples/snippets/README.rst.in b/samples/snippets/README.rst.in index 0671857..ddd46a4 100644 --- a/samples/snippets/README.rst.in +++ b/samples/snippets/README.rst.in 
@@ -36,6 +36,12 @@ samples: - name: Get Secret Version file: get_secret_version.py show_help: True +- name: IAM Grant Access + file: iam_grant_access.py + show_help: True +- name: IAM Revoke Access + file: iam_revoke_access.py + show_help: True - name: Get Secret file: get_secret.py show_help: True diff --git a/samples/snippets/iam_grant_access.py b/samples/snippets/iam_grant_access.py new file mode 100644 index 0000000..1454d6d --- /dev/null +++ b/samples/snippets/iam_grant_access.py 
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for granting access to a secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_iam_grant_access]
+def iam_grant_access(project_id, secret_id, member):
+ """
+ Grant the given member access to a secret.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret.
+ name = client.secret_path(project_id, secret_id)
+
+ # Get the current IAM policy.
+ policy = client.get_iam_policy(name)
+
+ # Add the given member with access permissions.
+ policy.bindings.add(
+ role='roles/secretmanager.secretAccessor',
+ members=[member])
+
+ # Update the IAM Policy.
+ new_policy = client.set_iam_policy(name, policy)
+
+ # Print data about the secret.
+ print('Updated IAM policy on {}'.format(secret_id))
+# [END secretmanager_iam_grant_access]
+
+ return new_policy
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(
+ description=__doc__,
+ formatter_class=argparse.RawDescriptionHelpFormatter)
+ parser.add_argument('project_id', help='id of the GCP project')
+ parser.add_argument('secret_id', help='id of the secret to get')
+ parser.add_argument('member', help='member to grant access')
+ args = parser.parse_args()
+
+ iam_grant_access(args.project_id, args.secret_id, args.member)
diff --git a/samples/snippets/iam_revoke_access.py b/samples/snippets/iam_revoke_access.py
new file mode 100644
index 0000000..5eb7fc0
--- /dev/null
+++ b/samples/snippets/iam_revoke_access.py
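Review bot: `policy.bindings.add(role='roles/secretmanager.secretAccessor', members=[member])` in iam_grant_access appends a new binding on every call without checking for an existing binding for that role. Repeated grants can therefore send a policy with duplicate role entries to `set_iam_policy`; the service may merge them, but that is not visible here. Reusing the existing binding keeps the policy readable for anyone auditing who can read the secret, as sketched below. The docstring should say which role is granted and that `member` is expected in prefixed form such as the `serviceAccount:` string the test builds. The `secret_id` help text `'id of the secret to get'` is copied from get_secret.
```python
    # Add the given member with access permissions.
    role = 'roles/secretmanager.secretAccessor'
    for binding in policy.bindings:
        if binding.role == role:
            if member not in binding.members:
                binding.members.append(member)
            break
    else:
        policy.bindings.add(role=role, members=[member])
    # … unchanged: set_iam_policy call, print and return …
```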
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+command line application and sample code for revoking access to a secret.
+"""
+
+import argparse
+
+
+# [START secretmanager_iam_revoke_access]
+def iam_revoke_access(project_id, secret_id, member):
+ """
+ Revoke the given member access to a secret.
+ """
+
+ # Import the Secret Manager client library.
+ from google.cloud import secretmanager_v1beta1 as secretmanager
+
+ # Create the Secret Manager client.
+ client = secretmanager.SecretManagerServiceClient()
+
+ # Build the resource name of the secret.
+ name = client.secret_path(project_id, secret_id)
+
+ # Get the current IAM policy.
+ policy = client.get_iam_policy(name)
+
+ # Remove the given member's access permissions.
+ accessRole = 'roles/secretmanager.secretAccessor'
+ for b in list(policy.bindings):
+ if b.role == accessRole and member in b.members:
+ b.members.remove(member)
+
+ # Update the IAM Policy.
+ new_policy = client.set_iam_policy(name, policy)
+
+ # Print data about the secret.
+ print('Updated IAM policy on {}'.format(secret_id)) +# [END secretmanager_iam_revoke_access] + + return new_policy + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description=__doc__, + formatter_class=argparse.RawDescriptionHelpFormatter) + parser.add_argument('project_id', help='id of the GCP project') + parser.add_argument('secret_id', help='id of the secret to get') + parser.add_argument('member', help='member to revoke access') + args = parser.parse_args() + + iam_revoke_access(args.project_id, args.secret_id, args.member) diff --git a/samples/snippets/snippets_test.py b/samples/snippets/snippets_test.py index 6269286..18f3634 100644 --- a/samples/snippets/snippets_test.py +++ b/samples/snippets/snippets_test.py @@ -23,8 +23,10 @@ from destroy_secret_version import destroy_secret_version from disable_secret_version import disable_secret_version from enable_secret_version import enable_secret_version -from get_secret_version import get_secret_version from get_secret import get_secret +from get_secret_version import get_secret_version +from iam_grant_access import iam_grant_access +from iam_revoke_access import iam_revoke_access from list_secret_versions import list_secret_versions from list_secrets import list_secrets from update_secret import update_secret @@ -43,6 +45,11 @@ def project_id(): return os.environ['GCLOUD_PROJECT'] +@pytest.fixture() +def iam_user(): + return 'serviceAccount:' + os.environ['GCLOUD_SECRETS_SERVICE_ACCOUNT'] + + @pytest.fixture() def secret(client, project_id): parent = client.project_path(project_id) 
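Review bot: The docstring `Revoke the given member access to a secret.` in iam_revoke_access promises more than the loop delivers. Only membership in `roles/secretmanager.secretAccessor` on this secret's own policy is removed, so a member holding another role on the secret, or a role granted at a higher level such as the project, keeps whatever access that role gives. State the scope in the docstring, for example `Remove the member from the secretAccessor binding on this secret; other roles and inherited grants are not changed.` The loop can also leave a binding with an empty `members` list in the policy passed to `set_iam_policy`, and `accessRole` would read better as `access_role` to match the snake_case used elsewhere.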
@@ -145,6 +152,18 @@ def test_get_secret(client, secret): assert secret_id in snippet_secret.name +def test_iam_grant_access(client, secret, iam_user): + project_id, secret_id = secret + policy = iam_grant_access(project_id, secret_id, iam_user) + assert any(iam_user in b.members for b in policy.bindings) + + +def test_iam_revoke_access(client, secret, iam_user): + project_id, secret_id = secret + policy = iam_revoke_access(project_id, secret_id, iam_user) + assert not any(iam_user in b.members for b in policy.bindings) + + def test_list_secret_versions(capsys, secret_version, another_secret_version): project_id, secret_id, version_id = secret_version _, _, another_version_id = another_secret_version From 81f6685c003b3c3fcdfb42415721cef2a8ad3721 Mon Sep 17 00:00:00 2001 From: gwhitehawk Date: Tue, 17 Mar 2020 12:08:05 -0400 Subject: [PATCH 05/12] SecretManager update v1beta1->v1 [(#3065)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/3065) Client library has been updated: https://pypi.org/project/google-cloud-secret-manager/ --- samples/snippets/access_secret_version.py | 2 +- samples/snippets/add_secret_version.py | 2 +- samples/snippets/create_secret.py | 2 +- samples/snippets/delete_secret.py | 2 +- samples/snippets/destroy_secret_version.py | 2 +- samples/snippets/disable_secret_version.py | 2 +- samples/snippets/enable_secret_version.py | 2 +- samples/snippets/get_secret.py | 2 +- samples/snippets/get_secret_version.py | 2 +- samples/snippets/iam_grant_access.py | 2 +- samples/snippets/iam_revoke_access.py | 2 +- samples/snippets/list_secret_versions.py | 2 +- samples/snippets/list_secrets.py | 2 +- samples/snippets/quickstart.py | 2 +- samples/snippets/requirements.txt | 2 +- samples/snippets/snippets_test.py | 2 +- samples/snippets/update_secret.py | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/samples/snippets/access_secret_version.py b/samples/snippets/access_secret_version.py index ceaa9b4..c620ea3 100644 
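Review bot: `test_iam_revoke_access` runs against a fresh `secret` fixture on which `iam_user` was never granted anything, so `assert not any(iam_user in b.members for b in policy.bindings)` passes even if `iam_revoke_access` removes nothing. A regression that leaves the member in the binding would go unnoticed. Grant first inside the test, `iam_grant_access(project_id, secret_id, iam_user)` before the revoke call, so the assertion exercises the removal.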
--- a/samples/snippets/access_secret_version.py +++ b/samples/snippets/access_secret_version.py @@ -27,7 +27,7 @@ def access_secret_version(project_id, secret_id, version_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/add_secret_version.py b/samples/snippets/add_secret_version.py index 147e2c3..51be871 100644 --- a/samples/snippets/add_secret_version.py +++ b/samples/snippets/add_secret_version.py @@ -27,7 +27,7 @@ def add_secret_version(project_id, secret_id, payload): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/create_secret.py b/samples/snippets/create_secret.py index 06ec1d5..23d9347 100644 --- a/samples/snippets/create_secret.py +++ b/samples/snippets/create_secret.py @@ -28,7 +28,7 @@ def create_secret(project_id, secret_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/delete_secret.py b/samples/snippets/delete_secret.py index d6c0fb8..3ee5a2b 100644 --- a/samples/snippets/delete_secret.py +++ b/samples/snippets/delete_secret.py @@ -26,7 +26,7 @@ def delete_secret(project_id, secret_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() 
diff --git a/samples/snippets/destroy_secret_version.py b/samples/snippets/destroy_secret_version.py index f705417..1d03318 100644 --- a/samples/snippets/destroy_secret_version.py +++ b/samples/snippets/destroy_secret_version.py @@ -27,7 +27,7 @@ def destroy_secret_version(project_id, secret_id, version_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/disable_secret_version.py b/samples/snippets/disable_secret_version.py index a656331..a88f1a7 100644 --- a/samples/snippets/disable_secret_version.py +++ b/samples/snippets/disable_secret_version.py @@ -27,7 +27,7 @@ def disable_secret_version(project_id, secret_id, version_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/enable_secret_version.py b/samples/snippets/enable_secret_version.py index 472157c..c14e2bb 100644 --- a/samples/snippets/enable_secret_version.py +++ b/samples/snippets/enable_secret_version.py @@ -27,7 +27,7 @@ def enable_secret_version(project_id, secret_id, version_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/get_secret.py b/samples/snippets/get_secret.py index b7dc83c..5eea886 100644 --- a/samples/snippets/get_secret.py +++ b/samples/snippets/get_secret.py 
@@ -27,7 +27,7 @@ def get_secret(project_id, secret_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/get_secret_version.py b/samples/snippets/get_secret_version.py index ed4dd89..7ddb8a5 100644 --- a/samples/snippets/get_secret_version.py +++ b/samples/snippets/get_secret_version.py @@ -28,7 +28,7 @@ def get_secret_version(project_id, secret_id, version_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/iam_grant_access.py b/samples/snippets/iam_grant_access.py index 1454d6d..3c3a7e7 100644 --- a/samples/snippets/iam_grant_access.py +++ b/samples/snippets/iam_grant_access.py @@ -26,7 +26,7 @@ def iam_grant_access(project_id, secret_id, member): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/iam_revoke_access.py b/samples/snippets/iam_revoke_access.py index 5eb7fc0..385a52a 100644 --- a/samples/snippets/iam_revoke_access.py +++ b/samples/snippets/iam_revoke_access.py @@ -26,7 +26,7 @@ def iam_revoke_access(project_id, secret_id, member): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() 
diff --git a/samples/snippets/list_secret_versions.py b/samples/snippets/list_secret_versions.py index d727d3c..2ff4434 100644 --- a/samples/snippets/list_secret_versions.py +++ b/samples/snippets/list_secret_versions.py @@ -27,7 +27,7 @@ def list_secret_versions(project_id, secret_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/list_secrets.py b/samples/snippets/list_secrets.py index 1d6981e..0d0e798 100644 --- a/samples/snippets/list_secrets.py +++ b/samples/snippets/list_secrets.py @@ -26,7 +26,7 @@ def list_secrets(project_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() diff --git a/samples/snippets/quickstart.py b/samples/snippets/quickstart.py index 5ebaba9..68b1b04 100644 --- a/samples/snippets/quickstart.py +++ b/samples/snippets/quickstart.py @@ -20,7 +20,7 @@ def quickstart(_project_id=None, _secret_id=None): # [START secretmanager_quickstart] # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # GCP project in which to store secrets in Secret Manager. project_id = 'YOUR_PROJECT_ID' diff --git a/samples/snippets/requirements.txt b/samples/snippets/requirements.txt index 2db3b70..566e5d4 100644 --- a/samples/snippets/requirements.txt +++ b/samples/snippets/requirements.txt @@ -1 +1 @@ -google-cloud-secret-manager==0.1.1 +google-cloud-secret-manager==0.2.0 diff --git a/samples/snippets/snippets_test.py b/samples/snippets/snippets_test.py index 18f3634..08f9244 100644 --- a/samples/snippets/snippets_test.py 
+++ b/samples/snippets/snippets_test.py @@ -32,7 +32,7 @@ from update_secret import update_secret from google.api_core import exceptions -from google.cloud import secretmanager_v1beta1 as secretmanager +from google.cloud import secretmanager @pytest.fixture() diff --git a/samples/snippets/update_secret.py b/samples/snippets/update_secret.py index 10e3241..8c97d91 100644 --- a/samples/snippets/update_secret.py +++ b/samples/snippets/update_secret.py @@ -23,7 +23,7 @@ def update_secret(project_id, secret_id): """ # Import the Secret Manager client library. - from google.cloud import secretmanager_v1beta1 as secretmanager + from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() From 2908455d664ca53ea9991f7879726781ee808360 Mon Sep 17 00:00:00 2001 
From: Kurtis Van Gent <31518063+kurtisvg@users.noreply.github.com> Date: Wed, 1 Apr 2020 19:11:50 -0700 Subject: [PATCH 06/12] Simplify noxfile setup. [(#2806)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/2806) * chore(deps): update dependency requests to v2.23.0 * Simplify noxfile and add version control. * Configure appengine/standard to only test Python 2.7. * Update Kokokro configs to match noxfile. * Add requirements-test to each folder. * Remove Py2 versions from everything execept appengine/standard. * Remove conftest.py. * Remove appengine/standard/conftest.py * Remove 'no-sucess-flaky-report' from pytest.ini. * Add GAE SDK back to appengine/standard tests. * Fix typo. * Roll pytest to python 2 version. * Add a bunch of testing requirements. * Remove typo. * Add appengine lib directory back in. * Add some additional requirements. * Fix issue with flake8 args. * Even more requirements. * Readd appengine conftest.py. * Add a few more requirements. * Even more Appengine requirements. * Add webtest for appengine/standard/mailgun. * Add some additional requirements. * Add workaround for issue with mailjet-rest. * Add responses for appengine/standard/mailjet. Co-authored-by: Renovate Bot --- samples/snippets/requirements-test.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 samples/snippets/requirements-test.txt diff --git a/samples/snippets/requirements-test.txt b/samples/snippets/requirements-test.txt new file mode 100644 index 0000000..781d432 --- /dev/null +++ b/samples/snippets/requirements-test.txt @@ -0,0 +1 @@ +pytest==5.3.2 From 5018339a99da2054dd441715cf385fbef45230c1 Mon Sep 17 00:00:00 2001 From: Takashi Matsuo Date: Tue, 12 May 2020 17:57:14 -0700 Subject: [PATCH 07/12] chore: some lint fixes [(#3749)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/3749) --- samples/snippets/snippets_test.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/samples/snippets/snippets_test.py b/samples/snippets/snippets_test.py index 08f9244..2c16c13 100644 --- a/samples/snippets/snippets_test.py +++ b/samples/snippets/snippets_test.py @@ -12,10 +12,12 @@ # See the License for the specific language governing permissions and import os -import pytest import uuid -from quickstart import quickstart +from google.api_core import exceptions +from google.cloud import secretmanager +import pytest + from access_secret_version import access_secret_version from add_secret_version import add_secret_version from create_secret import create_secret @@ -29,11 +31,9 @@ from iam_revoke_access import iam_revoke_access from list_secret_versions import list_secret_versions from list_secrets import list_secrets +from quickstart import quickstart from update_secret import update_secret -from google.api_core import exceptions -from google.cloud import secretmanager - @pytest.fixture() def client(): From 66b3ab93bd5e550e835872d9351437cc7895004d Mon Sep 17 00:00:00 2001 From: WhiteSource Renovate Date: Wed, 20 May 2020 20:00:05 +0200 Subject: [PATCH 08/12] chore(deps): update dependency google-cloud-secret-manager to v1 [(#3846)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/3846) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [google-cloud-secret-manager](https://togithub.com/googleapis/python-secret-manager) | major | `==0.2.0` -> `==1.0.0` | --- ### Release Notes
googleapis/python-secret-manager ### [`v1.0.0`](https://togithub.com/googleapis/python-secret-manager/blob/master/CHANGELOG.md#​100-httpswwwgithubcomgoogleapispython-secret-managercomparev020v100-2020-05-20) [Compare Source](https://togithub.com/googleapis/python-secret-manager/compare/v0.2.0...v1.0.0) ##### Features - release as production/stable ([#​24](https://www.github.com/googleapis/python-secret-manager/issues/24)) ([39a8cc8](https://www.github.com/googleapis/python-secret-manager/commit/39a8cc8f631569c82d1cbffc6a9bbb440d380683))
--- ### Renovate configuration :date: **Schedule**: At any time (no schedule defined). :vertical_traffic_light: **Automerge**: Disabled by config. Please merge this manually once you are satisfied. :recycle: **Rebasing**: Never, or you tick the rebase/retry checkbox. :no_bell: **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [WhiteSource Renovate](https://renovate.whitesourcesoftware.com). View repository job log [here](https://app.renovatebot.com/dashboard#GoogleCloudPlatform/python-docs-samples). --- samples/snippets/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/requirements.txt b/samples/snippets/requirements.txt index 566e5d4..da667b1 100644 --- a/samples/snippets/requirements.txt +++ b/samples/snippets/requirements.txt @@ -1 +1 @@ -google-cloud-secret-manager==0.2.0 +google-cloud-secret-manager==1.0.0 From 7ce5196d34ea4bcf487d7b92d6d45f8ba9de892d Mon Sep 17 00:00:00 2001 From: Kurtis Van Gent <31518063+kurtisvg@users.noreply.github.com> Date: Tue, 9 Jun 2020 14:34:27 -0700 Subject: [PATCH 09/12] Replace GCLOUD_PROJECT with GOOGLE_CLOUD_PROJECT. [(#4022)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/4022) --- samples/snippets/snippets_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/snippets_test.py b/samples/snippets/snippets_test.py index 2c16c13..65f93be 100644 --- a/samples/snippets/snippets_test.py +++ b/samples/snippets/snippets_test.py @@ -42,7 +42,7 @@ def client(): @pytest.fixture() def project_id(): - return os.environ['GCLOUD_PROJECT'] + return os.environ['GOOGLE_CLOUD_PROJECT'] @pytest.fixture() From a4517455c5398be918274dabef13497f5d31fd00 Mon Sep 17 00:00:00 2001 
From: WhiteSource Renovate Date: Mon, 13 Jul 2020 00:46:30 +0200 Subject: [PATCH 10/12] chore(deps): update dependency pytest to v5.4.3 [(#4279)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/4279) * chore(deps): update dependency pytest to v5.4.3 * specify pytest for python 2 in appengine Co-authored-by: Leah Cole --- samples/snippets/requirements-test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/requirements-test.txt b/samples/snippets/requirements-test.txt index 781d432..79738af 100644 --- a/samples/snippets/requirements-test.txt +++ b/samples/snippets/requirements-test.txt @@ -1 +1 @@ -pytest==5.3.2 +pytest==5.4.3 From b2f24f3cd0173b4be80601af0dc2992a676e358a Mon Sep 17 00:00:00 2001 From: WhiteSource Renovate Date: Sat, 1 Aug 2020 21:51:00 +0200 Subject: [PATCH 11/12] Update dependency pytest to v6 [(#4390)](https://github.com/GoogleCloudPlatform/python-docs-samples/issues/4390) --- samples/snippets/requirements-test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/requirements-test.txt b/samples/snippets/requirements-test.txt index 79738af..7e460c8 100644 --- a/samples/snippets/requirements-test.txt +++ b/samples/snippets/requirements-test.txt @@ -1 +1 @@ -pytest==5.4.3 +pytest==6.0.1 From 12d9e4faf292981a9e1c2b8fe4d274a7c3f154e5 Mon Sep 17 00:00:00 2001 
From: arithmetic1728 Date: Sun, 13 Sep 2020 22:04:04 -0700 Subject: [PATCH 12/12] chore: update templates --- .github/CODEOWNERS | 8 + .github/snippet-bot.yml | 0 .gitignore | 3 +- .kokoro/build.sh | 8 +- .kokoro/docker/docs/Dockerfile | 98 ++++++ .kokoro/docker/docs/fetch_gpg_keys.sh | 45 +++ .kokoro/docs/common.cfg | 21 +- .kokoro/docs/docs-presubmit.cfg | 17 + .kokoro/publish-docs.sh | 39 ++- .kokoro/trampoline_v2.sh | 487 ++++++++++++++++++++++++++ .trampolinerc | 51 +++ docs/conf.py | 13 +- noxfile.py | 39 +++ samples/AUTHORING_GUIDE.md | 1 + samples/CONTRIBUTING.md | 1 + samples/snippets/README.rst | 59 +++- samples/snippets/noxfile.py | 224 ++++++++++++ scripts/decrypt-secrets.sh | 15 +- synth.metadata | 14 +- synth.py | 8 +- 20 files changed, 1115 insertions(+), 36 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/snippet-bot.yml create mode 100644 .kokoro/docker/docs/Dockerfile create mode 100755 .kokoro/docker/docs/fetch_gpg_keys.sh create mode 100644 .kokoro/docs/docs-presubmit.cfg create mode 100755 .kokoro/trampoline_v2.sh create mode 100644 .trampolinerc create mode 100644 samples/AUTHORING_GUIDE.md create mode 100644 samples/CONTRIBUTING.md create mode 100644 samples/snippets/noxfile.py diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..4e3558c --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,8 @@ +# Code owners file. +# This file controls who is tagged for review for any given pull request. +# +# For syntax help see: +# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners#codeowners-syntax + + +/samples/**/*.py @googleapis/python-samples-owners diff --git a/.github/snippet-bot.yml b/.github/snippet-bot.yml new file mode 100644 index 0000000..e69de29 diff --git a/.gitignore b/.gitignore index b87e1ed..b9daa52 100644 --- a/.gitignore +++ b/.gitignore 
@@ -46,6 +46,7 @@ pip-log.txt # Built documentation docs/_build bigquery/docs/generated +docs.metadata # Virtual environment env/ @@ -57,4 +58,4 @@ system_tests/local_test_setup # Make sure a generated file isn't accidentally committed. pylintrc -pylintrc.test \ No newline at end of file +pylintrc.test diff --git a/.kokoro/build.sh b/.kokoro/build.sh index 40c11f3..ac6c883 100755 --- a/.kokoro/build.sh +++ b/.kokoro/build.sh @@ -36,4 +36,10 @@ python3.6 -m pip uninstall --yes --quiet nox-automation python3.6 -m pip install --upgrade --quiet nox python3.6 -m nox --version -python3.6 -m nox +# If NOX_SESSION is set, it only runs the specified session, +# otherwise run all the sessions. +if [[ -n "${NOX_SESSION:-}" ]]; then + python3.6 -m nox -s "${NOX_SESSION:-}" +else + python3.6 -m nox +fi diff --git a/.kokoro/docker/docs/Dockerfile b/.kokoro/docker/docs/Dockerfile new file mode 100644 index 0000000..412b0b5 --- /dev/null +++ b/.kokoro/docker/docs/Dockerfile 
@@ -0,0 +1,98 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from ubuntu:20.04
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Ensure local Python is preferred over distribution Python.
+ENV PATH /usr/local/bin:$PATH
+
+# Install dependencies.
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ apt-transport-https \
+ build-essential \
+ ca-certificates \
+ curl \
+ dirmngr \
+ git \
+ gpg-agent \
+ graphviz \
+ libbz2-dev \
+ libdb5.3-dev \
+ libexpat1-dev \
+ libffi-dev \
+ liblzma-dev \
+ libreadline-dev \
+ libsnappy-dev \
+ libssl-dev \
+ libsqlite3-dev \
+ portaudio19-dev \
+ redis-server \
+ software-properties-common \
+ ssh \
+ sudo \
+ tcl \
+ tcl-dev \
+ tk \
+ tk-dev \
+ uuid-dev \
+ wget \
+ zlib1g-dev \
+ && add-apt-repository universe \
+ && apt-get update \
+ && apt-get -y install jq \
+ && apt-get clean autoclean \
+ && apt-get autoremove -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && rm -f /var/cache/apt/archives/*.deb
+
+
+COPY fetch_gpg_keys.sh /tmp
+# Install the desired versions of Python.
+RUN set -ex \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && echo "disable-ipv6" >> "${GNUPGHOME}/dirmngr.conf" \
+ && /tmp/fetch_gpg_keys.sh \
+ && for PYTHON_VERSION in 3.7.8 3.8.5; do \
+ wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
+ && wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
+ && gpg --batch --verify python-${PYTHON_VERSION}.tar.xz.asc python-${PYTHON_VERSION}.tar.xz \
+ && rm -r python-${PYTHON_VERSION}.tar.xz.asc \
+ && mkdir -p /usr/src/python-${PYTHON_VERSION} \
+ && tar -xJC /usr/src/python-${PYTHON_VERSION} --strip-components=1 -f python-${PYTHON_VERSION}.tar.xz \
+ && rm python-${PYTHON_VERSION}.tar.xz \
+ && cd /usr/src/python-${PYTHON_VERSION} \
+ && ./configure \
+ --enable-shared \
+ # This works only on Python 2.7 and throws a warning on every other
+ # version, but seems otherwise harmless.
+ --enable-unicode=ucs4 \
+ --with-system-ffi \
+ --without-ensurepip \
+ && make -j$(nproc) \
+ && make install \
+ && ldconfig \
+ ; done \
+ && rm -rf "${GNUPGHOME}" \
+ && rm -rf /usr/src/python* \
+ && rm -rf ~/.cache/
+
+RUN wget -O /tmp/get-pip.py 'https://bootstrap.pypa.io/get-pip.py' \
+ && python3.7 /tmp/get-pip.py \
+ && python3.8 /tmp/get-pip.py \
+ && rm /tmp/get-pip.py
+
+CMD ["python3.7"]
diff --git a/.kokoro/docker/docs/fetch_gpg_keys.sh b/.kokoro/docker/docs/fetch_gpg_keys.sh
new file mode 100755
index 0000000..d653dd8
--- /dev/null
+++ b/.kokoro/docker/docs/fetch_gpg_keys.sh
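Review bot: Both `wget --no-check-certificate` calls in the Python build loop of `.kokoro/docker/docs/Dockerfile` disable TLS certificate validation although `ca-certificates` is installed in the earlier `RUN`, so the tarball's authenticity rests solely on the following `gpg --batch --verify`; dropping the flag keeps two independent checks. The last `RUN` fetches `https://bootstrap.pypa.io/get-pip.py` and executes it with both interpreters with no digest or signature check, so whatever that URL serves at build time runs inside the image build. I would verify a pinned digest before use, for example `echo "<EXPECTED_SHA256>  /tmp/get-pip.py" | sha256sum -c -` ahead of `python3.7 /tmp/get-pip.py`. The `from ubuntu:20.04` line works but is conventionally written `FROM ubuntu:20.04`.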
@@ -0,0 +1,45 @@ +#!/bin/bash +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A script to fetch gpg keys with retry. +# Avoid jinja parsing the file. +# + +function retry { + if [[ "${#}" -le 1 ]]; then + echo "Usage: ${0} retry_count commands.." + exit 1 + fi + local retries=${1} + local command="${@:2}" + until [[ "${retries}" -le 0 ]]; do + $command && return 0 + if [[ $? -ne 0 ]]; then + echo "command failed, retrying" + ((retries--)) + fi + done + return 1 +} + +# 3.6.9, 3.7.5 (Ned Deily) +retry 3 gpg --keyserver ha.pool.sks-keyservers.net --recv-keys \ + 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D + +# 3.8.0 (Łukasz Langa) +retry 3 gpg --keyserver ha.pool.sks-keyservers.net --recv-keys \ + E3FF2839C048B25C084DEBE9B26995E310250568 + +# diff --git a/.kokoro/docs/common.cfg b/.kokoro/docs/common.cfg index 259b717..0d55d5e 100644 --- a/.kokoro/docs/common.cfg +++ b/.kokoro/docs/common.cfg @@ -11,12 +11,12 @@ action { gfile_resources: "/bigstore/cloud-devrel-kokoro-resources/trampoline" # Use the trampoline script to run in docker. -build_file: "python-secret-manager/.kokoro/trampoline.sh" +build_file: "python-secret-manager/.kokoro/trampoline_v2.sh" # Configure the docker image for kokoro-trampoline. env_vars: { key: "TRAMPOLINE_IMAGE" - value: "gcr.io/cloud-devrel-kokoro-resources/python-multi" + value: "gcr.io/cloud-devrel-kokoro-resources/python-lib-docs" } env_vars: { key: "TRAMPOLINE_BUILD_FILE" 
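Review bot: In `.kokoro/docker/docs/fetch_gpg_keys.sh` a failed key fetch is not propagated: the hunk is the whole new file and it never sets `set -e`, so if the first `retry 3 gpg ...` runs out of attempts and returns 1 the script carries on and exits with the status of the second fetch. The Dockerfile's later `gpg --batch --verify` would presumably still fail on the missing key, but the error then surfaces far from its cause; adding `set -euo pipefail` after the header makes the script stop where the fetch failed. `retry` also flattens its arguments into one string with `local command="${@:2}"` and runs it unquoted as `$command`, which re-splits any argument containing whitespace; `local -a command=("${@:2}")` with `"${command[@]}" && return 0` keeps the arguments intact. The loop retries immediately, so a short `sleep` between attempts would be kinder to the keyserver.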
@@ -28,6 +28,23 @@ env_vars: { value: "docs-staging" } +env_vars: { + key: "V2_STAGING_BUCKET" + value: "docs-staging-v2-staging" +} + +# It will upload the docker image after successful builds. +env_vars: { + key: "TRAMPOLINE_IMAGE_UPLOAD" + value: "true" +} + +# It will always build the docker image. +env_vars: { + key: "TRAMPOLINE_DOCKERFILE" + value: ".kokoro/docker/docs/Dockerfile" +} + # Fetch the token needed for reporting release status to GitHub before_action { fetch_keystore { diff --git a/.kokoro/docs/docs-presubmit.cfg b/.kokoro/docs/docs-presubmit.cfg new file mode 100644 index 0000000..1118107 --- /dev/null +++ b/.kokoro/docs/docs-presubmit.cfg @@ -0,0 +1,17 @@ +# Format: //devtools/kokoro/config/proto/build.proto + +env_vars: { + key: "STAGING_BUCKET" + value: "gcloud-python-test" +} + +env_vars: { + key: "V2_STAGING_BUCKET" + value: "gcloud-python-test" +} + +# We only upload the image in the main `docs` build. +env_vars: { + key: "TRAMPOLINE_IMAGE_UPLOAD" + value: "false" +} diff --git a/.kokoro/publish-docs.sh b/.kokoro/publish-docs.sh index f706ac9..8acb14e 100755 --- a/.kokoro/publish-docs.sh +++ b/.kokoro/publish-docs.sh @@ -18,26 +18,16 @@ set -eo pipefail # Disable buffering, so that the logs stream through. export PYTHONUNBUFFERED=1 -cd github/python-secret-manager - -# Remove old nox -python3.6 -m pip uninstall --yes --quiet nox-automation +export PATH="${HOME}/.local/bin:${PATH}" # Install nox -python3.6 -m pip install --upgrade --quiet nox -python3.6 -m nox --version +python3 -m pip install --user --upgrade --quiet nox +python3 -m nox --version # build docs nox -s docs -python3 -m pip install gcp-docuploader - -# install a json parser -sudo apt-get update -sudo apt-get -y install software-properties-common -sudo add-apt-repository universe -sudo apt-get update -sudo apt-get -y install jq +python3 -m pip install --user gcp-docuploader # create metadata python3 -m docuploader create-metadata \ 
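Review bot: In the `.kokoro/publish-docs.sh` hunk, `python3 -m pip install --user --upgrade --quiet nox` and `python3 -m pip install --user gcp-docuploader` pull whatever version is current at run time into the job that goes on to upload to the staging buckets. Pinning both, ideally from a requirements file installed with `pip install --require-hashes -r <PINNED_REQUIREMENTS_FILE>`, would make the publishing step reproducible and limit exposure to a compromised release of either package. The script continues beyond this hunk.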
@@ -52,4 +42,23 @@ python3 -m docuploader create-metadata \ cat docs.metadata # upload docs -python3 -m docuploader upload docs/_build/html --metadata-file docs.metadata --staging-bucket docs-staging +python3 -m docuploader upload docs/_build/html --metadata-file docs.metadata --staging-bucket "${STAGING_BUCKET}" + + +# docfx yaml files +nox -s docfx + +# create metadata. +python3 -m docuploader create-metadata \ + --name=$(jq --raw-output '.name // empty' .repo-metadata.json) \ + --version=$(python3 setup.py --version) \ + --language=$(jq --raw-output '.language // empty' .repo-metadata.json) \ + --distribution-name=$(python3 setup.py --name) \ + --product-page=$(jq --raw-output '.product_documentation // empty' .repo-metadata.json) \ + --github-repository=$(jq --raw-output '.repo // empty' .repo-metadata.json) \ + --issue-tracker=$(jq --raw-output '.issue_tracker // empty' .repo-metadata.json) + +cat docs.metadata + +# upload docs +python3 -m docuploader upload docs/_build/html/docfx_yaml --metadata-file docs.metadata --destination-prefix docfx --staging-bucket "${V2_STAGING_BUCKET}" diff --git a/.kokoro/trampoline_v2.sh b/.kokoro/trampoline_v2.sh new file mode 100755 index 0000000..719bcd5 --- /dev/null +++ b/.kokoro/trampoline_v2.sh 
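Review bot: `--staging-bucket "${STAGING_BUCKET}"` and `--staging-bucket "${V2_STAGING_BUCKET}"` now depend on the Kokoro config, but the script runs under `set -eo pipefail` (shown in the previous hunk's header) without `-u`, so an unset variable expands to an empty bucket name instead of stopping the job. Writing `"${STAGING_BUCKET:?}"` and `"${V2_STAGING_BUCKET:?}"` fails fast with a clear message. The `$(jq --raw-output ...)` and `$(python3 setup.py ...)` substitutions in the new `create-metadata` call are unquoted, so a metadata value containing spaces would be split into extra arguments; quoting each one, e.g. `--name="$(jq --raw-output '.name // empty' .repo-metadata.json)"`, avoids that.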
@@ -0,0 +1,487 @@ +#!/usr/bin/env bash +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# trampoline_v2.sh +# +# This script does 3 things. +# +# 1. Prepare the Docker image for the test +# 2. Run the Docker with appropriate flags to run the test +# 3. Upload the newly built Docker image +# +# in a way that is somewhat compatible with trampoline_v1. +# +# To run this script, first download few files from gcs to /dev/shm. +# (/dev/shm is passed into the container as KOKORO_GFILE_DIR). +# +# gsutil cp gs://cloud-devrel-kokoro-resources/python-docs-samples/secrets_viewer_service_account.json /dev/shm +# gsutil cp gs://cloud-devrel-kokoro-resources/python-docs-samples/automl_secrets.txt /dev/shm +# +# Then run the script. +# .kokoro/trampoline_v2.sh +# +# These environment variables are required: +# TRAMPOLINE_IMAGE: The docker image to use. +# TRAMPOLINE_DOCKERFILE: The location of the Dockerfile. +# +# You can optionally change these environment variables: +# TRAMPOLINE_IMAGE_UPLOAD: +# (true|false): Whether to upload the Docker image after the +# successful builds. +# TRAMPOLINE_BUILD_FILE: The script to run in the docker container. +# TRAMPOLINE_WORKSPACE: The workspace path in the docker container. +# Defaults to /workspace. +# Potentially there are some repo specific envvars in .trampolinerc in +# the project root. 
+ + +set -euo pipefail + +TRAMPOLINE_VERSION="2.0.5" + +if command -v tput >/dev/null && [[ -n "${TERM:-}" ]]; then + readonly IO_COLOR_RED="$(tput setaf 1)" + readonly IO_COLOR_GREEN="$(tput setaf 2)" + readonly IO_COLOR_YELLOW="$(tput setaf 3)" + readonly IO_COLOR_RESET="$(tput sgr0)" +else + readonly IO_COLOR_RED="" + readonly IO_COLOR_GREEN="" + readonly IO_COLOR_YELLOW="" + readonly IO_COLOR_RESET="" +fi + +function function_exists { + [ $(LC_ALL=C type -t $1)"" == "function" ] +} + +# Logs a message using the given color. The first argument must be one +# of the IO_COLOR_* variables defined above, such as +# "${IO_COLOR_YELLOW}". The remaining arguments will be logged in the +# given color. The log message will also have an RFC-3339 timestamp +# prepended (in UTC). You can disable the color output by setting +# TERM=vt100. +function log_impl() { + local color="$1" + shift + local timestamp="$(date -u "+%Y-%m-%dT%H:%M:%SZ")" + echo "================================================================" + echo "${color}${timestamp}:" "$@" "${IO_COLOR_RESET}" + echo "================================================================" +} + +# Logs the given message with normal coloring and a timestamp. +function log() { + log_impl "${IO_COLOR_RESET}" "$@" +} + +# Logs the given message in green with a timestamp. +function log_green() { + log_impl "${IO_COLOR_GREEN}" "$@" +} + +# Logs the given message in yellow with a timestamp. +function log_yellow() { + log_impl "${IO_COLOR_YELLOW}" "$@" +} + +# Logs the given message in red with a timestamp. +function log_red() { + log_impl "${IO_COLOR_RED}" "$@" +} + +readonly tmpdir=$(mktemp -d -t ci-XXXXXXXX) +readonly tmphome="${tmpdir}/h" +mkdir -p "${tmphome}" + +function cleanup() { + rm -rf "${tmpdir}" +} +trap cleanup EXIT + +RUNNING_IN_CI="${RUNNING_IN_CI:-false}" + +# The workspace in the container, defaults to /workspace. 
+TRAMPOLINE_WORKSPACE="${TRAMPOLINE_WORKSPACE:-/workspace}" + +pass_down_envvars=( + # TRAMPOLINE_V2 variables. + # Tells scripts whether they are running as part of CI or not. + "RUNNING_IN_CI" + # Indicates which CI system we're in. + "TRAMPOLINE_CI" + # Indicates the version of the script. + "TRAMPOLINE_VERSION" +) + +log_yellow "Building with Trampoline ${TRAMPOLINE_VERSION}" + +# Detect which CI systems we're in. If we're in any of the CI systems +# we support, `RUNNING_IN_CI` will be true and `TRAMPOLINE_CI` will be +# the name of the CI system. Both envvars will be passing down to the +# container for telling which CI system we're in. +if [[ -n "${KOKORO_BUILD_ID:-}" ]]; then + # descriptive env var for indicating it's on CI. + RUNNING_IN_CI="true" + TRAMPOLINE_CI="kokoro" + if [[ "${TRAMPOLINE_USE_LEGACY_SERVICE_ACCOUNT:-}" == "true" ]]; then + if [[ ! -f "${KOKORO_GFILE_DIR}/kokoro-trampoline.service-account.json" ]]; then + log_red "${KOKORO_GFILE_DIR}/kokoro-trampoline.service-account.json does not exist. Did you forget to mount cloud-devrel-kokoro-resources/trampoline? Aborting." + exit 1 + fi + # This service account will be activated later. + TRAMPOLINE_SERVICE_ACCOUNT="${KOKORO_GFILE_DIR}/kokoro-trampoline.service-account.json" + else + if [[ "${TRAMPOLINE_VERBOSE:-}" == "true" ]]; then + gcloud auth list + fi + log_yellow "Configuring Container Registry access" + gcloud auth configure-docker --quiet + fi + pass_down_envvars+=( + # KOKORO dynamic variables. 
+ "KOKORO_BUILD_NUMBER" + "KOKORO_BUILD_ID" + "KOKORO_JOB_NAME" + "KOKORO_GIT_COMMIT" + "KOKORO_GITHUB_COMMIT" + "KOKORO_GITHUB_PULL_REQUEST_NUMBER" + "KOKORO_GITHUB_PULL_REQUEST_COMMIT" + # For Build Cop Bot + "KOKORO_GITHUB_COMMIT_URL" + "KOKORO_GITHUB_PULL_REQUEST_URL" + ) +elif [[ "${TRAVIS:-}" == "true" ]]; then + RUNNING_IN_CI="true" + TRAMPOLINE_CI="travis" + pass_down_envvars+=( + "TRAVIS_BRANCH" + "TRAVIS_BUILD_ID" + "TRAVIS_BUILD_NUMBER" + "TRAVIS_BUILD_WEB_URL" + "TRAVIS_COMMIT" + "TRAVIS_COMMIT_MESSAGE" + "TRAVIS_COMMIT_RANGE" + "TRAVIS_JOB_NAME" + "TRAVIS_JOB_NUMBER" + "TRAVIS_JOB_WEB_URL" + "TRAVIS_PULL_REQUEST" + "TRAVIS_PULL_REQUEST_BRANCH" + "TRAVIS_PULL_REQUEST_SHA" + "TRAVIS_PULL_REQUEST_SLUG" + "TRAVIS_REPO_SLUG" + "TRAVIS_SECURE_ENV_VARS" + "TRAVIS_TAG" + ) +elif [[ -n "${GITHUB_RUN_ID:-}" ]]; then + RUNNING_IN_CI="true" + TRAMPOLINE_CI="github-workflow" + pass_down_envvars+=( + "GITHUB_WORKFLOW" + "GITHUB_RUN_ID" + "GITHUB_RUN_NUMBER" + "GITHUB_ACTION" + "GITHUB_ACTIONS" + "GITHUB_ACTOR" + "GITHUB_REPOSITORY" + "GITHUB_EVENT_NAME" + "GITHUB_EVENT_PATH" + "GITHUB_SHA" + "GITHUB_REF" + "GITHUB_HEAD_REF" + "GITHUB_BASE_REF" + ) +elif [[ "${CIRCLECI:-}" == "true" ]]; then + RUNNING_IN_CI="true" + TRAMPOLINE_CI="circleci" + pass_down_envvars+=( + "CIRCLE_BRANCH" + "CIRCLE_BUILD_NUM" + "CIRCLE_BUILD_URL" + "CIRCLE_COMPARE_URL" + "CIRCLE_JOB" + "CIRCLE_NODE_INDEX" + "CIRCLE_NODE_TOTAL" + "CIRCLE_PREVIOUS_BUILD_NUM" + "CIRCLE_PROJECT_REPONAME" + "CIRCLE_PROJECT_USERNAME" + "CIRCLE_REPOSITORY_URL" + "CIRCLE_SHA1" + "CIRCLE_STAGE" + "CIRCLE_USERNAME" + "CIRCLE_WORKFLOW_ID" + "CIRCLE_WORKFLOW_JOB_ID" + "CIRCLE_WORKFLOW_UPSTREAM_JOB_IDS" + "CIRCLE_WORKFLOW_WORKSPACE_ID" + ) +fi + +# Configure the service account for pulling the docker image. +function repo_root() { + local dir="$1" + while [[ ! -d "${dir}/.git" ]]; do + dir="$(dirname "$dir")" + done + echo "${dir}" +} + +# Detect the project root. 
In CI builds, we assume the script is in +# the git tree and traverse from there, otherwise, traverse from `pwd` +# to find `.git` directory. +if [[ "${RUNNING_IN_CI:-}" == "true" ]]; then + PROGRAM_PATH="$(realpath "$0")" + PROGRAM_DIR="$(dirname "${PROGRAM_PATH}")" + PROJECT_ROOT="$(repo_root "${PROGRAM_DIR}")" +else + PROJECT_ROOT="$(repo_root $(pwd))" +fi + +log_yellow "Changing to the project root: ${PROJECT_ROOT}." +cd "${PROJECT_ROOT}" + +# To support relative path for `TRAMPOLINE_SERVICE_ACCOUNT`, we need +# to use this environment variable in `PROJECT_ROOT`. +if [[ -n "${TRAMPOLINE_SERVICE_ACCOUNT:-}" ]]; then + + mkdir -p "${tmpdir}/gcloud" + gcloud_config_dir="${tmpdir}/gcloud" + + log_yellow "Using isolated gcloud config: ${gcloud_config_dir}." + export CLOUDSDK_CONFIG="${gcloud_config_dir}" + + log_yellow "Using ${TRAMPOLINE_SERVICE_ACCOUNT} for authentication." + gcloud auth activate-service-account \ + --key-file "${TRAMPOLINE_SERVICE_ACCOUNT}" + log_yellow "Configuring Container Registry access" + gcloud auth configure-docker --quiet +fi + +required_envvars=( + # The basic trampoline configurations. + "TRAMPOLINE_IMAGE" + "TRAMPOLINE_BUILD_FILE" +) + +if [[ -f "${PROJECT_ROOT}/.trampolinerc" ]]; then + source "${PROJECT_ROOT}/.trampolinerc" +fi + +log_yellow "Checking environment variables." +for e in "${required_envvars[@]}" +do + if [[ -z "${!e:-}" ]]; then + log "Missing ${e} env var. Aborting." + exit 1 + fi +done + +# We want to support legacy style TRAMPOLINE_BUILD_FILE used with V1 +# script: e.g. "github/repo-name/.kokoro/run_tests.sh" +TRAMPOLINE_BUILD_FILE="${TRAMPOLINE_BUILD_FILE#github/*/}" +log_yellow "Using TRAMPOLINE_BUILD_FILE: ${TRAMPOLINE_BUILD_FILE}" + +# ignore error on docker operations and test execution +set +e + +log_yellow "Preparing Docker image." +# We only download the docker image in CI builds. 
+if [[ "${RUNNING_IN_CI:-}" == "true" ]]; then + # Download the docker image specified by `TRAMPOLINE_IMAGE` + + # We may want to add --max-concurrent-downloads flag. + + log_yellow "Start pulling the Docker image: ${TRAMPOLINE_IMAGE}." + if docker pull "${TRAMPOLINE_IMAGE}"; then + log_green "Finished pulling the Docker image: ${TRAMPOLINE_IMAGE}." + has_image="true" + else + log_red "Failed pulling the Docker image: ${TRAMPOLINE_IMAGE}." + has_image="false" + fi +else + # For local run, check if we have the image. + if docker images "${TRAMPOLINE_IMAGE}:latest" | grep "${TRAMPOLINE_IMAGE}"; then + has_image="true" + else + has_image="false" + fi +fi + + +# The default user for a Docker container has uid 0 (root). To avoid +# creating root-owned files in the build directory we tell docker to +# use the current user ID. +user_uid="$(id -u)" +user_gid="$(id -g)" +user_name="$(id -un)" + +# To allow docker in docker, we add the user to the docker group in +# the host os. +docker_gid=$(cut -d: -f3 < <(getent group docker)) + +update_cache="false" +if [[ "${TRAMPOLINE_DOCKERFILE:-none}" != "none" ]]; then + # Build the Docker image from the source. + context_dir=$(dirname "${TRAMPOLINE_DOCKERFILE}") + docker_build_flags=( + "-f" "${TRAMPOLINE_DOCKERFILE}" + "-t" "${TRAMPOLINE_IMAGE}" + "--build-arg" "UID=${user_uid}" + "--build-arg" "USERNAME=${user_name}" + ) + if [[ "${has_image}" == "true" ]]; then + docker_build_flags+=("--cache-from" "${TRAMPOLINE_IMAGE}") + fi + + log_yellow "Start building the docker image." + if [[ "${TRAMPOLINE_VERBOSE:-false}" == "true" ]]; then + echo "docker build" "${docker_build_flags[@]}" "${context_dir}" + fi + + # ON CI systems, we want to suppress docker build logs, only + # output the logs when it fails. 
+ if [[ "${RUNNING_IN_CI:-}" == "true" ]]; then + if docker build "${docker_build_flags[@]}" "${context_dir}" \ + > "${tmpdir}/docker_build.log" 2>&1; then + if [[ "${TRAMPOLINE_VERBOSE:-}" == "true" ]]; then + cat "${tmpdir}/docker_build.log" + fi + + log_green "Finished building the docker image." + update_cache="true" + else + log_red "Failed to build the Docker image, aborting." + log_yellow "Dumping the build logs:" + cat "${tmpdir}/docker_build.log" + exit 1 + fi + else + if docker build "${docker_build_flags[@]}" "${context_dir}"; then + log_green "Finished building the docker image." + update_cache="true" + else + log_red "Failed to build the Docker image, aborting." + exit 1 + fi + fi +else + if [[ "${has_image}" != "true" ]]; then + log_red "We do not have ${TRAMPOLINE_IMAGE} locally, aborting." + exit 1 + fi +fi + +# We use an array for the flags so they are easier to document. +docker_flags=( + # Remove the container after it exists. + "--rm" + + # Use the host network. + "--network=host" + + # Run in priviledged mode. We are not using docker for sandboxing or + # isolation, just for packaging our dev tools. + "--privileged" + + # Run the docker script with the user id. Because the docker image gets to + # write in ${PWD} you typically want this to be your user id. + # To allow docker in docker, we need to use docker gid on the host. + "--user" "${user_uid}:${docker_gid}" + + # Pass down the USER. + "--env" "USER=${user_name}" + + # Mount the project directory inside the Docker container. + "--volume" "${PROJECT_ROOT}:${TRAMPOLINE_WORKSPACE}" + "--workdir" "${TRAMPOLINE_WORKSPACE}" + "--env" "PROJECT_ROOT=${TRAMPOLINE_WORKSPACE}" + + # Mount the temporary home directory. + "--volume" "${tmphome}:/h" + "--env" "HOME=/h" + + # Allow docker in docker. + "--volume" "/var/run/docker.sock:/var/run/docker.sock" + + # Mount the /tmp so that docker in docker can mount the files + # there correctly. 
+ "--volume" "/tmp:/tmp" + # Pass down the KOKORO_GFILE_DIR and KOKORO_KEYSTORE_DIR + # TODO(tmatsuo): This part is not portable. + "--env" "TRAMPOLINE_SECRET_DIR=/secrets" + "--volume" "${KOKORO_GFILE_DIR:-/dev/shm}:/secrets/gfile" + "--env" "KOKORO_GFILE_DIR=/secrets/gfile" + "--volume" "${KOKORO_KEYSTORE_DIR:-/dev/shm}:/secrets/keystore" + "--env" "KOKORO_KEYSTORE_DIR=/secrets/keystore" +) + +# Add an option for nicer output if the build gets a tty. +if [[ -t 0 ]]; then + docker_flags+=("-it") +fi + +# Passing down env vars +for e in "${pass_down_envvars[@]}" +do + if [[ -n "${!e:-}" ]]; then + docker_flags+=("--env" "${e}=${!e}") + fi +done + +# If arguments are given, all arguments will become the commands run +# in the container, otherwise run TRAMPOLINE_BUILD_FILE. +if [[ $# -ge 1 ]]; then + log_yellow "Running the given commands '" "${@:1}" "' in the container." + readonly commands=("${@:1}") + if [[ "${TRAMPOLINE_VERBOSE:-}" == "true" ]]; then + echo docker run "${docker_flags[@]}" "${TRAMPOLINE_IMAGE}" "${commands[@]}" + fi + docker run "${docker_flags[@]}" "${TRAMPOLINE_IMAGE}" "${commands[@]}" +else + log_yellow "Running the tests in a Docker container." + docker_flags+=("--entrypoint=${TRAMPOLINE_BUILD_FILE}") + if [[ "${TRAMPOLINE_VERBOSE:-}" == "true" ]]; then + echo docker run "${docker_flags[@]}" "${TRAMPOLINE_IMAGE}" + fi + docker run "${docker_flags[@]}" "${TRAMPOLINE_IMAGE}" +fi + + +test_retval=$? + +if [[ ${test_retval} -eq 0 ]]; then + log_green "Build finished with ${test_retval}" +else + log_red "Build finished with ${test_retval}" +fi + +# Only upload it when the test passes. +if [[ "${update_cache}" == "true" ]] && \ + [[ $test_retval == 0 ]] && \ + [[ "${TRAMPOLINE_IMAGE_UPLOAD:-false}" == "true" ]]; then + log_yellow "Uploading the Docker image." + if docker push "${TRAMPOLINE_IMAGE}"; then + log_green "Finished uploading the Docker image." + else + log_red "Failed uploading the Docker image." 
+ fi + # Call trampoline_after_upload_hook if it's defined. + if function_exists trampoline_after_upload_hook; then + trampoline_after_upload_hook + fi + +fi + +exit "${test_retval}" diff --git a/.trampolinerc b/.trampolinerc new file mode 100644 index 0000000..995ee29 --- /dev/null +++ b/.trampolinerc @@ -0,0 +1,51 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Template for .trampolinerc + +# Add required env vars here. +required_envvars+=( + "STAGING_BUCKET" + "V2_STAGING_BUCKET" +) + +# Add env vars which are passed down into the container here. +pass_down_envvars+=( + "STAGING_BUCKET" + "V2_STAGING_BUCKET" +) + +# Prevent unintentional override on the default image. +if [[ "${TRAMPOLINE_IMAGE_UPLOAD:-false}" == "true" ]] && \ + [[ -z "${TRAMPOLINE_IMAGE:-}" ]]; then + echo "Please set TRAMPOLINE_IMAGE if you want to upload the Docker image." + exit 1 +fi + +# Define the default value if it makes sense. +if [[ -z "${TRAMPOLINE_IMAGE_UPLOAD:-}" ]]; then + TRAMPOLINE_IMAGE_UPLOAD="" +fi + +if [[ -z "${TRAMPOLINE_IMAGE:-}" ]]; then + TRAMPOLINE_IMAGE="" +fi + +if [[ -z "${TRAMPOLINE_DOCKERFILE:-}" ]]; then + TRAMPOLINE_DOCKERFILE="" +fi + +if [[ -z "${TRAMPOLINE_BUILD_FILE:-}" ]]; then + TRAMPOLINE_BUILD_FILE="" +fi diff --git a/docs/conf.py b/docs/conf.py index df08df0..87ce545 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -20,12 +20,16 @@ # documentation root, use os.path.abspath to make it absolute, like shown here. sys.path.insert(0, os.path.abspath("..")) +# For plugins that can not read conf.py. +# See also: https://github.com/docascode/sphinx-docfx-yaml/issues/85 +sys.path.insert(0, os.path.abspath(".")) + __version__ = "" # -- General configuration ------------------------------------------------ # If your documentation needs a minimal Sphinx version, state it here. -needs_sphinx = "1.6.3" +needs_sphinx = "1.5.5" # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom @@ -90,7 +94,12 @@ # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. -exclude_patterns = ["_build"] +exclude_patterns = [ + "_build", + "samples/AUTHORING_GUIDE.md", + "samples/CONTRIBUTING.md", + "samples/snippets/README.rst", +] # The reST default role (used for this markup: `text`) to use for all # documents. diff --git a/noxfile.py b/noxfile.py index 35fd99b..39c3dc0 100644 --- a/noxfile.py +++ b/noxfile.py @@ -100,6 +100,10 @@ def system(session): """Run the system test suite.""" system_test_path = os.path.join("tests", "system.py") system_test_folder_path = os.path.join("tests", "system") + + # Check the value of `RUN_SYSTEM_TESTS` env var. It defaults to true. + if os.environ.get("RUN_SYSTEM_TESTS", "true") == "false": + session.skip("RUN_SYSTEM_TESTS is set to false, skipping") # Sanity check: Only run tests if the environment variable is set. if not os.environ.get("GOOGLE_APPLICATION_CREDENTIALS", ""): session.skip("Credentials must be set via environment variable") 
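Review bot: The new `RUN_SYSTEM_TESTS` check in `system()` skips only on the exact lowercase string `false`, so `False`, `0` or `no` still run the system tests against whatever `GOOGLE_APPLICATION_CREDENTIALS` points at. Normalising the value makes the opt-out harder to get wrong: `if os.environ.get("RUN_SYSTEM_TESTS", "true").strip().lower() in ("false", "0", "no"):`. If only `true` and `false` are meant to be accepted, the comment above the check should say so. The body of `system()` continues outside the hunk.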
@@ -160,3 +164,38 @@ def docs(session): os.path.join("docs", ""), os.path.join("docs", "_build", "html", ""), ) + + +@nox.session(python=DEFAULT_PYTHON_VERSION) +def docfx(session): + """Build the docfx yaml files for this library.""" + + session.install("-e", ".") + # sphinx-docfx-yaml supports up to sphinx version 1.5.5. + # https://github.com/docascode/sphinx-docfx-yaml/issues/97 + session.install("sphinx==1.5.5", "alabaster", "recommonmark", "sphinx-docfx-yaml") + + shutil.rmtree(os.path.join("docs", "_build"), ignore_errors=True) + session.run( + "sphinx-build", + "-T", # show full traceback on exception + "-N", # no colors + "-D", + ( + "extensions=sphinx.ext.autodoc," + "sphinx.ext.autosummary," + "docfx_yaml.extension," + "sphinx.ext.intersphinx," + "sphinx.ext.coverage," + "sphinx.ext.napoleon," + "sphinx.ext.todo," + "sphinx.ext.viewcode," + "recommonmark" + ), + "-b", + "html", + "-d", + os.path.join("docs", "_build", "doctrees", ""), + os.path.join("docs", ""), + os.path.join("docs", "_build", "html", ""), + ) diff --git a/samples/AUTHORING_GUIDE.md b/samples/AUTHORING_GUIDE.md new file mode 100644 index 0000000..55c97b3 --- /dev/null +++ b/samples/AUTHORING_GUIDE.md @@ -0,0 +1 @@ +See https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/AUTHORING_GUIDE.md \ No newline at end of file diff --git a/samples/CONTRIBUTING.md b/samples/CONTRIBUTING.md new file mode 100644 index 0000000..34c882b --- /dev/null +++ b/samples/CONTRIBUTING.md @@ -0,0 +1 @@ +See https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/CONTRIBUTING.md \ No newline at end of file diff --git a/samples/snippets/README.rst b/samples/snippets/README.rst index af98fb3..141855b 100644 --- a/samples/snippets/README.rst +++ b/samples/snippets/README.rst @@ -1,3 +1,4 @@ + .. This file is automatically generated. Do not edit this file directly. Google Secret Manager Python Samples 
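Review bot: In `docfx()` only Sphinx is pinned; `alabaster`, `recommonmark` and `sphinx-docfx-yaml` are installed at whatever version the package index serves at build time, so the docs build is not reproducible and picks up any bad upstream release automatically. Pinning them next to `sphinx==1.5.5`, or installing under a constraints file (`session.install("-c", "<constraints-file>", ...)`, where the path is a placeholder), keeps the code that runs in the build fixed. The `-D extensions=...` argument also appears to override the extension list from `docs/conf.py`, which deserves a one-line comment such as `# Overrides conf.py's extensions so docfx_yaml.extension is loaded.`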
@@ -14,10 +15,12 @@ This directory contains samples for Google Secret Manager. `Google Secret Manage .. _Google Secret Manager: https://cloud.google.com/secret-manager + Setup ------------------------------------------------------------------------------- + Authentication ++++++++++++++ @@ -28,6 +31,9 @@ credentials for applications. .. _Authentication Getting Started Guide: https://cloud.google.com/docs/authentication/getting-started + + + Install Dependencies ++++++++++++++++++++ @@ -42,7 +48,7 @@ Install Dependencies .. _Python Development Environment Setup Guide: https://cloud.google.com/python/setup -#. Create a virtualenv. Samples are compatible with Python 2.7 and 3.4+. +#. Create a virtualenv. Samples are compatible with Python 3.6+. .. code-block:: bash @@ -58,9 +64,15 @@ Install Dependencies .. _pip: https://pip.pypa.io/ .. _virtualenv: https://virtualenv.pypa.io/ + + + + + Samples ------------------------------------------------------------------------------- + Quickstart +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -77,6 +89,8 @@ To run this sample: $ python quickstart.py + + Access Secret Version +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -92,6 +106,7 @@ To run this sample: $ python access_secret_version.py + usage: access_secret_version.py [-h] project_id secret_id version_id command line application and sample code for accessing a secret version. @@ -106,6 +121,8 @@ To run this sample: + + Add Secret Version +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -121,6 +138,7 @@ To run this sample: $ python add_secret_version.py + usage: add_secret_version.py [-h] project_id secret_id payload command line application and sample code for adding a secret version with the @@ -136,6 +154,8 @@ To run this sample: + + Create Secret +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
@@ -151,6 +171,7 @@ To run this sample: $ python create_secret.py + usage: create_secret.py [-h] project_id secret_id command line application and sample code for creating a new secret. @@ -164,6 +185,8 @@ To run this sample: + + Delete Secret +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -179,6 +202,7 @@ To run this sample: $ python delete_secret.py + usage: delete_secret.py [-h] project_id secret_id command line application and sample code for deleting an existing secret. @@ -192,6 +216,8 @@ To run this sample: + + Destroy Secret Version +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -207,6 +233,7 @@ To run this sample: $ python destroy_secret_version.py + usage: destroy_secret_version.py [-h] project_id secret_id version_id command line application and sample code for destroying a secret verison. @@ -221,6 +248,8 @@ To run this sample: + + Enable Secret Version +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -236,6 +265,7 @@ To run this sample: $ python enable_secret_version.py + usage: enable_secret_version.py [-h] project_id secret_id version_id command line application and sample code for enabling a secret version. @@ -250,6 +280,8 @@ To run this sample: + + Get Secret Version +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -265,6 +297,7 @@ To run this sample: $ python get_secret_version.py + usage: get_secret_version.py [-h] project_id secret_id version_id command line application and sample code for getting metdata about a secret @@ -280,6 +313,8 @@ To run this sample: + + IAM Grant Access +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -295,6 +330,7 @@ To run this sample: $ python iam_grant_access.py + usage: iam_grant_access.py [-h] project_id secret_id member command line application and sample code for granting access to a secret. 
@@ -309,6 +345,8 @@ To run this sample: + + IAM Revoke Access +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -324,6 +362,7 @@ To run this sample: $ python iam_revoke_access.py + usage: iam_revoke_access.py [-h] project_id secret_id member command line application and sample code for revoking access to a secret. @@ -338,6 +377,8 @@ To run this sample: + + Get Secret +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -353,6 +394,7 @@ To run this sample: $ python get_secret.py + usage: get_secret.py [-h] project_id secret_id command line application and sample code for getting metadata about a secret. @@ -366,6 +408,8 @@ To run this sample: + + List Secret Versions +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -381,6 +425,7 @@ To run this sample: $ python list_secret_versions.py + usage: list_secret_versions.py [-h] project_id secret_id command line application and sample code for listing secret versions of a @@ -395,6 +440,8 @@ To run this sample: + + List Secrets +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -410,6 +457,7 @@ To run this sample: $ python list_secrets.py + usage: list_secrets.py [-h] project_id command line application and sample code for listing secrets in a project. @@ -422,6 +470,8 @@ To run this sample: + + Update Secret +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -437,6 +487,7 @@ To run this sample: $ python update_secret.py + usage: update_secret.py [-h] --secret-id SECRET_ID project_id positional arguments: @@ -450,4 +501,8 @@ To run this sample: -.. _Google Cloud SDK: https://cloud.google.com/sdk/ \ No newline at end of file + + + + +.. _Google Cloud SDK: https://cloud.google.com/sdk/ diff --git a/samples/snippets/noxfile.py b/samples/snippets/noxfile.py new file mode 100644 index 0000000..ba55d7c --- /dev/null +++ b/samples/snippets/noxfile.py 
@@ -0,0 +1,224 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import print_function + +import os +from pathlib import Path +import sys + +import nox + + +# WARNING - WARNING - WARNING - WARNING - WARNING +# WARNING - WARNING - WARNING - WARNING - WARNING +# DO NOT EDIT THIS FILE EVER! +# WARNING - WARNING - WARNING - WARNING - WARNING +# WARNING - WARNING - WARNING - WARNING - WARNING + +# Copy `noxfile_config.py` to your directory and modify it instead. + + +# `TEST_CONFIG` dict is a configuration hook that allows users to +# modify the test configurations. The values here should be in sync +# with `noxfile_config.py`. Users will copy `noxfile_config.py` into +# their directory and modify it. + +TEST_CONFIG = { + # You can opt out from the test for specific Python versions. + 'ignored_versions': ["2.7"], + + # An envvar key for determining the project id to use. Change it + # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a + # build specific Cloud project. You can also use your own string + # to use your own Cloud project. + 'gcloud_project_env': 'GOOGLE_CLOUD_PROJECT', + # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT', + + # A dictionary you want to inject into your test. Don't put any + # secrets here. These values will override predefined values. + 'envs': {}, +} + + +try: + # Ensure we can import noxfile_config in the project's directory. 
+ sys.path.append('.') + from noxfile_config import TEST_CONFIG_OVERRIDE +except ImportError as e: + print("No user noxfile_config found: detail: {}".format(e)) + TEST_CONFIG_OVERRIDE = {} + +# Update the TEST_CONFIG with the user supplied values. +TEST_CONFIG.update(TEST_CONFIG_OVERRIDE) + + +def get_pytest_env_vars(): + """Returns a dict for pytest invocation.""" + ret = {} + + # Override the GCLOUD_PROJECT and the alias. + env_key = TEST_CONFIG['gcloud_project_env'] + # This should error out if not set. + ret['GOOGLE_CLOUD_PROJECT'] = os.environ[env_key] + + # Apply user supplied envs. + ret.update(TEST_CONFIG['envs']) + return ret + + +# DO NOT EDIT - automatically generated. +# All versions used to tested samples. +ALL_VERSIONS = ["2.7", "3.6", "3.7", "3.8"] + +# Any default versions that should be ignored. +IGNORED_VERSIONS = TEST_CONFIG['ignored_versions'] + +TESTED_VERSIONS = sorted([v for v in ALL_VERSIONS if v not in IGNORED_VERSIONS]) + +INSTALL_LIBRARY_FROM_SOURCE = bool(os.environ.get("INSTALL_LIBRARY_FROM_SOURCE", False)) +# +# Style Checks +# + + +def _determine_local_import_names(start_dir): + """Determines all import names that should be considered "local". + + This is used when running the linter to insure that import order is + properly checked. + """ + file_ext_pairs = [os.path.splitext(path) for path in os.listdir(start_dir)] + return [ + basename + for basename, extension in file_ext_pairs + if extension == ".py" + or os.path.isdir(os.path.join(start_dir, basename)) + and basename not in ("__pycache__") + ] + + +# Linting with flake8. 
+# +# We ignore the following rules: +# E203: whitespace before ‘:’ +# E266: too many leading ‘#’ for block comment +# E501: line too long +# I202: Additional newline in a section of imports +# +# We also need to specify the rules which are ignored by default: +# ['E226', 'W504', 'E126', 'E123', 'W503', 'E24', 'E704', 'E121'] +FLAKE8_COMMON_ARGS = [ + "--show-source", + "--builtin=gettext", + "--max-complexity=20", + "--import-order-style=google", + "--exclude=.nox,.cache,env,lib,generated_pb2,*_pb2.py,*_pb2_grpc.py", + "--ignore=E121,E123,E126,E203,E226,E24,E266,E501,E704,W503,W504,I202", + "--max-line-length=88", +] + + +@nox.session +def lint(session): + session.install("flake8", "flake8-import-order") + + local_names = _determine_local_import_names(".") + args = FLAKE8_COMMON_ARGS + [ + "--application-import-names", + ",".join(local_names), + "." + ] + session.run("flake8", *args) + + +# +# Sample Tests +# + + +PYTEST_COMMON_ARGS = ["--junitxml=sponge_log.xml"] + + +def _session_tests(session, post_install=None): + """Runs py.test for a particular project.""" + if os.path.exists("requirements.txt"): + session.install("-r", "requirements.txt") + + if os.path.exists("requirements-test.txt"): + session.install("-r", "requirements-test.txt") + + if INSTALL_LIBRARY_FROM_SOURCE: + session.install("-e", _get_repo_root()) + + if post_install: + post_install(session) + + session.run( + "pytest", + *(PYTEST_COMMON_ARGS + session.posargs), + # Pytest will return 5 when no tests are collected. This can happen + # on travis where slow and flaky tests are excluded. 
+ # See http://doc.pytest.org/en/latest/_modules/_pytest/main.html + success_codes=[0, 5], + env=get_pytest_env_vars() + ) + + +@nox.session(python=ALL_VERSIONS) +def py(session): + """Runs py.test for a sample using the specified version of Python.""" + if session.python in TESTED_VERSIONS: + _session_tests(session) + else: + session.skip("SKIPPED: {} tests are disabled for this sample.".format( + session.python + )) + + +# +# Readmegen +# + + +def _get_repo_root(): + """ Returns the root folder of the project. """ + # Get root of this repository. Assume we don't have directories nested deeper than 10 items. + p = Path(os.getcwd()) + for i in range(10): + if p is None: + break + if Path(p / ".git").exists(): + return str(p) + p = p.parent + raise Exception("Unable to detect repository root.") + + +GENERATED_READMES = sorted([x for x in Path(".").rglob("*.rst.in")]) + + +@nox.session +@nox.parametrize("path", GENERATED_READMES) +def readmegen(session, path): + """(Re-)generates the readme for a sample.""" + session.install("jinja2", "pyyaml") + dir_ = os.path.dirname(path) + + if os.path.exists(os.path.join(dir_, "requirements.txt")): + session.install("-r", os.path.join(dir_, "requirements.txt")) + + in_file = os.path.join(dir_, "README.rst.in") + session.run( + "python", _get_repo_root() + "/scripts/readme-gen/readme_gen.py", in_file + ) diff --git a/scripts/decrypt-secrets.sh b/scripts/decrypt-secrets.sh index ff599eb..21f6d2a 100755 --- a/scripts/decrypt-secrets.sh +++ b/scripts/decrypt-secrets.sh 
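Review bot: In `_determine_local_import_names`, `("__pycache__")` is a plain string rather than a one-element tuple, so `basename not in ("__pycache__")` is a substring test and also drops any directory whose name is a substring of it (a constructed example: `cache`); it should read `and basename not in ("__pycache__",)`. The `or`/`and` mix in that comprehension relies on operator precedence and would be clearer with parentheses around the `isdir` clause. Separately, `bool(os.environ.get("INSTALL_LIBRARY_FROM_SOURCE", False))` is true for any non-empty value, including `false` and `0`, so the editable install of the repository root cannot be turned off by setting the variable to a false-looking value; `os.environ.get("INSTALL_LIBRARY_FROM_SOURCE", "").lower() in ("1", "true")` would match what the name suggests. The header marks this file as generated, so the fix presumably belongs in the upstream template.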
@@ -20,14 +20,27 @@ ROOT=$( dirname "$DIR" ) # Work from the project root. cd $ROOT +# Prevent it from overriding files. +# We recommend that sample authors use their own service account files and cloud project. +# In that case, they are supposed to prepare these files by themselves. +if [[ -f "testing/test-env.sh" ]] || \ + [[ -f "testing/service-account.json" ]] || \ + [[ -f "testing/client-secrets.json" ]]; then + echo "One or more target files exist, aborting." + exit 1 +fi + # Use SECRET_MANAGER_PROJECT if set, fallback to cloud-devrel-kokoro-resources. PROJECT_ID="${SECRET_MANAGER_PROJECT:-cloud-devrel-kokoro-resources}" gcloud secrets versions access latest --secret="python-docs-samples-test-env" \ + --project="${PROJECT_ID}" \ > testing/test-env.sh gcloud secrets versions access latest \ --secret="python-docs-samples-service-account" \ + --project="${PROJECT_ID}" \ > testing/service-account.json gcloud secrets versions access latest \ --secret="python-docs-samples-client-secrets" \ - > testing/client-secrets.json \ No newline at end of file + --project="${PROJECT_ID}" \ + > testing/client-secrets.json diff --git a/synth.metadata b/synth.metadata index 4896dcf..14039dd 100644 --- a/synth.metadata +++ b/synth.metadata 
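Review bot: The three `gcloud secrets versions access` calls write the service-account key and client secrets through a plain `>` redirect, so the files get default-umask permissions; nothing in the hunk restricts them, and on a shared build host they may be readable by other users. Adding `umask 077` before the first call, or `chmod 600` on each file afterwards, closes that. The redirect also creates the target before `gcloud` runs, so a failed access leaves an empty file, and the new existence guard then aborts every later run with "One or more target files exist"; writing to a temporary name and moving it into place on success avoids that. The script starts outside the hunk, so an earlier `umask` or `set -e` may already be present.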
@@ -4,29 +4,21 @@ "git": { "name": ".", "remote": "https://github.com/googleapis/python-secret-manager.git", - "sha": "5f8689c9a1d6001d2873158c13cbb9a95b33fb97" - } - }, - { - "git": { - "name": "googleapis", - "remote": "https://github.com/googleapis/googleapis.git", - "sha": "b882b8e6bfcd708042ff00f7adc67ce750817dd0", - "internalRef": "318028816" + "sha": "8e2ef9921c7af1c8bd3620c728413470c790a02f" } }, { "git": { "name": "synthtool", "remote": "https://github.com/googleapis/synthtool.git", - "sha": "303271797a360f8a439203413f13a160f2f5b3b4" + "sha": "fdd03c161003ab97657cc0218f25c82c89ddf4b6" } }, { "git": { "name": "synthtool", "remote": "https://github.com/googleapis/synthtool.git", - "sha": "303271797a360f8a439203413f13a160f2f5b3b4" + "sha": "fdd03c161003ab97657cc0218f25c82c89ddf4b6" } } ], diff --git a/synth.py b/synth.py index 7c72c51..089cbd4 100644 --- a/synth.py +++ b/synth.py @@ -98,8 +98,14 @@ # ---------------------------------------------------------------------------- # Add templated files # ---------------------------------------------------------------------------- -templated_files = common.py_library(cov_level=75) +templated_files = common.py_library(cov_level=75, samples=True) s.move(templated_files) + +# ---------------------------------------------------------------------------- +# Samples templates +# ---------------------------------------------------------------------------- +python.py_samples() + # TODO(busunkim): Use latest sphinx after microgenerator transition s.replace("noxfile.py", """['"]sphinx['"]""", '"sphinx<3.0.0"')