Coverage for certbot/cli.py : 94%

"""Certbot command line argument & config processing.""" 

# pylint: disable=too-many-lines 

from __future__ import print_function 

import argparse 

import copy 

import glob 

import logging 

import logging.handlers 

import os 

import sys 

import configargparse 

import six 

import zope.component 

import zope.interface 

from zope.interface import interfaces as zope_interfaces 

from acme import challenges 

# pylint: disable=unused-import, no-name-in-module 

from acme.magic_typing import Any, Dict, Optional 

# pylint: enable=unused-import, no-name-in-module 

import certbot 

from certbot import constants 

from certbot import crypto_util 

from certbot import errors 

from certbot import hooks 

from certbot import interfaces 

from certbot import util 

from certbot.display import util as display_util 

from certbot.plugins import disco as plugins_disco 

import certbot.plugins.enhancements as enhancements 

import certbot.plugins.selection as plugin_selection 

logger = logging.getLogger(__name__) 

# Global, to save us from a lot of argument passing within the scope of this module 

helpful_parser = None # type: Optional[HelpfulArgumentParser] 

# For help strings, figure out how the user ran us. 

# When invoked from letsencrypt-auto, sys.argv[0] is something like: 

# "/home/user/.local/share/certbot/bin/certbot" 

# Note that this won't work if the user set VENV_PATH or XDG_DATA_HOME before 

# running letsencrypt-auto (and sudo stops us from seeing if they did), so it 

# should only be used for purposes where inability to detect letsencrypt-auto 

# fails safely 

LEAUTO = "letsencrypt-auto" 

if "CERTBOT_AUTO" in os.environ: 

# if we're here, this is probably going to be certbot-auto, unless the 

# user saved the script under a different name 

LEAUTO = os.path.basename(os.environ["CERTBOT_AUTO"]) 

old_path_fragment = os.path.join(".local", "share", "letsencrypt") 

new_path_prefix = os.path.abspath(os.path.join(os.sep, "opt", 

"eff.org", "certbot", "venv")) 

if old_path_fragment in sys.argv[0] or sys.argv[0].startswith(new_path_prefix): 

cli_command = LEAUTO 

else: 

cli_command = "certbot" 

# Argparse's help formatting has a lot of unhelpful peculiarities, so we want 

# to replace as much of it as we can... 

# This is the stub to include in help generated by argparse 

SHORT_USAGE = """ 

{0} [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... 

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, 

it will attempt to use a webserver both for obtaining and installing the 

certificate. """.format(cli_command) 

# This section is used for --help and --help all ; it needs information 

# about installed plugins to be fully formatted 

COMMAND_OVERVIEW = """The most common SUBCOMMANDS and flags are: 

obtain, install, and renew certificates: 

(default) run Obtain & install a certificate in your current webserver 

certonly Obtain or renew a certificate, but do not install it 

renew Renew all previously obtained certificates that are near expiry 

enhance Add security enhancements to your existing configuration 

-d DOMAINS Comma-separated list of domains to obtain a certificate for 

%s 

--standalone Run a standalone webserver for authentication 

%s 

--webroot Place files in a server's webroot folder for authentication 

--manual Obtain certificates interactively, or using shell script hooks 

-n Run non-interactively 

--test-cert Obtain a test certificate from a staging server 

--dry-run Test "renew" or "certonly" without saving any certificates to disk 

manage certificates: 

certificates Display information about certificates you have from Certbot 

revoke Revoke a certificate (supply --cert-path or --cert-name) 

delete Delete a certificate 

manage your account with Let's Encrypt: 

register Create a Let's Encrypt ACME account 

update_account Update a Let's Encrypt ACME account 

--agree-tos Agree to the ACME server's Subscriber Agreement 

-m EMAIL Email address for important account notifications 

""" 

# This is the short help for certbot --help, where we disable argparse 

# altogether 

HELP_AND_VERSION_USAGE = """ 

More detailed help: 

-h, --help [TOPIC] print this message, or detailed help on a topic; 

the available TOPICS are: 

all, automation, commands, paths, security, testing, or any of the 

subcommands or plugins (certonly, renew, install, register, nginx, 

apache, standalone, webroot, etc.) 

--version print the version number 

""" 

# These argparse parameters should be removed when detecting defaults. 

ARGPARSE_PARAMS_TO_REMOVE = ("const", "nargs", "type",) 

# These sets are used when to help detect options set by the user. 

EXIT_ACTIONS = set(("help", "version",)) 

ZERO_ARG_ACTIONS = set(("store_const", "store_true", 

"store_false", "append_const", "count",)) 

# Maps a config option to a set of config options that may have modified it. 

# This dictionary is used recursively, so if A modifies B and B modifies C, 

# it is determined that C was modified by the user if A was modified. 

VAR_MODIFIERS = {"account": set(("server",)), 

"renew_hook": set(("deploy_hook",)), 

"server": set(("dry_run", "staging",)), 

"webroot_map": set(("webroot_path",))} 

def report_config_interaction(modified, modifiers): 

"""Registers config option interaction to be checked by set_by_cli. 

This function can be called by during the __init__ or 

add_parser_arguments methods of plugins to register interactions 

between config options. 

:param modified: config options that can be modified by modifiers 

:type modified: iterable or str (string_types) 

:param modifiers: config options that modify modified 

:type modifiers: iterable or str (string_types) 

""" 

if isinstance(modified, six.string_types): 

modified = (modified,) 

if isinstance(modifiers, six.string_types): 

modifiers = (modifiers,) 

for var in modified: 

VAR_MODIFIERS.setdefault(var, set()).update(modifiers) 

def possible_deprecation_warning(config): 

"A deprecation warning for users with the old, not-self-upgrading letsencrypt-auto." 

if cli_command != LEAUTO: 

return 

if config.no_self_upgrade: 

# users setting --no-self-upgrade might be hanging on a client version like 0.3.0 

# or 0.5.0 which is the new script, but doesn't set CERTBOT_AUTO; they don't 

# need warnings 

return 

if "CERTBOT_AUTO" not in os.environ: 

logger.warning("You are running with an old copy of letsencrypt-auto" 

" that does not receive updates, and is less reliable than more" 

" recent versions. The letsencrypt client has also been renamed" 

" to Certbot. We recommend upgrading to the latest certbot-auto" 

" script, or using native OS packages.") 

logger.debug("Deprecation warning circumstances: %s / %s", sys.argv[0], os.environ) 

class _Default(object): 

"""A class to use as a default to detect if a value is set by a user""" 

def __bool__(self): 

return False 

def __eq__(self, other): 

return isinstance(other, _Default) 

def __hash__(self): 

return id(_Default) 

def __nonzero__(self): 

return self.__bool__() 

def set_by_cli(var): 

""" 

Return True if a particular config variable has been set by the user 

(CLI or config file) including if the user explicitly set it to the 

default. Returns False if the variable was assigned a default value. 

""" 

detector = set_by_cli.detector # type: ignore 

if detector is None and helpful_parser is not None: 

# Setup on first run: `detector` is a weird version of config in which 

# the default value of every attribute is wrangled to be boolean-false 

plugins = plugins_disco.PluginsRegistry.find_all() 

# reconstructed_args == sys.argv[1:], or whatever was passed to main() 

reconstructed_args = helpful_parser.args + [helpful_parser.verb] 

detector = set_by_cli.detector = prepare_and_parse_args( # type: ignore 

plugins, reconstructed_args, detect_defaults=True) 

# propagate plugin requests: eg --standalone modifies config.authenticator 

detector.authenticator, detector.installer = ( # type: ignore 

plugin_selection.cli_plugin_requests(detector)) 

if not isinstance(getattr(detector, var), _Default): 

logger.debug("Var %s=%s (set by user).", var, getattr(detector, var)) 

return True 

for modifier in VAR_MODIFIERS.get(var, []): 

if set_by_cli(modifier): 

logger.debug("Var %s=%s (set by user).", 

var, VAR_MODIFIERS.get(var, [])) 

return True 

return False 

# static housekeeping var 

# functions attributed are not supported by mypy 

# https://github.com/python/mypy/issues/2087 

set_by_cli.detector = None # type: ignore 

def has_default_value(option, value): 

"""Does option have the default value? 

If the default value of option is not known, False is returned. 

:param str option: configuration variable being considered 

:param value: value of the configuration variable named option 

:returns: True if option has the default value, otherwise, False 

:rtype: bool 

""" 

if helpful_parser is not None: 

return (option in helpful_parser.defaults and 

helpful_parser.defaults[option] == value) 

return False 

def option_was_set(option, value): 

"""Was option set by the user or does it differ from the default? 

:param str option: configuration variable being considered 

:param value: value of the configuration variable named option 

:returns: True if the option was set, otherwise, False 

:rtype: bool 

""" 

return set_by_cli(option) or not has_default_value(option, value) 

def argparse_type(variable): 

"""Return our argparse type function for a config variable (default: str)""" 

# pylint: disable=protected-access 

if helpful_parser is not None: 

for action in helpful_parser.parser._actions: 

if action.type is not None and action.dest == variable: 

return action.type 

return str 

def read_file(filename, mode="rb"): 

"""Returns the given file's contents. 

:param str filename: path to file 

:param str mode: open mode (see `open`) 

:returns: absolute path of filename and its contents 

:rtype: tuple 

:raises argparse.ArgumentTypeError: File does not exist or is not readable. 

""" 

try: 

filename = os.path.abspath(filename) 

with open(filename, mode) as the_file: 

contents = the_file.read() 

return filename, contents 

except IOError as exc: 

raise argparse.ArgumentTypeError(exc.strerror) 

def flag_default(name): 

"""Default value for CLI flag.""" 

# XXX: this is an internal housekeeping notion of defaults before 

# argparse has been set up; it is not accurate for all flags. Call it 

# with caution. Plugin defaults are missing, and some things are using 

# defaults defined in this file, not in constants.py :( 

return copy.deepcopy(constants.CLI_DEFAULTS[name]) 

def config_help(name, hidden=False): 

"""Extract the help message for an `.IConfig` attribute.""" 

# pylint: disable=no-member 

if hidden: 

return argparse.SUPPRESS 

else: 

field = interfaces.IConfig.__getitem__(name) # type: zope.interface.interface.Attribute 

return field.__doc__ 

class HelpfulArgumentGroup(object): 

"""Emulates an argparse group for use with HelpfulArgumentParser. 

This class is used in the add_group method of HelpfulArgumentParser. 

Command line arguments can be added to the group, but help 

suppression and default detection is applied by 

HelpfulArgumentParser when necessary. 

""" 

def __init__(self, helpful_arg_parser, topic): 

self._parser = helpful_arg_parser 

self._topic = topic 

def add_argument(self, *args, **kwargs): 

"""Add a new command line argument to the argument group.""" 

self._parser.add(self._topic, *args, **kwargs) 

class CustomHelpFormatter(argparse.HelpFormatter): 

"""This is a clone of ArgumentDefaultsHelpFormatter, with bugfixes. 

In particular we fix https://bugs.python.org/issue28742 

""" 

def _get_help_string(self, action): 

helpstr = action.help 

if '%(default)' not in action.help and '(default:' not in action.help: 

if action.default != argparse.SUPPRESS: 

defaulting_nargs = [argparse.OPTIONAL, argparse.ZERO_OR_MORE] 

if action.option_strings or action.nargs in defaulting_nargs: 

helpstr += ' (default: %(default)s)' 

return helpstr 

# The attributes here are: 

# short: a string that will be displayed by "certbot -h commands" 

# opts: a string that heads the section of flags with which this command is documented, 

# both for "certbot -h SUBCOMMAND" and "certbot -h all" 

# usage: an optional string that overrides the header of "certbot -h SUBCOMMAND" 

VERB_HELP = [ 

("run (default)", { 

"short": "Obtain/renew a certificate, and install it", 

"opts": "Options for obtaining & installing certificates", 

"usage": SHORT_USAGE.replace("[SUBCOMMAND]", ""), 

"realname": "run" 

}), 

("certonly", { 

"short": "Obtain or renew a certificate, but do not install it", 

"opts": "Options for modifying how a certificate is obtained", 

"usage": ("\n\n certbot certonly [options] [-d DOMAIN] [-d DOMAIN] ...\n\n" 

"This command obtains a TLS/SSL certificate without installing it anywhere.") 

}), 

("renew", { 

"short": "Renew all certificates (or one specified with --cert-name)", 

"opts": ("The 'renew' subcommand will attempt to renew all" 

" certificates (or more precisely, certificate lineages) you have" 

" previously obtained if they are close to expiry, and print a" 

" summary of the results. By default, 'renew' will reuse the options" 

" used to create obtain or most recently successfully renew each" 

" certificate lineage. You can try it with `--dry-run` first. For" 

" more fine-grained control, you can renew individual lineages with" 

" the `certonly` subcommand. Hooks are available to run commands" 

" before and after renewal; see" 

" https://certbot.eff.org/docs/using.html#renewal for more" 

" information on these."), 

"usage": "\n\n certbot renew [--cert-name CERTNAME] [options]\n\n" 

}), 

("certificates", { 

"short": "List certificates managed by Certbot", 

"opts": "List certificates managed by Certbot", 

"usage": ("\n\n certbot certificates [options] ...\n\n" 

"Print information about the status of certificates managed by Certbot.") 

}), 

("delete", { 

"short": "Clean up all files related to a certificate", 

"opts": "Options for deleting a certificate", 

"usage": "\n\n certbot delete --cert-name CERTNAME\n\n" 

}), 

("revoke", { 

"short": "Revoke a certificate specified with --cert-path or --cert-name", 

"opts": "Options for revocation of certificates", 

"usage": "\n\n certbot revoke [--cert-path /path/to/fullchain.pem | " 

"--cert-name example.com] [options]\n\n" 

}), 

("register", { 

"short": "Register for account with Let's Encrypt / other ACME server", 

"opts": "Options for account registration", 

"usage": "\n\n certbot register --email user@example.com [options]\n\n" 

}), 

("update_account", { 

"short": "Update existing account with Let's Encrypt / other ACME server", 

"opts": "Options for account modification", 

"usage": "\n\n certbot update_account --email updated_email@example.com [options]\n\n" 

}), 

("unregister", { 

"short": "Irrevocably deactivate your account", 

"opts": "Options for account deactivation.", 

"usage": "\n\n certbot unregister [options]\n\n" 

}), 

("install", { 

"short": "Install an arbitrary certificate in a server", 

"opts": "Options for modifying how a certificate is deployed", 

"usage": "\n\n certbot install --cert-path /path/to/fullchain.pem " 

" --key-path /path/to/private-key [options]\n\n" 

}), 

("config_changes", { 

"short": "Show changes that Certbot has made to server configurations", 

"opts": "Options for controlling which changes are displayed", 

"usage": "\n\n certbot config_changes --num NUM [options]\n\n" 

}), 

("rollback", { 

"short": "Roll back server conf changes made during certificate installation", 

"opts": "Options for rolling back server configuration changes", 

"usage": "\n\n certbot rollback --checkpoints 3 [options]\n\n" 

}), 

("plugins", { 

"short": "List plugins that are installed and available on your system", 

"opts": 'Options for for the "plugins" subcommand', 

"usage": "\n\n certbot plugins [options]\n\n" 

}), 

("update_symlinks", { 

"short": "Recreate symlinks in your /etc/letsencrypt/live/ directory", 

"opts": ("Recreates certificate and key symlinks in {0}, if you changed them by hand " 

"or edited a renewal configuration file".format( 

os.path.join(flag_default("config_dir"), "live"))), 

"usage": "\n\n certbot update_symlinks [options]\n\n" 

}), 

("enhance", { 

"short": "Add security enhancements to your existing configuration", 

"opts": ("Helps to harden the TLS configuration by adding security enhancements " 

"to already existing configuration."), 

"usage": "\n\n certbot enhance [options]\n\n" 

}), 

] 

# VERB_HELP is a list in order to preserve order, but a dict is sometimes useful 

VERB_HELP_MAP = dict(VERB_HELP) 

class HelpfulArgumentParser(object): 

"""Argparse Wrapper. 

This class wraps argparse, adding the ability to make --help less 

verbose, and request help on specific subcategories at a time, eg 

'certbot --help security' for security options. 

""" 

def __init__(self, args, plugins, detect_defaults=False): 

from certbot import main 

self.VERBS = { 

"auth": main.certonly, 

"certonly": main.certonly, 

"config_changes": main.config_changes, 

"run": main.run, 

"install": main.install, 

"plugins": main.plugins_cmd, 

"register": main.register, 

"update_account": main.update_account, 

"unregister": main.unregister, 

"renew": main.renew, 

"revoke": main.revoke, 

"rollback": main.rollback, 

"everything": main.run, 

"update_symlinks": main.update_symlinks, 

"certificates": main.certificates, 

"delete": main.delete, 

"enhance": main.enhance, 

} 

# Get notification function for printing 

try: 

self.notify = zope.component.getUtility( 

interfaces.IDisplay).notification 

except zope_interfaces.ComponentLookupError: 

self.notify = display_util.NoninteractiveDisplay( 

sys.stdout).notification 

# List of topics for which additional help can be provided 

HELP_TOPICS = ["all", "security", "paths", "automation", "testing"] 

HELP_TOPICS += list(self.VERBS) + self.COMMANDS_TOPICS + ["manage"] 

plugin_names = list(plugins) 

self.help_topics = HELP_TOPICS + plugin_names + [None] # type: ignore 

self.detect_defaults = detect_defaults 

self.args = args 

if self.args and self.args[0] == 'help': 

self.args[0] = '--help' 

self.determine_verb() 

help1 = self.prescan_for_flag("-h", self.help_topics) 

help2 = self.prescan_for_flag("--help", self.help_topics) 

if isinstance(help1, bool) and isinstance(help2, bool): 

self.help_arg = help1 or help2 

else: 

self.help_arg = help1 if isinstance(help1, six.string_types) else help2 

short_usage = self._usage_string(plugins, self.help_arg) 

self.visible_topics = self.determine_help_topics(self.help_arg) 

# elements are added by .add_group() 

self.groups = {} # type: Dict[str, argparse._ArgumentGroup] 

# elements are added by .parse_args() 

self.defaults = {} # type: Dict[str, Any] 

self.parser = configargparse.ArgParser( 

prog="certbot", 

usage=short_usage, 

formatter_class=CustomHelpFormatter, 

args_for_setting_config_path=["-c", "--config"], 

default_config_files=flag_default("config_files"), 

config_arg_help_message="path to config file (default: {0})".format( 

" and ".join(flag_default("config_files")))) 

# This is the only way to turn off overly verbose config flag documentation 

self.parser._add_config_file_help = False # pylint: disable=protected-access 

# Help that are synonyms for --help subcommands 

COMMANDS_TOPICS = ["command", "commands", "subcommand", "subcommands", "verbs"] 

def _list_subcommands(self): 

longest = max(len(v) for v in VERB_HELP_MAP.keys()) 

text = "The full list of available SUBCOMMANDS is:\n\n" 

for verb, props in sorted(VERB_HELP): 

doc = props.get("short", "") 

text += '{0:<{length}} {1}\n'.format(verb, doc, length=longest) 

text += "\nYou can get more help on a specific subcommand with --help SUBCOMMAND\n" 

return text 

def _usage_string(self, plugins, help_arg): 

"""Make usage strings late so that plugins can be initialised late 

:param plugins: all discovered plugins 

:param help_arg: False for none; True for --help; "TOPIC" for --help TOPIC 

:rtype: str 

:returns: a short usage string for the top of --help TOPIC) 

""" 

if "nginx" in plugins: 

nginx_doc = "--nginx Use the Nginx plugin for authentication & installation" 

else: 

nginx_doc = "(the certbot nginx plugin is not installed)" 

if "apache" in plugins: 

apache_doc = "--apache Use the Apache plugin for authentication & installation" 

else: 

apache_doc = "(the certbot apache plugin is not installed)" 

usage = SHORT_USAGE 

if help_arg == True: 

self.notify(usage + COMMAND_OVERVIEW % (apache_doc, nginx_doc) + HELP_AND_VERSION_USAGE) 

sys.exit(0) 

elif help_arg in self.COMMANDS_TOPICS: 

self.notify(usage + self._list_subcommands()) 

sys.exit(0) 

elif help_arg == "all": 

# if we're doing --help all, the OVERVIEW is part of the SHORT_USAGE at 

# the top; if we're doing --help someothertopic, it's OT so it's not 

usage += COMMAND_OVERVIEW % (apache_doc, nginx_doc) 

else: 

custom = VERB_HELP_MAP.get(help_arg, {}).get("usage", None) 

usage = custom if custom else usage 

return usage 

def remove_config_file_domains_for_renewal(self, parsed_args): 

"""Make "certbot renew" safe if domains are set in cli.ini.""" 

# Works around https://github.com/certbot/certbot/issues/4096 

if self.verb == "renew": 

for source, flags in self.parser._source_to_settings.items(): # pylint: disable=protected-access 

if source.startswith("config_file") and "domains" in flags: 

parsed_args.domains = _Default() if self.detect_defaults else [] 

def parse_args(self): 

"""Parses command line arguments and returns the result. 

:returns: parsed command line arguments 

:rtype: argparse.Namespace 

""" 

parsed_args = self.parser.parse_args(self.args) 

parsed_args.func = self.VERBS[self.verb] 

parsed_args.verb = self.verb 

self.remove_config_file_domains_for_renewal(parsed_args) 

if self.detect_defaults: 

return parsed_args 

self.defaults = dict((key, copy.deepcopy(self.parser.get_default(key))) 

for key in vars(parsed_args)) 

# Do any post-parsing homework here 

if self.verb == "renew": 

if parsed_args.force_interactive: 

raise errors.Error( 

"{0} cannot be used with renew".format( 

constants.FORCE_INTERACTIVE_FLAG)) 

parsed_args.noninteractive_mode = True 

if parsed_args.force_interactive and parsed_args.noninteractive_mode: 

raise errors.Error( 

"Flag for non-interactive mode and {0} conflict".format( 

constants.FORCE_INTERACTIVE_FLAG)) 

if parsed_args.staging or parsed_args.dry_run: 

self.set_test_server(parsed_args) 

if parsed_args.csr: 

self.handle_csr(parsed_args) 

if parsed_args.must_staple: 

parsed_args.staple = True 

if parsed_args.validate_hooks: 

hooks.validate_hooks(parsed_args) 

if parsed_args.allow_subset_of_names: 

if any(util.is_wildcard_domain(d) for d in parsed_args.domains): 

raise errors.Error("Using --allow-subset-of-names with a" 

" wildcard domain is not supported.") 

if parsed_args.hsts and parsed_args.auto_hsts: 

raise errors.Error( 

"Parameters --hsts and --auto-hsts cannot be used simultaneously.") 

possible_deprecation_warning(parsed_args) 

return parsed_args 

def set_test_server(self, parsed_args): 

"""We have --staging/--dry-run; perform sanity check and set config.server""" 

if parsed_args.server not in (flag_default("server"), constants.STAGING_URI): 

conflicts = ["--staging"] if parsed_args.staging else [] 

conflicts += ["--dry-run"] if parsed_args.dry_run else [] 

raise errors.Error("--server value conflicts with {0}".format( 

" and ".join(conflicts))) 

parsed_args.server = constants.STAGING_URI 

if parsed_args.dry_run: 

if self.verb not in ["certonly", "renew"]: 

raise errors.Error("--dry-run currently only works with the " 

"'certonly' or 'renew' subcommands (%r)" % self.verb) 

parsed_args.break_my_certs = parsed_args.staging = True 

if glob.glob(os.path.join(parsed_args.config_dir, constants.ACCOUNTS_DIR, "*")): 

# The user has a prod account, but might not have a staging 

# one; we don't want to start trying to perform interactive registration 

parsed_args.tos = True 

parsed_args.register_unsafely_without_email = True 

def handle_csr(self, parsed_args): 

"""Process a --csr flag.""" 

if parsed_args.verb != "certonly": 

raise errors.Error("Currently, a CSR file may only be specified " 

"when obtaining a new or replacement " 

"via the certonly command. Please try the " 

"certonly command instead.") 

if parsed_args.allow_subset_of_names: 

raise errors.Error("--allow-subset-of-names cannot be used with --csr") 

csrfile, contents = parsed_args.csr[0:2] 

typ, csr, domains = crypto_util.import_csr_file(csrfile, contents) 

# This is not necessary for webroot to work, however, 

# obtain_certificate_from_csr requires parsed_args.domains to be set 

for domain in domains: 

add_domains(parsed_args, domain) 

if not domains: 

# TODO: add CN to domains instead: 

raise errors.Error( 

"Unfortunately, your CSR %s needs to have a SubjectAltName for every domain" 

% parsed_args.csr[0]) 

parsed_args.actual_csr = (csr, typ) 

csr_domains = set([d.lower() for d in domains]) 

config_domains = set(parsed_args.domains) 

if csr_domains != config_domains: 

raise errors.ConfigurationError( 

"Inconsistent domain requests:\nFrom the CSR: {0}\nFrom command line/config: {1}" 

.format(", ".join(csr_domains), ", ".join(config_domains))) 

def determine_verb(self): 

"""Determines the verb/subcommand provided by the user. 

This function works around some of the limitations of argparse. 

""" 

if "-h" in self.args or "--help" in self.args: 

# all verbs double as help arguments; don't get them confused 

self.verb = "help" 

return 

for i, token in enumerate(self.args): 

if token in self.VERBS: 

verb = token 

if verb == "auth": 

verb = "certonly" 

if verb == "everything": 

verb = "run" 

self.verb = verb 

self.args.pop(i) 

return 

self.verb = "run" 

def prescan_for_flag(self, flag, possible_arguments): 

"""Checks cli input for flags. 

Check for a flag, which accepts a fixed set of possible arguments, in 

the command line; we will use this information to configure argparse's 

help correctly. Return the flag's argument, if it has one that matches 

the sequence @possible_arguments; otherwise return whether the flag is 

present. 

""" 

if flag not in self.args: 

return False 

pos = self.args.index(flag) 

try: 

nxt = self.args[pos + 1] 

if nxt in possible_arguments: 

return nxt 

except IndexError: 

pass 

return True 

def add(self, topics, *args, **kwargs): 

"""Add a new command line argument. 

:param topics: str or [str] help topic(s) this should be listed under, 

or None for "always documented". The first entry 

determines where the flag lives in the "--help all" 

output (None -> "optional arguments"). 

:param list *args: the names of this argument flag 

:param dict **kwargs: various argparse settings for this argument 

""" 

if isinstance(topics, list): 

# if this flag can be listed in multiple sections, try to pick the one 

# that the user has asked for help about 

topic = self.help_arg if self.help_arg in topics else topics[0] 

else: 

topic = topics # there's only one 

if self.detect_defaults: 

kwargs = self.modify_kwargs_for_default_detection(**kwargs) 

if self.visible_topics[topic]: 

if topic in self.groups: 

group = self.groups[topic] 

group.add_argument(*args, **kwargs) 

else: 

self.parser.add_argument(*args, **kwargs) 

else: 

kwargs["help"] = argparse.SUPPRESS 

self.parser.add_argument(*args, **kwargs) 

def modify_kwargs_for_default_detection(self, **kwargs): 

"""Modify an arg so we can check if it was set by the user. 

Changes the parameters given to argparse when adding an argument 

so we can properly detect if the value was set by the user. 

:param dict kwargs: various argparse settings for this argument 

:returns: a modified versions of kwargs 

:rtype: dict 

""" 

action = kwargs.get("action", None) 

if action not in EXIT_ACTIONS: 

kwargs["action"] = ("store_true" if action in ZERO_ARG_ACTIONS else 

"store") 

kwargs["default"] = _Default() 

for param in ARGPARSE_PARAMS_TO_REMOVE: 

kwargs.pop(param, None) 

return kwargs 

def add_deprecated_argument(self, argument_name, num_args): 

"""Adds a deprecated argument with the name argument_name. 

Deprecated arguments are not shown in the help. If they are used 

on the command line, a warning is shown stating that the 

argument is deprecated and no other action is taken. 

:param str argument_name: Name of deprecated argument. 

:param int nargs: Number of arguments the option takes. 

""" 

util.add_deprecated_argument( 

self.parser.add_argument, argument_name, num_args) 

def add_group(self, topic, verbs=(), **kwargs): 

"""Create a new argument group. 

This method must be called once for every topic, however, calls 

to this function are left next to the argument definitions for 

clarity.