add aws credential checking ONLY FOR YOUR OWN credentials if they're set in a configurable credentials file (AWS CLI tools' native format)
diff --git a/README.md b/README.md
index 7a919e6..6795320 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@
 - `check-xml` - Attempts to load all xml files to verify syntax.
 - `check-yaml` - Attempts to load all yaml files to verify syntax.
 - `debug-statements` - Check for pdb / ipdb / pudb statements in code.
+- `detect-aws-credentials` - Checks for the existence of aws access keys and secrets that you have set up with the AWS cli.
 - `detect-private-key` - Checks for the existence of private keys.
 - `double-quote-string-fixer` - This hook replaces double quoted strings with single quoted strings.
diff --git a/hooks.yaml b/hooks.yaml
index 13fef85..3bac5ae 100644
--- a/hooks.yaml
+++ b/hooks.yaml
@@ -56,6 +56,12 @@
   entry: debug-statement-hook
   language: python
   files: \.py$
+- id: detect-aws-credentials
+  name: Detect AWS Credentials
+  description: Detects *your* aws credentials from the aws cli credentials file
+  entry: detect-aws-credentials
+  language: python
+  files: ''
 - id: detect-private-key
   name: Detect Private Key
   description: Detects the presence of private keys
diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
new file mode 100644
index 0000000..77c1991
--- /dev/null
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -0,0 +1,65 @@
+from __future__ import print_function
+from __future__ import unicode_literals
+
+import argparse
+import ConfigParser
+import os
+
+
+def get_your_keys(credentials_file, ignore_access_key=False):
+    """ reads the keys in your credentials file in order to be able to look
+    for them in the submitted code.
+    """
+    aws_credentials_file_path = os.path.expanduser(credentials_file)
+    if not os.path.exists(aws_credentials_file_path):
+        exit(2)
+
+    parser = ConfigParser.ConfigParser()
+    parser.read(aws_credentials_file_path)
+
+    keys = set()
+    for section in parser.sections():
+        if not ignore_access_key:
+            keys.add(parser.get(section, 'aws_access_key_id'))
+        keys.add(parser.get(section, 'aws_secret_access_key'))
+    return keys
+
+
+def check_file_for_aws_keys(filename, keys):
+    with open(filename, 'r') as content:
+        # naively match the entire file, chances be so slim
+        # of random characters matching your flipping key.
+        for line in content:
+            if any(key in line for key in keys):
+                return 1
+    return 0
+
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filenames', nargs='*', help='Filenames to run')
+    parser.add_argument(
+        "--credentials-file",
+        default='~/.aws/credentials',
+        help="location of aws credentials file from which to get the keys "
+             "we're looking for",
+    )
+    parser.add_argument(
+        "--ignore-access-key",
+        action='store_true',
+        help="if you would like to ignore access keys, as there is "
+             "occasionally legitimate use for these.",
+    )
+    args = parser.parse_args(argv)
+    ignore_access_key = args.ignore_access_key
+    keys = get_your_keys(args.credentials_file,
+                         ignore_access_key=ignore_access_key)
+
+    retv = 0
+    for filename in args.filenames:
+        retv |= check_file_for_aws_keys(filename, keys)
+    return retv
+
+
+if __name__ == '__main__':
+    exit(main())
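Review bot: get_your_keys misbehaves on ordinary credentials files: `parser.get(section, 'aws_access_key_id')` raises ConfigParser.NoOptionError for any profile section that lacks one of the two options, and an option with an empty value adds `''` to the key set, which `key in line` matches on every line so every file is rejected. The `exit(2)` on a missing credentials file also aborts every commit on a machine without that file (a CI runner, a fresh checkout), which the hook description does not appear to intend; returning an empty key set there seems the safer behaviour, though it does change the exit status for that case. The rewrite below reads only the options that are present, drops blank values, and avoids the hard exit. Separately, check_file_for_aws_keys returns 1 without saying which file matched; a `print('AWS credential found in: {}'.format(filename))` before the `return 1` (the filename only, never the matched key) would make the failure actionable.
```python
def get_your_keys(credentials_file, ignore_access_key=False):
    """Return the set of non-empty key values found in the AWS credentials
    file at *credentials_file*, or an empty set when the file is absent.
    """
    aws_credentials_file_path = os.path.expanduser(credentials_file)
    if not os.path.exists(aws_credentials_file_path):
        # Nothing to look for; do not block commits on hosts without the file.
        return set()

    parser = ConfigParser.ConfigParser()
    parser.read(aws_credentials_file_path)

    wanted = ['aws_secret_access_key']
    if not ignore_access_key:
        wanted.append('aws_access_key_id')

    keys = set()
    for section in parser.sections():
        for option in wanted:
            # Profiles may carry only region/output settings or omit one key.
            if parser.has_option(section, option):
                value = parser.get(section, option).strip()
                if value:  # an empty value would match every line of every file
                    keys.add(value)
    return keys
```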
diff --git a/setup.py b/setup.py
index b24c05e..3050118 100644
--- a/setup.py
+++ b/setup.py
@@ -44,6 +44,7 @@
         'check-xml = pre_commit_hooks.check_xml:check_xml',
         'check-yaml = pre_commit_hooks.check_yaml:check_yaml',
         'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook',
+        'detect-aws-credentials = pre_commit_hooks.detect_aws_credentials:main',
         'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key',
         'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer',
         'name-tests-test = pre_commit_hooks.tests_should_end_in_test:validate_files',