add aws credential checking ONLY FOR YOUR OWN credentials if they're set in a configurable credentials file (AWS CLI tools' native format)
diff --git a/README.md b/README.md
index 7a919e6..6795320 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@
- `check-xml` - Attempts to load all xml files to verify syntax.
- `check-yaml` - Attempts to load all yaml files to verify syntax.
- `debug-statements` - Check for pdb / ipdb / pudb statements in code.
+- `detect-aws-credentials` - Checks for the existence of aws access keys and secrets that you have set up with the AWS cli.
- `detect-private-key` - Checks for the existence of private keys.
- `double-quote-string-fixer` - This hook replaces double quoted strings
with single quoted strings.
diff --git a/hooks.yaml b/hooks.yaml
index 13fef85..3bac5ae 100644
--- a/hooks.yaml
+++ b/hooks.yaml
@@ -56,6 +56,12 @@
entry: debug-statement-hook
language: python
files: \.py$
+- id: detect-aws-credentials
+ name: Detect AWS Credentials
+ description: Detects *your* aws credentials from the aws cli credentials file
+ entry: detect-aws-credentials
+ language: python
+ files: ''
- id: detect-private-key
name: Detect Private Key
description: Detects the presence of private keys
diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
new file mode 100644
index 0000000..77c1991
--- /dev/null
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -0,0 +1,65 @@
+from __future__ import print_function
+from __future__ import unicode_literals
+
+import argparse
+import ConfigParser
+import os
+
+
+def get_your_keys(credentials_file, ignore_access_key=False):
+ """ reads the keys in your credentials file in order to be able to look
+ for them in the submitted code.
+ """
+ aws_credentials_file_path = os.path.expanduser(credentials_file)
+ if not os.path.exists(aws_credentials_file_path):
+ exit(2)
+
+ parser = ConfigParser.ConfigParser()
+ parser.read(aws_credentials_file_path)
+
+ keys = set()
+ for section in parser.sections():
+ if not ignore_access_key:
+ keys.add(parser.get(section, 'aws_access_key_id'))
+ keys.add(parser.get(section, 'aws_secret_access_key'))
+ return keys
+
+
+def check_file_for_aws_keys(filename, keys):
+ with open(filename, 'r') as content:
+ # naively match the entire file, chances be so slim
+ # of random characters matching your flipping key.
+ for line in content:
+ if any(key in line for key in keys):
+ return 1
+ return 0
+
+
+def main(argv=None):
+ parser = argparse.ArgumentParser()
+ parser.add_argument('filenames', nargs='*', help='Filenames to run')
+ parser.add_argument(
+ "--credentials-file",
+ default='~/.aws/credentials',
+ help="location of aws credentials file from which to get the keys "
+ "we're looking for",
+ )
+ parser.add_argument(
+ "--ignore-access-key",
+ action='store_true',
+ help="if you would like to ignore access keys, as there is "
+ "occasionally legitimate use for these.",
+ )
+ args = parser.parse_args(argv)
+ ignore_access_key = args.ignore_access_key
+ keys = get_your_keys(args.credentials_file,
+ ignore_access_key=ignore_access_key)
+
+ retv = 0
+ for filename in args.filenames:
+ retv |= check_file_for_aws_keys(filename, keys)
+ return retv
+
+
+if __name__ == '__main__':
+ exit(main())
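Review bot: In `get_your_keys`, `parser.get(section, ...)` raises `NoOptionError` for any profile section that lacks one of the two options, so the hook dies with a traceback before scanning anything. A present-but-empty value is worse, because `'' in line` is true for every line and every file gets flagged. Guard each lookup with `parser.has_option` and drop empty values, as sketched below. Separately, the missing-file path calls `exit(2)` with no message and `check_file_for_aws_keys` returns 1 without naming the file, so a blocked commit gives the user nothing to act on. Print a one-line reason before exiting and the filename on a match, but never the matched key, which would copy the secret into terminal and CI logs.

```python
def get_your_keys(credentials_file, ignore_access_key=False):
    # … unchanged: expanduser, existence check, parser.read …
    wanted = ['aws_secret_access_key']
    if not ignore_access_key:
        wanted.append('aws_access_key_id')

    keys = set()
    for section in parser.sections():
        for option in wanted:
            # a profile section may define only one of the two options
            if parser.has_option(section, option):
                value = parser.get(section, option).strip()
                # an empty value would match every line of every file
                if value:
                    keys.add(value)
    return keys
```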
diff --git a/setup.py b/setup.py
index b24c05e..3050118 100644
--- a/setup.py
+++ b/setup.py
@@ -44,6 +44,7 @@
'check-xml = pre_commit_hooks.check_xml:check_xml',
'check-yaml = pre_commit_hooks.check_yaml:check_yaml',
'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook',
+ 'detect-aws-credentials = pre_commit_hooks.detect_aws_credentials:main',
'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key',
'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer',
'name-tests-test = pre_commit_hooks.tests_should_end_in_test:validate_files',