commit 95bf20d52d5daea2ee493622498cb2299db0781e
author Ara Hayrabedian <ara.hayrabedian@gmail.com> Sun May 31 23:50:49 2015 +0400
committer Ara Hayrabedian <ara.hayrabedian@gmail.com> Mon Jun 01 23:16:51 2015 +0400
tree 428f561a5bca32a3255e3020905bb52ab53b8e69
parent cf550fcab3f12015f8676b8278b30e1a5bc10e70

add aws credential checking ONLY FOR YOUR OWN credentials if they're set in a configurable credentials file (AWS CLI tools' native format)

pre_commit_hooks/detect_aws_credentials.py

diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
new file mode 100644
index 0000000..77c1991
--- /dev/null
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -0,0 +1,65 @@
+from __future__ import print_function
+from __future__ import unicode_literals
+
+import argparse
+import ConfigParser
+import os
+
+
+def get_your_keys(credentials_file, ignore_access_key=False):
+    """ reads the keys in your credentials file in order to be able to look
+    for them in the submitted code.
+    """
+    aws_credentials_file_path = os.path.expanduser(credentials_file)
+    if not os.path.exists(aws_credentials_file_path):
+        exit(2)
+
+    parser = ConfigParser.ConfigParser()
+    parser.read(aws_credentials_file_path)
+
+    keys = set()
+    for section in parser.sections():
+        if not ignore_access_key:
+            keys.add(parser.get(section, 'aws_access_key_id'))
+        keys.add(parser.get(section, 'aws_secret_access_key'))
+    return keys
+
+
+def check_file_for_aws_keys(filename, keys):
+    with open(filename, 'r') as content:
+        # naively match the entire file, chances be so slim
+        # of random characters matching your flipping key.
+        for line in content:
+            if any(key in line for key in keys):
+                return 1
+    return 0
+
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filenames', nargs='*', help='Filenames to run')
+    parser.add_argument(
+        "--credentials-file", 
+        default='~/.aws/credentials',
+        help="location of aws credentials file from which to get the keys "
+              "we're looking for",
+    )
+    parser.add_argument(
+        "--ignore-access-key", 
+        action='store_true',
+        help="if you would like to ignore access keys, as there is "
+        "occasionally legitimate use for these.",
+    )
+    args = parser.parse_args(argv)
+    ignore_access_key = args.ignore_access_key
+    keys = get_your_keys(args.credentials_file,
+                         ignore_access_key=ignore_access_key)
+
+    retv = 0
+    for filename in args.filenames:
+        retv |= check_file_for_aws_keys(filename, keys)
+    return retv
+
+
+if __name__ == '__main__':
+    exit(main())