| from __future__ import print_function |
| from __future__ import unicode_literals |
| |
| import argparse |
| import os |
| |
| from six.moves import configparser # pylint: disable=import-error |
| |
| |
| def get_your_keys(credentials_file): |
| """ reads the secret keys in your credentials file in order to be able to look |
| for them in the submitted code. |
| """ |
| aws_credentials_file_path = os.path.expanduser(credentials_file) |
| if not os.path.exists(aws_credentials_file_path): |
| return None |
| |
| parser = configparser.ConfigParser() |
| parser.read(aws_credentials_file_path) |
| |
| keys = set() |
| for section in parser.sections(): |
| keys.add(parser.get(section, 'aws_secret_access_key')) |
| return keys |
| |
| |
| def check_file_for_aws_keys(filenames, keys): |
| bad_files = [] |
| |
| for filename in filenames: |
| with open(filename, 'r') as content: |
| text_body = content.read() |
| if any(key in text_body for key in keys): |
| # naively match the entire file, low chance of incorrect collision |
| bad_files.append(filename) |
| |
| return bad_files |
| |
| |
| def main(argv=None): |
| parser = argparse.ArgumentParser() |
| parser.add_argument('filenames', nargs='*', help='Filenames to run') |
| parser.add_argument( |
| "--credentials-file", |
| default='~/.aws/credentials', |
| help="location of aws credentials file from which to get the secret " |
| "keys we're looking for", |
| ) |
| args = parser.parse_args(argv) |
| keys = get_your_keys(args.credentials_file) |
| if not keys: |
| return 2 |
| |
| bad_filenames = check_file_for_aws_keys(args.filenames, keys) |
| if bad_filenames: |
| for bad_file in bad_filenames: |
| print('AWS secret key found: {0}'.format(bad_file)) |
| return 1 |
| else: |
| return 0 |
| |
| if __name__ == '__main__': |
| exit(main()) |
