| commit | b0d4cdb1eeeff04fabe2196c05089bbdefa26047 | [log] [tgz] |
|---|---|---|
| author | Daniel Roschka <danielroschka@phoenitydawn.de> | Fri Dec 30 08:41:24 2016 +0100 |
| committer | Daniel Roschka <danielroschka@phoenitydawn.de> | Fri Dec 30 08:41:24 2016 +0100 |
| tree | 71435491c5e8ffde413ff0b512ab7115b0796201 | |
| parent | 9573c13884bdfd563c989311e432dcb11e6a1830 [diff] |
Improve searching for configured AWS credentials The previous approach for finding AWS credentials was pretty naive and only covered contents of a single file (~/.aws/credentials by default). The AWS CLI documentation states various other ways to configure credentials which weren't covered: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials Even that aren't all ways, a look into the code shows: https://github.com/boto/botocore/blob/develop/botocore/credentials.py This commit changes the behavior so the hook will behave in a way that if the AWS CLI is able to obtain credentials from local files, the hook will find them as well. The changes in detail are: - detect AWS session tokens and handle them like secret keys. - always search credentials in the default AWS CLI file locations ( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto) - detect AWS credentials configured via environment variables in AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN - check additional configuration files configured via environment variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and BOTO_CONFIG) - print out the first four characters of each secret found in files to be checked in, to make it easier to figure out, what the secrets were, which were going to be checked in - improve error handling for parsing ini-files - improve tests There is a major functional change introduced by this commit: Locations the AWS CLI gets credentials from are always searched and there is no way to disable them. --credentials-file is still there to specify one or more additional files to search credentials in. It's the purpose of this hook to find and check files for found credentials, so it should work in any case. As this commit also improves error handling for not-existing or malformed configuration files, it should be no big deal. Receiving credentials via the EC2 and ECS meta data services is not covered intentionally, to not further increase the amount of changes in this commit and as it's probably an edge case anyway to have this hook running in such an environment.
Some out-of-the-box hooks for pre-commit.
See also: https://github.com/pre-commit/pre-commit
Add this to your .pre-commit-config.yaml
- repo: git://github.com/pre-commit/pre-commit-hooks
sha: '' # Use the sha you want to point at
hooks:
- id: trailing-whitespace
# - id: ...
autopep8-wrapper - Runs autopep8 over python source.args: ['-i', '--ignore=E000,...'] or through configuration of the [pep8] section in setup.cfg / tox.ini.check-added-large-files - Prevent giant files from being committed.args: ['--maxkb=123'] (default=500kB).check-ast - Simply check whether files parse as valid python.check-byte-order-marker - Forbid files which have a UTF-8 byte-order markercheck-case-conflict - Check for files with names that would conflict on a case-insensitive filesystem like MacOS HFS+ or Windows FAT.check-docstring-first - Checks for a common error of placing code before the docstring.check-json - Attempts to load all json files to verify syntax.check-merge-conflict - Check for files that contain merge conflict strings.check-symlinks - Checks for symlinks which do not point to anything.check-xml - Attempts to load all xml files to verify syntax.check-yaml - Attempts to load all yaml files to verify syntax.debug-statements - Check for pdb / ipdb / pudb statements in code.detect-aws-credentials - Checks for the existence of AWS secrets that you have set up with the AWS CLI. The following arguments are available:--credential-file - additional AWS CLI style configuration file in a non-standard location to fetch configured credentials from. Can be repeated multiple times.detect-private-key - Checks for the existence of private keys.double-quote-string-fixer - This hook replaces double quoted strings with single quoted strings.end-of-file-fixer - Makes sure files end in a newline and only a newline.fix-encoding-pragma - Add # -*- coding: utf-8 -*- to the top of python files.--remove (useful in a python3-only codebase)flake8 - Run flake8 on your python files.forbid-new-submodules - Prevent addition of new git submodules.name-tests-test - Assert that files in tests/ end in _test.py.args: ['--django'] to match test*.py instead.pyflakes - Run pyflakes on your python files.pretty-format-json - Checks that all your JSON files are pretty. “Pretty” here means that keys are sorted and indented. You can configure this with the following commandline options:--autofix - automatically format json files--indent ... - Control the indentation (either a number for a number of spaces or a string of whitespace). Defaults to 4 spaces.--no-sort-keys - when autofixing, retain the original key ordering (instead of sorting the keys)--top-keys comma,separated,keys - Keys to keep at the top of mappings.requirements-txt-fixer - Sorts entries in requirements.txttrailing-whitespace - Trims trailing whitespace..md and.markdown; use args: ['--markdown-linebreak-ext=txt,text'] to add other extensions, args: ['--markdown-linebreak-ext=*'] to preserve them for all files, or args: ['--no-markdown-linebreak-ext'] to disable and always trim.If you‘d like to use these hooks, they’re also available as a standalone package.
Simply pip install pre-commit-hooks