diff --git a/README.md b/README.md index ef110d8..93b6360 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ Add this to your `.pre-commit-config.yaml` - `check-xml` - Attempts to load all xml files to verify syntax. - `check-yaml` - Attempts to load all yaml files to verify syntax. - `debug-statements` - Check for pdb / ipdb / pudb statements in code. +- `detect-aws-credentials` - Checks for the existence of AWS secrets that you have set up with the AWS CLI. - `detect-private-key` - Checks for the existence of private keys. - `double-quote-string-fixer` - This hook replaces double quoted strings with single quoted strings. diff --git a/hooks.yaml b/hooks.yaml index facee5f..bd0e724 100644 --- a/hooks.yaml +++ b/hooks.yaml @@ -62,6 +62,12 @@ entry: debug-statement-hook language: python files: \.py$ +- id: detect-aws-credentials + name: Detect AWS Credentials + description: Detects *your* aws credentials from the aws cli credentials file + entry: detect-aws-credentials + language: python + files: '' - id: detect-private-key name: Detect Private Key description: Detects the presence of private keys diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py new file mode 100644 index 0000000..55e83a1 --- /dev/null +++ b/pre_commit_hooks/detect_aws_credentials.py @@ -0,0 +1,58 @@ +from __future__ import print_function +from __future__ import unicode_literals + +import argparse +import os + +from six.moves import configparser # pylint: disable=import-error + + +def get_your_keys(credentials_file): + """ reads the secret keys in your credentials file in order to be able to look + for them in the submitted code. + """ + aws_credentials_file_path = os.path.expanduser(credentials_file) + if not os.path.exists(aws_credentials_file_path): + return None + + parser = configparser.ConfigParser() + parser.read(aws_credentials_file_path) + + keys = set() + for section in parser.sections(): + keys.add(parser.get(section, 'aws_secret_access_key')) + return keys + + +def check_file_for_aws_keys(filename, keys): + with open(filename, 'r') as content: + # naively match the entire file, chances be so slim + # of random characters matching your flipping key. + text_body = content.read() + if any(key in text_body for key in keys): + return 1 + return 0 + + +def main(argv=None): + parser = argparse.ArgumentParser() + parser.add_argument('filenames', nargs='*', help='Filenames to run') + parser.add_argument( + "--credentials-file", + default='~/.aws/credentials', + help="location of aws credentials file from which to get the secret " + "keys we're looking for", + ) + args = parser.parse_args(argv) + keys = get_your_keys(args.credentials_file) + if not keys: + return 2 + + retv = 0 + for filename in args.filenames: + retv |= check_file_for_aws_keys(filename, keys) + return retv + + +if __name__ == '__main__': + exit(main()) diff --git a/requirements-dev.txt b/requirements-dev.txt index 97343d5..a7dac81 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -7,3 +7,4 @@ mock pre-commit pylint<1.4 pytest +six==1.9.0 diff --git a/setup.py b/setup.py index d630a3d..f09e6d5 100644 --- a/setup.py +++ b/setup.py @@ -32,6 +32,7 @@ setup( 'autopep8>=1.1', 'pyyaml', 'simplejson', + 'six==1.9.0', ], entry_points={ 'console_scripts': [ @@ -44,6 +45,7 @@ setup( 'check-xml = pre_commit_hooks.check_xml:check_xml', 'check-yaml = pre_commit_hooks.check_yaml:check_yaml', 'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook', + 'detect-aws-credentials = pre_commit_hooks.detect_aws_credentials:main', 'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key', 'double-quote-string-fixer = pre_commit_hooks.string_fixer:main', 'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer', diff --git a/testing/resources/nonsense.txt b/testing/resources/nonsense.txt new file mode 100644 index 0000000..6c7fe83 --- /dev/null +++ b/testing/resources/nonsense.txt @@ -0,0 +1,6 @@ +some nonsense text generated at https://baconipsum.com/ +Bacon ipsum dolor amet ipsum fugiat pastrami pork belly, non ball tip flank est short loin. Fatback landjaeger meatloaf flank. Sunt boudin duis occaecat mollit velit. Capicola lorem frankfurter doner strip steak jerky rump elit laborum mollit. Venison cupidatat laboris duis ut chuck proident mollit. Minim do rump, eu jerky ham turkey chuck in tempor venison pariatur voluptate landjaeger beef. + +Duis aliqua esse, exercitation in ball tip ut capicola sausage dolore frankfurter occaecat. Duis in nulla consequat salami. Est shoulder tempor commodo shankle short ribs. In meatball aliqua boudin tenderloin, meatloaf leberkas hamburger quis pig dolore ea eu. Ham hock ex laboris, filet mignon sunt doner cillum short loin prosciutto voluptate. + +Occaecat pork doner meatloaf nulla biltong ullamco tenderloin culpa brisket. Culpa jowl ea shank t-bone shankle voluptate nostrud incididunt leberkas pork loin. Bacon kevin jerky pork belly t-bone labore duis. Boudin corned beef adipisicing aute, fatback ribeye nulla pancetta anim venison. Short ribs kevin pastrami cow drumstick velit. Turkey exercitation jowl, fatback labore swine do voluptate. diff --git a/testing/resources/sample_aws_credentials b/testing/resources/sample_aws_credentials new file mode 100644 index 0000000..a79b021 --- /dev/null +++ b/testing/resources/sample_aws_credentials @@ -0,0 +1,10 @@ +# this is an aws credentials configuration file. obviously not real credentials :P +[default] +aws_access_key_id = AKIASLARTIBARTFAST11 +aws_secret_access_key = 7xebzorgm5143ouge9gvepxb2z70bsb2rtrh099e +[production] +aws_access_key_id = AKIAVOGONSVOGONS0042 +aws_secret_access_key = z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb +[staging] +aws_access_key_id = AKIAJIMMINYCRICKET0A +aws_secret_access_key = ixswosj8gz3wuik405jl9k3vdajsnxfhnpui38ez diff --git a/testing/resources/with_no_secrets.txt b/testing/resources/with_no_secrets.txt new file mode 100644 index 0000000..d9ab505 --- /dev/null +++ b/testing/resources/with_no_secrets.txt @@ -0,0 +1,5 @@ +# file with an access key but no secrets +# you'll notice it is a redacted section of sample_aws_credentials + +[production] +aws_access_key_id = AKIASLARTIBARTFAST11 diff --git a/testing/resources/with_secrets.txt b/testing/resources/with_secrets.txt new file mode 100644 index 0000000..0018225 --- /dev/null +++ b/testing/resources/with_secrets.txt @@ -0,0 +1,5 @@ +#file with a secret key, you'll notice it is a section of sample_aws_credentials + +[production] +aws_access_key_id = AKIAVOGONSVOGONS0042 +aws_secret_access_key = z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb diff --git a/tests/detect_aws_credentials_test.py b/tests/detect_aws_credentials_test.py new file mode 100644 index 0000000..495c574 --- /dev/null +++ b/tests/detect_aws_credentials_test.py @@ -0,0 +1,35 @@ +import pytest + +from pre_commit_hooks.detect_aws_credentials import main +from testing.util import get_resource_path + + +# Input filename, expected return value +TESTS = ( + ('with_no_secrets.txt', 0), + ('with_secrets.txt', 1), + ('nonsense.txt', 0), + ('ok_json.json', 0), +) + +NO_CREDENTIALS_TEST = ( + ('with_secrets.txt', 2), +) + + +@pytest.mark.parametrize(('filename', 'expected_retval'), TESTS) +def test_detect_aws_credentials(filename, expected_retval): + # with a valid credentials file + ret = main( + [get_resource_path(filename), "--credentials-file=testing/resources/sample_aws_credentials"] + ) + assert ret == expected_retval + + +@pytest.mark.parametrize(('filename', 'expected_retval'), NO_CREDENTIALS_TEST) +def test_non_existent_credentials(filename, expected_retval): + # with a non-existent credentials file + ret = main( + [get_resource_path(filename), "--credentials-file=testing/resources/credentailsfilethatdoesntexist"] + ) + assert ret == expected_retval