diff --git a/pre_commit_hooks/check_yaml.py b/pre_commit_hooks/check_yaml.py
index 250794e..fa75512 100644
--- a/pre_commit_hooks/check_yaml.py
+++ b/pre_commit_hooks/check_yaml.py
@@ -52,11 +52,29 @@ def main(argv: Sequence[str] | None = None) -> int:
             'Implies --allow-multiple-documents'
         ),
     )
+    parser.add_argument(
+        '--ignore-ansible-vault', action='store_true',
+        help=(
+            'Ignore keys that look like ansible vault encrypted values. '
+            'This works by removing the "!" from the "!vault" value prefix.'
+        ),
+    )
     parser.add_argument('filenames', nargs='*', help='Filenames to check.')
     args = parser.parse_args(argv)
 
     load_fn = LOAD_FNS[Key(multi=args.multi, unsafe=args.unsafe)]
 
+    if args.ignore_ansible_vault:
+        def ignore_ansible_vault(loader: ruamel.yaml.Loader,
+                                 node: ruamel.yaml.Node) -> Any:
+            if node.value.startswith('!vault'):
+                node.value = node.value[1:]
+            return loader.construct_yaml_str(node)
+
+        ruamel.yaml.add_constructor(u'!vault',
+                                    ignore_ansible_vault,
+                                    constructor=ruamel.yaml.SafeConstructor)
+
     retval = 0
     for filename in args.filenames:
         try:
diff --git a/tests/check_yaml_test.py b/tests/check_yaml_test.py
index 54eb16e..21cd0da 100644
--- a/tests/check_yaml_test.py
+++ b/tests/check_yaml_test.py
@@ -51,3 +51,22 @@ def test_main_unsafe_still_fails_on_syntax_errors(tmpdir):
     f = tmpdir.join('test.yaml')
     f.write('[')
     assert main(('--unsafe', str(f)))
+
+
+def test_main_ignore_ansible_vault(tmpdir):
+    f = tmpdir.join('test.yaml')
+    f.write(
+        'some_foo: !vault |\n'
+        ' $ANSIBLE_VAULT;1.1;AES256\n'
+        ' deadbeefdeadbeefdeadbeef\n',
+    )
+    # should fail "safe" check
+    assert main((str(f),))
+    # should pass when we allow unsafe documents
+    assert not main(('--ignore-ansible-vault', str(f)))
+
+
+def test_main_ignore_ansible_vault_still_fails_on_syntax_errors(tmpdir):
+    f = tmpdir.join('test.yaml')
+    f.write('[')
+    assert main(('--ignore-ansible-vault', str(f)))
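Review bot: The `if node.value.startswith('!vault'):` branch in ignore_ansible_vault inspects the scalar's content, not its tag, so for a value written as `key: !vault |` (the form the new test uses) `node.value` is the encrypted payload, the strip never runs, and the constructor always returns `loader.construct_yaml_str(node)` unchanged — as far as I can tell the tag only ever lives in `node.tag`, so those two lines are dead and the help text "removing the '!' from the '!vault' value prefix" describes something that does not happen. If the intent is just to let the safe loader accept the tag, drop the two lines and reword the help to `'Accept the "!vault" tag (ansible vault values) under the safe loader.'`. Separately, `ruamel.yaml.add_constructor(..., constructor=ruamel.yaml.SafeConstructor)` appears to register into class-level state, so once main() is called with the flag every later safe load in the same process also accepts `!vault`; harmless for a one-shot hook run, but worth a comment such as `# NOTE: registration is process-wide and is not undone after this call`, and the `u'!vault'` prefix is redundant on a file already using `Sequence[str] | None`. main() continues outside the hunk.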
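Review bot: `assert main((str(f),))` in test_main_ignore_ansible_vault only holds while no earlier test in the same process has run main() with `--ignore-ansible-vault`, because that flag registers the `!vault` constructor process-wide rather than per call; `test_main_ignore_ansible_vault_still_fails_on_syntax_errors` does exactly that registration before it hits the syntax error, so under a different test order the "safe check fails" assertion would break. Either move that assertion into its own test or note the dependency, e.g. `# NOTE: depends on no prior --ignore-ansible-vault run in this process (global constructor registration)`. The comment `# should pass when we allow unsafe documents` was carried over from the --unsafe test and should read `# should pass when !vault tags are ignored`.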