From 1dc44278f418589efca37cb5702fe992cbe3bb71 Mon Sep 17 00:00:00 2001
From: Devin Stein
Date: Tue, 19 Nov 2019 17:54:29 -0800
Subject: [PATCH] Only check suffix of SOPS encrypted secrets

---
 .pre-commit-hooks.yaml | 4 ++--
 pre_commit_hooks/validate_encrypted_secret_name.py | 14 ++++++++++----
 pre_commit_hooks/validate_secrets_are_encrypted.py | 8 ++++----
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index ca51d11..f0da925 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -8,13 +8,13 @@
 - id: validate_secrets_are_encrypted
   name: Check that secret files are formatted correctly
   description: Check yaml secret have data in the 'sops' field
-  entry: validate_secrets_are_encrypted
+  entry: validate_secrets_are_encrypted
   language: python
   types: [yaml]
 - id: validate_encrypted_secret_name
   name: Check secret files for correct ending
-  description: Check yaml secret files end in .enc.yaml
+  description: Check yaml SOPS encrypted secret files end in .enc.yaml
   entry: validate_encrypted_secret_name
   language: python
   types: [yaml]
diff --git a/pre_commit_hooks/validate_encrypted_secret_name.py b/pre_commit_hooks/validate_encrypted_secret_name.py
index 19a9feb..cf48254 100644
--- a/pre_commit_hooks/validate_encrypted_secret_name.py
+++ b/pre_commit_hooks/validate_encrypted_secret_name.py
@@ -7,6 +7,8 @@
 import yaml
 
+ENC_SUFFIX = ".enc.yaml"
+
 
 def main(argv=None):
     parser = argparse.ArgumentParser()
     parser.add_argument(
@@ -27,10 +29,14 @@ def main(argv=None):
                 data = yaml.safe_load(f)
                 kind = data.get("kind", None)
 
-                if kind == 'Secret':
-                    if not filename.endswith('enc.yaml'):
-                        print(f"Secret file doesn't end correctly: (unknown)")
-                        retval = 1
+
+                # Only check encrypted secrets
+                if kind != 'Secret' or 'sops' not in data:
+                    continue
+
+                if not filename.endswith(ENC_SUFFIX):
+                    print(f"SOPS encrypted secrets should end with {ENC_SUFFIX}: (unknown)")
+                    retval = 1
             except:
                 continue
 
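Review bot: The new guard `if kind != 'Secret' or 'sops' not in data:` in validate_encrypted_secret_name.py tests only that the `sops` key exists, so a Secret whose `sops` field is empty or null is treated as encrypted and skipped; the same presence test is introduced in validate_secrets_are_encrypted.py by this patch, where it lets such a file pass as encrypted even though the hook description promises "data in the 'sops' field". A single shared helper, e.g. `def is_sops_encrypted(data): return bool(data.get('sops'))`, used by both hooks would keep the predicate in one place and require actual content in the field. The print on the new side shows no placeholder for the offending file in this rendering; if that is how it reads in the file, `{filename}` should be included so the failing file is reported. main's body continues outside the hunk, and the unchanged `except: continue` below it means a file that `yaml.safe_load` cannot parse, or whose top level is not a mapping, never reaches this check at all.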
diff --git a/pre_commit_hooks/validate_secrets_are_encrypted.py b/pre_commit_hooks/validate_secrets_are_encrypted.py
index fd856e3..75c829e 100644
--- a/pre_commit_hooks/validate_secrets_are_encrypted.py
+++ b/pre_commit_hooks/validate_secrets_are_encrypted.py
@@ -27,10 +27,10 @@ def main(argv=None):
                 data = yaml.safe_load(f)
                 kind = data.get("kind", None)
 
-                if kind == 'Secret':
-                    if 'sops' not in data:
-                        print(f'Sops not defined: (unknown)')
-                        retval = 1
+
+                if kind == 'Secret' and 'sops' not in data:
+                    print(f'Secret is not encrypted with SOPS: (unknown)')
+                    retval = 1
             except:
                 continue
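Review bot: The new condition `if kind == 'Secret' and 'sops' not in data:` is the only line that decides whether a Secret is reported, and it is reached only when `yaml.safe_load(f)` returns a single mapping; a multi-document manifest (several resources separated by `---`) makes `safe_load` raise, the bare `except: continue` below skips the file silently, and a Secret inside such a file is never validated. Iterating `yaml.safe_load_all(f)` and applying the condition to each document that is a `dict` would close that gap, and narrowing the handler to `except yaml.YAMLError:` would stop a genuine parse error from being recorded as a pass. The exception handler itself is unchanged by this commit and main's body continues past the hunk, so the sketch below only shows the loop that would replace the single-document read.
```python
                for data in yaml.safe_load_all(f):
                    if not isinstance(data, dict):
                        continue
                    kind = data.get("kind", None)
                    if kind == 'Secret' and 'sops' not in data:
                        # … unchanged: report the file and set retval = 1 …
            # … unchanged: exception handler …
```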