Merge pull request #1 from viaduct-ai/secrets_check_hook

YAML Secret verification pre-commit-hook

.pre-commit-hooks.yaml

@@ -4,3 +4,17 @@
   entry: nbstripout
   language: script
   files: (^|/).+\.ipynb$
+
+- id: validate_secrets_are_encrypted
+  name: Check that secret files are formatted correctly
+  description: Check yaml secret have data in the 'sops' field
+  entry: validate_secrets_are_encrypted 
+  language: python
+  types: [yaml]
+
+- id: validate_encrypted_secret_name
+  name: Check secret files for correct ending
+  description: Check yaml secret files end in .enc.yaml
+  entry: validate_encrypted_secret_name
+  language: python
+  types: [yaml]

pre_commit_hooks/validate_encrypted_secret_name.py

@@ -0,0 +1,41 @@
+from __future__ import print_function
+
+import argparse
+import io
+import sys
+
+import yaml
+
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        '-m',
+        '--multi',
+        '--allow-multiple-documents',
+        action='store_true',
+    )
+
+    parser.add_argument('filenames', nargs='*', help='Filenames to check.')
+    args = parser.parse_args(argv)
+
+    retval = 0
+    for filename in args.filenames:
+
+        with io.open(filename, encoding='UTF-8') as f:
+            try:
+                data = yaml.safe_load(f)
+
+                kind = data.get("kind", None)
+                if kind == 'Secret':
+                    if not filename.endswith('enc.yaml'):
+                        print(f"Secret file doesn't end correctly: {filename}")
+                        retval = 1
+            except:
+                continue
+
+    return retval
+
+
+if __name__ == '__main__':
+    sys.exit(main())

pre_commit_hooks/validate_secrets_are_encrypted.py

@@ -0,0 +1,41 @@
+from __future__ import print_function
+
+import argparse
+import io
+import sys
+
+import yaml
+
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        '-m',
+        '--multi',
+        '--allow-multiple-documents',
+        action='store_true',
+    )
+
+    parser.add_argument('filenames', nargs='*', help='Filenames to check.')
+    args = parser.parse_args(argv)
+
+    retval = 0
+    for filename in args.filenames:
+
+        with io.open(filename, encoding='UTF-8') as f:
+            try:
+                data = yaml.safe_load(f)
+
+                kind = data.get("kind", None)
+                if kind == 'Secret':
+                    if 'sops' not in data:
+                        print(f'Sops not defined: {filename}')
+                        retval = 1
+            except:
+                continue
+
+    return retval
+
+
+if __name__ == '__main__':
+    sys.exit(main())

setup.cfg

@@ -0,0 +1,31 @@
+[metadata]
+name = pre_commit_hooks
+long_description = file: README.md
+long_description_content_type = text/markdown
+url = https://github.com/viaduct-ai/pre-commit-hooks
+author = Viaduct.ai
+author_email = [email protected]
+
+classifiers =
+    License :: OSI Approved :: MIT License
+    Programming Language :: Python :: 2
+    Programming Language :: Python :: 2.7
+    Programming Language :: Python :: 3
+    Programming Language :: Python :: 3.4
+    Programming Language :: Python :: 3.5
+    Programming Language :: Python :: 3.6
+    Programming Language :: Python :: 3.7
+    Programming Language :: Python :: Implementation :: CPython
+    Programming Language :: Python :: Implementation :: PyPy
+
+[options]
+packages = find:
+install_requires =
+    flake8
+    pyyaml
+python_requires = >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*
+
+[options.entry_points]
+console_scripts =
+    validate_secrets_are_encrypted = pre_commit_hooks.validate_secrets_are_encrypted:main
+    validate_encrypted_secret_name = pre_commit_hooks.validate_encrypted_secret_name:main

setup.py

@@ -0,0 +1,2 @@
+from setuptools import setup
+setup()