feat: python refactor

Author: onedr0p

.pre-commit-config.yaml

@@ -1,14 +1,21 @@
 # vim:ff=unix ts=2 sw=2 ai expandtab
 ---
 repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.3.0
-    hooks:
-      - id: check-added-large-files
-      - id: check-merge-conflict
-      - id: detect-private-key
-      - id: trailing-whitespace
-  - repo: https://github.com/adrienverge/yamllint
-    rev: v1.25.0
-    hooks:
-      - id: yamllint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.3.0
+  hooks:
+  - id: check-added-large-files
+  - id: check-merge-conflict
+  - id: detect-private-key
+  - id: trailing-whitespace
+- repo: https://github.com/adrienverge/yamllint
+  rev: v1.26.1
+  hooks:
+    - id: yamllint
+- repo: git://github.com/Lucas-C/pre-commit-hooks
+  rev: v1.1.9
+  hooks:
+  - id: forbid-crlf
+  - id: remove-crlf
+  - id: forbid-tabs
+  - id: remove-tabs

.pre-commit-hooks.yaml

@@ -1,7 +1,6 @@
----
-- id: sops-encrypted-check
-  name: Verify sops files
-  description: Verify that sops files are encrypted.
-  language: script
+- id: forbid-secrets
+  name: Check for unencrypted Kubernetes secrets in manifest files
+  description: "Forbid files containing unencrypted Kubernetes secrets to be commited"
+  entry: forbid_secrets
+  language: python
   files: ((^|/)*.(ya?ml)$)
-  entry: find-unencrypted-secrets.sh

.pylintrc

@@ -0,0 +1,5 @@
+[MESSAGES CONTROL]
+disable = bad-continuation, duplicate-code, import-error, missing-docstring, multiple-imports
+
+[FORMAT]
+max-line-length = 150

dev-requirements.txt

@@ -0,0 +1,4 @@
+pre-commit
+pytest
+pytest-cov
+coverage

hooks/forbid_secrets.py

@@ -0,0 +1,32 @@
+from __future__ import print_function
+
+import argparse
+import re
+import sys
+
+SECRET_REGEX = r"kind:\ssecret"
+SOPS_REGEX = r"ENC.AES256"
+
+def contains_secret(filename):
+    with open(filename, mode="r") as file_checked:
+        lines = file_checked.read()
+        kubernetes_secret = re.findall(SECRET_REGEX, lines, re.IGNORECASE)
+        if kubernetes_secret:
+            sops_secret = re.findall(SOPS_REGEX, lines, re.IGNORECASE)
+            if not sops_secret:
+                return True
+    return False
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filenames', nargs='*', help='filenames to check')
+    args = parser.parse_args(argv)
+    files_with_secrets = [f for f in args.filenames if contains_secret(f)]
+    return_code = 0
+    for file_with_secrets in files_with_secrets:
+        print('Unencrypted Kubernetes secret detected in file: {0}'.format(file_with_secrets))
+        return_code = 1
+    return return_code
+
+if __name__ == '__main__':
+    sys.exit(main(sys.argv[1:]))

pytest.ini

@@ -0,0 +1,2 @@
+[pytest]
+addopts = --cov=pre_commit_hooks --cov-report term-missing

setup.py

@@ -0,0 +1,31 @@
+from setuptools import find_packages, setup
+
+setup(
+    name='sops-pre-commit',
+    description='Check for unencrypted Kubernetes secrets in manifest files',
+    url='https://github.com/k8s-at-home/sops-pre-commit',
+    version='1.2.0',
+
+    author='Devin Buhl',
+    author_email='[email protected]',
+
+    platforms='linux',
+    classifiers=[
+        'License :: OSI Approved :: MIT License',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.6',
+        'Programming Language :: Python :: 2.7',
+        'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.3',
+        'Programming Language :: Python :: 3.4',
+        'Programming Language :: Python :: Implementation :: CPython',
+        'Programming Language :: Python :: Implementation :: PyPy',
+    ],
+
+    packages=find_packages('.'),
+    entry_points={
+        'console_scripts': [
+            'forbid_secrets = hooks.forbid_secrets:main',
+        ],
+    },
+)