Add check for encryption

2017-12-22 11:39:44 -05:00 · 2017-12-22 11:39:44 -05:00 · 5903e6b85a
commit 5903e6b85a
parent 9305b1e9a5
5 changed files with 36 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+tags
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@ -0,0 +1,6 @@
+- id: encryption-check
+  name: Ansible Vault Encryption Check
+  description: Checks that vault files are encrypted
+  entry: encryption-check.sh
+  files: ((^|/)vault|vault.y[a]{0,1}ml$|.vault$)
+  language: script
--- a/README.md
+++ b/README.md
@ -1,3 +1,8 @@
 # ansible-pre-commit

-Pre-commit hooks for working with Ansible
+A set of [pre-commit](http://pre-commit.com) hooks that help with Ansible
+
+## Hooks
+
+### encryption-check
+Verifies that vault files are encrypted. Defaults to checking files starting with `vault`, ending with `.vault.yml` or ending in `.vault`
--- a/encryption-check.sh
+++ b/encryption-check.sh
@ -0,0 +1,17 @@
+#! /bin/bash
+# Verifies that files passed in are encrypted
+set -e 
+
+has_error=0
+for file in $@ ; do
+    head -1 "$file" | grep --quiet '^\$ANSIBLE_VAULT;' || {
+        echo "ERROR: $file is not encrypted"
+        has_error=1
+    }
+done
+
+if [ $has_error ] ; then
+    echo "To ignore, use --no-verify"
+fi
+
+exit $has_error
--- a/hooks.yaml
+++ b/hooks.yaml
@ -0,0 +1,6 @@
+- id: encryption-check
+  name: Ansible Vault Encryption Check
+  description: Checks that vault files are encrypted
+  entry: encryption-check.sh
+  files: ((^|/)vault|vault.y[a]{0,1}ml$|.vault$)
+  language: script