From 5903e6b85af7d59f1cb5266d2d5eb416d3ae967f Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Fri, 22 Dec 2017 11:39:44 -0500
Subject: [PATCH] Add check for encryption
---
 .gitignore | 1 +
 .pre-commit-hooks.yaml | 6 ++++++
 README.md | 7 ++++++-
 encryption-check.sh | 17 +++++++++++++++++
 hooks.yaml | 6 ++++++
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 .pre-commit-hooks.yaml
 create mode 100755 encryption-check.sh
 create mode 100644 hooks.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6e92f57
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+tags
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
new file mode 100644
index 0000000..0b2b260
--- /dev/null
+++ b/.pre-commit-hooks.yaml
@@ -0,0 +1,6 @@
+- id: encryption-check
+ name: Ansible Vault Encryption Check
+ description: Checks that vault files are encrypted
+ entry: encryption-check.sh
+ files: ((^|/)vault|vault.y[a]{0,1}ml$|.vault$)
+ language: script
diff --git a/README.md b/README.md
index ae819c2..6bbc11d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
 # ansible-pre-commit
-Pre-commit hooks for working with Ansible
\ No newline at end of file
+A set of [pre-commit](http://pre-commit.com) hooks that help with Ansible
+
+## Hooks
+
+### encryption-check
+Verifies that vault files are encrypted. Defaults to checking files starting with `vault`, ending with `.vault.yml` or ending in `.vault`
diff --git a/encryption-check.sh b/encryption-check.sh
new file mode 100755
index 0000000..f3eedc1
--- /dev/null
+++ b/encryption-check.sh
@@ -0,0 +1,17 @@
+#! /bin/bash
+# Verifies that files passed in are encrypted
+set -e
+
+has_error=0
+for file in $@ ; do
+ head -1 "$file" | grep --quiet '^\$ANSIBLE_VAULT;' || {
+ echo "ERROR: $file is not encrypted"
+ has_error=1
+ }
+done
+
+if [ $has_error ] ; then
+ echo "To ignore, use --no-verify"
+fi
+
+exit $has_error
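Review bot: The `files` regex on the fifth added line of .pre-commit-hooks.yaml leaves its dots unescaped, so `vault.y[a]{0,1}ml$` matches any character between `vault` and `yml`, and `.vault$` matches any path that merely ends in `vault` (for example `keyvault`), which is broader than what the README describes and makes the hook flag files it was not meant to cover. pre-commit evaluates `files` as a Python regular expression, so the literal dots can simply be escaped: `files: ((^|/)vault|vault\.ya?ml$|\.vault$)`. The identical pattern is added in hooks.yaml and needs the same change.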
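Review bot: `if [ $has_error ] ; then` on the thirteenth added line of encryption-check.sh is always true, because a single-argument `[` tests for a non-empty string and `0` is non-empty, so the "To ignore, use --no-verify" hint is printed even when every file passed; it should test the value, `if [[ "$has_error" -ne 0 ]]; then`. The loop header `for file in $@ ; do` also word-splits the paths pre-commit passes in, so a vault file whose path contains whitespace is checked as separate non-existent fragments and reported as not encrypted; quote it as `for file in "$@"; do`. The exit status itself is correct since `exit $has_error` propagates 1 whenever a file failed the `$ANSIBLE_VAULT;` header check.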
diff --git a/hooks.yaml b/hooks.yaml
new file mode 100644
index 0000000..0b2b260
--- /dev/null
+++ b/hooks.yaml
@@ -0,0 +1,6 @@
+- id: encryption-check
+ name: Ansible Vault Encryption Check
+ description: Checks that vault files are encrypted
+ entry: encryption-check.sh
+ files: ((^|/)vault|vault.y[a]{0,1}ml$|.vault$)
+ language: script