2022-01-16 08:24:05 +08:00
|
|
|
from __future__ import annotations
|
|
|
|
|
|
2015-06-01 03:50:49 +08:00
|
|
|
import argparse
|
2020-02-06 03:10:42 +08:00
|
|
|
import configparser
|
2015-06-01 03:50:49 +08:00
|
|
|
import os
|
2024-10-12 07:30:07 +08:00
|
|
|
from collections.abc import Sequence
|
2020-02-06 03:10:42 +08:00
|
|
|
from typing import NamedTuple
|
2015-06-12 23:20:56 +08:00
|
|
|
|
2020-02-06 03:10:42 +08:00
|
|
|
|
|
|
|
|
class BadFile(NamedTuple):
|
|
|
|
|
filename: str
|
|
|
|
|
key: str
|
2015-06-01 03:50:49 +08:00
|
|
|
|
|
|
|
|
|
2022-01-16 08:24:05 +08:00
|
|
|
def get_aws_cred_files_from_env() -> set[str]:
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
"""Extract credential file paths from environment variables."""
|
2019-02-12 11:56:15 +08:00
|
|
|
return {
|
|
|
|
|
os.environ[env_var]
|
|
|
|
|
for env_var in (
|
|
|
|
|
'AWS_CONFIG_FILE', 'AWS_CREDENTIAL_FILE',
|
|
|
|
|
'AWS_SHARED_CREDENTIALS_FILE', 'BOTO_CONFIG',
|
|
|
|
|
)
|
|
|
|
|
if env_var in os.environ
|
|
|
|
|
}
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
|
|
|
|
|
|
2022-01-16 08:24:05 +08:00
|
|
|
def get_aws_secrets_from_env() -> set[str]:
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
"""Extract AWS secrets from environment variables."""
|
|
|
|
|
keys = set()
|
2017-01-04 02:05:49 +08:00
|
|
|
for env_var in (
|
2017-07-13 09:35:24 +08:00
|
|
|
'AWS_SECRET_ACCESS_KEY', 'AWS_SECURITY_TOKEN', 'AWS_SESSION_TOKEN',
|
2017-01-04 02:05:49 +08:00
|
|
|
):
|
2020-02-14 01:12:45 +08:00
|
|
|
if os.environ.get(env_var):
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
keys.add(os.environ[env_var])
|
|
|
|
|
return keys
|
|
|
|
|
|
|
|
|
|
|
2022-01-16 08:24:05 +08:00
|
|
|
def get_aws_secrets_from_file(credentials_file: str) -> set[str]:
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
"""Extract AWS secrets from configuration files.
|
|
|
|
|
|
|
|
|
|
Read an ini-style configuration file and return a set with all found AWS
|
|
|
|
|
secret access keys.
|
2015-06-01 03:50:49 +08:00
|
|
|
"""
|
|
|
|
|
aws_credentials_file_path = os.path.expanduser(credentials_file)
|
|
|
|
|
if not os.path.exists(aws_credentials_file_path):
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
return set()
|
2015-06-01 03:50:49 +08:00
|
|
|
|
2015-06-12 20:24:01 +08:00
|
|
|
parser = configparser.ConfigParser()
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
try:
|
|
|
|
|
parser.read(aws_credentials_file_path)
|
|
|
|
|
except configparser.MissingSectionHeaderError:
|
|
|
|
|
return set()
|
2015-06-01 03:50:49 +08:00
|
|
|
|
|
|
|
|
keys = set()
|
|
|
|
|
for section in parser.sections():
|
2017-01-04 02:05:49 +08:00
|
|
|
for var in (
|
|
|
|
|
'aws_secret_access_key', 'aws_security_token',
|
2017-07-13 09:35:24 +08:00
|
|
|
'aws_session_token',
|
2017-01-04 02:05:49 +08:00
|
|
|
):
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
try:
|
2018-01-26 16:28:39 +08:00
|
|
|
key = parser.get(section, var).strip()
|
|
|
|
|
if key:
|
|
|
|
|
keys.add(key)
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
except configparser.NoOptionError:
|
|
|
|
|
pass
|
2015-06-01 03:50:49 +08:00
|
|
|
return keys
|
|
|
|
|
|
|
|
|
|
|
2020-02-06 03:10:42 +08:00
|
|
|
def check_file_for_aws_keys(
|
|
|
|
|
filenames: Sequence[str],
|
2022-01-16 08:24:05 +08:00
|
|
|
keys: set[bytes],
|
|
|
|
|
) -> list[BadFile]:
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
"""Check if files contain AWS secrets.
|
|
|
|
|
|
|
|
|
|
Return a list of all files containing AWS secrets and keys found, with all
|
|
|
|
|
but the first four characters obfuscated to ease debugging.
|
|
|
|
|
"""
|
2015-10-28 13:13:37 +08:00
|
|
|
bad_files = []
|
|
|
|
|
|
|
|
|
|
for filename in filenames:
|
2020-02-19 02:24:17 +08:00
|
|
|
with open(filename, 'rb') as content:
|
2015-10-28 13:13:37 +08:00
|
|
|
text_body = content.read()
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
for key in keys:
|
|
|
|
|
# naively match the entire file, low chance of incorrect
|
|
|
|
|
# collision
|
2020-02-13 20:01:38 +08:00
|
|
|
if key in text_body:
|
2020-02-19 02:24:17 +08:00
|
|
|
key_hidden = key.decode()[:4].ljust(28, '*')
|
|
|
|
|
bad_files.append(BadFile(filename, key_hidden))
|
2015-10-28 13:13:37 +08:00
|
|
|
return bad_files
|
2015-06-01 03:50:49 +08:00
|
|
|
|
|
|
|
|
|
2022-01-16 08:24:05 +08:00
|
|
|
def main(argv: Sequence[str] | None = None) -> int:
|
2015-06-01 03:50:49 +08:00
|
|
|
parser = argparse.ArgumentParser()
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
parser.add_argument('filenames', nargs='+', help='Filenames to run')
|
2015-06-01 03:50:49 +08:00
|
|
|
parser.add_argument(
|
2016-02-09 09:05:39 +08:00
|
|
|
'--credentials-file',
|
2018-10-29 06:58:14 +08:00
|
|
|
dest='credentials_file',
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
action='append',
|
2017-01-04 05:13:44 +08:00
|
|
|
default=[
|
|
|
|
|
'~/.aws/config', '~/.aws/credentials', '/etc/boto.cfg', '~/.boto',
|
|
|
|
|
],
|
2016-02-09 09:05:39 +08:00
|
|
|
help=(
|
2018-10-29 06:59:39 +08:00
|
|
|
'Location of additional AWS credential file from which to get '
|
|
|
|
|
'secret keys. Can be passed multiple times.'
|
2017-07-13 09:35:24 +08:00
|
|
|
),
|
2015-06-01 03:50:49 +08:00
|
|
|
)
|
2017-02-10 21:26:26 +08:00
|
|
|
parser.add_argument(
|
|
|
|
|
'--allow-missing-credentials',
|
|
|
|
|
dest='allow_missing_credentials',
|
|
|
|
|
action='store_true',
|
2017-07-13 09:35:24 +08:00
|
|
|
help='Allow hook to pass when no credentials are detected.',
|
2017-02-10 21:26:26 +08:00
|
|
|
)
|
2015-06-01 03:50:49 +08:00
|
|
|
args = parser.parse_args(argv)
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
|
2018-10-29 06:58:14 +08:00
|
|
|
credential_files = set(args.credentials_file)
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
|
|
|
|
|
# Add the credentials files configured via environment variables to the set
|
|
|
|
|
# of files to to gather AWS secrets from.
|
2019-02-12 11:56:15 +08:00
|
|
|
credential_files |= get_aws_cred_files_from_env()
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
|
2022-01-16 08:24:05 +08:00
|
|
|
keys: set[str] = set()
|
Improve searching for configured AWS credentials
The previous approach for finding AWS credentials was pretty naive and
only covered contents of a single file (~/.aws/credentials by
default).
The AWS CLI documentation states various other ways to configure
credentials which weren't covered:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#credentials
Even that aren't all ways, a look into the code shows:
https://github.com/boto/botocore/blob/develop/botocore/credentials.py
This commit changes the behavior so the hook will behave in a way
that if the AWS CLI is able to obtain credentials from local files,
the hook will find them as well.
The changes in detail are:
- detect AWS session tokens and handle them like secret keys.
- always search credentials in the default AWS CLI file locations
( ~/.aws/config, ~/.aws/credentials, /etc/boto.cfg and ~/.boto)
- detect AWS credentials configured via environment variables in
AWS_SECRET_ACCESS_KEY, AWS_SECURITY_TOKEN and AWS_SESSION_TOKEN
- check additional configuration files configured via environment
variables (AWS_CREDENTIAL_FILE, AWS_SHARED_CREDENTIALS_FILE and
BOTO_CONFIG)
- print out the first four characters of each secret found in files to
be checked in, to make it easier to figure out, what the secrets
were, which were going to be checked in
- improve error handling for parsing ini-files
- improve tests
There is a major functional change introduced by this commit:
Locations the AWS CLI gets credentials from are always searched and
there is no way to disable them. --credentials-file is still there to
specify one or more additional files to search credentials in. It's
the purpose of this hook to find and check files for found
credentials, so it should work in any case. As this commit also
improves error handling for not-existing or malformed configuration
files, it should be no big deal.
Receiving credentials via the EC2 and ECS meta data services is not
covered intentionally, to not further increase the amount of changes
in this commit and as it's probably an edge case anyway to have this
hook running in such an environment.
2016-12-30 15:41:24 +08:00
|
|
|
for credential_file in credential_files:
|
|
|
|
|
keys |= get_aws_secrets_from_file(credential_file)
|
|
|
|
|
|
|
|
|
|
# Secrets might be part of environment variables, so add such secrets to
|
|
|
|
|
# the set of keys.
|
|
|
|
|
keys |= get_aws_secrets_from_env()
|
|
|
|
|
|
2017-02-10 21:26:26 +08:00
|
|
|
if not keys and args.allow_missing_credentials:
|
|
|
|
|
return 0
|
|
|
|
|
|
2015-06-12 23:20:56 +08:00
|
|
|
if not keys:
|
2017-01-04 02:05:49 +08:00
|
|
|
print(
|
|
|
|
|
'No AWS keys were found in the configured credential files and '
|
|
|
|
|
'environment variables.\nPlease ensure you have the correct '
|
2017-07-13 09:35:24 +08:00
|
|
|
'setting for --credentials-file',
|
2017-01-04 02:05:49 +08:00
|
|
|
)
|
2015-06-12 23:20:56 +08:00
|
|
|
return 2
|
2015-06-01 03:50:49 +08:00
|
|
|
|
2020-02-19 02:24:17 +08:00
|
|
|
keys_b = {key.encode() for key in keys}
|
|
|
|
|
bad_filenames = check_file_for_aws_keys(args.filenames, keys_b)
|
2015-10-28 13:13:37 +08:00
|
|
|
if bad_filenames:
|
|
|
|
|
for bad_file in bad_filenames:
|
2020-02-06 03:10:42 +08:00
|
|
|
print(f'AWS secret found in {bad_file.filename}: {bad_file.key}')
|
2015-10-28 13:13:37 +08:00
|
|
|
return 1
|
|
|
|
|
else:
|
|
|
|
|
return 0
|
2015-06-01 03:50:49 +08:00
|
|
|
|
2016-12-01 01:56:42 +08:00
|
|
|
|
2015-06-01 03:50:49 +08:00
|
|
|
if __name__ == '__main__':
|
2021-10-24 01:23:50 +08:00
|
|
|
raise SystemExit(main())
|