
Untitled

a guest
Feb 23rd, 2019
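#!/usr/bin/env bash
#
# Git pre-commit hook: rejects the commit when a staged file whose path matches
# FILES_PATTERN is not encrypted with ansible-vault.
#
# Install as .git/hooks/pre-commit and make it executable.
#
# The check reads the staged content (the index), because that is what the
# commit records: a file that is encrypted in the working tree but was staged
# in plaintext is still rejected.
#
# This hook is a local guard only. It is skipped by 'git commit --no-verify'
# and is not installed by a clone, so a server-side or CI check is still needed
# to keep plaintext secrets out of shared history.
#
# bash is required: the script uses arrays, [[ ]] and process substitution.

# Extended regex matched against each staged path (relative to the repo root).
FILES_PATTERN='.*vault.*\.yml$'
# Literal prefix of the header line at the top of an ansible-vault encrypted
# file. Single quotes are deliberate: the '$' must not be expanded.
# shellcheck disable=SC2016
REQUIRED='$ANSIBLE_VAULT;'

EXIT_STATUS=0
wipe="\033[1m\033[0m"
yellow='\033[1;33m'
UNENCRYPTED_FILES=()

# -z keeps paths containing spaces or newlines intact. The diff filter keeps
# added, copied, modified and renamed entries and skips deletions, which have
# no staged content to inspect.
while IFS= read -r -d '' f; do
  [[ "$f" =~ $FILES_PATTERN ]] || continue

  # First line of the staged blob. If the blob cannot be read, first_line stays
  # empty and the file is reported below (fail closed).
  first_line=''
  IFS= read -r first_line < <(git cat-file blob ":$f" 2>/dev/null)

  # The header must start the line; a mention of the marker elsewhere on the
  # first line (for example in a comment) does not count as encrypted.
  if [[ "$first_line" != "$REQUIRED"* ]]; then
    UNENCRYPTED_FILES+=("$f")
    EXIT_STATUS=1
  fi
done < <(git diff --cached --name-only --diff-filter=ACMR -z)

if [ "$EXIT_STATUS" -ne 0 ]; then
  echo '# COMMIT REJECTED'
  echo '# Looks like unencrypted ansible-vault files are part of the commit:'
  echo '#'
  for line in "${UNENCRYPTED_FILES[@]}"; do
    # %b expands the colour escapes; the path is passed through %s so that
    # backslashes or '%' in a file name are not interpreted by printf.
    printf '#\t%bunencrypted: %s%b\n' "$yellow" "$line" "$wipe"
  done
  echo '#'
  echo "# Please encrypt them with 'ansible-vault encrypt <file>'"
  echo "# (or force the commit with '--no-verify')."
fi

exit "$EXIT_STATUS"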