From d47cce7c9a2a2812a019a8feb5aafffdc4bd31a9 Mon Sep 17 00:00:00 2001
From: "lukasz.widera@vshn.ch"
Date: Fri, 15 Mar 2024 16:18:10 +0100
Subject: [PATCH] add GIT hook and Makefile target
---
 .githooks/pre-commit | 43 +++++++++++++++++++++++++++++++++++++++++++
 component/Makefile | 12 ++++++++----
 2 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100755 .githooks/pre-commit
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 000000000..1cc23867a
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+
+
+# detect if specific yaml key exists in file ../../component/class/defaults.yaml
+# specifically find existing passwords and fail if they're non empty
+
+import yaml
+import sys
+import os
+
+def yaml_path_recursion(yaml_dict, path):
+ if len(path) == 1:
+ return len(yaml_dict[path[0]]) > 0 and not yaml_dict[path[0]].startswith("?{vaultkv")
+ else:
+ return yaml_path_recursion(yaml_dict.get(path[0], {}), path[1:])
+
+current_dir = os.path.dirname(os.path.realpath(__file__))
+tests_vshn_file = os.path.join(current_dir, '../../component/tests/vshn.yml')
+defaults_file = os.path.join(current_dir, '../../component/class/defaults.yml')
+
+
+keys_to_check_yaml = [
+ 'parameters.appcat.services.vshn.keycloak.additionalInputs.registry_password',
+ 'parameters.appcat.services.vshn.keycloak.additionalInputs.registry_username'
+ ]
+
+with open(tests_vshn_file, 'r') as f:
+ defaults = yaml.safe_load(f)
+ for key in keys_to_check_yaml:
+ splitted = key.split(".")
+ if yaml_path_recursion(defaults, splitted):
+ print(f'password is not empty in or broken vault declaration in {tests_vshn_file} for key {key}')
+ sys.exit(1)
+
+with open(defaults_file, 'r') as f:
+ defaults = yaml.safe_load(f)
+ for key in keys_to_check_yaml:
+ splitted = key.split(".")
+ if yaml_path_recursion(defaults, splitted):
+ print(f'password is not empty in or broken vault declaration in {defaults_file} for key {key}')
+ sys.exit(1)
+
+exit(0)
diff --git a/component/Makefile b/component/Makefile
index 23c14c4a6..e77e23fdc 100644
--- a/component/Makefile
+++ b/component/Makefile
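Review bot: `yaml_path_recursion` indexes the leaf with `yaml_dict[path[0]]` and then calls `len()` and `.startswith()` on it, so a file that lacks `registry_password`, carries it as an empty YAML value (`None`), or has a non-mapping parent ends the hook with a traceback instead of a verdict; the intermediate `.get(path[0], {})` only postpones the `KeyError`. Walking the path with a type check and treating a missing or empty value as nothing to report (an assumption about the intent) keeps the failure message for real findings. Separately, both `open()` calls read the working-tree files, so what is checked can differ from the staged content that is actually committed; reading the staged blob with `git show :<path>` would close that gap. The header comment also names `defaults.yaml` while the code opens `defaults.yml`.

```python
def yaml_path_recursion(yaml_dict, path):
    """Return True when the value at `path` is set and is not a vault reference."""
    value = yaml_dict
    for part in path:
        if not isinstance(value, dict):
            return False  # parent missing or not a mapping: nothing to inspect
        value = value.get(part)
    if value is None or value == "":
        return False
    return not str(value).startswith("?{vaultkv")
```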
@@ -49,28 +49,32 @@ docs-serve: ## Preview the documentation mkdir -p dependencies $(COMPILE_CMD) +.PHONY: ensure_git_hook +ensure_git_hook: ## Ensure the git hook is installed + cp ../.githooks/pre-commit ../.git/hooks/pre-commit + .PHONY: test test: commodore_args += -f tests/$(instance).yml test: .compile ## Compile the component .PHONY: gen-golden gen-golden: commodore_args += -f tests/$(instance).yml -gen-golden: clean .compile ## Update the reference version for target `golden-diff`. +gen-golden: clean .compile ensure_git_hook ## Update the reference version for target `golden-diff`. @rm -rf tests/golden/$(instance) @mkdir -p tests/golden/$(instance) @cp -R compiled/. tests/golden/$(instance)/. .PHONY: golden-diff golden-diff: commodore_args += -f tests/$(instance).yml -golden-diff: clean .compile ## Diff compile output against the reference version. Review output and run `make gen-golden golden-diff` if this target fails. +golden-diff: clean .compile ensure_git_hook ## Diff compile output against the reference version. Review output and run `make gen-golden golden-diff` if this target fails. @git diff --exit-code --minimal --no-index -- tests/golden/$(instance) compiled/ .PHONY: golden-diff-all golden-diff-all: recursive_target=golden-diff -golden-diff-all: $(test_instances) ## Run golden-diff for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). +golden-diff-all: ensure_git_hook $(test_instances) ## Run golden-diff for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). .PHONY: gen-golden-all gen-golden-all: recursive_target=gen-golden -gen-golden-all: $(test_instances) ## Run gen-golden for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). +gen-golden-all: ensure_git_hook $(test_instances) ## Run gen-golden for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1). 
.PHONY: lint_kubent_all lint_kubent_all: recursive_target=lint_kubent
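Review bot: The `ensure_git_hook` recipe `cp ../.githooks/pre-commit ../.git/hooks/pre-commit` silently overwrites any pre-commit hook a developer already has and assumes `../.git` is a directory; in a linked worktree or submodule checkout `.git` is a file, the copy fails, and because `gen-golden`, `golden-diff` and both `-all` targets now depend on it, those targets fail as well. Resolving the directory through git, e.g. `cp ../.githooks/pre-commit "$$(git rev-parse --git-path hooks)/pre-commit"`, avoids the hard-coded path, though the hook's own `../../component` lookup would then need checking for that layout. The hook is also installed only for people who run these targets and can be skipped at commit time, so the same credential check is worth running in CI as the enforcing copy. A comment on the target such as `# overwrites .git/hooks/pre-commit; golden targets depend on this` would make the side effect visible.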