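#!/bin/sh
#
# Post-commit hook that decrypts files containing '$ANSIBLE_VAULT'
#
# File should be .git/hooks/post-commit and executable.
#
# Behaviour: when a readable '.vault_password_hooks' exists in the working
# tree root (git runs post-commit hooks from there), every path touched by
# HEAD whose first four lines carry the ansible-vault header is decrypted
# in place with ansible-vault.  The commit itself keeps the encrypted blob;
# only the working-tree copy becomes plaintext.
#
# NOTE(review): once decrypted, a later 'git add' of that path would commit
# plaintext unless something re-encrypts it first (presumably a pre-commit
# hook in this repo — confirm).  '.vault_password_hooks' holds the vault
# password and must never be committed.
#
# Exit status: 0 when nothing needed decrypting or every file was decrypted,
# 1 when ansible-vault fails on a file (remaining files are left untouched).
#
# Written for POSIX sh: no '<<<', no 'echo -e', no '\e' escapes, so the
# '#!/bin/sh' shebang is honoured on dash/ash as well as bash.

set -u

# Anchored regex for the vault header line (e.g. '$ANSIBLE_VAULT;1.1;AES256').
CRYPT_TAG='^\$ANSIBLE_VAULT'
EXIT_STATUS=0

# ANSI colour codes, interpreted by printf.  Octal '\033' is portable across
# printf implementations; the former '\e' form is not.
wipe='\033[1m\033[0m'
yellow='\033[1;33m'
red='\033[0;31m'
green='\033[0;32m'

# A single newline, used to separate entries in UNENCRYPTED_FILES.  Built via
# printf so the script does not depend on a literal line break surviving edits.
nl=$(printf '\n.')
nl=${nl%.}

# Newline-separated list of changed files that carry the vault header.
UNENCRYPTED_FILES=''

# No password file => this hook is a no-op (the normal state on most clones).
if [ ! -r '.vault_password_hooks' ]; then
  exit 0
fi

# Paths changed by the last commit, read line by line from a here-document
# instead of an unquoted $(...) word list so paths containing spaces stay
# intact.  HEAD^ does not exist on the initial commit: git then reports an
# error and the list is empty, which matches the original behaviour.
while IFS= read -r f; do
  [ -n "$f" ] || continue
  # Deleted or unreadable paths cannot carry the tag; skip them quietly.
  [ -r "$f" ] || continue
  # The vault header is the first line of the file; four lines is ample.
  if head -n4 -- "$f" | grep -qs -- "$CRYPT_TAG"; then
    UNENCRYPTED_FILES="$f$nl$UNENCRYPTED_FILES"
    EXIT_STATUS=1
  fi
done <<EOF
$(git diff --name-only HEAD^ HEAD)
EOF

if [ "$EXIT_STATUS" != 0 ]; then
  printf '%s\n' '# POST-COMMIT' \
    '# Looks like crypted ansible files are in repos.' \
    '#'
  # File names are always passed as printf arguments, never as the format.
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf "#\t${yellow}unencrypted: %s${wipe}\n" "$line"
    fi
  done <<EOF
$UNENCRYPTED_FILES
EOF
  printf '%s\n' '#' '# Decrypting these files now.' '#'
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf "#\t${yellow}decrypting: %s${wipe} => " "$line"
      # ansible-vault output is discarded to keep the report tidy; a non-zero
      # status aborts the hook before any further file is touched.
      if ansible-vault decrypt --vault-password-file=.vault_password_hooks "$line" > /dev/null 2>&1; then
        printf " ${green}success${wipe}\n"
      else
        printf " ${red}error${wipe}\n"
        exit 1
      fi
    fi
  done <<EOF
$UNENCRYPTED_FILES
EOF
  printf '%s\n' '#' '# Files decrypted' '#' \
    '# Remove .vault_password_hooks from .gitignore to prevent transparent decryption' \
    ''
  exit 0
fi

exit "$EXIT_STATUS"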