git-secret-protector 0.1.0__tar.gz

git_secret_protector-0.1.0/PKG-INFO

@@ -0,0 +1,126 @@
+Metadata-Version: 2.1
+Name: git-secret-protector
+Version: 0.1.0
+Summary: A tool for managing secrets in Git with AWS KMS integration.
+Author: Duc Duong
+Author-email: duc.duong@c0x12c.com
+Requires-Python: >=3.10,<3.14
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Dist: boto3 (>=1.35.10,<2.0.0)
+Requires-Dist: pycryptodome (>=3.20.0,<4.0.0)
+Description-Content-Type: text/markdown
+
+# git-secret-protector
+
+`spartan-git_secret_protector` is a Python-based CLI tool designed to securely manage and protect sensitive files in your Git repositories. It integrates with AWS Parameter Store to encrypt and decrypt secrets, ensuring that your sensitive data remains secure throughout your development process.
+
+## Features
+
+- **AES Key Management**: Securely create, manage, and rotate AES data keys using AWS Parameter Store.
+- **File Encryption/Decryption**: Automatically encrypt and decrypt files in your repository based on patterns defined in the `.gitattributes` file.
+- **Cache Management**: Cache AES data keys locally to improve performance and reduce redundant calls to AWS Parameter Store.
+- **Git Hooks Integration**: Integrates with Git hooks to automatically manage secrets during Git operations.
+- **Logging**: Configurable logging for detailed tracking of operations and errors.
+
+## Installation
+
+You can install the `git_secret_protector` module via pip:
+
+```sh
+pip install git_secret_protector
+```
+
+## Usage
+
+### 1. Initial Setup
+
+Before using the tool, ensure you have the necessary AWS permissions to manage AWS MKS & SSM. Then, initialize your repository for secret protection by installing Git clean and smudge filter and setting up the module.
+
+```sh
+git_secret_protector install
+```
+
+### 2. Pull AES Key
+
+Before encrypting or decrypting files, you need to pull the relevant AES keys from AWS Parameter Store for a specific filter:
+
+```sh
+git_secret_protector pull-aes-key <filter_name>
+```
+
+This command will pull the latest AES data key from AWS Parameter Store for the specified filter and cache it locally.
+
+This command will decrypt the files in your working directory for the specified filter, making them available for editing.
+
+### 3. Key Rotation
+
+#### Command to Rotate Keys
+
+```sh
+git_secret_protector rotate-key <filter_name>
+```
+
+This command will generate a new AES data key in AWS Parameter Store, re-encrypt your files associated with the specified filter with the new key, and update the local cache.
+
+#### Post-Rotation Code Reset
+After rotating the keys, it is necessary to clear the Git cache and re-checkout all files. This step ensures that the smudge filters are triggered, allowing the files to be decrypted with the new key.
+
+```
+# Remove all files from the index to clear the Git cache
+git rm --cached -r .
+
+# Force Git to re-checkout all files, triggering smudge filters
+git reset --hard
+```
+
+### Configuration
+
+All configurations are managed through a `config.ini` file located in the `.git_secret_protector` directory. You can customize the following settings:
+
+- **AWS Configuration**: Set your AWS region, profile, and other credentials.
+- **Logging**: Configure the log file path and rotation settings.
+- **Module Name**: Specify a custom module name for organizing keys in AWS Parameter Store.
+
+### Example `.gitattributes` File
+
+Define which files to encrypt in your `.gitattributes` file:
+
+```
+secrets/*.tfstate filter=git-crypt-app diff=git-crypt-app
+config/**/credentials/* filter=git-crypt-shared diff=git-crypt-shared
+```
+
+### Logging
+
+Logs are stored in the `logs/` directory by default, and you can configure the log level and file rotation in the `config.ini` file.
+
+## Development
+
+### Running Tests
+
+- **Unit Tests**: Located in the `tests/unit` directory, run them using `pytest`.
+- **Integration Tests**: Located in the `tests/integration` directory, these tests interact with AWS Parameter Store and should be run manually.
+
+```sh
+poetry run pytest tests/unit
+```
+
+### Contributing
+
+We welcome contributions! Please read our [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on how to contribute.
+
+## License
+
+`git_secret_protector` is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details.
+
+## Changelog
+
+See [CHANGELOG.md](CHANGELOG.md) for a history of changes and updates.
+
+## Support
+
+If you encounter any issues or have any questions, please open an issue on the GitHub repository or reach out to our support team.
+

git_secret_protector-0.1.0/README.md

@@ -0,0 +1,110 @@
+# git-secret-protector
+
+`spartan-git_secret_protector` is a Python-based CLI tool designed to securely manage and protect sensitive files in your Git repositories. It integrates with AWS Parameter Store to encrypt and decrypt secrets, ensuring that your sensitive data remains secure throughout your development process.
+
+## Features
+
+- **AES Key Management**: Securely create, manage, and rotate AES data keys using AWS Parameter Store.
+- **File Encryption/Decryption**: Automatically encrypt and decrypt files in your repository based on patterns defined in the `.gitattributes` file.
+- **Cache Management**: Cache AES data keys locally to improve performance and reduce redundant calls to AWS Parameter Store.
+- **Git Hooks Integration**: Integrates with Git hooks to automatically manage secrets during Git operations.
+- **Logging**: Configurable logging for detailed tracking of operations and errors.
+
+## Installation
+
+You can install the `git_secret_protector` module via pip:
+
+```sh
+pip install git_secret_protector
+```
+
+## Usage
+
+### 1. Initial Setup
+
+Before using the tool, ensure you have the necessary AWS permissions to manage AWS MKS & SSM. Then, initialize your repository for secret protection by installing Git clean and smudge filter and setting up the module.
+
+```sh
+git_secret_protector install
+```
+
+### 2. Pull AES Key
+
+Before encrypting or decrypting files, you need to pull the relevant AES keys from AWS Parameter Store for a specific filter:
+
+```sh
+git_secret_protector pull-aes-key <filter_name>
+```
+
+This command will pull the latest AES data key from AWS Parameter Store for the specified filter and cache it locally.
+
+This command will decrypt the files in your working directory for the specified filter, making them available for editing.
+
+### 3. Key Rotation
+
+#### Command to Rotate Keys
+
+```sh
+git_secret_protector rotate-key <filter_name>
+```
+
+This command will generate a new AES data key in AWS Parameter Store, re-encrypt your files associated with the specified filter with the new key, and update the local cache.
+
+#### Post-Rotation Code Reset
+After rotating the keys, it is necessary to clear the Git cache and re-checkout all files. This step ensures that the smudge filters are triggered, allowing the files to be decrypted with the new key.
+
+```
+# Remove all files from the index to clear the Git cache
+git rm --cached -r .
+
+# Force Git to re-checkout all files, triggering smudge filters
+git reset --hard
+```
+
+### Configuration
+
+All configurations are managed through a `config.ini` file located in the `.git_secret_protector` directory. You can customize the following settings:
+
+- **AWS Configuration**: Set your AWS region, profile, and other credentials.
+- **Logging**: Configure the log file path and rotation settings.
+- **Module Name**: Specify a custom module name for organizing keys in AWS Parameter Store.
+
+### Example `.gitattributes` File
+
+Define which files to encrypt in your `.gitattributes` file:
+
+```
+secrets/*.tfstate filter=git-crypt-app diff=git-crypt-app
+config/**/credentials/* filter=git-crypt-shared diff=git-crypt-shared
+```
+
+### Logging
+
+Logs are stored in the `logs/` directory by default, and you can configure the log level and file rotation in the `config.ini` file.
+
+## Development
+
+### Running Tests
+
+- **Unit Tests**: Located in the `tests/unit` directory, run them using `pytest`.
+- **Integration Tests**: Located in the `tests/integration` directory, these tests interact with AWS Parameter Store and should be run manually.
+
+```sh
+poetry run pytest tests/unit
+```
+
+### Contributing
+
+We welcome contributions! Please read our [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on how to contribute.
+
+## License
+
+`git_secret_protector` is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details.
+
+## Changelog
+
+See [CHANGELOG.md](CHANGELOG.md) for a history of changes and updates.
+
+## Support
+
+If you encounter any issues or have any questions, please open an issue on the GitHub repository or reach out to our support team.

git_secret_protector-0.1.0/pyproject.toml

@@ -0,0 +1,29 @@
+[tool.poetry]
+name = "git-secret-protector"
+version = "0.1.0"
+description = "A tool for managing secrets in Git with AWS KMS integration."
+authors = ["Duc Duong <duc.duong@c0x12c.com>"]
+readme = "README.md"
+packages = [{ include = "git_secret_protector", from = "src" }]
+
+[tool.poetry.dependencies]
+python = ">=3.10,<3.14"
+boto3 = "^1.35.10"
+pycryptodome = "^3.20.0"
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.3.2"
+mock = "^5.1.0"
+pyinstaller = "^6.10.0"
+
+[tool.poetry.scripts]
+git-secret-protector = "git_secret_protector.main:main"
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.pytest.ini_options]
+testpaths = [
+    "tests",
+]

git_secret_protector-0.1.0/src/git_secret_protector/__init__.py

@@ -0,0 +1 @@
+# This file is typically empty but required for Python to treat the directory as a package.

git_secret_protector-0.1.0/src/git_secret_protector/aes_key_manager.py

@@ -0,0 +1,82 @@
+import os
+import base64
+import boto3
+import json
+from git_secret_protector.settings import get_settings
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class AesKeyManager:
+    def __init__(self):
+        self._ssm_client = None
+        self.cache_dir = get_settings().cache_dir
+        os.makedirs(self.cache_dir, exist_ok=True)
+
+    @property
+    def ssm_client(self):
+        if self._ssm_client is None:
+            self._ssm_client = boto3.client('ssm')
+        return self._ssm_client
+
+    def setup_aes_key_and_iv(self, filter_name):
+        aes_key = os.urandom(32)  # 256 bits for AES-256
+        iv = os.urandom(16)  # 128 bits (AES block size)
+
+        # Encode key and IV as base64 to serialize as JSON
+        data = {
+            'aes_key': base64.b64encode(aes_key).decode('utf-8'),
+            'iv': base64.b64encode(iv).decode('utf-8')
+        }
+        json_data = json.dumps(data)
+
+        # Store the serialized key and IV in AWS SSM Parameter Store
+        self.ssm_client.put_parameter(
+            Name=f"/encryption/{filter_name}/key_iv",
+            Value=json_data,
+            Type='SecureString',
+            Overwrite=True
+        )
+
+        logger.info(f"AES key and IV setup and stored in SSM for filter: {filter_name}")
+        self.cache_key_iv_locally(filter_name, json_data)
+
+    def retrieve_key_and_iv(self, filter_name):
+        local_data = self.load_key_iv_from_cache(filter_name)
+        if local_data:
+            return base64.b64decode(local_data['aes_key']), base64.b64decode(local_data['iv'])
+
+        response = self.ssm_client.get_parameter(
+            Name=f"/encryption/{filter_name}/key_iv",
+            WithDecryption=True
+        )
+        data = json.loads(response['Parameter']['Value'])
+        self.cache_key_iv_locally(filter_name, response['Parameter']['Value'])
+        return base64.b64decode(data['aes_key']), base64.b64decode(data['iv'])
+
+    def cache_key_iv_locally(self, filter_name, json_data):
+        cache_path = os.path.join(self.cache_dir, f"{filter_name}_key_iv.json")
+        with open(cache_path, 'w') as cache_file:
+            cache_file.write(json_data)
+        logger.debug("Cached AES key and IV locally for filter: %s", filter_name)
+
+    def load_key_iv_from_cache(self, filter_name):
+        cache_path = os.path.join(self.cache_dir, f"{filter_name}_key_iv.json")
+        if os.path.exists(cache_path):
+            with open(cache_path, 'r') as cache_file:
+                json_data = cache_file.read()
+                data = json.loads(json_data)
+                return data
+        logger.debug("No local cache found for filter: %s", filter_name)
+        return None
+
+    def destroy_aes_key_and_iv(self, filter_name):
+        """Destroy the AES key and IV for a specific filter name in AWS SSM."""
+        try:
+            parameter_name = f"/encryption/{filter_name}/key_iv"
+            self.ssm_client.delete_parameter(Name=parameter_name)
+            logging.info(f"Successfully destroyed AES key and IV in SSM for filter: {filter_name}")
+        except Exception as e:
+            logging.error(f"Failed to destroy AES key and IV for filter {filter_name}: {e}")
+            raise

git_secret_protector-0.1.0/src/git_secret_protector/encryption_manager.py

@@ -0,0 +1,96 @@
+import base64
+import logging
+import os
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad, unpad
+from git_secret_protector.git_attributes_parser import GitAttributesParser
+from git_secret_protector.aes_key_manager import AesKeyManager
+
+logger = logging.getLogger(__name__)
+MAGIC_HEADER = b'ENCRYPTED'  # Magic header to identify encrypted files
+
+
+class EncryptionManager:
+    def __init__(self, aes_key, iv, git_attributes_parser):
+        if aes_key is None or iv is None:
+            raise ValueError("AES key and IV must not be None")
+        self.aes_key = aes_key
+        self.iv = iv
+        self.git_attributes_parser = git_attributes_parser
+
+    def encrypt_data(self, data):
+        if data.startswith(MAGIC_HEADER):
+            logger.warning("Data already contains MAGIC_HEADER. Skipping encryption.")
+            return data
+
+        ciphertext = self._perform_encryption(data)
+        return MAGIC_HEADER + ciphertext
+
+    def decrypt_data(self, data):
+        if not data.startswith(MAGIC_HEADER):
+            logger.warning("Data does not start with MAGIC HEADER. Skipping decryption.")
+            return data
+
+        encrypted_data = data[len(MAGIC_HEADER):]
+        plaintext = self._perform_decryption(encrypted_data)
+        return plaintext
+
+    def encrypt(self, filter_name):
+        files_to_encrypt = self.git_attributes_parser.get_files_for_filter(filter_name=filter_name)
+
+        for file_path in files_to_encrypt:
+            encrypted_data = self.encrypt_file(file_path)
+            with open(file_path, 'wb') as f:
+                f.write(encrypted_data)
+            logger.info("File encrypted: %s", file_path)
+
+    def decrypt(self, filter_name):
+        files_to_decrypt = self.git_attributes_parser.get_files_for_filter(filter_name=filter_name)
+
+        for file_path in files_to_decrypt:
+            decrypted_data = self.decrypt_file(file_path)
+            with open(file_path, 'wb') as f:
+                f.write(decrypted_data)
+            logger.info("File decrypted: %s", file_path)
+
+    def encrypt_file(self, file_path):
+        logger.info("Encrypting file: %s", file_path)
+        with open(file_path, 'rb') as f:
+            data = f.read()
+
+        if data.startswith(MAGIC_HEADER):
+            logger.info("File already contains MAGIC_HEADER. Skipping encryption.")
+            return data
+
+        ciphertext = self._perform_encryption(data)
+        return MAGIC_HEADER + ciphertext
+
+    def decrypt_file(self, file_path):
+        logger.info("Decrypting file: %s", file_path)
+        with open(os.path.abspath(file_path), 'rb') as f:
+            data = f.read()
+
+        if not data.startswith(MAGIC_HEADER):
+            logger.warning("File does not start with MAGIC HEADER. Skipping decryption.")
+            return data
+
+        encrypted_data = data[len(MAGIC_HEADER):]
+        plaintext = self._perform_decryption(encrypted_data)
+        return plaintext
+
+    def _perform_encryption(self, plaintext: bytes) -> bytes:
+        cipher = AES.new(self.aes_key, AES.MODE_CBC, self.iv)
+        ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+        return base64.b64encode(ciphertext)  # Base64 encode the result
+
+    def _perform_decryption(self, encrypted_text: bytes) -> bytes:
+        ciphertext = base64.b64decode(encrypted_text)
+        cipher = AES.new(self.aes_key, AES.MODE_CBC, self.iv)
+        plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
+        return plaintext
+
+    @classmethod
+    def from_filter_name(cls, filter_name: str, git_attributes_parser: GitAttributesParser):
+        key_manager = AesKeyManager()
+        aes_key, iv = key_manager.retrieve_key_and_iv(filter_name)
+        return cls(aes_key, iv, git_attributes_parser)

git_secret_protector-0.1.0/src/git_secret_protector/git_attributes_parser.py

@@ -0,0 +1,56 @@
+import fnmatch
+import glob
+import os
+import re
+
+
+class GitAttributesParser:
+    def __init__(self, git_attributes_file='.gitattributes'):
+        self.git_attributes_file = git_attributes_file
+        self.patterns = self._parse_patterns()
+
+    def _parse_patterns(self):
+        """Parse the .gitattributes file to extract patterns associated with filters."""
+        patterns = {}
+        with open(self.git_attributes_file, 'r') as file:
+            for line in file:
+                match = re.search(r'(.+)\s+filter=(\S+)', line)
+                if match:
+                    pattern = match.group(1).strip()
+                    filter_name = match.group(2).strip()
+                    if filter_name not in patterns:
+                        patterns[filter_name] = []
+                    patterns[filter_name].append(pattern)
+        return patterns
+
+    def _find_files_matching_patterns(self, patterns, repo_root='.'):
+        """Helper method to find files matching given patterns using glob."""
+        matched_files = set()  # Using a set to avoid duplicates
+        for pattern in patterns:
+            files = glob.glob(os.path.join(repo_root, pattern), recursive=True)
+            matched_files.update(files)
+        return list(matched_files)
+
+    def get_secret_files(self, repo_root='.'):
+        """Return all files matching any of the filter patterns."""
+        secret_files = set()
+        for patterns in self.patterns.values():
+            secret_files.update(self._find_files_matching_patterns(patterns, repo_root))
+        return list(secret_files)
+
+    def get_files_for_filter(self, filter_name, repo_root='.'):
+        """Return all files matching the patterns for a specific filter name."""
+        patterns = self.patterns.get(filter_name, [])
+        return self._find_files_matching_patterns(patterns, repo_root)
+
+    def get_filter_names(self):
+        """Return a list of unique filter names from the .gitattributes file."""
+        return list(self.patterns.keys())
+
+    def get_filter_name_for_file(self, file_name, repo_root='.'):
+        """Return the filter name that matches the given file name based on .gitattributes patterns."""
+        for filter_name, patterns in self.patterns.items():
+            for pattern in patterns:
+                if fnmatch.fnmatch(os.path.relpath(file_name, repo_root), pattern):
+                    return filter_name
+        return None

git_secret_protector-0.1.0/src/git_secret_protector/git_hooks_installer.py

@@ -0,0 +1,38 @@
+import logging
+import os
+
+logger = logging.getLogger(__name__)
+
+
+class GitHooksInstaller:
+    def __init__(self, repo_path='.'):
+        self.repo_path = repo_path
+        self.hooks_path = os.path.join(self.repo_path, '.git', 'hooks')
+
+    def setup_hooks(self):
+        self._create_pre_commit_hook()
+        self._create_post_checkout_hook()
+        logger.info("Git hooks have been installed successfully.")
+
+    def _create_pre_commit_hook(self):
+        hook_script = """#!/bin/sh
+        # Pre-commit hook to encrypt files before commit
+        git_secret_protector encrypt
+        """
+
+        self._write_hook_script('pre-commit', hook_script)
+
+    def _create_post_checkout_hook(self):
+        hook_script = """#!/bin/sh
+        # Post-checkout hook to decrypt files after checkout
+        git_secret_protector decrypt
+        """
+
+        self._write_hook_script('post-checkout', hook_script)
+
+    def _write_hook_script(self, hook_name, script_content):
+        hook_file = os.path.join(self.hooks_path, hook_name)
+        with open(hook_file, 'w') as f:
+            f.write(script_content)
+        os.chmod(hook_file, 0o755)  # Make the script executable
+        logger.info(f"{hook_name} hook installed.")

git_secret_protector-0.1.0/src/git_secret_protector/key_rotator.py

@@ -0,0 +1,38 @@
+import logging
+from git_secret_protector.encryption_manager import EncryptionManager
+from git_secret_protector.git_attributes_parser import GitAttributesParser
+from git_secret_protector.aes_key_manager import AesKeyManager
+
+logger = logging.getLogger(__name__)
+
+
+class KeyRotator:
+    def __init__(self, key_manager: AesKeyManager, git_attributes_parser: GitAttributesParser):
+        self.aes_key_manager = key_manager
+        self.git_attributes_parser = git_attributes_parser
+
+    def rotate_key(self, filter_name: str):
+        try:
+            logger.info("Starting key and IV rotation for filter: %s", filter_name)
+
+            # Step 1: Retrieve the current AES key and IV
+            current_aes_key, current_iv = self.aes_key_manager.retrieve_key_and_iv(filter_name)
+
+            # Step 2: Decrypt all files using the current AES key and IV
+            decryption_manager = EncryptionManager(current_aes_key, current_iv, self.git_attributes_parser)
+            decryption_manager.decrypt(filter_name=filter_name)
+
+            # Step 3: Generate and store a new AES key and IV
+            self.aes_key_manager.setup_aes_key_and_iv(filter_name)
+
+            # Step 4: Retrieve the new AES key and IV
+            new_aes_key, new_iv = self.aes_key_manager.retrieve_key_and_iv(filter_name)
+
+            # Step 5: Encrypt all files using the new AES key and IV
+            encryption_manager = EncryptionManager(new_aes_key, new_iv, self.git_attributes_parser)
+            encryption_manager.encrypt(filter_name=filter_name)
+
+            logger.info("Key and IV rotation and re-encryption complete for filter: %s", filter_name)
+        except Exception as e:
+            logger.error("Failed to rotate key and IV for filter %s: %s", filter_name, e)
+            raise

git_secret_protector-0.1.0/src/git_secret_protector/logging.py

@@ -0,0 +1,24 @@
+import logging
+import logging.handlers
+import os
+
+from git_secret_protector.settings import get_settings
+
+
+def configure_logging():
+    settings = get_settings()
+    log_file = settings.log_file
+    log_level = settings.log_level
+    log_max_size = settings.log_max_size
+    log_backup_count = settings.log_backup_count
+
+    os.makedirs(os.path.dirname(log_file), exist_ok=True)
+
+    handler = logging.handlers.RotatingFileHandler(
+        log_file, maxBytes=log_max_size, backupCount=log_backup_count
+    )
+
+    formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+    handler.setFormatter(formatter)
+
+    logging.basicConfig(level=log_level, handlers=[handler])

git_secret_protector-0.1.0/src/git_secret_protector/main.py

@@ -0,0 +1,164 @@
+import argparse
+import logging
+import os
+import sys
+import time
+
+from git_secret_protector.encryption_manager import EncryptionManager
+from git_secret_protector.git_attributes_parser import GitAttributesParser
+from git_secret_protector.git_hooks_installer import GitHooksInstaller
+from git_secret_protector.key_rotator import KeyRotator
+from git_secret_protector.aes_key_manager import AesKeyManager
+from git_secret_protector.logging import configure_logging
+
+logger = logging.getLogger(__name__)
+
+
+def setup_aes_key(args):
+    logger.info("AES key setup complete for args: %s", args)
+    key_manager = AesKeyManager()
+    key_manager.setup_aes_key_and_iv(args.filter_name)
+    logger.info("AES key setup complete for filter: %s", args.filter_name)
+
+
+def pull_aes_key(args):
+    key_manager = AesKeyManager()
+    key_manager.retrieve_key_and_iv(args.filter_name)
+    logger.info("KMS key pulled and cached for filter: %s", args.filter_name)
+
+
+def rotate_key(args):
+    key_manager = AesKeyManager()
+    git_attributes_parser = GitAttributesParser()
+    rotator = KeyRotator(key_manager, git_attributes_parser)
+    rotator.rotate_key(args.filter_name)
+    logger.info("Key rotation complete for filter: %s", args.filter_name)
+
+
+def install(args):
+    installer = GitHooksInstaller()
+    installer.setup_hooks()
+    logger.info("Git hooks installed successfully.")
+
+
+def encrypt_files(args):
+    git_attributes_parser = GitAttributesParser()
+    filter_names = git_attributes_parser.get_filter_names()
+
+    for filter_name in filter_names:
+        encryption_manager = EncryptionManager.from_filter_name(filter_name)
+        encryption_manager.encrypt(filter_name)
+        logger.info("Files encrypted for filter: %s", filter_name)
+
+
+def decrypt_files(args):
+    git_attributes_parser = GitAttributesParser()
+    filter_names = git_attributes_parser.get_filter_names()
+
+    for filter_name in filter_names:
+        encryption_manager = EncryptionManager.from_filter_name(filter_name)
+        encryption_manager.decrypt(filter_name)
+        logger.info("Files decrypted for filter: %s", filter_name)
+
+
+def decrypt_stdin(args):
+    file_name = args.file_name  # Local variable to reduce duplication
+    logger.info("Decrypting data from stdin with file_name: %s", file_name)
+
+    # Read all data from stdin
+    encrypted_data = sys.stdin.buffer.read()
+
+    if not encrypted_data:
+        logger.error("No data provided on stdin")
+        return
+
+    git_attributes_parser = GitAttributesParser()
+    filter_name = git_attributes_parser.get_filter_name_for_file(file_name)
+    logger.debug("Found filter_name to decrypt: %s", filter_name)
+
+    if filter_name is None:
+        logger.error("No filter found for file: %s", args.file_name)
+        return
+
+    # Assuming you have a modified version of the EncryptionManager to handle data instead of file names
+    encryption_manager = EncryptionManager.from_filter_name(filter_name)
+    decrypted_data = encryption_manager.decrypt_data(
+        encrypted_data)  # This needs to be implemented in EncryptionManager
+
+    # Print the encrypted data to stdout
+    sys.stdout.buffer.write(decrypted_data)
+    sys.stdout.buffer.flush()
+
+
+def encrypt_stdin(args):
+    file_name = args.file_name  # Local variable to reduce duplication
+    logger.info("Encrypting data from stdin with file_name: %s", file_name)
+
+    # Read all data from stdin
+    input_data = sys.stdin.buffer.read()
+
+    if not input_data:
+        logger.error("No data provided on stdin")
+        return
+
+    git_attributes_parser = GitAttributesParser()
+    filter_name = git_attributes_parser.get_filter_name_for_file(file_name)
+    logger.debug("Found filter_name to decrypt: %s", filter_name)
+
+    if filter_name is None:
+        logger.error("No filter found for file: %s", args.file_name)
+        return
+
+    encryption_manager = EncryptionManager.from_filter_name(filter_name)
+    encrypted_data = encryption_manager.encrypt_data(input_data)
+
+    sys.stdout.buffer.write(encrypted_data)
+    sys.stdout.buffer.flush()
+
+
+def main():
+    configure_logging()
+
+    parser = argparse.ArgumentParser(description="Git Secret Protector CLI")
+
+    subparsers = parser.add_subparsers(help="Available commands")
+
+    # Command to setup AES key in KMS
+    parser_setup_aes_key = subparsers.add_parser('setup-aes-key', help="Setup AES key in KMS")
+    parser_setup_aes_key.add_argument('filter_name', type=str, help="The filter name for the AES key")
+    parser_setup_aes_key.set_defaults(func=setup_aes_key)
+
+    # Command to pull KMS keys
+    parser_pull_aes_key = subparsers.add_parser('pull-aes-key', help="Pull KMS key for a filter")
+    parser_pull_aes_key.add_argument('filter_name', type=str, help="The filter name for the KMS key")
+    parser_pull_aes_key.set_defaults(func=pull_aes_key)
+
+    # Command to rotate KMS keys
+    parser_rotate_key = subparsers.add_parser('rotate-key', help="Rotate KMS key and re-encrypt secrets")
+    parser_rotate_key.add_argument('filter_name', type=str, help="The filter name for the KMS key")
+    parser_rotate_key.set_defaults(func=rotate_key)
+
+    # Command to install Git hooks
+    parser_install = subparsers.add_parser('install', help="Install Git hooks and initialize the module")
+    parser_install.set_defaults(func=install)
+
+    # Command to decrypt data from stdin
+    parser_decrypt_stdin = subparsers.add_parser('decrypt', help="Decrypt data from stdin")
+    parser_decrypt_stdin.add_argument('file_name', type=str, help="Filename for logging/reference")
+    parser_decrypt_stdin.set_defaults(func=decrypt_stdin)
+
+    # Command to encrypt data from stdin
+    parser_encrypt_stdin = subparsers.add_parser('encrypt', help="Encrypt data from stdin")
+    parser_encrypt_stdin.add_argument('file_name', type=str, help="Filename for logging/reference")
+    parser_encrypt_stdin.set_defaults(func=encrypt_stdin)
+
+    args = parser.parse_args()
+
+    if hasattr(args, 'func'):
+        args.func(args)
+    else:
+        parser.print_help()
+
+
+if __name__ == '__main__':
+    main()

git_secret_protector-0.1.0/src/git_secret_protector/settings.py

@@ -0,0 +1,43 @@
+import configparser
+import os
+from dataclasses import dataclass, field
+
+BASE_DIR = '.git_secret_protector'
+
+@dataclass
+class Settings:
+    # Singleton instance variable
+    _instance: 'Settings' = field(default=None, init=False, repr=False)
+
+    config_file: str = os.path.join(BASE_DIR, 'config.ini')
+    cache_dir: str = os.path.join(BASE_DIR, 'cache')
+    log_dir: str = os.path.join(BASE_DIR, 'logs')
+    module_name: str = 'git-secret-protector'
+    log_file: str =  field(init=False)
+    log_level: str = 'INFO'
+    log_max_size: int = 10485760  # 10MB
+    log_backup_count: int = 3
+    config: configparser.ConfigParser = field(default_factory=configparser.ConfigParser, init=False)
+
+    def __post_init__(self):
+        self.log_file = os.path.join(self.log_dir, 'git_secret_protector.log')
+        self._load_config()
+
+    def _load_config(self):
+        if os.path.exists(self.config_file):
+            self.config.read(self.config_file)
+            self.module_name = self.config.get('DEFAULT', 'module_name', fallback=self.module_name)
+            self.log_file = self.config.get('DEFAULT', 'log_file', fallback=self.log_file)
+            self.log_level = self.config.get('DEFAULT', 'log_level', fallback=self.log_level)
+            self.log_max_size = self.config.getint('DEFAULT', 'log_max_size', fallback=self.log_max_size)
+            self.log_backup_count = self.config.getint('DEFAULT', 'log_backup_count', fallback=self.log_backup_count)
+
+    @classmethod
+    def get_instance(cls):
+        if cls._instance is None:
+            cls._instance = cls()
+        return cls._instance
+
+
+def get_settings():
+    return Settings.get_instance()