trufflehog/pkg/detectors/azure/azure.go

package azure

import (
	"context"
	"fmt"
	"regexp"
	"strings"

	"github.com/Azure/go-autorest/autorest/azure/auth"

	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

type Scanner struct{}

// Ensure the Scanner satisfies the interface at compile time.
var _ detectors.Detector = (*Scanner)(nil)

func mustFmtPat(id, pat string) *regexp.Regexp {
	combinedID := strings.ReplaceAll(id, "_", "") + "|" + id
	return regexp.MustCompile(fmt.Sprintf(pat, combinedID))
}

var (
	// TODO: Azure storage access keys and investigate other types of creds.

	// Azure App Oauth
	idPatFmt    = `(?i)(%s).{0,20}([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})`
	clientIDPat = mustFmtPat("client_id", idPatFmt)
	tenantIDPat = mustFmtPat("tenant_id", idPatFmt)

	// TODO: support old patterns
	secretPatFmt    = `(?i)(%s).{0,20}([a-z0-9_\.\-~]{34})`
	clientSecretPat = mustFmtPat("client_secret", secretPatFmt)
)

// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
	return []string{"azure"}
}

// FromData will find and optionally verify Azure secrets in a given set of bytes.
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
	dataStr := string(data)

	clientSecretMatches := clientSecretPat.FindAllStringSubmatch(dataStr, -1)
	for _, clientSecret := range clientSecretMatches {
		tenantIDMatches := tenantIDPat.FindAllStringSubmatch(dataStr, -1)
		for _, tenantID := range tenantIDMatches {
			clientIDMatches := clientIDPat.FindAllStringSubmatch(dataStr, -1)
			for _, clientID := range clientIDMatches {
				s := detectors.Result{
					DetectorType: detectorspb.DetectorType_Azure,
					Raw:          []byte(clientSecret[2]),
					RawV2:        []byte(clientID[2] + clientSecret[2] + tenantID[2]),
					Redacted:     clientID[2],
				}
				// Set the RotationGuideURL in the ExtraData
				s.ExtraData = map[string]string{
					"rotation_guide": "https://howtorotate.com/docs/tutorials/azure/",
				}

				if verify {
					cred := auth.NewClientCredentialsConfig(clientID[2], clientSecret[2], tenantID[2])
					token, err := cred.ServicePrincipalToken()
					if err != nil {
						continue
					}
					err = token.Refresh()
					if err == nil {
						s.Verified = true
					}
				}

				if !s.Verified {
					if detectors.IsKnownFalsePositive(s.Redacted, detectors.DefaultFalsePositives, true) {
						continue
					}
					if detectors.IsKnownFalsePositive(string(s.Raw), detectors.DefaultFalsePositives, true) {
						continue
					}
				}

				results = append(results, s)
			}
		}
	}

	return results, nil
}

func (s Scanner) Type() detectorspb.DetectorType {
	return detectorspb.DetectorType_Azure
}
more detectors 2022-01-19 06:24:42 +00:00			`package azure`

			`import (`
			`"context"`
			`"fmt"`
			`"regexp"`
			`"strings"`

			`"github.com/Azure/go-autorest/autorest/azure/auth"`

module v3 2022-02-10 18:54:33 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"`
			`"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"`
more detectors 2022-01-19 06:24:42 +00:00			`)`

			`type Scanner struct{}`

Clean up comments. (#562) 2022-05-16 16:03:10 +00:00			`// Ensure the Scanner satisfies the interface at compile time.`
more detectors 2022-01-19 06:24:42 +00:00			`var _ detectors.Detector = (*Scanner)(nil)`

			`func mustFmtPat(id, pat string) *regexp.Regexp {`
			`combinedID := strings.ReplaceAll(id, "_", "") + "\|" + id`
			`return regexp.MustCompile(fmt.Sprintf(pat, combinedID))`
			`}`

			`var (`
			`// TODO: Azure storage access keys and investigate other types of creds.`

			`// Azure App Oauth`
			idPatFmt = `(?i)(%s).{0,20}([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})`
			`clientIDPat = mustFmtPat("client_id", idPatFmt)`
			`tenantIDPat = mustFmtPat("tenant_id", idPatFmt)`

			`// TODO: support old patterns`
			secretPatFmt = `(?i)(%s).{0,20}([a-z0-9_\.\-~]{34})`
			`clientSecretPat = mustFmtPat("client_secret", secretPatFmt)`
			`)`

			`// Keywords are used for efficiently pre-filtering chunks.`
			`// Use identifiers in the secret preferably, or the provider name.`
			`func (s Scanner) Keywords() []string {`
			`return []string{"azure"}`
			`}`

			`// FromData will find and optionally verify Azure secrets in a given set of bytes.`
			`func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {`
			`dataStr := string(data)`

			`clientSecretMatches := clientSecretPat.FindAllStringSubmatch(dataStr, -1)`
			`for _, clientSecret := range clientSecretMatches {`
			`tenantIDMatches := tenantIDPat.FindAllStringSubmatch(dataStr, -1)`
			`for _, tenantID := range tenantIDMatches {`
			`clientIDMatches := clientIDPat.FindAllStringSubmatch(dataStr, -1)`
			`for _, clientID := range clientIDMatches {`
			`s := detectors.Result{`
			`DetectorType: detectorspb.DetectorType_Azure,`
			`Raw: []byte(clientSecret[2]),`
Add RawV2 Results to the JSON Output (#1273) * Add RawV2 to JSON Output * Adding RawV2 results to Azure, Datadog and GCP Detectors 2023-04-20 23:31:53 +00:00			`RawV2: []byte(clientID[2] + clientSecret[2] + tenantID[2]),`
more detectors 2022-01-19 06:24:42 +00:00			`Redacted: clientID[2],`
			`}`
Adding Howtorotate Guides to TruffleHog (#1839) * adding how to rotate guides * Adding project ID to metadata * update key name, remove comments, and ensure always present --------- Co-authored-by: counter <counter@counters-MacBook-Air.local> Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2023-10-02 20:45:17 +00:00			`// Set the RotationGuideURL in the ExtraData`
			`s.ExtraData = map[string]string{`
			`"rotation_guide": "https://howtorotate.com/docs/tutorials/azure/",`
			`}`
more detectors 2022-01-19 06:24:42 +00:00
			`if verify {`
			`cred := auth.NewClientCredentialsConfig(clientID[2], clientSecret[2], tenantID[2])`
			`token, err := cred.ServicePrincipalToken()`
			`if err != nil {`
			`continue`
			`}`
			`err = token.Refresh()`
			`if err == nil {`
			`s.Verified = true`
			`}`
			`}`

			`if !s.Verified {`
			`if detectors.IsKnownFalsePositive(s.Redacted, detectors.DefaultFalsePositives, true) {`
			`continue`
			`}`
			`if detectors.IsKnownFalsePositive(string(s.Raw), detectors.DefaultFalsePositives, true) {`
			`continue`
			`}`
			`}`

			`results = append(results, s)`
			`}`
			`}`
			`}`

[THOG-793] - Return all unverified results (#856) * Remove the check to filter and return only a single unverified result. * Revert "Remove the check to filter and return only a single unverified result." This reverts commit 494e432803e6389804d6f55b9444dcba62b81ffc. * Add new CLI flag to filter unverified results. 2022-10-31 16:36:10 +00:00			`return results, nil`
more detectors 2022-01-19 06:24:42 +00:00			`}`
Add Type() to detector interface (#1088) * Add Type() to detector interface The goal here is to allow the detector type information to be used without the need for reflection. This could possibly allow us to more easily inject information into detectors or filter them out if necessary. Co-authored-by: ahmed <ahmed.zahran@trufflesec.com> * remove test detector --------- Co-authored-by: ahmed <ahmed.zahran@trufflesec.com> 2023-02-09 22:46:03 +00:00
			`func (s Scanner) Type() detectorspb.DetectorType {`
			`return detectorspb.DetectorType_Azure`
			`}`