trufflehog/pkg/detectors/sentrytoken/sentrytoken_test.go

//go:build detectors
// +build detectors

package sentrytoken

import (
	"context"
	"fmt"
	"testing"
	"time"

	"github.com/google/go-cmp/cmp"
	"github.com/google/go-cmp/cmp/cmpopts"

	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"

	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

func TestSentryToken_FromChunk(t *testing.T) {
	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
	defer cancel()
	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors3")
	if err != nil {
		t.Fatalf("could not get test secrets from GCP: %s", err)
	}
	secret := testSecrets.MustGetField("SENTRYTOKEN_TOKEN")
	inactiveSecret := testSecrets.MustGetField("SENTRYTOKEN_INACTIVE")

	type args struct {
		ctx    context.Context
		data   []byte
		verify bool
	}
	tests := []struct {
		name                string
		s                   Scanner
		args                args
		want                []detectors.Result
		wantErr             bool
		wantVerificationErr bool
	}{
		{
			name: "found, verified",
			s:    Scanner{},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry secret %s within", secret)),
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     true,
				},
			},
			wantErr: false,
		},
		{
			name: "found, unverified",
			s:    Scanner{},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     false,
				},
			},
			wantErr: false,
		},
		{
			name: "found, would be verified but for timeout",
			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     false,
				},
			},
			wantErr:             false,
			wantVerificationErr: true,
		},
		{
			name: "found and valid but unexpected api response",
			s:    Scanner{client: common.ConstantResponseHttpClient(500, "")},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     false,
				},
			},
			wantErr:             false,
			wantVerificationErr: true,
		},
		{
			name: "found, good key but wrong scope",
			s:    Scanner{client: common.ConstantResponseHttpClient(403, responseBody403)},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     true,
				},
			},
			wantErr: false,
		},
		{
			name: "found, account deactivated",
			s:    Scanner{client: common.ConstantResponseHttpClient(200, reponseAccountDeactivated)},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     false,
				},
			},
			wantErr:             false,
			wantVerificationErr: true,
		},
		{
			name: "found, account deactivated",
			s:    Scanner{client: common.ConstantResponseHttpClient(200, responseEnmpty)},
			args: args{
				ctx:    context.Background(),
				data:   []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),
				verify: true,
			},
			want: []detectors.Result{
				{
					DetectorType: detectorspb.DetectorType_SentryToken,
					Verified:     false,
				},
			},
			wantErr:             false,
			wantVerificationErr: true,
		},
		{
			name: "not found",
			s:    Scanner{},
			args: args{
				ctx:    context.Background(),
				data:   []byte("You cannot find the secret within"),
				verify: true,
			},
			want:    nil,
			wantErr: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
			if (err != nil) != tt.wantErr {
				t.Errorf("Gitlab.FromData() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			for i := range got {
				if len(got[i].Raw) == 0 {
					t.Fatal("no raw secret present")
				}
				if (got[i].VerificationError() != nil) != tt.wantVerificationErr {
					t.Fatalf("wantVerificationError = %v, verification error = %v,", tt.wantVerificationErr, got[i].VerificationError())
				}
			}
			opts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")
			if diff := cmp.Diff(got, tt.want, opts); diff != "" {
				t.Errorf("Gitlab.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
			}
		})
	}
}

const (
	responseBody403 = `
[
  {
    "organization": {
      "id": "911964",
      "slug": "wigslap",
      "status": {
        "id": "active",
        "name": "active"
      },
      "name": "wigslap"
    }
  }
]
`
	reponseAccountDeactivated = `{"detail": "Authentication credentials were not provided"}`
	responseEnmpty            = `[]`
)

func BenchmarkFromData(benchmark *testing.B) {
	ctx := context.Background()
	s := Scanner{}
	for name, data := range detectors.MustGetBenchmarkData() {
		benchmark.Run(name, func(b *testing.B) {
			b.ResetTimer()
			for n := 0; n < b.N; n++ {
				_, err := s.FromData(ctx, false, data)
				if err != nil {
					b.Fatal(err)
				}
			}
		})
	}
}
Mark detector tests with a build flag (#613) 2022-07-07 17:27:21 +00:00			`//go:build detectors`
			`// +build detectors`

added sentrytoken detector 2022-01-19 06:19:13 +00:00			`package sentrytoken`

			`import (`
			`"context"`
			`"fmt"`
			`"testing"`
			`"time"`

[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`"github.com/google/go-cmp/cmp"`
			`"github.com/google/go-cmp/cmp/cmpopts"`

module v3 2022-02-10 18:54:33 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"`
added sentrytoken detector 2022-01-19 06:19:13 +00:00
module v3 2022-02-10 18:54:33 +00:00			`"github.com/trufflesecurity/trufflehog/v3/pkg/common"`
			`"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`)`

			`func TestSentryToken_FromChunk(t *testing.T) {`
			`ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)`
			`defer cancel()`
Adding detectors (#46) * rename secret * Add supporting docs and tooling for adding new detectors 2022-02-16 03:19:09 +00:00			`testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors3")`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`if err != nil {`
			`t.Fatalf("could not get test secrets from GCP: %s", err)`
			`}`
			`secret := testSecrets.MustGetField("SENTRYTOKEN_TOKEN")`
			`inactiveSecret := testSecrets.MustGetField("SENTRYTOKEN_INACTIVE")`

			`type args struct {`
			`ctx context.Context`
			`data []byte`
			`verify bool`
			`}`
			`tests := []struct {`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`name string`
			`s Scanner`
			`args args`
			`want []detectors.Result`
			`wantErr bool`
			`wantVerificationErr bool`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`}{`
			`{`
			`name: "found, verified",`
			`s: Scanner{},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry secret %s within", secret)),`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: true,`
			`},`
			`},`
			`wantErr: false,`
			`},`
			`{`
			`name: "found, unverified",`
			`s: Scanner{},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: false,`
			`},`
			`},`
			`wantErr: false,`
			`},`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`{`
			`name: "found, would be verified but for timeout",`
			`s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: false,`
			`},`
			`},`
			`wantErr: false,`
			`wantVerificationErr: true,`
			`},`
			`{`
			`name: "found and valid but unexpected api response",`
			`s: Scanner{client: common.ConstantResponseHttpClient(500, "")},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: false,`
			`},`
			`},`
			`wantErr: false,`
			`wantVerificationErr: true,`
			`},`
			`{`
			`name: "found, good key but wrong scope",`
			`s: Scanner{client: common.ConstantResponseHttpClient(403, responseBody403)},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: true,`
			`},`
			`},`
			`wantErr: false,`
			`},`
[chore] - Sentry detector update (#1746) * add test case for account deactivated. * Handle empty case. 2023-09-11 14:26:09 +00:00			`{`
			`name: "found, account deactivated",`
			`s: Scanner{client: common.ConstantResponseHttpClient(200, reponseAccountDeactivated)},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: false,`
			`},`
			`},`
			`wantErr: false,`
			`wantVerificationErr: true,`
			`},`
			`{`
			`name: "found, account deactivated",`
			`s: Scanner{client: common.ConstantResponseHttpClient(200, responseEnmpty)},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte(fmt.Sprintf("You can find a sentry super secret %s within", secret)),`
			`verify: true,`
			`},`
			`want: []detectors.Result{`
			`{`
			`DetectorType: detectorspb.DetectorType_SentryToken,`
			`Verified: false,`
			`},`
			`},`
			`wantErr: false,`
			`wantVerificationErr: true,`
			`},`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`{`
			`name: "not found",`
			`s: Scanner{},`
			`args: args{`
			`ctx: context.Background(),`
			`data: []byte("You cannot find the secret within"),`
			`verify: true,`
			`},`
			`want: nil,`
			`wantErr: false,`
			`},`
			`}`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`if (err != nil) != tt.wantErr {`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`t.Errorf("Gitlab.FromData() error = %v, wantErr %v", err, tt.wantErr)`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`return`
			`}`
			`for i := range got {`
			`if len(got[i].Raw) == 0 {`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`t.Fatal("no raw secret present")`
			`}`
[thog-1548] add auto redaction for verification errors (#2106) * Updating VerificationError to have auto redaction logic * find/replace error 2023-12-05 13:57:52 +00:00			`if (got[i].VerificationError() != nil) != tt.wantVerificationErr {`
			`t.Fatalf("wantVerificationError = %v, verification error = %v,", tt.wantVerificationErr, got[i].VerificationError())`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`}`
			`}`
[thog-1548] add auto redaction for verification errors (#2106) * Updating VerificationError to have auto redaction logic * find/replace error 2023-12-05 13:57:52 +00:00			`opts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`if diff := cmp.Diff(got, tt.want, opts); diff != "" {`
			`t.Errorf("Gitlab.FromData() %s diff: (-got +want)\n%s", tt.name, diff)`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`}`
			`})`
			`}`
			`}`

[chore] - Sentry detector update (#1746) * add test case for account deactivated. * Handle empty case. 2023-09-11 14:26:09 +00:00			`const (`
			responseBody403 = `
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00			`[`
			`{`
			`"organization": {`
			`"id": "911964",`
			`"slug": "wigslap",`
			`"status": {`
			`"id": "active",`
			`"name": "active"`
			`},`
			`"name": "wigslap"`
			`}`
			`}`
			`]`
			`
[chore] - Sentry detector update (#1746) * add test case for account deactivated. * Handle empty case. 2023-09-11 14:26:09 +00:00			reponseAccountDeactivated = `{"detail": "Authentication credentials were not provided"}`
			responseEnmpty = `[]`
			`)`
[chore] - fix sentry detector (#1738) * fix sentry detector to check response. * use err. * address comments. 2023-09-01 17:33:21 +00:00
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`func BenchmarkFromData(benchmark *testing.B) {`
			`ctx := context.Background()`
			`s := Scanner{}`
			`for name, data := range detectors.MustGetBenchmarkData() {`
			`benchmark.Run(name, func(b *testing.B) {`
[chore] - update benchmarks. (#1641) * update benchmarks. * remove dupe timer reset. 2023-08-23 21:34:10 +00:00			`b.ResetTimer()`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`for n := 0; n < b.N; n++ {`
Fix linting and dogfood in CI 2022-03-01 04:38:13 +00:00			`_, err := s.FromData(ctx, false, data)`
			`if err != nil {`
			`b.Fatal(err)`
			`}`
added sentrytoken detector 2022-01-19 06:19:13 +00:00			`}`
			`})`
			`}`
			`}`