diff --git a/pkg/detectors/azureactivedirectoryapplicationsecret/azureactivedirectoryapplicationsecret.go b/pkg/detectors/azureactivedirectoryapplicationsecret/azureactivedirectoryapplicationsecret.go
new file mode 100644
index 000000000..c9578c521
--- /dev/null
+++ b/pkg/detectors/azureactivedirectoryapplicationsecret/azureactivedirectoryapplicationsecret.go
@@ -0,0 +1,150 @@
+package azureactivedirectoryapplicationsecret
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+// Scanner detects Azure Active Directory application secrets.
+// When client is nil, verification falls back to defaultClient.
+type Scanner struct {
+	client *http.Client
+}
+
+// Ensure the Scanner satisfies the interface at compile time.
+var _ detectors.Detector = (*Scanner)(nil)
+
+var (
+	defaultClient = common.SaneHttpClient()
+	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
+	keyPat    = regexp.MustCompile(detectors.PrefixRegex([]string{"azure"}) + `\b([a-zA-Z0-9_+.=~-]{40})\b`)
+	clientPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure client"}) + common.BuildRegex(common.RegexPattern, "-", 36))
+	tenantPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure tenant"}) + common.BuildRegex(common.RegexPattern, "-", 36))
+)
+
+// Keywords are used for efficiently pre-filtering chunks.
+// Use identifiers in the secret preferably, or the provider name.
+func (s Scanner) Keywords() []string {
+	return []string{"azure"}
+}
+
+// FromData will find and optionally verify AzureActiveDirectoryApplicationSecret secrets in a given set of bytes.
+//
+// Every combination of a distinct secret, client ID and tenant ID found in
+// data yields one candidate result. When verify is true each candidate is
+// checked with verifyMatch. Unverified candidates whose secret is a known
+// false positive are dropped. The returned error is always nil.
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+	dataStr := string(data)
+
+	uniqueMatches := uniqueSubmatches(keyPat, dataStr)
+	uniqueClientMatches := uniqueSubmatches(clientPat, dataStr)
+	uniqueTenantMatches := uniqueSubmatches(tenantPat, dataStr)
+
+	// The HTTP client does not depend on the candidate, so pick it once.
+	client := s.client
+	if client == nil {
+		client = defaultClient
+	}
+
+	for match := range uniqueMatches {
+		for clientMatch := range uniqueClientMatches {
+			for tenantMatch := range uniqueTenantMatches {
+				s1 := detectors.Result{
+					DetectorType: detectorspb.DetectorType_AzureActiveDirectoryApplicationSecret,
+					Raw:          []byte(match),
+					RawV2:        []byte(match + clientMatch + tenantMatch),
+				}
+
+				if verify {
+					isVerified, extraData, verificationErr := verifyMatch(ctx, client, match, clientMatch, tenantMatch)
+					s1.Verified = isVerified
+					s1.ExtraData = extraData
+					s1.SetVerificationError(verificationErr, match)
+				}
+
+				// This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key.
+				if !s1.Verified && detectors.IsKnownFalsePositive(match, detectors.DefaultFalsePositives, true) {
+					continue
+				}
+
+				results = append(results, s1)
+			}
+		}
+	}
+
+	return results, nil
+}
+
+// uniqueSubmatches returns the set of distinct first capture groups that pat
+// matches in s.
+func uniqueSubmatches(pat *regexp.Regexp, s string) map[string]struct{} {
+	unique := make(map[string]struct{})
+	for _, m := range pat.FindAllStringSubmatch(s, -1) {
+		unique[m[1]] = struct{}{}
+	}
+	return unique
+}
+
+// verifyMatch requests a client-credentials token from the Microsoft identity
+// platform token endpoint of tenantId, using clientId and token as the client
+// secret.
+//
+// It returns true for a 2xx response and false with a nil error for a 401
+// response. Any other status, or a failure to build or send the request, is
+// returned as an error because the secret's validity could not be determined.
+// The map result is always nil.
+func verifyMatch(ctx context.Context, client *http.Client, token, clientId, tenantId string) (bool, map[string]string, error) {
+	data := url.Values{}
+	data.Set("client_id", clientId)
+	data.Set("grant_type", "client_credentials")
+	data.Set("scope", "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default")
+	data.Set("client_secret", token)
+	encodedData := data.Encode()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://login.microsoftonline.com/"+tenantId+"/oauth2/v2.0/token", strings.NewReader(encodedData))
+	if err != nil {
+		// Report the failure instead of presenting the secret as determinately invalid.
+		return false, nil, fmt.Errorf("building token request: %w", err)
+	}
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	// Reuse the already-encoded form body rather than encoding it a second time.
+	req.Header.Add("Content-Length", strconv.Itoa(len(encodedData)))
+
+	res, err := client.Do(req)
+	if err != nil {
+		return false, nil, err
+	}
+	defer func() {
+		// Drain and close the body; failures here do not affect the result.
+		_, _ = io.Copy(io.Discard, res.Body)
+		_ = res.Body.Close()
+	}()
+
+	switch {
+	case res.StatusCode >= 200 && res.StatusCode < 300:
+		// If the endpoint returns useful information, we can return it as a map.
+		return true, nil, nil
+	case res.StatusCode == http.StatusUnauthorized:
+		// The secret is determinately not verified (nothing to do)
+		return false, nil, nil
+	default:
+		return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
+	}
+}
+
+// Type returns the detector type handled by this Scanner.
+func (s Scanner) Type() detectorspb.DetectorType {
+	return detectorspb.DetectorType_AzureActiveDirectoryApplicationSecret
+}
diff --git a/pkg/detectors/azureactivedirectoryapplicationsecret/azureactivedirectoryapplicationsecret_test.go b/pkg/detectors/azureactivedirectoryapplicationsecret/azureactivedirectoryapplicationsecret_test.go
new file mode 100644
index 000000000..d5ff1b294
--- /dev/null
+++ b/pkg/detectors/azureactivedirectoryapplicationsecret/azureactivedirectoryapplicationsecret_test.go
@@ -0,0 +1,170 @@
+//go:build detectors
+// +build detectors
+
+package azureactivedirectoryapplicationsecret
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+func TestAzureActiveDirectoryApplicationSecret_FromChunk(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+	secret := testSecrets.MustGetField("AZURE_ACTIVE_DIRECTORY_APPLICATION_SECRET")
+	inactiveSecret := testSecrets.MustGetField("AZURE_ACTIVE_DIRECTORY_APPLICATION_SECRET_INACTIVE")
+	tenantId := testSecrets.MustGetField("AZURE_ACTIVE_DIRECTORY_APPLICATION_TENANT_ID")
+	clientId := testSecrets.MustGetField("AZURE_ACTIVE_DIRECTORY_APPLICATION_CLIENT_ID")
+
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+	tests := []struct {
+		name                string
+		s                   Scanner
+		args                args
+		want                []detectors.Result
+		wantErr             bool
+		wantVerificationErr bool
+	}{
+		{
+			name: "found, verified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s azure client %s azure tenant %s within", secret, clientId, tenantId)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureActiveDirectoryApplicationSecret,
+					Verified:     true,
+					RawV2:        []byte(secret + clientId + tenantId),
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "found, unverified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s azure client %s azure tenant %s within but not valid", inactiveSecret, clientId, tenantId)), // the secret would satisfy the regex but not pass validation
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureActiveDirectoryApplicationSecret,
+					Verified:     false,
+					RawV2:        []byte(inactiveSecret + clientId + tenantId),
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "not found",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte("You cannot find the secret within"),
+				verify: true,
+			},
+			want:                nil,
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "found, would be verified if not for timeout",
+			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s azure client %s azure tenant %s within", secret, clientId, tenantId)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureActiveDirectoryApplicationSecret,
+					Verified:     false,
+					RawV2:        []byte(secret + clientId + tenantId),
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true,
+		},
+		{
+			name: "found, verified but unexpected api surface",
+			s:    Scanner{client: common.ConstantResponseHttpClient(404, "")},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s azure client %s azure tenant %s within", secret, clientId, tenantId)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureActiveDirectoryApplicationSecret,
+					Verified:     false,
+					RawV2:        []byte(secret + clientId + tenantId),
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("AzureActiveDirectoryApplicationSecret.FromData() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			for i := range got {
+				if len(got[i].Raw) == 0 {
+					t.Fatalf("no raw secret present: \n %+v", got[i])
+				}
+				if len(got[i].RawV2) == 0 {
+					t.Fatalf("no rawV2 secret present: \n %+v", got[i])
+				}
+				if (got[i].VerificationError() != nil) != tt.wantVerificationErr {
+					t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError())
+				}
+			}
+			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError")
+			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
+				t.Errorf("AzureActiveDirectoryApplicationSecret.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
+			}
+		})
+	}
+}
+
+func BenchmarkFromData(benchmark *testing.B) {
+	ctx := context.Background()
+	s := Scanner{}
+	for name, data := range detectors.MustGetBenchmarkData() {
+		benchmark.Run(name, func(b *testing.B) {
+			b.ResetTimer()
+			for n := 0; n < b.N; n++ {
+				_, err := s.FromData(ctx, false, data)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}