feat: enhance cloudant (Yelp#219)

XIANJUN ZHU · justineyster · commit 4ab60098f7eb · 2020-06-24T10:54:57.000-04:00
* feat: enhance cloudant

* address comment

* fix broken buid
diff --git a/detect_secrets/plugins/cloudant.py b/detect_secrets/plugins/cloudant.py
@@ -11,17 +11,11 @@ class CloudantDetector(RegexBasedDetector):
     secret_type = 'Cloudant Credentials'
 
     # opt means optional
-    opt_quote = r'(?:"|\'|)'
-    opt_dashes = r'(?:--|)'
-    opt_dot = r'(?:\.|)'
     dot = r'\.'
-    cl_account = r'[0-9a-z\-\_]+'
+    cl_account = r'[\w\-]+'
     cl = r'(?:cloudant|cl|clou)'
-    opt_dash_undrscr = r'(?:_|-|)'
     opt_api = r'(?:api|)'
     cl_key_or_pass = opt_api + r'(?:key|pwd|pw|password|pass|token)'
-    opt_space = r'(?: |)'
-    assignment = r'(?:=|:|:=|=>)'
     cl_pw = r'([0-9a-f]{64})'
     cl_api_key = r'([a-z]{24})'
     colon = r'\:'
@@ -67,7 +61,7 @@ class CloudantDetector(RegexBasedDetector):
 
     def verify(self, token, content, potential_secret=None):
 
-        hosts = find_host(content)
+        hosts = find_account(content)
         if not hosts:
             return VerifiedResult.UNVERIFIED
 
@@ -77,20 +71,35 @@ def verify(self, token, content, potential_secret=None):
         return VerifiedResult.VERIFIED_FALSE
 
 
-def find_host(content):
+def find_account(content):
     opt_hostname_keyword = r'(?:hostname|host|username|id|user|userid|user-id|user-name|' \
-        'name|user_id|user_name|uname)'
-    hostname = r'(\w(?:\w|_|-)+)'
+        'name|user_id|user_name|uname|account)'
+    account = r'(\w[\w\-]*)'
+    opt_basic_auth = r'(?:[\w\-:%]*\@)?'
 
-    regex = RegexBasedDetector.assign_regex_generator(
-        prefix_regex=CloudantDetector.cl,
-        password_keyword_regex=opt_hostname_keyword,
-        password_regex=hostname,
+    regexes = (
+        RegexBasedDetector.assign_regex_generator(
+            prefix_regex=CloudantDetector.cl,
+            password_keyword_regex=opt_hostname_keyword,
+            password_regex=account,
+        ),
+        re.compile(
+            r'{http}{opt_basic_auth}{cl_account}{dot}{cloudant_api_url}'.format(
+                http=CloudantDetector.http,
+                opt_basic_auth=opt_basic_auth,
+                cl_account=account,
+                cl_api_key=CloudantDetector.cl_api_key,
+                dot=CloudantDetector.dot,
+                cloudant_api_url=CloudantDetector.cloudant_api_url,
+            ),
+            flags=re.IGNORECASE,
+        ),
     )
 
     return [
         match
         for line in content.splitlines()
+        for regex in regexes
         for match in regex.findall(line)
     ]
 
diff --git a/tests/plugins/cloudant_test.py b/tests/plugins/cloudant_test.py
@@ -6,9 +6,9 @@
 from detect_secrets.core.constants import VerifiedResult
 from detect_secrets.core.potential_secret import PotentialSecret
 from detect_secrets.plugins.cloudant import CloudantDetector
-from detect_secrets.plugins.cloudant import find_host
+from detect_secrets.plugins.cloudant import find_account
 
-CL_HOST = 'testy_test'  # also called user
+CL_ACCOUNT = 'testy_-test'  # also called user
 # only detecting 64 hex CL generated password
 CL_PW = 'abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234'
 
@@ -22,33 +22,33 @@ class TestCloudantDetector:
         'payload, should_flag',
         [
             (
-                'https://{cl_host}:{cl_pw}@{cl_host}.cloudant.com"'.format(
-                    cl_host=CL_HOST, cl_pw=CL_PW,
+                'https://{cl_account}:{cl_pw}@{cl_account}.cloudant.com"'.format(
+                    cl_account=CL_ACCOUNT, cl_pw=CL_PW,
                 ), True,
             ),
             (
-                'https://{cl_host}:{cl_pw}@{cl_host}.cloudant.com/_api/v2/'.format(
-                    cl_host=CL_HOST, cl_pw=CL_PW,
+                'https://{cl_account}:{cl_pw}@{cl_account}.cloudant.com/_api/v2/'.format(
+                    cl_account=CL_ACCOUNT, cl_pw=CL_PW,
                 ), True,
             ),
             (
-                'https://{cl_host}:{cl_pw}@{cl_host}.cloudant.com/_api/v2/'.format(
-                    cl_host=CL_HOST, cl_pw=CL_PW,
+                'https://{cl_account}:{cl_pw}@{cl_account}.cloudant.com/_api/v2/'.format(
+                    cl_account=CL_ACCOUNT, cl_pw=CL_PW,
                 ), True,
             ),
             (
-                'https://{cl_host}:{cl_pw}@{cl_host}.cloudant.com'.format(
-                    cl_host=CL_HOST, cl_pw=CL_PW,
+                'https://{cl_account}:{cl_pw}@{cl_account}.cloudant.com'.format(
+                    cl_account=CL_ACCOUNT, cl_pw=CL_PW,
                 ), True,
             ),
             (
-                'https://{cl_host}:{cl_api_key}@{cl_host}.cloudant.com'.format(
-                    cl_host=CL_HOST, cl_api_key=CL_API_KEY,
+                'https://{cl_account}:{cl_api_key}@{cl_account}.cloudant.com'.format(
+                    cl_account=CL_ACCOUNT, cl_api_key=CL_API_KEY,
                 ), True,
             ),
             (
-                'https://{cl_host}:{cl_pw}.cloudant.com'.format(
-                    cl_host=CL_HOST, cl_pw=CL_PW,
+                'https://{cl_account}:{cl_pw}.cloudant.com'.format(
+                    cl_account=CL_ACCOUNT, cl_pw=CL_PW,
                 ), False,
             ),
             ('cloudant_password=\'{cl_pw}\''.format(cl_pw=CL_PW), True),
@@ -68,8 +68,8 @@ def test_analyze_string(self, payload, should_flag):
 
     @responses.activate
     def test_verify_invalid_secret(self):
-        cl_api_url = 'https://{cl_host}:{cl_pw}@{cl_host}.cloudant.com'.format(
-            cl_host=CL_HOST, cl_pw=CL_PW,
+        cl_api_url = 'https://{cl_account}:{cl_pw}@{cl_account}.cloudant.com'.format(
+            cl_account=CL_ACCOUNT, cl_pw=CL_PW,
         )
         responses.add(
             responses.GET, cl_api_url,
@@ -78,13 +78,13 @@ def test_verify_invalid_secret(self):
 
         assert CloudantDetector().verify(
             CL_PW,
-            'cloudant_host={}'.format(CL_HOST),
+            'cloudant_host={}'.format(CL_ACCOUNT),
         ) == VerifiedResult.VERIFIED_FALSE
 
     @responses.activate
     def test_verify_valid_secret(self):
-        cl_api_url = 'https://{cl_host}:{cl_pw}@{cl_host}.cloudant.com'.format(
-            cl_host=CL_HOST, cl_pw=CL_PW,
+        cl_api_url = 'https://{cl_account}:{cl_pw}@{cl_account}.cloudant.com'.format(
+            cl_account=CL_ACCOUNT, cl_pw=CL_PW,
         )
         responses.add(
             responses.GET, cl_api_url,
@@ -93,22 +93,22 @@ def test_verify_valid_secret(self):
         potential_secret = PotentialSecret('test cloudant', 'test filename', CL_PW)
         assert CloudantDetector().verify(
             CL_PW,
-            'cloudant_host={}'.format(CL_HOST),
+            'cloudant_host={}'.format(CL_ACCOUNT),
             potential_secret,
         ) == VerifiedResult.VERIFIED_TRUE
-        assert potential_secret.other_factors['hostname'] == CL_HOST
+        assert potential_secret.other_factors['hostname'] == CL_ACCOUNT
 
     @responses.activate
     def test_verify_unverified_secret(self):
         assert CloudantDetector().verify(
             CL_PW,
-            'cloudant_host={}'.format(CL_HOST),
+            'cloudant_host={}'.format(CL_ACCOUNT),
         ) == VerifiedResult.UNVERIFIED
 
     def test_verify_no_secret(self):
         assert CloudantDetector().verify(
             CL_PW,
-            'no_un={}'.format(CL_HOST),
+            'no_un={}'.format(CL_ACCOUNT),
         ) == VerifiedResult.UNVERIFIED
 
     @pytest.mark.parametrize(
@@ -118,19 +118,19 @@ def test_verify_no_secret(self):
                 textwrap.dedent("""
                     --cloudant-hostname = {}
                 """)[1:-1].format(
-                    CL_HOST,
+                    CL_ACCOUNT,
                 ),
-                [CL_HOST],
+                [CL_ACCOUNT],
             ),
 
             # With quotes
             (
                 textwrap.dedent("""
-                    cl_host = "{}"
+                    cl_account = "{}"
                 """)[1:-1].format(
-                    CL_HOST,
+                    CL_ACCOUNT,
                 ),
-                [CL_HOST],
+                [CL_ACCOUNT],
             ),
 
             # multiple candidates
@@ -141,19 +141,33 @@ def test_verify_no_secret(self):
                     CLOUDANT_USERID = '{}'
                     cloudant-uname: {}
                 """)[1:-1].format(
-                    CL_HOST,
+                    CL_ACCOUNT,
                     'test2_testy_test',
                     'test3-testy-testy',
                     'notanemail',
                 ),
                 [
-                    CL_HOST,
+                    CL_ACCOUNT,
                     'test2_testy_test',
                     'test3-testy-testy',
                     'notanemail',
                 ],
             ),
+
+            # In URL
+            (
+                'https://{cl_account}:{cl_api_key}@{cl_account}.cloudant.com'.format(
+                    cl_account=CL_ACCOUNT, cl_api_key=CL_API_KEY,
+                ),
+                [CL_ACCOUNT],
+            ),
+            (
+                'https://{cl_account}.cloudant.com'.format(
+                    cl_account=CL_ACCOUNT,
+                ),
+                [CL_ACCOUNT],
+            ),
         ),
     )
-    def test_find_host(self, content, expected_output):
-        assert find_host(content) == expected_output
+    def test_find_account(self, content, expected_output):
+        assert find_account(content) == expected_output
