SoftLayerDetector (Yelp#169)

justineyster · justineyster · commit d700108806e1 · 2020-06-24T10:41:28.000-04:00
* SoftLayerDetector

Detects Softlayer API Keys

Supports git-defenders/detect-secrets-discuss#120

* Lines were too long

* Address PR comments 1

* Address PR comments 2
diff --git a/detect_secrets/plugins/softlayer.py b/detect_secrets/plugins/softlayer.py
@@ -1,79 +1,39 @@
 import re
 
-import requests
-
 from .base import RegexBasedDetector
-from detect_secrets.core.constants import VerifiedResult
 
 
-class SoftlayerDetector(RegexBasedDetector):
-    """Scans for Softlayer credentials."""
+class SoftLayerDetector(RegexBasedDetector):
 
     secret_type = 'SoftLayer Credentials'
 
     # opt means optional
-    sl = r'(?:softlayer|sl)(?:_|-|)(?:api|)'
-    key_or_pass = r'(?:key|pwd|password|pass|token)'
+    opt_quote = r'(?:"|)'
+    opt_dashes = r'(?:--|)'
+    sl = r'(?:softlayer|sl)'
+    opt_dash_undrscr = r'(?:_|-|)'
+    opt_api = r'(?:api|)'
+    key = r'key'
+    opt_space = r'(?: |)'
+    opt_equals = r'(?:=|:|:=|)'
     secret = r'([a-z0-9]{64})'
     denylist = [
-        RegexBasedDetector.assign_regex_generator(
-            prefix_regex=sl,
-            secret_keyword_regex=key_or_pass,
-            secret_regex=secret,
+        re.compile(
+            r'{opt_quote}{opt_dashes}{sl}{opt_dash_undrscr}{opt_api}{opt_dash_undrscr}{key}'
+            '{opt_quote}{opt_space}{opt_equals}{opt_space}{opt_quote}{secret}{opt_quote}'.format(
+                opt_quote=opt_quote,
+                opt_dashes=opt_dashes,
+                sl=sl,
+                opt_dash_undrscr=opt_dash_undrscr,
+                opt_api=opt_api,
+                key=key,
+                opt_space=opt_space,
+                opt_equals=opt_equals,
+                secret=secret,
+            ), flags=re.IGNORECASE,
         ),
-
         re.compile(
             r'(?:http|https)://api.softlayer.com/soap/(?:v3|v3.1)/([a-z0-9]{64})',
             flags=re.IGNORECASE,
         ),
     ]
-
-    def verify(self, token, content):
-        usernames = find_username(content)
-        if not usernames:
-            return VerifiedResult.UNVERIFIED
-
-        for username in usernames:
-            return verify_softlayer_key(username, token)
-
-        return VerifiedResult.VERIFIED_FALSE
-
-
-def find_username(content):
-    # opt means optional
-    username_keyword = (
-        r'(?:'
-        r'username|id|user|userid|user-id|user-name|'
-        r'name|user_id|user_name|uname'
-        r')'
-    )
-    username = r'(\w(?:\w|_|@|\.|-)+)'
-    regex = re.compile(
-        RegexBasedDetector.assign_regex_generator(
-            prefix_regex=SoftlayerDetector.sl,
-            secret_keyword_regex=username_keyword,
-            secret_regex=username,
-        ),
-    )
-
-    return [
-        match
-        for line in content.splitlines()
-        for match in regex.findall(line)
-    ]
-
-
-def verify_softlayer_key(username, token):
-    headers = {'Content-type': 'application/json'}
-    try:
-        response = requests.get(
-            'https://api.softlayer.com/rest/v3/SoftLayer_Account.json',
-            auth=(username, token), headers=headers,
-        )
-    except requests.exceptions.RequestException:
-        return VerifiedResult.UNVERIFIED
-
-    if response.status_code == 200:
-        return VerifiedResult.VERIFIED_TRUE
-    else:
-        return VerifiedResult.VERIFIED_FALSE
diff --git a/tests/plugins/softlayer_test.py b/tests/plugins/softlayer_test.py
@@ -1,72 +1,65 @@
-import textwrap
+from __future__ import absolute_import
 
 import pytest
-import responses
 
-from detect_secrets.core.constants import VerifiedResult
-from detect_secrets.plugins.softlayer import find_username
-from detect_secrets.plugins.softlayer import SoftlayerDetector
+from detect_secrets.plugins.softlayer import SoftLayerDetector
 
-SL_USERNAME = 'test@testy.test'
-SL_TOKEN = 'abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234'
 
+class TestSoftLayerDetector(object):
 
-class TestSoftlayerDetector:
+    sl_token = 'abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234'
 
     @pytest.mark.parametrize(
         'payload, should_flag',
         [
-            ('--softlayer-api-key "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('--softlayer-api-key="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('--softlayer-api-key {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('--softlayer-api-key={sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('http://api.softlayer.com/soap/v3/{sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('http://api.softlayer.com/soap/v3.1/{sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_api_key: {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer-key : {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('SOFTLAYER-API-KEY : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"softlayer_api_key" : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('softlayer-api-key: "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"softlayer_api_key": "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('SOFTLAYER_API_KEY:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('softlayer-key:{sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_key:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"softlayer_api_key":"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('softlayerapikey= {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_api_key= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('SOFTLAYERAPIKEY={sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_api_key="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key: {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('SLAPIKEY : {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('sl_apikey : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"sl_api_key" : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl-key: "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"sl_api_key": "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key:{sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('sl-api-key:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"sl_api_key":"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_key= {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl-api-key={sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('slapi_key="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('slapikey:= {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_api_key := {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key := "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"softlayer_key" := "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key: "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"softlayer_api_key":= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl-api-key:="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_api_key:={sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('slapikey:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('"softlayer_api_key":="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl-api-key:= {sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_key:= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_api_key={sl_token}'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_api_key:="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('softlayer_password = "{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('sl_pass="{sl_token}"'.format(sl_token=SL_TOKEN), True),
-            ('softlayer-pwd = {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('--softlayer-api-key "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('--softlayer-api-key="{sl_token}"'.format(sl_token=sl_token), True,),
+            ('--softlayer-api-key {sl_token}'.format(sl_token=sl_token), True,),
+            ('--softlayer-api-key={sl_token}'.format(sl_token=sl_token), True,),
+            ('http://api.softlayer.com/soap/v3/{sl_token}'.format(sl_token=sl_token), True,),
+            ('http://api.softlayer.com/soap/v3.1/{sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer_api_key: {sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer-key : {sl_token}'.format(sl_token=sl_token), True,),
+            ('SOFTLAYER-API-KEY : "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"softlayer_api_key" : "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('softlayer-api-key: "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"softlayer_api_key": "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('SOFTLAYER_API_KEY:"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('softlayer-key:{sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer_key:"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"softlayer_api_key":"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('softlayerapikey= {sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer_api_key= "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('SOFTLAYERAPIKEY={sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer_api_key="{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl_api_key: {sl_token}'.format(sl_token=sl_token), True,),
+            ('SLAPIKEY : {sl_token}'.format(sl_token=sl_token), True,),
+            ('sl_apikey : "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"sl_api_key" : "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl-key: "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"sl_api_key": "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl_api_key:"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl_api_key:{sl_token}'.format(sl_token=sl_token), True,),
+            ('sl-api-key:"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"sl_api_key":"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl_key= {sl_token}'.format(sl_token=sl_token), True,),
+            ('sl_api_key= "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl-api-key={sl_token}'.format(sl_token=sl_token), True,),
+            ('slapi_key="{sl_token}"'.format(sl_token=sl_token), True,),
+            ('slapikey:= {sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer_api_key := {sl_token}'.format(sl_token=sl_token), True,),
+            ('sl_api_key := "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"softlayer_key" := "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl_api_key: "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"softlayer_api_key":= "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl-api-key:="{sl_token}"'.format(sl_token=sl_token), True,),
+            ('softlayer_api_key:={sl_token}'.format(sl_token=sl_token), True,),
+            ('slapikey:"{sl_token}"'.format(sl_token=sl_token), True,),
+            ('"softlayer_api_key":="{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl-api-key:= {sl_token}'.format(sl_token=sl_token), True,),
+            ('softlayer_key:= "{sl_token}"'.format(sl_token=sl_token), True,),
+            ('sl_api_key={sl_token}'.format(sl_token=sl_token), True),
+            ('softlayer_api_key:="{sl_token}"'.format(sl_token=sl_token), True),
             ('softlayer_api_key="%s" % SL_API_KEY_ENV', False),
             ('sl_api_key: "%s" % <softlayer_api_key>', False),
             ('SOFTLAYER_APIKEY: "insert_key_here"', False),
@@ -75,91 +68,8 @@ class TestSoftlayerDetector:
             ('fake-softlayer-key= "not_long_enough"', False),
         ],
     )
-    def test_analyze_line(self, payload, should_flag):
-        logic = SoftlayerDetector()
+    def test_analyze_string(self, payload, should_flag):
+        logic = SoftLayerDetector()
 
-        output = logic.analyze_line(payload, 1, 'mock_filename')
+        output = logic.analyze_string(payload, 1, 'mock_filename')
         assert len(output) == (1 if should_flag else 0)
-
-    @responses.activate
-    def test_verify_invalid_secret(self):
-        responses.add(
-            responses.GET, 'https://api.softlayer.com/rest/v3/SoftLayer_Account.json',
-            json={'error': 'Access denied. '}, status=401,
-        )
-
-        assert SoftlayerDetector().verify(
-            SL_TOKEN,
-            'softlayer_username={}'.format(SL_USERNAME),
-        ) == VerifiedResult.VERIFIED_FALSE
-
-    @responses.activate
-    def test_verify_valid_secret(self):
-        responses.add(
-            responses.GET, 'https://api.softlayer.com/rest/v3/SoftLayer_Account.json',
-            json={'id': 1}, status=200,
-        )
-        assert SoftlayerDetector().verify(
-            SL_TOKEN,
-            'softlayer_username={}'.format(SL_USERNAME),
-        ) == VerifiedResult.VERIFIED_TRUE
-
-    @responses.activate
-    def test_verify_unverified_secret(self):
-        assert SoftlayerDetector().verify(
-            SL_TOKEN,
-            'softlayer_username={}'.format(SL_USERNAME),
-        ) == VerifiedResult.UNVERIFIED
-
-    def test_verify_no_secret(self):
-        assert SoftlayerDetector().verify(
-            SL_TOKEN,
-            'no_un={}'.format(SL_USERNAME),
-        ) == VerifiedResult.UNVERIFIED
-
-    @pytest.mark.parametrize(
-        'content, expected_output',
-        (
-            (
-                textwrap.dedent("""
-                    --softlayer-username = {}
-                """)[1:-1].format(
-                    SL_USERNAME,
-                ),
-                [SL_USERNAME],
-            ),
-
-            # With quotes
-            (
-                textwrap.dedent("""
-                    sl_user_id = "{}"
-                """)[1:-1].format(
-                    SL_USERNAME,
-                ),
-                [SL_USERNAME],
-            ),
-
-            # multiple candidates
-            (
-                textwrap.dedent("""
-                    softlayer_id = '{}'
-                    sl-user = '{}'
-                    SOFTLAYER_USERID = '{}'
-                    softlayer-uname: {}
-                """)[1:-1].format(
-                    SL_USERNAME,
-                    'test2@testy.test',
-                    'test3@testy.testy',
-                    'notanemail',
-                ),
-                [
-                    SL_USERNAME,
-                    'test2@testy.test',
-                    'test3@testy.testy',
-                    'notanemail',
-                ],
-            ),
-        ),
-    )
-    def test_find_username(self, content, expected_output):
-        assert find_username(content) == expected_output
