add plugin to look for AWS key IDs (#100)

Author: calvinli

detect_secrets/core/usage.py

@@ -244,6 +244,11 @@ class PluginOptions(object):
             disable_flag_text='--no-keyword-scan',
             disable_help_text='Disables scanning for secret keywords.',
         ),
+        PluginDescriptor(
+            classname='AWSKeyDetector',
+            disable_flag_text='--no-aws-key-scan',
+            disable_help_text='Disables scanning for AWS keys.',
+        ),
     ]
 
     def __init__(self, parser):

detect_secrets/plugins/aws.py

@@ -0,0 +1,15 @@
+"""
+This plugin searches for AWS key IDs
+"""
+from __future__ import absolute_import
+
+import re
+
+from .base import RegexBasedDetector
+
+
+class AWSKeyDetector(RegexBasedDetector):
+    secret_type = 'AWS key'
+    blacklist = (
+        re.compile(r'AKIA[0-9A-Z]{16}'),
+    )

detect_secrets/plugins/base.py

@@ -1,6 +1,8 @@
 from abc import ABCMeta
 from abc import abstractmethod
+from abc import abstractproperty
 
+from detect_secrets.core.potential_secret import PotentialSecret
 from detect_secrets.plugins.core.constants import WHITELIST_REGEX
 
 
@@ -83,3 +85,46 @@ def __dict__(self):
         return {
             'name': self.__class__.__name__,
         }
+
+
+class RegexBasedDetector(BasePlugin):
+    """Base class for regular-expressed based detectors.
+
+    To create a new regex-based detector, subclass this and set
+    `secret_type` with a description and `blacklist`
+    with a sequence of regular expressions, like:
+
+    class FooDetector(RegexBasedDetector):
+        secret_type = "foo"
+        blacklist = (
+            re.compile(r'foo'),
+        )
+    """
+    __metaclass__ = ABCMeta
+
+    @abstractproperty
+    def secret_type(self):
+        return NotImplementedError
+
+    @abstractproperty
+    def blacklist(self):
+        return NotImplementedError
+
+    def analyze_string(self, string, line_num, filename):
+        output = {}
+
+        for identifier in self.secret_generator(string):
+            secret = PotentialSecret(
+                self.secret_type,
+                filename,
+                identifier,
+                line_num,
+            )
+            output[secret] = secret
+
+        return output
+
+    def secret_generator(self, string):
+        for regex in self.blacklist:
+            if regex.search(string):
+                yield regex.pattern

detect_secrets/plugins/core/initialize.py

@@ -4,6 +4,7 @@
 except ImportError:
     from functools32 import lru_cache
 
+from ..aws import AWSKeyDetector                            # noqa: F401
 from ..base import BasePlugin
 from ..basic_auth import BasicAuthDetector                  # noqa: F401
 from ..high_entropy_strings import Base64HighEntropyString  # noqa: F401

tests/core/usage_test.py

@@ -33,6 +33,7 @@ def test_consolidates_output_basic(self):
                 'base64_limit': 4.5,
             },
             'PrivateKeyDetector': {},
+            'AWSKeyDetector': {},
         }
         assert not hasattr(args, 'no_private_key_scan')
 

tests/main_test.py

@@ -87,6 +87,7 @@ def test_scan_string_basic(self, mock_baseline_initialize):
         ) as printer_shim:
             assert main('scan --string'.split()) == 0
             assert printer_shim.message == textwrap.dedent("""
+                AWSKeyDetector         : False
                 Base64HighEntropyString: False (3.459)
                 BasicAuthDetector      : False
                 HexHighEntropyString   : True  (3.459)
@@ -103,6 +104,7 @@ def test_scan_string_cli_overrides_stdin(self):
         ) as printer_shim:
             assert main('scan --string 012345'.split()) == 0
             assert printer_shim.message == textwrap.dedent("""
+                AWSKeyDetector         : False
                 Base64HighEntropyString: False (2.585)
                 BasicAuthDetector      : False
                 HexHighEntropyString   : False (2.121)

tests/plugins/aws_key_test.py

@@ -0,0 +1,36 @@
+from __future__ import absolute_import
+from __future__ import unicode_literals
+
+import pytest
+
+from detect_secrets.plugins.aws import AWSKeyDetector
+from testing.mocks import mock_file_object
+
+
+class TestAWSKeyDetector(object):
+
+    @pytest.mark.parametrize(
+        'file_content,should_flag',
+        [
+            (
+                'AKIAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'akiazzzzzzzzzzzzzzzz',
+                False,
+            ),
+            (
+                'AKIAZZZ',
+                False,
+            ),
+        ],
+    )
+    def test_analyze(self, file_content, should_flag):
+        logic = AWSKeyDetector()
+
+        f = mock_file_object(file_content)
+        output = logic.analyze(f, 'mock_filename')
+        assert len(output) == (1 if should_flag else 0)
+        for potential_secret in output:
+            assert 'mock_filename' == potential_secret.filename

tests/pre_commit_hook_test.py

@@ -131,6 +131,9 @@ def test_that_baseline_gets_updated(
             # See that we updated the plugins and version
             assert current_version == baseline_written['version']
             assert baseline_written['plugins_used'] == [
+                {
+                    'name': 'AWSKeyDetector',
+                },
                 {
                     'base64_limit': 4.5,
                     'name': 'Base64HighEntropyString',