Yelp · KevinHock · Oct 24, 2019 · Aug 12, 2019 · Aug 12, 2019 · Aug 13, 2019
diff --git a/README.md b/README.md
@@ -164,6 +164,8 @@ The current heuristic searches we implement out of the box include:
 
 * **JwtTokenDetector**: checks for formally correct JWTs.
 
+* **SoftlayerDetector**: checks for Softlayer tokens.
+
 See [detect_secrets/
 plugins](https://github.com/Yelp/detect-secrets/tree/master/detect_secrets/plugins)
 for more details.

diff --git a/detect_secrets/plugins/base.py b/detect_secrets/plugins/base.py
@@ -260,6 +260,39 @@ class FooDetector(RegexBasedDetector):
     def denylist(self):
         raise NotImplementedError
 
+    @staticmethod
+    def assign_regex_generator(prefix_regex, secret_keyword_regex, secret_regex):
+        """Generate assignment regex
+        It reads 3 input parameters, each stands for regex. The return regex would look for
+        secret in following format.
+        <prefix_regex>(-|_|)<secret_keyword_regex> <assignment> <secret_regex>
+        assignment would include =,:,:=,::
+        keyname and value supports optional quotes
+        """
+        begin = r'(?:(?<=\W)|(?<=^))'
+        opt_quote = r'(?:"|\'|)'
+        opt_open_square_bracket = r'(?:\[|)'
+        opt_close_square_bracket = r'(?:\]|)'
+        opt_dash_undrscr = r'(?:_|-|)'
+        opt_space = r'(?: *)'
+        assignment = r'(?:=|:|:=|=>| +|::)'
+        return re.compile(
+            r'{begin}{opt_open_square_bracket}{opt_quote}{prefix_regex}{opt_dash_undrscr}'
+            '{secret_keyword_regex}{opt_quote}{opt_close_square_bracket}{opt_space}'
+            '{assignment}{opt_space}{opt_quote}{secret_regex}{opt_quote}'.format(
+                begin=begin,
+                opt_open_square_bracket=opt_open_square_bracket,
+                opt_quote=opt_quote,
+                prefix_regex=prefix_regex,
+                opt_dash_undrscr=opt_dash_undrscr,
+                secret_keyword_regex=secret_keyword_regex,
+                opt_close_square_bracket=opt_close_square_bracket,
+                opt_space=opt_space,
+                assignment=assignment,
+                secret_regex=secret_regex,
+            ), flags=re.IGNORECASE,
+        )
+
     def analyze_string_content(self, string, line_num, filename):
         output = {}
 

diff --git a/detect_secrets/plugins/softlayer.py b/detect_secrets/plugins/softlayer.py
@@ -0,0 +1,81 @@
+from __future__ import absolute_import
+
+import re
+
+import requests
+
+from .base import RegexBasedDetector
+from detect_secrets.core.constants import VerifiedResult
+
+
+class SoftlayerDetector(RegexBasedDetector):
+    """Scans for Softlayer credentials."""
+
+    secret_type = 'SoftLayer Credentials'
+
+    # opt means optional
+    sl = r'(?:softlayer|sl)(?:_|-|)(?:api|)'
+    key_or_pass = r'(?:key|pwd|password|pass|token)'
+    secret = r'([a-z0-9]{64})'
+    denylist = [
+        RegexBasedDetector.assign_regex_generator(
+            prefix_regex=sl,
+            secret_keyword_regex=key_or_pass,
+            secret_regex=secret,
+        ),
+
+        re.compile(
+            r'(?:http|https)://api.softlayer.com/soap/(?:v3|v3.1)/([a-z0-9]{64})',
+            flags=re.IGNORECASE,
+        ),
+    ]
+
+    def verify(self, token, content):
+        usernames = find_username(content)
+        if not usernames:
+            return VerifiedResult.UNVERIFIED
+
+        for username in usernames:
+            return verify_softlayer_key(username, token)
+
+        return VerifiedResult.VERIFIED_FALSE
+
+
+def find_username(content):
+    # opt means optional
+    username_keyword = (
+        r'(?:'
+        r'username|id|user|userid|user-id|user-name|'
+        r'name|user_id|user_name|uname'
+        r')'
+    )
+    username = r'(\w(?:\w|_|@|\.|-)+)'
+    regex = re.compile(
+        RegexBasedDetector.assign_regex_generator(
+            prefix_regex=SoftlayerDetector.sl,
+            secret_keyword_regex=username_keyword,
+            secret_regex=username,
+        ),
+    )
+
+    return [
+        match
+        for line in content.splitlines()
+        for match in regex.findall(line)
+    ]
+
+
+def verify_softlayer_key(username, token):
+    headers = {'Content-type': 'application/json'}
+    try:
+        response = requests.get(
+            'https://api.softlayer.com/rest/v3/SoftLayer_Account.json',
+            auth=(username, token), headers=headers,
+        )
+    except requests.exceptions.RequestException:
+        return VerifiedResult.UNVERIFIED
+
+    if response.status_code == 200:
+        return VerifiedResult.VERIFIED_TRUE
+    else:
+        return VerifiedResult.VERIFIED_FALSE
diff --git a/detect_secrets/util.py b/detect_secrets/util.py
@@ -29,7 +29,7 @@ def build_automaton(word_list):
     word_list_hash = hashlib.sha1()
 
     with open(word_list) as f:
-        for line in f:
+        for line in f.readlines():
             # .lower() to make everything case-insensitive
             line = line.lower().strip()
             if len(line) > 3:

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -6,6 +6,7 @@ pre-commit==1.11.2
 pyahocorasick
 pytest
 pyyaml
-tox>=3.8
+responses
 tox-pip-extensions
+tox>=3.8
 unidiff
diff --git a/tests/plugins/softlayer_test.py b/tests/plugins/softlayer_test.py
@@ -0,0 +1,167 @@
+from __future__ import absolute_import
+
+import textwrap
+
+import pytest
+import responses
+
+from detect_secrets.core.constants import VerifiedResult
+from detect_secrets.plugins.softlayer import find_username
+from detect_secrets.plugins.softlayer import SoftlayerDetector
+
+SL_USERNAME = '[email protected]'
+SL_TOKEN = 'abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234'
+
+
+class TestSoftlayerDetector(object):
+
+    @pytest.mark.parametrize(
+        'payload, should_flag',
+        [
+            ('--softlayer-api-key "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('--softlayer-api-key="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('--softlayer-api-key {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('--softlayer-api-key={sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('http://api.softlayer.com/soap/v3/{sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('http://api.softlayer.com/soap/v3.1/{sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key: {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer-key : {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('SOFTLAYER-API-KEY : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"softlayer_api_key" : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('softlayer-api-key: "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"softlayer_api_key": "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('SOFTLAYER_API_KEY:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('softlayer-key:{sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_key:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"softlayer_api_key":"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('softlayerapikey= {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('SOFTLAYERAPIKEY={sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key: {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('SLAPIKEY : {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('sl_apikey : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"sl_api_key" : "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl-key: "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"sl_api_key": "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key:{sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('sl-api-key:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"sl_api_key":"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_key= {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl-api-key={sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('slapi_key="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('slapikey:= {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key := {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key := "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"softlayer_key" := "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key: "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"softlayer_api_key":= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl-api-key:="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key:={sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('slapikey:"{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('"softlayer_api_key":="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl-api-key:= {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_key:= "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_api_key={sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key:="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_password = "{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('sl_pass="{sl_token}"'.format(sl_token=SL_TOKEN), True),
+            ('softlayer-pwd = {sl_token}'.format(sl_token=SL_TOKEN), True),
+            ('softlayer_api_key="%s" % SL_API_KEY_ENV', False),
+            ('sl_api_key: "%s" % <softlayer_api_key>', False),
+            ('SOFTLAYER_APIKEY: "insert_key_here"', False),
+            ('sl-apikey: "insert_key_here"', False),
+            ('softlayer-key:=afakekey', False),
+            ('fake-softlayer-key= "not_long_enough"', False),
+        ],
+    )
+    def test_analyze_string(self, payload, should_flag):
+        logic = SoftlayerDetector()
+
+        output = logic.analyze_string(payload, 1, 'mock_filename')
+        assert len(output) == (1 if should_flag else 0)
+
+    @responses.activate
+    def test_verify_invalid_secret(self):
+        responses.add(
+            responses.GET, 'https://api.softlayer.com/rest/v3/SoftLayer_Account.json',
+            json={'error': 'Access denied. '}, status=401,
+        )
+
+        assert SoftlayerDetector().verify(
+            SL_TOKEN,
+            'softlayer_username={}'.format(SL_USERNAME),
+        ) == VerifiedResult.VERIFIED_FALSE
+
+    @responses.activate
+    def test_verify_valid_secret(self):
+        responses.add(
+            responses.GET, 'https://api.softlayer.com/rest/v3/SoftLayer_Account.json',
+            json={'id': 1}, status=200,
+        )
+        assert SoftlayerDetector().verify(
+            SL_TOKEN,
+            'softlayer_username={}'.format(SL_USERNAME),
+        ) == VerifiedResult.VERIFIED_TRUE
+
+    @responses.activate
+    def test_verify_unverified_secret(self):
+        assert SoftlayerDetector().verify(
+            SL_TOKEN,
+            'softlayer_username={}'.format(SL_USERNAME),
+        ) == VerifiedResult.UNVERIFIED
+
+    def test_verify_no_secret(self):
+        assert SoftlayerDetector().verify(
+            SL_TOKEN,
+            'no_un={}'.format(SL_USERNAME),
+        ) == VerifiedResult.UNVERIFIED
+
+    @pytest.mark.parametrize(
+        'content, expected_output',
+        (
+            (
+                textwrap.dedent("""
+                    --softlayer-username = {}
+                """)[1:-1].format(
+                    SL_USERNAME,
+                ),
+                [SL_USERNAME],
+            ),
+
+            # With quotes
+            (
+                textwrap.dedent("""
+                    sl_user_id = "{}"
+                """)[1:-1].format(
+                    SL_USERNAME,
+                ),
+                [SL_USERNAME],
+            ),
+
+            # multiple candidates
+            (
+                textwrap.dedent("""
+                    softlayer_id = '{}'
+                    sl-user = '{}'
+                    SOFTLAYER_USERID = '{}'
+                    softlayer-uname: {}
+                """)[1:-1].format(
+                    SL_USERNAME,
+                    '[email protected]',
+                    '[email protected]',
+                    'notanemail',
+                ),
+                [
+                    SL_USERNAME,
+                    '[email protected]',
+                    '[email protected]',
+                    'notanemail',
+                ],
+            ),
+        ),
+    )
+    def test_find_username(self, content, expected_output):
+        assert find_username(content) == expected_output