Verification for Artifactory tokens (Yelp#190)
* Verification for Artifactory tokens

Supports git-defenders/detect-secrets-discuss#173

* Remove 443

* Extract artifactory url

* Address @xianjun comments
justineyster committed Jan 8, 2020
1 parent 47478f7 commit dc723ab
Showing 2 changed files with 84 additions and 0 deletions.
23 changes: 23 additions & 0 deletions detect_secrets/plugins/artifactory.py
Expand Up @@ -2,7 +2,10 @@

import re

import requests

from .base import RegexBasedDetector
from detect_secrets.core.constants import VerifiedResult


class ArtifactoryDetector(RegexBasedDetector):
Expand All @@ -15,3 +18,23 @@ class ArtifactoryDetector(RegexBasedDetector):
# Artifactory encrypted passwords begin with AP[A-Z]
re.compile(r'(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}'), # Password
]

artifactory_url = 'na.artifactory.swg-devops.com/artifactory'

def verify(self, token, **kwargs):
try:
if type(token) == bytes:
token = token.decode('UTF-8')
headers = {'X-JFrog-Art-API': token}
response = requests.get(
'https://%s/api/system/ping' % self.artifactory_url,
headers=headers,
)
if response.status_code == 200:
return VerifiedResult.VERIFIED_TRUE
elif response.status_code == 401:
return VerifiedResult.VERIFIED_FALSE
else:
return VerifiedResult.UNVERIFIED
except Exception:
return VerifiedResult.UNVERIFIED
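Review bot: The `requests.get` call in the new `verify` method is issued without a `timeout`, so a scan hangs for as long as the hard-coded host takes to answer, and the surrounding `except Exception` turns every failure, including programming errors in this method, into UNVERIFIED. Passing a timeout and catching only the transport errors keeps the best-effort contract while making hangs and real bugs visible: `response = requests.get('https://%s/api/system/ping' % self.artifactory_url, headers=headers, timeout=5)` and `except requests.exceptions.RequestException:` (5 is a placeholder value to tune). The `type(token) == bytes` test should be `isinstance(token, bytes)`. A short docstring should also state that every candidate match is transmitted as an API key to the host named in `artifactory_url`, since that host is fixed in the class rather than configurable. The enclosing `ArtifactoryDetector` class begins in the earlier hunk, outside this one.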
61 changes: 61 additions & 0 deletions tests/plugins/artifactory_test.py
@@ -1,10 +1,16 @@
from __future__ import absolute_import

import pytest
import responses

from detect_secrets.core.constants import VerifiedResult
from detect_secrets.plugins.artifactory import ArtifactoryDetector


ARTIFACTORY_TOKEN = 'AKCxxxxxxxxxx'
ARTIFACTORY_TOKEN_BYTES = b'AKCxxxxxxxxxx'


class TestArtifactoryDetector(object):

@pytest.mark.parametrize(
Expand Down Expand Up @@ -42,3 +48,58 @@ def test_analyze_line(self, payload, should_flag):

output = logic.analyze_line(payload, 1, 'mock_filename')
assert len(output) == int(should_flag)

@responses.activate
def test_verify_invalid_secret(self):
responses.add(
responses.GET, 'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url,
status=401,
)

assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN) == VerifiedResult.VERIFIED_FALSE

@responses.activate
def test_verify_valid_secret(self):
responses.add(
responses.GET, 'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url,
status=200,
)
assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN) == VerifiedResult.VERIFIED_TRUE

@responses.activate
def test_verify_status_not_200_or_401(self):
responses.add(
responses.GET, 'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url,
status=500,
)
assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN) == VerifiedResult.UNVERIFIED

@responses.activate
def test_verify_invalid_secret_bytes(self):
responses.add(
responses.GET, 'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url,
status=401,
)

assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN_BYTES) == \
VerifiedResult.VERIFIED_FALSE

@responses.activate
def test_verify_valid_secret_bytes(self):
responses.add(
responses.GET, 'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url,
status=200,
)
assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN_BYTES) == VerifiedResult.VERIFIED_TRUE

@responses.activate
def test_verify_status_not_200_or_401_bytes(self):
responses.add(
responses.GET, 'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url,
status=500,
)
assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN_BYTES) == VerifiedResult.UNVERIFIED

@responses.activate
def test_verify_unverified_secret(self):
assert ArtifactoryDetector().verify(ARTIFACTORY_TOKEN) == VerifiedResult.UNVERIFIED
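Review bot: `test_verify_unverified_secret` passes only because `responses.activate` raises a connection error for a URL with no registered mock and `verify` swallows it, which nothing in the test says; a comment such as `# No mock registered: responses raises on the request and verify maps that to UNVERIFIED` would keep it from reading as a live network call. The expression `'https://%s/api/system/ping' % ArtifactoryDetector().artifactory_url` is repeated in six tests and builds a new detector each time; hoisting it to a module constant beside `ARTIFACTORY_TOKEN` and parametrizing the str/bytes pairs would remove the three near-duplicate `_bytes` tests. The enclosing `TestArtifactoryDetector` class begins in the earlier hunk, outside this one.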
