[Feat] Detector implementation for Azure API Management Direct Management Key #3938
Conversation
| s1 := detectors.Result{ | ||
| DetectorType: detectorspb.DetectorType_AzureDirectManagementKey, | ||
| Raw: []byte(baseUrl), | ||
| RawV2: []byte(baseUrl + primaryKey), |
There was a problem hiding this comment.
Can we start making RawV2 structured in new detectors? #3634 (comment)
There was a problem hiding this comment.
There was a problem hiding this comment.
... it is tightly coupled with Enterprise and (in future) if we need to restructure it, due to any reason, We wont be able to do it.
That is the case regardless. Making it structured at least makes it parseable and human-readable, unlike doing a simple concatenation.
| var ( | ||
| defaultClient = common.SaneHttpClient() | ||
| urlPat = regexp.MustCompile(`https://([a-z0-9][a-z0-9-]{0,48}[a-z0-9])\.management\.azure-api\.net`) // https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Name/ | ||
| primaryKeyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure"}) + `\b([a-zA-Z0-9+\/-]{86,88}\b={0,2})`) // Base64-encoded primary key |
There was a problem hiding this comment.
@rgmz Initially I copied that regex from another detector, Azure Storage. After your comment, I generated 20 times a key and confidently say that all of them ended with [a-zA-Z0-9]==. Updated the regex.
code refactoring, remove unnecessary code. updated the description of detector. reduce the expiry to 5 seconds.
refactor variable name for better understanding.
abmussani
force-pushed
the
azuredirectmanagementapikey-detector-impl
branch
from
eb37f00 to
a76aa3d
Compare
| var ( | ||
| defaultClient = common.SaneHttpClient() | ||
| urlPat = regexp.MustCompile(`https://([a-z0-9][a-z0-9-]{0,48}[a-z0-9])\.management\.azure-api\.net`) // https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Name/ | ||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure", ".management.azure-api.net"}) + `\b([a-zA-Z0-9+\/]{83,85}[a-zA-Z0-9]==)`) // pattern for both Primary and secondary key |
There was a problem hiding this comment.
\b isn't valid when beside / or +.
There was a problem hiding this comment.
This has bitten me so many times... 😭
There was a problem hiding this comment.
Updated the regex but AzureContainerRegistry Detector has the similar issue. right ?
abmussani
changed the title
implemented host caching if host is not reachable to avoid unnecessary extra verification calls.
Description:
This PR implements a new Detector for Azure Direct management API key. This detector looks for direct manage url and keys (Primary or Secondary), generates a access token with expiry of 5 seconds (to avoid leakage) and verify the credentials based on generated values.
Test Output:
Checklist:
make test-community)?make lintthis requires golangci-lint)?