LaunchDarkly Token Analyzer #3948
+1,589
−0
Next
Next commit
initial commit
- Loading branch information
commit 36e64afc3e8c0bf31a733da914ee89799ce08c8b
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| [ | ||
| { | ||
| "name": "caller-identity", | ||
| "endpoint": "/v2/caller-identity", | ||
| "valid_status_code": 200, | ||
| "invalid_status_codes": [ | ||
| 401, | ||
| 429 | ||
| ], | ||
| "permission": "" | ||
| }, | ||
| { | ||
| "name": "token", | ||
| "endpoint": "/v2/token/%s", | ||
| "valid_status_code": 200, | ||
| "invalid_status_codes": [ | ||
| 401, | ||
| 429 | ||
| ], | ||
| "permission": "" | ||
| } | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| package launchdarkly | ||
|
|
||
| import ( | ||
| "github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers" | ||
| "github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/config" | ||
| "github.com/trufflesecurity/trufflehog/v3/pkg/context" | ||
| ) | ||
|
|
||
| var _ analyzers.Analyzer = (*Analyzer)(nil) | ||
|
|
||
| type Analyzer struct { | ||
| Cfg *config.Config | ||
| } | ||
|
|
||
| func (a Analyzer) Type() analyzers.AnalyzerType { | ||
| return analyzers.AnalyzerTypeLaunchDarkly | ||
| } | ||
|
|
||
| func (a Analyzer) Analyze(_ context.Context, credInfo map[string]string) (*analyzers.AnalyzerResult, error) { | ||
| return nil, nil | ||
| } | ||
|
|
||
| // AnalyzePermissions will collect all the scopes assigned to token along with resource it can access | ||
| func AnalyzePermissions(cfg *config.Config, token string) (*SecretInfo, error) { | ||
| // create the http client | ||
| client := analyzers.NewAnalyzeClient(cfg) | ||
|
|
||
| var secretInfo = &SecretInfo{} | ||
|
|
||
| return secretInfo, nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| package launchdarkly | ||
|
|
||
| import "sync" | ||
|
|
||
| type SecretInfo struct { | ||
| CallerIdentity CallerIdentity | ||
| Permissions []string | ||
| Resources []Resource | ||
| // to concurrently read and write | ||
| mu sync.RWMutex | ||
| } | ||
|
|
||
| // CallerIdentity is the information about the token | ||
| type CallerIdentity struct { | ||
| AccountID string // account id. It is the owner id of token as well | ||
| MemberID string | ||
| Name string | ||
| Role string // role of caller | ||
| Email string | ||
| Token struct { | ||
| ID string // id of the token | ||
| Name string // name of the token | ||
| CustomRoles []CustomRole // custom roles assigned to the token | ||
| InlineRole []Policy // any policy statements maybe used in place of a built-in custom role | ||
| Role string // role of token | ||
| IsServiceToken bool // is a service token or not | ||
| APIVersion int // default api version assigned to the token | ||
| } | ||
| } | ||
|
|
||
| // CustomRole is a flexible policies providing fine-grained access control to everything in launch darkly | ||
| type CustomRole struct { | ||
| ID string | ||
| Key string | ||
| Name string | ||
| Polices []Policy | ||
| BasePermission string | ||
| AssignedToMembers int | ||
| AssignedToTeams int | ||
| } | ||
|
|
||
| // policy is a set of statements | ||
| type Policy struct { | ||
| Resources []string | ||
| NotResources []string | ||
| Actions []string | ||
| NotActions []string | ||
| Effect string | ||
| } | ||
|
|
||
| type Resource struct { | ||
| ID string | ||
| Name string | ||
| Permission string | ||
| Type string | ||
| ParentResource *Resource | ||
| MetaData map[string]string | ||
| } | ||
|
|
||
| // addPermission add a new permission to secret info permissions list. | ||
| func (s *SecretInfo) addPermission(perm string) { | ||
| s.mu.Lock() | ||
| defer s.mu.Unlock() | ||
|
|
||
| s.Permissions = append(s.Permissions, perm) | ||
| } | ||
|
|
||
| // hasPermission checks if a particular permission exist in secret info permissions list. | ||
| func (s *SecretInfo) hasPermission(perm string) bool { | ||
| s.mu.Lock() | ||
| defer s.mu.Unlock() | ||
|
|
||
| for _, permission := range s.Permissions { | ||
| if permission == perm { | ||
| return true | ||
| } | ||
| } | ||
|
|
||
| return false | ||
| } | ||
|
|
||
| // appendResources append resource to secret info resources list | ||
| func (s *SecretInfo) appendResource(resource Resource) { | ||
| s.mu.Lock() | ||
| defer s.mu.Unlock() | ||
|
|
||
| s.Resources = append(s.Resources, resource) | ||
| } | ||
|
|
||
| // hasCustomRoles check if token has any custom roles assigned | ||
| func (c CallerIdentity) hasCustomRoles() bool { | ||
| return len(c.Token.CustomRoles) > 0 | ||
| } | ||
|
|
||
| // hasInlineRole check if token has any inline roles | ||
| func (c CallerIdentity) hasInlineRole() bool { | ||
| return len(c.Token.InlineRole) > 0 | ||
| } | ||
|
|
||
| // isAllowed check if policy allow the statement | ||
| func (p Policy) isAllowed() bool { | ||
| return p.Effect == "allow" | ||
| } | ||
|
|
||
| // setParentResource set parent resource for a resource | ||
| func (r Resource) setParentResource(resource, parent *Resource) { | ||
| resource.ParentResource = parent | ||
| } | ||
|
|
||
| // updateResourceMetadata | ||
| func (r Resource) updateResourceMetadata(key, value string) { | ||
| if r.MetaData == nil { | ||
| r.MetaData = make(map[string]string) | ||
| } | ||
|
|
||
| r.MetaData[key] = value | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: I've found it helpful to use
mualmost like a "hat" for the resource(s) it protects by placing it directly above them. This makes it visually clear what it's guarding and can even replace the need for a comment.That said, I’m not entirely sure which resources
muis protecting in this case. 🤔 This is definitely an opinionated take, so feel free to ignore it! 🤣I forget where I first read about this, but here is a separate article about it. 😅
Ex: