diff --git a/pkg/detectors/persona/persona.go b/pkg/detectors/persona/persona.go new file mode 100644 index 000000000000..b0d0881f4fa4 --- /dev/null +++ b/pkg/detectors/persona/persona.go @@ -0,0 +1,150 @@ +package persona + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + keyPat = regexp.MustCompile(`\b(persona_(?:sandbox|production)_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b`) +) + +func (s Scanner) Keywords() []string { + return []string{"persona_sandbox_", "persona_production_"} +} + +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + keys := keyPat.FindAllStringSubmatch(dataStr, -1) + + for _, key := range keys { + keyMatch := strings.TrimSpace(key[1]) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_Persona, + Raw: []byte(keyMatch), + ExtraData: make(map[string]string), + } + + if strings.Contains(keyMatch, "_sandbox_") { + s1.ExtraData["Type"] = "Sandbox Key" + } else { + s1.ExtraData["Type"] = "Production Key" + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + isVerified, extraData, err := verifyPersonaKey(ctx, client, keyMatch) + s1.Verified = isVerified + s1.SetVerificationError(err, keyMatch) + + if isVerified { + for k, v := range extraData { + s1.ExtraData[k] = v + } + s1.AnalysisInfo = map[string]string{"key": keyMatch} + } + } + + results = append(results, s1) + } + + return results, nil +} + +func verifyPersonaKey(ctx context.Context, client *http.Client, key string) (bool, map[string]string, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://withpersona.com/api/v1/api-keys/permissions", http.NoBody) + if err != nil { + return false, nil, nil + } + + req.Header.Set("Authorization", "Bearer "+key) + req.Header.Set("Persona-Version", "2023-01-05") + + res, err := client.Do(req) + if err != nil { + return false, nil, err + } + defer func() { _ = res.Body.Close() }() + + switch res.StatusCode { + case http.StatusOK: + extraData := make(map[string]string) + + if orgID := res.Header.Get("Persona-Organization-Id"); orgID != "" { + extraData["Organization"] = orgID + } + if envID := res.Header.Get("Persona-Environment-Id"); envID != "" { + extraData["Environment"] = envID + } + + body, err := io.ReadAll(res.Body) + if err == nil { + var resp apiKeyResponse + if json.Unmarshal(body, &resp) == nil { + if resp.Data.ID != "" { + extraData["ID"] = resp.Data.ID + } + if resp.Data.Attributes.Name != "" { + extraData["Name"] = resp.Data.Attributes.Name + } + if len(resp.Data.Attributes.Permissions) > 0 { + extraData["Permissions"] = strings.Join(resp.Data.Attributes.Permissions, ", ") + } + if resp.Data.Attributes.ExpiresAt != "" { + extraData["Expires_At"] = resp.Data.Attributes.ExpiresAt + } + } + } + + return true, extraData, nil + + case http.StatusUnauthorized, http.StatusForbidden: + return false, nil, nil + + default: + return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +type apiKeyResponse struct { + Data struct { + ID string `json:"id"` + Attributes struct { + Name string `json:"name"` + Permissions []string `json:"permissions"` + ExpiresAt string `json:"expires_at"` + } `json:"attributes"` + } `json:"data"` +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_Persona +} + +func (s Scanner) Description() string { + return "Persona is an identity verification platform. API keys can be used to access their identity verification and management services." +} diff --git a/pkg/detectors/persona/persona_test.go b/pkg/detectors/persona/persona_test.go new file mode 100644 index 000000000000..746c1c96dfc1 --- /dev/null +++ b/pkg/detectors/persona/persona_test.go @@ -0,0 +1,216 @@ +package persona + +import ( + "context" + "io" + "net/http" + "strings" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestPersona_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid sandbox key", + input: `persona_api_key = "persona_sandbox_550e8400-e29b-41d4-a716-446655440000"`, + want: []string{"persona_sandbox_550e8400-e29b-41d4-a716-446655440000"}, + }, + { + name: "valid production key", + input: `PERSONA_KEY=persona_production_abcdef01-2345-6789-abcd-ef0123456789`, + want: []string{"persona_production_abcdef01-2345-6789-abcd-ef0123456789"}, + }, + { + name: "both keys in same input", + input: ` + sandbox: persona_sandbox_550e8400-e29b-41d4-a716-446655440000 + production: persona_production_abcdef01-2345-6789-abcd-ef0123456789 + `, + want: []string{ + "persona_sandbox_550e8400-e29b-41d4-a716-446655440000", + "persona_production_abcdef01-2345-6789-abcd-ef0123456789", + }, + }, + { + name: "truncated UUID - invalid", + input: `key = persona_sandbox_550e8400-e29b-41d4-a716`, + want: nil, + }, + { + name: "uppercase hex - invalid", + input: `key = persona_sandbox_550E8400-E29B-41D4-A716-446655440000`, + want: nil, + }, + { + name: "wrong prefix - invalid", + input: `key = persona_staging_550e8400-e29b-41d4-a716-446655440000`, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + if len(test.want) > 0 { + t.Errorf("test %q failed: expected keywords %v to be found in the input", test.name, d.Keywords()) + } + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf("mismatch in result count: expected %d, got %d", len(test.want), len(results)) + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} + +func TestPersona_Verification(t *testing.T) { + responseBody := `{"data":{"type":"api-key","id":"api_TvSRN76WJ6KsTzZFd4DEUDDF","attributes":{"name":"My Test Key","permissions":["account.read","inquiry.read","inquiry.write"],"expires_at":"2026-12-31T00:00:00.000Z"}}}` + + tests := []struct { + name string + input string + client *http.Client + wantVerified bool + wantExtraData map[string]string + wantErr bool + }{ + { + name: "verified with full response", + input: "persona_production_abcdef01-2345-6789-abcd-ef0123456789", + client: &http.Client{ + Transport: common.FakeTransport{ + CreateResponse: func(req *http.Request) (*http.Response, error) { + resp := &http.Response{ + Request: req, + StatusCode: http.StatusOK, + Body: io.NopCloser(strings.NewReader(responseBody)), + Header: make(http.Header), + } + resp.Header.Set("Persona-Organization-Id", "org_abc123") + resp.Header.Set("Persona-Environment-Id", "env_xyz789") + return resp, nil + }, + }, + }, + wantVerified: true, + wantExtraData: map[string]string{ + "Type": "Production Key", + "ID": "api_TvSRN76WJ6KsTzZFd4DEUDDF", + "Organization": "org_abc123", + "Environment": "env_xyz789", + "Name": "My Test Key", + "Permissions": "account.read, inquiry.read, inquiry.write", + "Expires_At": "2026-12-31T00:00:00.000Z", + }, + }, + { + name: "verified sandbox key with minimal response", + input: "persona_sandbox_abcdef01-2345-6789-abcd-ef0123456789", + client: &http.Client{ + Transport: common.FakeTransport{ + CreateResponse: func(req *http.Request) (*http.Response, error) { + return &http.Response{ + Request: req, + StatusCode: http.StatusOK, + Body: io.NopCloser(strings.NewReader(`{"data":{"type":"api-key","id":"api_min123","attributes":{"permissions":["account.read"]}}}`)), + Header: make(http.Header), + }, nil + }, + }, + }, + wantVerified: true, + wantExtraData: map[string]string{ + "Type": "Sandbox Key", + "ID": "api_min123", + "Permissions": "account.read", + }, + }, + { + name: "unverified - 401", + input: "persona_production_abcdef01-2345-6789-abcd-ef0123456789", + client: common.ConstantResponseHttpClient(http.StatusUnauthorized, `{"errors":[{"title":"Must be authenticated"}]}`), + wantVerified: false, + wantExtraData: map[string]string{ + "Type": "Production Key", + }, + }, + { + name: "unverified - 403", + input: "persona_production_abcdef01-2345-6789-abcd-ef0123456789", + client: common.ConstantResponseHttpClient(http.StatusForbidden, ""), + wantVerified: false, + wantExtraData: map[string]string{ + "Type": "Production Key", + }, + }, + { + name: "error - unexpected status", + input: "persona_production_abcdef01-2345-6789-abcd-ef0123456789", + client: common.ConstantResponseHttpClient(http.StatusInternalServerError, ""), + wantVerified: false, + wantExtraData: map[string]string{ + "Type": "Production Key", + }, + wantErr: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + d := Scanner{client: test.client} + + results, err := d.FromData(context.Background(), true, []byte(test.input)) + require.NoError(t, err) + require.Len(t, results, 1) + + r := results[0] + assert.Equal(t, test.wantVerified, r.Verified) + assert.Equal(t, test.wantExtraData, r.ExtraData) + + if test.wantErr { + assert.Error(t, r.VerificationError()) + } else { + assert.NoError(t, r.VerificationError()) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index c3e76f3caed5..137894490213 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -553,6 +553,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/peopledatalabs" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/pepipost" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/percy" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/persona" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/photoroom" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/phraseaccesstoken" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/pinata" @@ -1436,6 +1437,7 @@ func buildDetectorList() []detectors.Detector { &peopledatalabs.Scanner{}, &pepipost.Scanner{}, &percy.Scanner{}, + &persona.Scanner{}, &photoroom.Scanner{}, &phraseaccesstoken.Scanner{}, &pinata.Scanner{}, diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 9dc30b110d3b..0d97a0d4eba7 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1150,6 +1150,7 @@ const ( DetectorType_GoogleGeminiAPIKey DetectorType = 1041 DetectorType_ArtifactoryReferenceToken DetectorType = 1042 DetectorType_DatadogApikey DetectorType = 1043 + DetectorType_Persona DetectorType = 1044 ) // Enum value maps for DetectorType. @@ -2195,6 +2196,7 @@ var ( 1041: "GoogleGeminiAPIKey", 1042: "ArtifactoryReferenceToken", 1043: "DatadogApikey", + 1044: "Persona", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3237,6 +3239,7 @@ var ( "GoogleGeminiAPIKey": 1041, "ArtifactoryReferenceToken": 1042, "DatadogApikey": 1043, + "Persona": 1044, } ) @@ -3690,7 +3693,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xa4, 0x87, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xb2, 0x87, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4772,12 +4775,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x4b, 0x65, 0x79, 0x10, 0x91, 0x08, 0x12, 0x1e, 0x0a, 0x19, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x92, 0x08, 0x12, 0x12, 0x0a, 0x0d, 0x44, 0x61, 0x74, 0x61, 0x64, 0x6f, - 0x67, 0x41, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x10, 0x93, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, - 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, - 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, - 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, + 0x67, 0x41, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x10, 0x93, 0x08, 0x12, 0x0c, 0x0a, 0x07, 0x50, 0x65, + 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x10, 0x94, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, + 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, + 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index bb7bbe69dcff..81733a38179a 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1053,6 +1053,7 @@ enum DetectorType { GoogleGeminiAPIKey = 1041; ArtifactoryReferenceToken = 1042; DatadogApikey = 1043; + Persona = 1044; } message Result {