def _create_baseline():
base64_secret = 'c3VwZXIgbG9uZyBzdHJpbmcgc2hvdWxkIGNhdXNlIGVub3VnaCBlbnRyb3B5'
baseline = {
'generated_at': 'does_not_matter',
'exclude_regex': '',
'plugins_used': [
{
'name': 'HexHighEntropyString',
'hex_limit': 3,
},
{
'name': 'PrivateKeyDetector',
},
],
'results': {
'test_data/files/file_with_secrets.py': [
{
'type': 'Base64 High Entropy String',
'line_number': 3,
'hashed_secret': PotentialSecret.hash_secret(base64_secret),
},
],
},
'version': VERSION,
}
return json.dumps(
baseline,
indent=2,
sort_keys=True,
)
def get_secret():
"""Generates a random secret, used for testing.
:rtype: dict
"""
random_number = random.randint(0, 500)
return {
'hashed_secret': PotentialSecret.hash_secret(str(random_number)),
'line_number': random_number,
'type': 'Test Type',
}
def get_baseline_dict(self, gmtime):
# They are all the same secret, so they should all have the same secret hash.
secret_hash = PotentialSecret.hash_secret('secret')
return {
'generated_at': strftime('%Y-%m-%dT%H:%M:%SZ', gmtime),
'exclude_regex': '',
'plugins_used': [
{
'name': 'HexHighEntropyString',
'hex_limit': 3,
},
{
'name': 'PrivateKeyDetector',
},
],
'results': {
'fileA': [
# Line numbers should be sorted, for better readability
{
'type': 'B',
'line_number': 2,
'hashed_secret': secret_hash,
},
{
'type': 'A',
'line_number': 3,
'hashed_secret': secret_hash,
},
],
'fileB': [
{
'type': 'C',
'line_number': 1,
'hashed_secret': secret_hash,
},
],
},
'version': VERSION,
}
def test_rolled_creds(self):
"""Same line, different secret"""
new_findings = secrets_collection_factory([
{
'secret': 'secret_new',
},
])
baseline = secrets_collection_factory([
{
'secret': 'secret',
},
])
backup_baseline = baseline.data.copy()
results = get_secrets_not_in_baseline(new_findings, baseline)
assert len(results.data['filename']) == 1
secretA = PotentialSecret('type', 'filename', 1, 'secret_new')
assert results.data['filename'][secretA].secret_hash == \
PotentialSecret.hash_secret('secret_new')
assert baseline.data == backup_baseline
def _create_baseline_template(has_result, use_private_key_scan):
base64_secret = 'c3VwZXIgbG9uZyBzdHJpbmcgc2hvdWxkIGNhdXNlIGVub3VnaCBlbnRyb3B5'
baseline = {
'generated_at': 'does_not_matter',
'plugins_used': [
{
'name': 'HexHighEntropyString',
'hex_limit': 3,
},
{
'name': 'Base64HighEntropyString',
'base64_limit': 4.5,
},
{
'name': 'PrivateKeyDetector',
},
],
'results': {
'test_data/files/file_with_secrets.py': [
{
'type': 'Base64 High Entropy String',
'is_secret': True,
'is_verified': False,
'line_number': 3,
'hashed_secret': PotentialSecret.hash_secret(base64_secret),
},
],
},
'version': VERSION,
}
if not use_private_key_scan:
baseline['plugins_used'].pop(-1)
if not has_result:
baseline['results'] = {}
return baseline
def get_baseline_dict(self, gmtime):
# They are all the same secret, so they should all have the same secret hash.
secret_hash = PotentialSecret.hash_secret('secret')
return {
'generated_at':
strftime('%Y-%m-%dT%H:%M:%SZ', gmtime),
'exclude_regex':
'',
'plugins_used': [{
'name': 'HexHighEntropyString',
'limit': 3,
}, {
'name': 'PrivateKeyDetector',
}],
'results': {
'fileA': [
# Line numbers should be sorted, for better readability
{
'type': 'B',
'line_number': 2,
'hashed_secret': secret_hash,
},
{
'type': 'A',
'line_number': 3,
'hashed_secret': secret_hash,
},
],
'fileB': [
{
'type': 'C',
'line_number': 1,
'hashed_secret': secret_hash,
},
],
}
}
def test_new_secret_line_old_file(self):
"""Same file, new line with potential secret"""
new_findings = secrets_collection_factory([
{
'secret': 'secret1',
'lineno': 1,
},
])
baseline = secrets_collection_factory([
{
'secret': 'secret2',
'lineno': 2,
},
])
backup_baseline = baseline.data.copy()
results = get_secrets_not_in_baseline(new_findings, baseline)
assert len(results.data['filename']) == 1
secretA = PotentialSecret('type', 'filename', 'secret1', 1)
assert results.data['filename'][secretA].secret_hash == \
PotentialSecret.hash_secret('secret1')
assert baseline.data == backup_baseline
def test_new_secret_line_old_file(self):
"""Same file, new line with potential secret"""
new_findings = secrets_collection_factory([
{
'secret': 'secret1',
'lineno': 1,
},
])
baseline = secrets_collection_factory([
{
'secret': 'secret2',
'lineno': 2,
},
])
backup_baseline = baseline.data.copy()
results = get_secrets_not_in_baseline(new_findings, baseline)
assert len(results.data['filename']) == 1
secretA = PotentialSecret('type', 'filename', 1, 'secret1')
assert results.data['filename'][secretA].secret_hash == \
PotentialSecret.hash_secret('secret1')
assert baseline.data == backup_baseline
def _create_baseline():
base64_secret = 'c3VwZXIgbG9uZyBzdHJpbmcgc2hvdWxkIGNhdXNlIGVub3VnaCBlbnRyb3B5'
baseline = {
'generated_at': 'does_not_matter',
'exclude_regex': '',
'results': {
'test_data/files/file_with_secrets.py': [
{
'type':
'Base64 High Entropy String',
'line_number':
3,
'hashed_secret':
PotentialSecret.hash_secret(base64_secret),
},
],
},
}
return json.dumps(
baseline,
indent=2,
sort_keys=True,
)
def _create_baseline():
base64_secret = 'c3VwZXIgbG9uZyBzdHJpbmcgc2hvdWxkIGNhdXNlIGVub3VnaCBlbnRyb3B5'
baseline = {
'generated_at':
'does_not_matter',
'exclude_regex':
'',
'plugins_used': [
{
'name': 'HexHighEntropyString',
'hex_limit': 3,
},
{
'name': 'PrivateKeyDetector',
},
],
'results': {
'test_data/files/file_with_secrets.py': [
{
'type': 'Base64 High Entropy String',
'is_secret': True,
'line_number': 3,
'hashed_secret':
PotentialSecret.hash_secret(base64_secret),
},
],
},
'version':
VERSION,
}
return json.dumps(
baseline,
indent=2,
sort_keys=True,
)