// Source: github.com/google/osv-scalibr@v0.4.1/veles/secrets/onepasswordkeys/detector.go

// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package onepasswordkeys

import (
	"regexp"

	"github.com/google/osv-scalibr/veles"
	"github.com/google/osv-scalibr/veles/secrets/common/simpletoken"
)

// Length limits handed to simpletoken.Detector as MaxLen, one per credential
// type.
const (
	// The longest string secretKeyRe can match is 40 bytes (39 for the variant
	// with the undivided 11-character group), so 64 leaves headroom.
	secretKeyMaxLen = 64

	// NOTE(review): serviceTokenRe puts no upper bound on the token body
	// ({250,}), so a match can be longer than this limit. MaxLen presumably
	// tells the scanning engine how much input to keep across chunk
	// boundaries (confirm against simpletoken.Detector); if so, a longer
	// token that straddles a boundary could be reported truncated or missed.
	// Verify the real token length range before relying on 300.
	serviceTokenMaxLen = 300

	// Exactly the length recoveryTokenRe matches: 4 + 13*(1+4) = 69 bytes.
	recoveryTokenMaxLen = 69
)

// Patterns for the three credential types.
//
// None of them is anchored or requires a delimiter on either side, so a match
// may be a substring of a longer run of the same alphabet. The two key
// patterns accept only upper-case letters and digits; a lower-cased copy of a
// key is not matched.
var (
	// secretKeyRe recognises a 1Password Secret Key:
	//
	//	A3-XXXXXX-<XXXXXXXXXXX | XXXXXX-XXXXX>-XXXXX-XXXXX-XXXXX
	//
	// where every X is one of A-Z or 0-9.
	secretKeyRe = regexp.MustCompile(`A3-[A-Z0-9]{6}-(?:(?:[A-Z0-9]{11})|(?:[A-Z0-9]{6}-[A-Z0-9]{5}))-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}`)

	// serviceTokenRe recognises a 1Password Service Account Token: the literal
	// prefix "ops_eyJ", then 250 or more characters from the standard base64
	// alphabet (a-z, A-Z, 0-9, '+', '/'), then zero to three '=' characters.
	//
	// NOTE(review): standard base64 never needs more than two '=' of padding,
	// so the third is a harmless over-match. The URL-safe characters '-' and
	// '_' are not in the class; this assumes tokens use the standard
	// alphabet - TODO confirm, since a token containing them would be cut at
	// the first such character or not matched at all.
	serviceTokenRe = regexp.MustCompile(`ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}`)

	// recoveryTokenRe recognises a 1Password Recovery Key: the literal "1PRK"
	// followed by 13 groups, each a '-' and four characters from A-Z or 0-9.
	recoveryTokenRe = regexp.MustCompile(`1PRK(?:-[A-Z0-9]{4}){13}`)
)

// Compile-time proof that each constructor's result satisfies veles.Detector.
// Each constructor is called once when the package is initialised.
var (
	_ veles.Detector = NewSecretKeyDetector()
	_ veles.Detector = NewServiceTokenDetector()
	_ veles.Detector = NewRecoveryTokenDetector()
)

// NewSecretKeyDetector returns a detector for 1Password Secret Keys.
//
// Every match of secretKeyRe is accepted as a finding; no validation beyond
// the pattern is done here.
func NewSecretKeyDetector() veles.Detector {
	// The matched bytes are copied unmodified into Key, so the result carries
	// the full credential.
	toSecret := func(match []byte) (veles.Secret, bool) {
		return OnePasswordSecretKey{Key: string(match)}, true
	}
	return simpletoken.Detector{
		MaxLen:    secretKeyMaxLen,
		Re:        secretKeyRe,
		FromMatch: toSecret,
	}
}

// NewServiceTokenDetector returns a detector for 1Password Service Account
// Tokens.
//
// Every match of serviceTokenRe is accepted as a finding; no validation beyond
// the pattern is done here.
func NewServiceTokenDetector() veles.Detector {
	// The matched bytes are copied unmodified into Key, so the result carries
	// the full credential.
	toSecret := func(match []byte) (veles.Secret, bool) {
		return OnePasswordServiceToken{Key: string(match)}, true
	}
	return simpletoken.Detector{
		MaxLen:    serviceTokenMaxLen,
		Re:        serviceTokenRe,
		FromMatch: toSecret,
	}
}

// NewRecoveryTokenDetector returns a detector for 1Password Recovery Keys.
// Findings are reported as OnePasswordRecoveryCode values.
//
// Every match of recoveryTokenRe is accepted as a finding; no validation
// beyond the pattern is done here.
func NewRecoveryTokenDetector() veles.Detector {
	// The matched bytes are copied unmodified into Key, so the result carries
	// the full credential.
	toSecret := func(match []byte) (veles.Secret, bool) {
		return OnePasswordRecoveryCode{Key: string(match)}, true
	}
	return simpletoken.Detector{
		MaxLen:    recoveryTokenMaxLen,
		Re:        recoveryTokenRe,
		FromMatch: toSecret,
	}
}