add validation
juli1 committed Nov 5, 2024
1 parent a0c671b commit d82eec2
Showing 5 changed files with 57 additions and 57 deletions.
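--- a/crates/cli/src/datadog_utils.rs
+++ b/crates/cli/src/datadog_utils.rs
@@ -59,11 +59,7 @@ pub fn get_secrets_rules(use_staging: bool) -> Result<Vec<SecretRule>> {
 let api_response = serde_json::from_str::<StaticAnalysisSecretsAPIResponse>(response_text);
 
 match api_response {
-Ok(d) => Ok(d
-.data
-.iter()
-.map(|v| v.clone().into())
-.collect()),
+Ok(d) => Ok(d.data.iter().map(|v| v.clone().into()).collect()),
 Err(e) => {
 eprintln!("Error when parsing the secret rules {e:?}");
 eprintln!("{response_text}");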
32 changes: 16 additions & 16 deletions crates/cli/src/model/datadog_api.rs
@@ -1,10 +1,13 @@
use std::collections::HashMap;
use kernel::model::common::Language;
use kernel::model::rule::{Argument, EntityChecked, Rule, RuleCategory, RuleSeverity, RuleType};
use kernel::model::rule_test::RuleTest;
use kernel::model::ruleset::RuleSet;
use secrets::model::secret_rule::{
SecretRule, SecretRuleMatchValidation, SecretRuleMatchValidationHttpCode,
SecretRuleMatchValidationHttpMethod,
};
use serde::{Deserialize, Serialize};
use secrets::model::secret_rule::{SecretRule, SecretRuleMatchValidation, SecretRuleMatchValidationHttpCode, SecretRuleMatchValidationHttpMethod};
use std::collections::HashMap;

// Data for diff-aware scanning
#[derive(Serialize, Deserialize, Debug, Clone)]
Expand Down Expand Up @@ -252,7 +255,7 @@ pub struct SecretRuleApiMatchValidationHttpCode {

impl From<SecretRuleApiMatchValidationHttpCode> for SecretRuleMatchValidationHttpCode {
fn from(value: SecretRuleApiMatchValidationHttpCode) -> Self {
SecretRuleMatchValidationHttpCode{
SecretRuleMatchValidationHttpCode {
start: value.start,
end: value.end,
}
Expand All @@ -276,15 +279,11 @@ pub enum SecretRuleApiMatchValidationHttpMethod {
impl From<SecretRuleApiMatchValidationHttpMethod> for SecretRuleMatchValidationHttpMethod {
fn from(val: SecretRuleApiMatchValidationHttpMethod) -> Self {
match val {
SecretRuleApiMatchValidationHttpMethod::Get => {
SecretRuleMatchValidationHttpMethod::Get
}
SecretRuleApiMatchValidationHttpMethod::Get => SecretRuleMatchValidationHttpMethod::Get,
SecretRuleApiMatchValidationHttpMethod::Post => {
SecretRuleMatchValidationHttpMethod::Post
}
SecretRuleApiMatchValidationHttpMethod::Put => {
SecretRuleMatchValidationHttpMethod::Put
}
SecretRuleApiMatchValidationHttpMethod::Put => SecretRuleMatchValidationHttpMethod::Put,
SecretRuleApiMatchValidationHttpMethod::Patch => {
SecretRuleMatchValidationHttpMethod::Patch
}
Expand All @@ -310,17 +309,19 @@ pub struct SecretRuleApiMatchValidation {

impl From<SecretRuleApiMatchValidation> for SecretRuleMatchValidation {
fn from(val: SecretRuleApiMatchValidation) -> Self {


SecretRuleMatchValidation{
SecretRuleMatchValidation {
r#type: val.r#type,
endpoint: val.endpoint.clone(),
hosts: val.hosts.clone(),
request_headers: val.request_headers,
http_method: val.http_method.map(|v| v.into()),
timeout_seconds: val.timeout_seconds,
valid_http_status_code: val.valid_http_status_code.map(|v| v.iter().map(|w| w.clone().into()).collect()),
invalid_http_status_code: val.invalid_http_status_code.map(|v| v.iter().map(|w| w.clone().into()).collect()),
valid_http_status_code: val
.valid_http_status_code
.map(|v| v.iter().map(|w| w.clone().into()).collect()),
invalid_http_status_code: val
.invalid_http_status_code
.map(|v| v.iter().map(|w| w.clone().into()).collect()),
}
}
}
Expand Down Expand Up @@ -356,8 +357,7 @@ impl From<SecretRuleApiType> for SecretRule {
.clone()
.unwrap_or_default(),
validators: val.attributes.validators.clone(),
match_validation: val.attributes.match_validation.map(|v| v.into())

match_validation: val.attributes.match_validation.map(|v| v.into()),
}
}
}
1 change: 0 additions & 1 deletion crates/secrets/src/lib.rs
@@ -1,4 +1,3 @@
pub mod model;
pub mod scanner;
pub mod secret_files;

73 changes: 39 additions & 34 deletions crates/secrets/src/model/secret_rule.rs
Expand Up @@ -2,14 +2,17 @@
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2024 Datadog, Inc.

use std::collections::HashMap;
use std::ops::Range;
use std::string::ToString;
use common::model::diff_aware::DiffAware;
use dd_sds::{HttpValidatorConfigBuilder, MatchAction, MatchValidationType, ProximityKeywordsConfig, RegexRuleConfig, HttpMethod, AwsConfig, RequestHeader};
use dd_sds::AwsType::{AwsId, AwsSecret, AwsSession};
use dd_sds::SecondaryValidator::JwtExpirationChecker;
use dd_sds::{
AwsConfig, HttpMethod, HttpValidatorConfigBuilder, MatchAction, MatchValidationType,
ProximityKeywordsConfig, RegexRuleConfig, RequestHeader,
};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::ops::Range;
use std::string::ToString;

const DEFAULT_LOOK_AHEAD_CHARACTER_COUNT: usize = 30;
const AWS_ID_STRING: &str = "AwsId";
Expand Down Expand Up @@ -50,7 +53,6 @@ impl From<SecretRuleMatchValidationHttpMethod> for HttpMethod {
}
}


#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct SecretRuleMatchValidation {
#[serde(rename = "type")]
Expand All @@ -67,56 +69,60 @@ pub struct SecretRuleMatchValidation {
impl SecretRuleMatchValidation {
pub fn get_request_headers(&self) -> Vec<RequestHeader> {
if let Some(rhs) = &self.request_headers {
rhs.iter().map(|(k, v)| {
RequestHeader{
rhs.iter()
.map(|(k, v)| RequestHeader {
key: k.clone(),
value: v.clone()
}
}).collect()
value: v.clone(),
})
.collect()
} else {
Vec::new()
}
}
}

impl TryFrom<SecretRuleMatchValidation> for MatchValidationType {


impl TryFrom<SecretRuleMatchValidation> for MatchValidationType {
type Error = &'static str;

fn try_from(value: SecretRuleMatchValidation) -> Result<Self, Self::Error> {
match value.r#type.as_str() {
AWS_ID_STRING => {
Ok(MatchValidationType::Aws(AwsId))
}
AWS_SECRET_STRING => {
Ok(MatchValidationType::Aws(AwsSecret(AwsConfig::default())))
}
AWS_SESSION_STRING => {
Ok(MatchValidationType::Aws(AwsSession))
}
AWS_ID_STRING => Ok(MatchValidationType::Aws(AwsId)),
AWS_SECRET_STRING => Ok(MatchValidationType::Aws(AwsSecret(AwsConfig::default()))),
AWS_SESSION_STRING => Ok(MatchValidationType::Aws(AwsSession)),
CUSTOM_HTTP_STRING => {
let invalid_ports: Vec<Range<u16>> = value.invalid_http_status_code.clone().unwrap_or_default().iter().map(|v| {
Range{start: v.start, end: v.end}
}).collect();
let valid_ports: Vec<Range<u16>> = value.valid_http_status_code.clone().unwrap_or_default().iter().map(|v| {
Range{start: v.start, end: v.end}
}).collect();
let invalid_ports: Vec<Range<u16>> = value
.invalid_http_status_code
.clone()
.unwrap_or_default()
.iter()
.map(|v| Range {
start: v.start,
end: v.end,
})
.collect();
let valid_ports: Vec<Range<u16>> = value
.valid_http_status_code
.clone()
.unwrap_or_default()
.iter()
.map(|v| Range {
start: v.start,
end: v.end,
})
.collect();
Ok(MatchValidationType::CustomHttp(
HttpValidatorConfigBuilder::new(value.endpoint.clone().unwrap())
.set_hosts(value.hosts.clone().unwrap_or_default())
.set_invalid_http_status_code(invalid_ports)
.set_request_header(
value.clone().get_request_headers()
)
.set_request_header(value.clone().get_request_headers())
.set_valid_http_status_code(valid_ports)
.set_method(value.http_method.unwrap().into())
.build()
.unwrap()
.unwrap(),
))
}

_ => {Err("invalid type")}
_ => Err("invalid type"),
}
}
}
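Review bot: On the new side, the `CUSTOM_HTTP_STRING` arm still panics on `value.endpoint.clone().unwrap()`, `value.http_method.unwrap()` and `.build().unwrap()` even though `try_from` already returns `Result<Self, &'static str>`; both fields are `Option`s filled from the rules API response (see the `From<SecretRuleApiMatchValidation>` impl in `datadog_api.rs`), so a rule that omits either one takes the CLI down instead of surfacing an error. I would resolve them up front with `let endpoint = value.endpoint.clone().ok_or("CustomHttp validation requires an endpoint")?;` and `let method = value.http_method.ok_or("CustomHttp validation requires an http_method")?;`, and replace the builder's unwrap with `.build().map_err(|_| "invalid CustomHttp validator config")?` (assuming `build()` returns a `Result`, as the `unwrap` suggests). Separately, `invalid_ports`/`valid_ports` hold HTTP status-code ranges, not ports, so `invalid_status_codes`/`valid_status_codes` would match what they are built from; and since `Range` is half-open it is worth confirming whether the API's `end` is meant to be inclusive before mapping it through unchanged.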
Expand Down Expand Up @@ -160,7 +166,6 @@ impl SecretRule {
}
}


rule_config
}
}
2 changes: 1 addition & 1 deletion crates/secrets/src/scanner.rs
Expand Up @@ -8,8 +8,8 @@ use anyhow::Error;
use common::analysis_options::AnalysisOptions;
use common::model::position::Position;
use common::utils::position_utils::get_position_in_string;
use itertools::Itertools;
use dd_sds::{RuleConfig, Scanner};
use itertools::Itertools;
use std::sync::Arc;

/// Build the SDS scanner used to scan all code using the rules fetched from