rules:
  - name: Defined Networking API Token
    id: kingfisher.definednetworking.1
    pattern: |
      (?x)
      \b
      (
        dnkey-
        [A-Z0-9]{26}
        -
        [A-Z0-9]{52}
      )
      \b
    min_entropy: 3.6
    confidence: medium
    examples:
      - 'defined_api_token="dnkey-AHBDSNIG5ATR4LPUX4XTEVXEP4-ACW2JQ45HAWA2XA6FIJNSNBRY2Q4WMSCNNIFSL6VRZQYFZKI2VHA"'
    references:
      - https://docs.defined.net/api/defined-networking-api/
      - https://docs.defined.net/api/networks-list/
      - https://docs.defined.net/guides/rotating-api-keys/
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://api.defined.net/v1/networks
          headers:
            Accept: application/json
            Authorization: "Bearer {{ TOKEN }}"
          response_matcher:
            - report_response: true
            # 200 = valid + authorized
            # 403 = valid token but missing required scope (still proves the token is real)
            - type: StatusMatch
              status: [200, 403]
            - type: WordMatch
              words:
                - '"cidr"'
              match_all_words: true