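# Twilio detection rules.
#   kingfisher.twilio.1  finds Account SIDs (AC...) and API Key SIDs (SK...).
#   kingfisher.twilio.2  finds the 32-character secret near a "twilio" keyword,
#                        validates it together with the SID from rule 1, and
#                        defines a two-step revocation flow.
rules:
  - name: Twilio API ID
    id: kingfisher.twilio.1
    # "SK" or "AC" followed by 32 hex characters, matched case-insensitively.
    pattern: |
      (?xi)
      \b
      (
        (?:SK|AC)[A-F0-9]{32}
      )
      \b
    pattern_requirements:
      min_digits: 2
    # An identifier alone is not a secret: this rule is not shown on its own
    # and exists to supply TWILIOID to kingfisher.twilio.2 (see depends_on_rule
    # there).
    visible: false
    min_entropy: 3.5
    examples:
      - |
        const twilioAccountSid = 'AC712594f590c0d8ace55c04858f7398f9' // Your Account SID from www.twilio.com/console
        const twilioApiKeySID = 'SK9b4cc552783500ace5414a1ed3e9fd1a'
        const twilioApiKeySecret = 'l6LUelKF2BUtMLace5oShZSmRppadYqI'
      - |
        // https://www.twilio.com/console/video/dev-tools/api-keys
        'API' => env('TWILIO_API','SK6e84981d07ace5c9df33e1ab043a2fb2'),
        'API_KEY' => env('TWILIO_API_KEY', 'wbTs1SUt6Aace5eKeNCxuYvJa6PhaRd0')
    references:
      - https://www.twilio.com/docs/iam/api

  - name: Twilio API Key
    id: kingfisher.twilio.2
    # "twilio", then within 32 characters one of the keywords, then within
    # another 32 characters a 32-character alphanumeric value (the capture).
    # NOTE(review): there is no trailing \b after the capture group, so the
    # first 32 characters of a longer alphanumeric run also match - confirm
    # that is intended.
    pattern: |
      (?xi)
      \b
      twilio
      (?:.|[\n\r]){0,32}?
      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
      (?:.|[\n\r]){0,32}?
      \b
      (
        [a-z0-9]{32}
      )
    # NOTE(review): min_uppercase and min_lowercase together require a
    # mixed-case value, so an all-lowercase 32-character secret is not reported
    # by this rule - confirm that is intended.
    pattern_requirements:
      min_digits: 2
      min_uppercase: 1
      min_lowercase: 1
    min_entropy: 3.0
    examples:
      - Twilio_key=Cd2Bd1dE1201aE2DFFEcfeBafCc3c31D
    # Live check: the candidate pair TWILIOID:TOKEN is sent as HTTP Basic
    # credentials to the account listing endpoint. The pair counts as valid
    # only if the response contains both words listed below.
    validation:
      type: Http
      content:
        request:
          headers:
            Accept: '*/*'
            Authorization: "Basic {{ TWILIOID | append: ':' | append: TOKEN | b64enc }}"
            Content-Type: application/x-www-form-urlencoded
          method: GET
          response_matcher:
            # NOTE(review): report_response keeps the response body with the
            # finding. The body describes the account and may carry sensitive
            # fields, so handle scan reports as secret material.
            - report_response: true
            - match_all_words: true
              type: WordMatch
              words:
                - '"first_page_uri":'
                - '"accounts":'
          url: https://api.twilio.com/2010-04-01/Accounts.json
    references:
      - https://www.twilio.com/docs/usage/api#authentication
    # TWILIOID is filled from a kingfisher.twilio.1 match.
    depends_on_rule:
      - rule_id: "kingfisher.twilio.1"
        variable: TWILIOID
    # Revocation is destructive: step 2 deletes the API key.
    revocation:
      type: HttpMultiStep
      content:
        steps:
          # Step 1: look up the Account SID. It is needed for the DELETE URL
          # when TWILIOID is an API Key SID (SK...).
          - name: lookup_account_sid
            request:
              method: GET
              url: https://api.twilio.com/2010-04-01/Accounts.json
              headers:
                Accept: application/json
                Authorization: "Basic {{ TWILIOID | append: ':' | append: TOKEN | b64enc }}"
              response_matcher:
                - type: StatusMatch
                  status: [200]
                - type: JsonValid
            # NOTE(review): extract is written at step level, as a sibling of
            # request - confirm the nesting against the rule schema.
            extract:
              # SID of the first account in the listing.
              ACCOUNT_SID:
                type: JsonPath
                path: "$.accounts[0].sid"
          # Step 2: delete the API key named by TWILIOID (expected to be an
          # SK... key SID) under the account found in step 1. If TWILIOID is
          # an Account SID (AC...) this request fails; account SIDs are not
          # deleted this way.
          - name: delete_api_key
            request:
              method: DELETE
              url: "https://api.twilio.com/2010-04-01/Accounts/{{ ACCOUNT_SID }}/Keys/{{ TWILIOID }}.json"
              headers:
                # Authenticate with the same TWILIOID:TOKEN pair that step 1
                # and validation use. TOKEN is the secret paired with
                # TWILIOID; sending it with ACCOUNT_SID as the username mixes
                # two different credential pairs.
                # NOTE(review): the key's own permissions may not allow key
                # management. Treat any response other than 204 as
                # "not revoked" and rotate the key manually.
                Authorization: "Basic {{ TWILIOID | append: ':' | append: TOKEN | b64enc }}"
              response_matcher:
                - report_response: true
                - type: StatusMatch
                  status: [204]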