rules:
  # Four cooperating detection rules for Akamai API credentials. The three
  # token/host rules carry visible: false and exist to feed the client-secret
  # rule's live validation through depends_on_rule, so presumably only
  # kingfisher.akamai.2 surfaces as a finding.

  # Hidden helper: captures the client token, exposed to validation as CLIENT_TOKEN.
  - name: Akamai API Client Token
    id: kingfisher.akamai.1
    pattern: |
      (?x)
      \b
      (?i:client[_-]?token)
      \s*=\s*
      (
      akab-
      [A-Za-z0-9_-]{18,28}
      )
      \b
    pattern_requirements:
      # Digit and entropy floors on the captured value (inferred from the key
      # names — confirm against the rule schema).
      min_digits: 2
      min_entropy: 3.0
    confidence: medium
    visible: false
    examples:
      - "client-token=akab-sXedJBTOf0dHl27vVOd"
      - "client_token = akab-c113ntt0k3n4qtari252bfxxbsl-yvsdj"
    references:
      - https://techdocs.akamai.com/developer/docs/set-up-authentication-credentials

  # Hidden helper: captures the access token, exposed to validation as ACCESS_TOKEN.
  - name: Akamai API Access Token
    id: kingfisher.akamai.3
    pattern: |
      (?x)
      \b
      (?i:access[_-]?token)
      \s*=\s*
      (
      akab-
      [A-Za-z0-9_-]{18,36}
      )
      \b
    pattern_requirements:
      min_digits: 2
      min_entropy: 3.0
    confidence: medium
    visible: false
    examples:
      - "access-token=akab-xcsuUf7DY6xJgYscoe"
      - "access_token = akab-acc35t0k3nodujqunph3w7hzp7-gtm6ij"
    references:
      - https://techdocs.akamai.com/developer/docs/set-up-authentication-credentials

  # Hidden helper: captures the per-client API hostname (*.akamaiapis.net),
  # exposed to validation as HOST. The bare (?i:host) key is broad, hence
  # medium confidence.
  - name: Akamai API Host
    id: kingfisher.akamai.4
    pattern: |
      (?x)
      \b
      (?i:host)
      \s*=\s*
      (
      [A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.akamaiapis\.net
      )
      \b
    # NOTE(review): min_entropy sits at rule level here but under
    # pattern_requirements in the sibling rules — confirm the loader honours
    # both placements.
    min_entropy: 2.0
    confidence: medium
    visible: false
    examples:
      - "host = akab-h05tnam3wl42son7nktnlnnx-kbob3i3v.luna.akamaiapis.net"
    references:
      - https://techdocs.akamai.com/developer/docs/set-up-authentication-credentials

  # The reportable rule: the client secret itself. Its validation needs the
  # full EdgeGrid tuple (host, client token, access token) from the helpers.
  - name: Akamai API Client Secret
    id: kingfisher.akamai.2
    pattern: |
      (?x)
      \b
      (?i:client[_-]?mysecret|client[_-]?secret)
      \s*=\s*
      (
      [A-Za-z0-9+/=-]{20,36}
      )
    pattern_requirements:
      min_digits: 2
      min_uppercase: 2
      min_entropy: 3.0
    confidence: medium
    examples:
      - "client-secret=431733QPkO-TgxBHBnH6alirfy"
      - "client-mysecret=BcDeFgHi2345JKLM67nopqRS"
      - "client_secret = C113nt53KR3TN6N90yVuAgICxIRwsObLi0E67/N8eRN="
    references:
      - https://techdocs.akamai.com/developer/docs/set-up-authentication-credentials
      - https://techdocs.akamai.com/iam-api/reference/api-client-self
      - https://techdocs.akamai.com/developer/docs/make-your-first-api-call
    # Live check: an EG1-HMAC-SHA256 signed GET to the IAM v3 "self" API-client
    # endpoint, with the secret (TOKEN, presumably this rule's own capture)
    # used as the signing key. A 200 with valid JSON is treated as confirmation;
    # 401/403 counts against validity.
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://{{ HOST }}/identity-management/v3/api-clients/self
          headers:
            Accept: application/json
            # NOTE(review): `|` keeps one trailing newline on the rendered header
            # value; confirm the HTTP layer strips it, otherwise `|-` is safer.
            Authorization: |
              {%- assign timestamp = "" | iso_timestamp_no_frac | replace: "-", "" | replace: "Z", "+0000" -%}
              {%- assign nonce = "" | uuid -%}
              {%- assign auth_data = "EG1-HMAC-SHA256 client_token=" | append: CLIENT_TOKEN | append: ";access_token=" | append: ACCESS_TOKEN | append: ";timestamp=" | append: timestamp | append: ";nonce=" | append: nonce | append: ";" -%}
              {%- capture data_to_sign -%}GET https {{ HOST }} /identity-management/v3/api-clients/self {{ auth_data }}{%- endcapture -%}
              {%- assign signing_key = timestamp | hmac_sha256: TOKEN -%}
              {%- assign signature = data_to_sign | hmac_sha256: signing_key -%}
              {{ auth_data }}signature={{ signature }}
        # NOTE(review): Akamai's EdgeGrid signing string is tab-delimited and
        # carries empty signed-headers and content-hash fields between the path
        # and the auth header; the single spaces in data_to_sign above may be a
        # display artefact. Verify the rendered string — if it is wrong, every
        # genuine secret fails with 401 and is reported as invalid.
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200]
          - type: StatusMatch
            status: [401, 403]
            negative: true
          - type: JsonValid
    # Variables consumed by the validation template, sourced from the hidden
    # helper rules above.
    depends_on_rule:
      - rule_id: kingfisher.akamai.1
        variable: CLIENT_TOKEN
      - rule_id: kingfisher.akamai.3
        variable: ACCESS_TOKEN
      - rule_id: kingfisher.akamai.4
        variable: HOST
    # No revocation yet: Akamai documents self-deactivation in IAM v2 and
    # client-scoped deactivation in IAM v3, but the v3 docs available here do not
    # clearly expose a safe single-credential self flow we can derive from the
    # leaked tuple without risking broader API-client deactivation.