kingfisher/crates/kingfisher-rules/data/rules/azure-notification-hub.yml

rules:
# Helper rule: captures an Azure Service Bus namespace host
# (<label>.servicebus.windows.net) found either directly after
# `Endpoint=sb://` or after `https://` within 48 characters of the word
# "notification". Rule kingfisher.azure.notificationhub.4 in this file lists
# this id under depends_on_rule and binds it to NH_HOST.
- name: Azure Notification Hub Namespace Host
  id: kingfisher.azure.notificationhub.1
  # (?xi): extended syntax (whitespace inside the pattern is ignored) and
  # case-insensitive matching. The single capture group holds only the
  # hostname: one 2-63 character label of letters, digits and hyphens,
  # always ending in `.servicebus.windows.net`.
  # NOTE(review): if that capture is the value bound to NH_HOST (not shown
  # here, confirm), this suffix is what keeps the validation request in
  # rule .4 from being directed at a host outside that domain - keep it
  # when editing the pattern.
  pattern: |
    (?xi)
    \b
    (?:
    endpoint
    \s*=\s*
    sb://
    |
    notification
    (?:.|[\n\r]){0,48}?
    https://
    )
    (
    [a-z0-9]
    [a-z0-9-]{1,62}
    \.servicebus\.windows\.net
    )
    (?:/|;|\b)
  min_entropy: 2.0
  confidence: medium
  # Presumably keeps this helper match out of the reported findings; confirm
  # against the rule schema.
  visible: false
  examples:
  - Endpoint=sb://acme-push.servicebus.windows.net/;SharedAccessKeyName=DefaultListenSharedAccessSignature;SharedAccessKey=VGhpcytpcythK3Rlc3Qra2V5K3ZhbHVlLzEyMzQ1Njc4OTA=
  - 'notificationHubEndpoint: "https://mobile-prod.servicebus.windows.net"'
  references:
  - https://learn.microsoft.com/en-us/rest/api/notificationhubs/use-rest-api-backend
# Helper rule: captures the hub name assigned to a key such as
# notificationHubName, notificationHubPath, notificationName,
# notificationPath, hubName or hubPath. Rule
# kingfisher.azure.notificationhub.4 in this file binds it to NH_HUB.
- name: Azure Notification Hub Name
  id: kingfisher.azure.notificationhub.2
  # (?xi): extended syntax, case-insensitive. After the key and a `:` or `=`
  # (optionally quoted), the capture is 7-64 characters: a letter or digit
  # followed by letters, digits, `.`, `_` or `-`. The class excludes `/`,
  # `?` and `#`, so the captured value stays a single path segment when it
  # is substituted into the validation URL of rule .4.
  # Key names like `hubName` are not specific to Azure, so unrelated
  # assignments can match as well.
  pattern: |
    (?xi)
    \b
    (?:
    notification
    (?:hub)?
    (?:name|path)
    |
    hub
    (?:name|path)
    )
    \s*[:=]\s*
    ["']?
    (
    [A-Za-z0-9]
    [A-Za-z0-9._-]{6,63}
    )
    ["']?
    \b
  min_entropy: 2.0
  confidence: medium
  # Presumably keeps this helper match out of the reported findings; confirm
  # against the rule schema.
  visible: false
  examples:
  - NotificationHubPath=my-mobile-hub
  - 'notificationHubName: "android-prod"'
  references:
  - https://learn.microsoft.com/en-us/azure/notification-hubs/create-notification-hub-portal
# Helper rule: captures the value assigned to SharedAccessKeyName (the name
# of the shared access policy). Rule kingfisher.azure.notificationhub.4 in
# this file binds it to NH_KEY_NAME and places it in the `skn=` field of the
# signed token.
- name: Azure Notification Hub SAS Key Name
  id: kingfisher.azure.notificationhub.3
  # (?xi): extended syntax, case-insensitive. Accepts the key with or
  # without quotes, then `:` or `=`, then a 7-64 character value that starts
  # with a letter and continues with letters, digits, `_` or `-`.
  # The key name is an identifier, not the secret; the secret is the
  # SharedAccessKey value handled by rule .4.
  pattern: |
    (?xi)
    \b
    ["']?
    SharedAccessKeyName
    ["']?
    \s*[:=]\s*
    ["']?
    (
    [A-Za-z]
    [A-Za-z0-9_-]{6,63}
    )
    ["']?
    \b
  min_entropy: 2.0
  confidence: medium
  # Presumably keeps this helper match out of the reported findings; confirm
  # against the rule schema.
  visible: false
  examples:
  - SharedAccessKeyName=DefaultListenSharedAccessSignature
  - '"SharedAccessKeyName": "DefaultFullSharedAccessSignature"'
  references:
  - https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security
# Captures the base64 shared access key itself and checks it with a signed
# request built from the host, hub name and key name captured by rules
# .1, .2 and .3 (see depends_on_rule below). This is the only rule in the
# file without `visible: false`.
- name: Azure Notification Hub Access Key
  id: kingfisher.azure.notificationhub.4
  # (?xi): extended syntax, case-insensitive. Two contexts are accepted in
  # front of the `:`/`=` and the key:
  #   1. "notification hub" or `Endpoint=sb://<ns>.servicebus.windows.net`,
  #      then `SharedAccessKey` within 160 characters (newlines included);
  #   2. a name hubAccessKey, notificationHubKey or notificationHubAccessKey.
  # The capture is 32-88 base64 characters plus up to two `=`. The final
  # group requires a non-base64 character or end of input, so a longer
  # base64 run is rejected instead of being captured truncated.
  # NOTE(review): context 1 does not require the word "notification" when
  # the `Endpoint=sb://` form is present, so connection strings of other
  # services hosted on servicebus.windows.net (presumably e.g. Service Bus)
  # match too; their keys would be labelled as Notification Hub keys and
  # would not validate against the registrations URL below. Confirm this
  # overlap is intended.
  pattern: |
    (?xi)
    (?:
    (?:notification\s*hub|Endpoint\s*=\s*sb://[a-z0-9-]{2,63}\.servicebus\.windows\.net/?)
    (?:.|[\n\r]){0,160}?
    SharedAccessKey
    |
    \b
    (?:hubAccessKey|notificationHub(?:Access)?Key)
    \b
    )
    \s*[:=]\s*
    ["']?
    (
    [A-Za-z0-9+/]{32,88}={0,2}
    )
    ["']?
    (?:[^A-Za-z0-9+/=]|$)
  # Character-class minimums plus a word deny-list, presumably used to drop
  # documentation placeholders. Whether they are evaluated against the
  # capture or the whole match is not visible here - confirm.
  pattern_requirements:
    min_digits: 2
    min_uppercase: 1
    min_lowercase: 1
    ignore_if_contains:
    - example
    - sample
    - document
    - placeholder
  min_entropy: 3.7
  confidence: medium
  examples:
  - Endpoint=sb://acme-push.servicebus.windows.net/;SharedAccessKeyName=DefaultListenSharedAccessSignature;SharedAccessKey=Q29udG9zb1Rlc3RLZXkrMTIzNDU2Nzg5MC9BQkNERUZHSEk=
  - |
    const config = {
    notificationHubName: "android-prod",
    hubAccessKey: "U2FmZUtleVZhbHVlKzEyMzQ1Njc4OTBBQkNERUYrLz09"
    };
  references:
  - https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-security
  - https://learn.microsoft.com/en-us/rest/api/notificationhubs/use-rest-api-backend
  # Values captured by the three helper rules are exposed to the validation
  # template under these variable names.
  # NOTE(review): host, hub name and key name are matched independently of
  # the key; how the engine pairs them when a file holds several hubs is not
  # visible here. A failed validation therefore does not prove the key is
  # inactive - treat unvalidated findings as still needing rotation review.
  depends_on_rule:
  - rule_id: kingfisher.azure.notificationhub.1
    variable: NH_HOST
  - rule_id: kingfisher.azure.notificationhub.2
    variable: NH_HUB
  - rule_id: kingfisher.azure.notificationhub.3
    variable: NH_KEY_NAME
  # Live check: a GET on the hub's registrations feed, authorised with a
  # SharedAccessSignature token derived from the captured key.
  validation:
    type: Http
    content:
      request:
        method: GET
        url: 'https://{{ NH_HOST }}/{{ NH_HUB }}/registrations/?api-version=2015-01'
        headers:
          Accept: application/atom+xml
          # Builds `SharedAccessSignature sr=<uri>&sig=<mac>&se=<expiry>&skn=<name>`:
          #   uri     - the same URL as the request, URL-encoded in `sr=`
          #   se      - `unix_timestamp` plus 300 (presumably now + 5 minutes)
          #   to_sign - URL-encoded uri, a newline, then se
          #   sig     - HMAC-SHA256 of to_sign keyed with TOKEN (presumably
          #             this rule's captured key), URL-encoded
          # Only the signature is placed in the request; TOKEN itself is not.
          # NOTE(review): the filter name `hmac_sha256_b64key` suggests the
          # key is base64-decoded before use. Microsoft's SAS samples for
          # Notification Hubs key the HMAC with the UTF-8 bytes of the key
          # string - confirm the filter's behaviour, because a mismatch
          # would make every live key fail validation.
          Authorization: |
            {%- assign uri = "https://" | append: NH_HOST | append: "/" | append: NH_HUB | append: "/registrations/?api-version=2015-01" -%}
            {%- assign se = "" | unix_timestamp | plus: 300 -%}
            {%- assign nl = "" | newline -%}
            {%- assign to_sign = uri | url_encode | append: nl | append: se -%}
            {%- capture auth -%}SharedAccessSignature sr={{ uri | url_encode }}&sig={{ to_sign | hmac_sha256_b64key: TOKEN | url_encode }}&se={{ se }}&skn={{ NH_KEY_NAME | url_encode }}{%- endcapture -%}
            {{ auth | strip_newlines }}
        # Accepts the key when the response has status 200, parses as XML and
        # contains `<feed` (presumably all matchers must pass).
        # NOTE(review): `report_response: true` presumably attaches the
        # response body to the finding. A registrations feed can carry
        # device registration data, so handle stored validation output as
        # sensitive. A key whose policy lacks the right needed to read
        # registrations may be live yet not return 200 here - confirm which
        # SAS rights this endpoint accepts.
        response_matcher:
        - report_response: true
        - type: StatusMatch
          status: [200]
        - type: XmlValid
        - type: WordMatch
          words:
          - "<feed"