- Added active credential validation for Temporal Cloud API keys: the candidate key is sent as a bearer token to `GET https://saas-api.tmprl.cloud/cloud/current-identity`, so Temporal keys are validated against the provider's own API instead of generic OIDC discovery.
- Fixed JWT issuer normalization so that bare-host issuers (e.g. `iss: temporal.io`) are treated as HTTPS URLs during discovery, avoiding low-level URL-builder failures.
- Added `crates/kingfisher-rules/build.rs` so that the embedded rule assets are rebuilt whenever files under `crates/kingfisher-rules/data` change.
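---
# Kingfisher rule: Temporal Cloud API keys.
#
# A Temporal Cloud API key is a JWT: three base64url segments separated by
# ".". Rather than decoding the token, the pattern anchors on base64url
# fragments of the JSON payload claims (account_id, temporal.io, key_id).
#
# Security note: a candidate secret is actively validated by presenting it
# as a bearer credential to the Temporal Cloud identity endpoint over HTTPS,
# i.e. every candidate is transmitted to the provider whenever validation
# is enabled.
rules:
  - name: Temporal Cloud API Key
    id: kingfisher.temporal.1
    # Verbose-mode regex ((?x)): whitespace is insignificant and "#" starts a
    # comment that runs to end of line, so each segment can be annotated inline.
    pattern: |
      (?x)
      \b
      (
        eyJ[A-Za-z0-9_-]{10,}                                    # JOSE header segment ("eyJ" is base64 of '{"' + a letter)
        \.
        [A-Za-z0-9_-]*Y2NvdW50X2lk                               # payload contains "account_id"
        [A-Za-z0-9_-]*InRlbXBvcmFsLmlv                           # payload contains "temporal.io"
        [A-Za-z0-9_-]*(?:ICJrZXlfaWQiOi|a2V5X2lk|rZXlfaWQi)      # payload contains "key_id" (alternation covers the other base64 phases)
        [A-Za-z0-9_-]{20,}
        \.
        [A-Za-z0-9_-]{20,}                                       # signature segment
      )
      \b
    # NOTE(review): the "account_id" and "temporal.io" anchors each match at a
    # single base64 alignment (the one produced when account_id is the first
    # claim, as in the examples), whereas "key_id" is matched at all three.
    # If the issuer ever reorders claims or changes the bytes preceding those
    # claims, the encoding shifts and the first two anchors stop matching --
    # confirm against live tokens before relying on this rule for coverage.
    pattern_requirements:
      min_digits: 3
      min_entropy: 3.2
    confidence: medium
    examples:
      - 'temporal_api_key="eyJhbGciOiJFUzI1NiIsImtpZCI6IlNhbXBsZSJ9.eyJhY2NvdW50X2lkIjoic2FtcGxlIiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoic2FtcGxlLWtleSIsInN1YiI6InVzZXItMTIzIiwiZXhwIjoyMDAwMDAwMDAwfQ.c2lnbmF0dXJlX3BsYWNlaG9sZGVyXzEyMzQ1Njc4OTA"'
      - 'temporal --profile cloud config set --prop api_key --value "eyJhbGciOiJFUzI1NiIsImtpZCI6IkFub3RoZXJLZXkifQ.eyJhY2NvdW50X2lkIjoidGVzdC1hY2N0IiwiYXVkIjpbInRlbXBvcmFsLmlvIl0sImlzcyI6InRlbXBvcmFsLmlvIiwia2V5X2lkIjoidGVzdC1rZXktaWQiLCJzdWIiOiJ1c2VyLXRlc3QiLCJleHAiOjIwMDAwMDAwMDB9.c2lnbmF0dXJlX3Rlc3RfdmFsdWVfMDEyMzQ1Njc4OTAi'
    negative_examples:
      # A generic JWT whose payload carries none of the Temporal claims.
      - 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInN1YiI6InVzZXIiLCJleHAiOjE5NzIxNzI0NjF9.WQWcwBAQFNE259f2o8ruFln_UMLTFEnEaUD7KHrs9Aw'
    references:
      - https://docs.temporal.io/cloud/api-keys
      - https://docs.temporal.io/cli/env-config
    # Active validation: the captured token is presented as a bearer credential
    # to the Temporal Cloud identity endpoint. A 200 whose body mentions a
    # "user" or "serviceAccount" identity is treated as a live key.
    validation:
      type: Http
      content:
        request:
          method: GET
          url: https://saas-api.tmprl.cloud/cloud/current-identity
          headers:
            # {{ TOKEN }} is presumably substituted with the matched token.
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
        response_matcher:
          # NOTE(review): report_response presumably includes the provider's
          # response body (identity details) in the finding -- treat the scan
          # output as sensitive.
          - report_response: true
          - type: StatusMatch
            status: [200]
          - type: WordMatch
            words:
              - '"user"'
              - '"serviceAccount"'
            # Either word is sufficient.
            match_all_words: false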