
rules:
# LiveKit API key: the literal prefix "API" followed by 12 alphanumerics,
# reported only when "livekit" (any case) occurs within 32 characters before it.
- name: LiveKit API Key
  id: kingfisher.livekit.1
  # visible: false — the captured value is consumed as API_KEY by
  # kingfisher.livekit.2 through its depends_on_rule entry.
  visible: false
  # (?x) makes the layout whitespace-insensitive; only the "livekit" context
  # word is case-insensitive, the "API" prefix must be uppercase.
  pattern: |
    (?x)
    \b (?i:livekit) (?:.|[\n\r]){0,32}? \b
    ( API[A-Za-z0-9]{12} )
    \b
  pattern_requirements:
    # NOTE(review): the fixed "API" prefix already contributes 3 uppercase
    # letters, so min_uppercase: 3 places no constraint on the 12-character
    # suffix — confirm this is intended.
    min_uppercase: 3
    min_entropy: 2.5
  confidence: medium
  examples:
  - 'LIVEKIT_API_KEY=APIAb1Cd2Ef3Gh4'
  - 'livekit_key: "APIQw2Er3Ty4Ui5"'
  references:
  - https://docs.livekit.io/home/get-started/authentication/
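# LiveKit API secret (43–44 alphanumerics after a livekit*secret key name).
# Verification signs a short-lived HS256 JWT with the secret (TOKEN), using
# the API key (API_KEY) as issuer, and calls RoomService/ListParticipants on
# the server captured as LIVEKIT_URL.
- name: LiveKit API Secret
  id: kingfisher.livekit.2
  # LiveKit validation needs the URL and API key as well, so standalone API
  # secrets must remain detectable even when contextual verification is
  # unavailable.
  visible: true
  # (?i) applies to the whole pattern, so one spelling per variant suffices:
  # livekit_api_secret, livekit_secret, livekit-secret and livekitsecret are
  # all matched in any case mix.
  pattern: |
    (?xi)
    \b
    (?:
      livekit_api_secret
      |
      livekit[-_]?secret
    )
    \s*[:=]\s*
    ['"]?
    (
      [A-Za-z0-9]{43,44}
    )
    ['"]?
    \b
  pattern_requirements:
    min_digits: 3
    min_uppercase: 3
    min_lowercase: 3
    min_entropy: 3.0
  confidence: medium
  examples:
  - 'LIVEKIT_API_SECRET=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AaBbCcDd'
  references:
  - https://docs.livekit.io/home/get-started/authentication/
  - https://docs.livekit.io/reference/other/roomservice-api.md
  - https://docs.livekit.io/frontends/reference/tokens-grants.md
  depends_on_rule:
  - rule_id: kingfisher.livekit.1
    variable: API_KEY
  - rule_id: kingfisher.livekit.3
    variable: LIVEKIT_URL
  validation:
    type: Http
    content:
      request:
        method: POST
        # LIVEKIT_URL is captured as a WebSocket URL; the Twirp REST endpoint
        # is addressed over the matching HTTP scheme on the same host.
        # NOTE(review): `>` keeps one trailing newline on the rendered URL —
        # confirm the template/HTTP layer trims it, otherwise switch to `>-`.
        url: >
          {%- assign base_url = LIVEKIT_URL
          | replace: "wss://", "https://"
          | replace: "ws://", "http://" -%}
          {{ base_url }}/twirp/livekit.RoomService/ListParticipants
        headers:
          Content-Type: application/json
          Accept: application/json
          # Access token: HS256 JWT with iss = API key, signed with the secret
          # (TOKEN); valid for 300 s with a 5 s nbf skew allowance, and its
          # video grant is scoped to a sentinel room name. hmac_sha256 is
          # presumably standard base64, hence the +/- and /_ swaps and "="
          # stripping to reach base64url. The {%- -%} whitespace controls
          # remove the spaces the folded scalar inserts between lines, so the
          # header renders as a single "Bearer <header>.<payload>.<sig>".
          Authorization: >-
            {%- assign header = "HS256" | jwt_header -%}
            {%- assign now = "" | unix_timestamp -%}
            {%- assign exp = now | plus: 300 -%}
            {%- assign nbf = now | minus: 5 -%}
            {%- assign payload_json = '{"iss":"'
            | append: API_KEY
            | append: '","sub":"kingfisher-validation","exp":'
            | append: exp
            | append: ',"nbf":'
            | append: nbf
            | append: ',"video":{"roomAdmin":true,"room":"__kingfisher_validation__"}}' -%}
            {%- assign payload = payload_json | b64url_enc -%}
            {%- assign signing_input = header | append: "." | append: payload -%}
            {%- assign sig_b64 = signing_input | hmac_sha256: TOKEN -%}
            {%- assign sig = sig_b64 | replace: "+", "-" | replace: "/", "_" | replace: "=", "" -%}
            Bearer {{ header }}.{{ payload }}.{{ sig }}
        body: |
          {"room":"__kingfisher_validation__"}
      response_matcher:
      - report_response: true
      # 200 lists participants; 404 is presumably the sentinel room not
      # existing, which still shows the token was accepted.
      - type: StatusMatch
        status: [200, 404]
      # 401/403 indicate the key or signature was rejected.
      - type: StatusMatch
        status: [401, 403]
        negative: true
      - type: JsonValid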
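# LiveKit server URL (ws/wss/http/https). visible: false — this rule exists
# to supply LIVEKIT_URL to the secret rule's verification request (see the
# depends_on_rule entry on kingfisher.livekit.2).
- name: LiveKit URL
  id: kingfisher.livekit.3
  # "livekit" must be followed within 32 characters by URL/HOST/WS_URL/HTTP_URL
  # and the URL itself within a further 16. Any host is accepted (self-hosted
  # deployments as well as *.livekit.cloud). An optional :port is captured so
  # self-hosted development URLs such as ws://localhost:7880 keep their port
  # for verification; paths are not captured.
  pattern: |
    (?xi)
    \b livekit
    (?:.|[\n\r]){0,32}?
    (?:URL|HOST|WS[_-]?URL|HTTP[_-]?URL)
    (?:.|[\n\r]){0,16}?
    (
      (?:wss?|https?)://[A-Za-z0-9.-]{2,}(?::\d{1,5})?
    )
    \b
  # NOTE(review): the other rules in this file nest min_entropy under
  # pattern_requirements; confirm the rule loader accepts it at rule level.
  min_entropy: 3.0
  confidence: medium
  visible: false
  examples:
  - 'LIVEKIT_URL=wss://acme-demo.livekit.cloud'
  - 'livekit_host=https://acme-voice.livekit.cloud'
  - 'LIVEKIT_URL=ws://localhost:7880'
  references:
  - https://docs.livekit.io/home/get-started/authentication/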