kingfisher/crates/kingfisher-rules/data/rules/openshift.yml

rules:
# Helper rule: captures an https:// OpenShift API server URL that appears
# either after `oc login ... --server=` or after an `openshift`-prefixed key
# (server / api / api_server / cluster / cluster_url variants) followed by
# `:` or `=`. The single capture group holds the scheme, the host (a DNS-style
# name or a bracketed IPv6-style literal) and an optional 2-5 digit port; any
# path after that is not captured.
# kingfisher.openshift.2 reads this capture as OPENSHIFT_API_SERVER through
# its depends_on_rule entry and uses it as the base URL of its validation
# request.
# NOTE(review): the host part accepts any https authority found in scanned
# content, including internal names and addresses. Because the dependent rule
# sends a bearer token to this value, treat it as untrusted input and confirm
# what egress restrictions the validator applies before enabling validation
# on content you do not control.
- name: OpenShift API Server URL
  id: kingfisher.openshift.1
  # (?xi): extended (whitespace-insensitive) and case-insensitive matching.
  # The lazy {0,128}? / {0,32}? gaps bound how far the keyword may sit from
  # the URL, newlines included.
  pattern: |
    (?xi)
    (?:
    \boc\s+login\b
    (?:.|[\n\r]){0,128}?
    --server=
    |
    \bopenshift(?:[_-]?(?:server|api(?:[_-]?server)?|cluster(?:[_-]?url)?))?\b
    (?:.|[\n\r]){0,32}?
    \b(?:server|api(?:[_-]?server)?|cluster(?:[_-]?url)?)?\b
    \s*[:=]\s*
    )
    ["']?
    (
    https://
    (?:
    \[[0-9a-f:.]+\]
    |
    [a-z0-9]
    [a-z0-9.-]{1,253}
    )
    (?::\d{2,5})?
    )
    ["']?
  min_entropy: 2.0
  confidence: medium
  # presumably keeps this helper match out of reported findings, since a
  # server URL alone is not a secret - confirm against the rule schema
  visible: false
  examples:
  - oc login --token=sha256~kV46hPnEYhCWFnB85r5NrprAxggzgb6GOeLbgcKNsH0 --server=https://api.cluster.example.com:6443
  - OPENSHIFT_SERVER=https://api.dev-cluster.example.net:6443
  references:
  - https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html-single/authentication_and_authorization/index
  - https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/user_and_group_apis/user-user-openshift-io-v1
# Detects OpenShift OAuth access tokens: the literal prefix `sha256~` followed
# by exactly 43 characters from [A-Za-z0-9_-], terminated by a character
# outside that set or by end of input. The capture group includes the prefix.
- name: OpenShift OAuth Access Token
  id: kingfisher.openshift.2
  pattern: |
    (?x)
    \b
    (
    sha256~[A-Za-z0-9_-]{43}
    )
    (?:[^A-Za-z0-9_-]|$)
  # NOTE(review): the captured text starts with `sha256~`, which already
  # contains three lowercase letters and three digits. If these minimums are
  # evaluated on the whole capture, only min_uppercase filters anything -
  # confirm how the engine applies them.
  pattern_requirements:
    min_digits: 3
    min_uppercase: 1
    min_lowercase: 3
    # Placeholder strings; presumably a match containing one is dropped.
    ignore_if_contains:
    - put_your_token_here
    - xxxxxx
  min_entropy: 3.8
  confidence: medium
  examples:
  - 'Authorization: Bearer sha256~kV46hPnEYhCWFnB85r5NrprAxggzgb6GOeLbgcKNsH0'
  - oc login --token=sha256~ZBMKw9VAayhdnyANaHvjJeXDiGwA7Fsr5gtLKj3-eh- --server=https://api.cluster.example.com:6443
  references:
  - https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/oauth_apis/oauthaccesstoken-oauth-openshift-io-v1
  - https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html-single/authentication_and_authorization/index
  # The validation URL is built from the server URL captured by
  # kingfisher.openshift.1, exposed here as OPENSHIFT_API_SERVER.
  depends_on_rule:
  - rule_id: kingfisher.openshift.1
    variable: OPENSHIFT_API_SERVER
  # Live check: GET the user list from the captured API server with the
  # candidate token as a bearer credential.
  # NOTE(review): the destination host comes from scanned content, so the
  # token is transmitted to whatever https authority rule 1 matched next to
  # it. On untrusted input that host may be an arbitrary or internal
  # endpoint; confirm the validator's destination restrictions.
  validation:
    type: Http
    content:
      request:
        method: GET
        url: '{{ OPENSHIFT_API_SERVER }}/apis/user.openshift.io/v1/users'
        headers:
          Authorization: 'Bearer {{ TOKEN }}'
          Accept: application/json
        response_matcher:
        # presumably attaches the response body to the finding; on a 200 that
        # body is the cluster's user list, so treat reports as sensitive -
        # confirm
        - report_response: true
        # 403 is accepted alongside 200, presumably because an authenticated
        # token without permission to list users is still a live token. Any
        # host answering 403 with a JSON body would also satisfy these
        # matchers, so a "validated" result does not prove the host is an
        # OpenShift API server.
        - type: StatusMatch
          status: [200, 403]
        - type: JsonValid