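---
rules:
  - name: Tinybird Static Token
    id: kingfisher.tinybird.1
    # A static token is three dot-separated parts: a literal "p." prefix, a
    # base64url payload (the fixed "eyJ1I" prefix is presumably the encoding
    # of the start of the JSON payload, `{"u`), and a 43-character base64url
    # signature (32 bytes, likely an HMAC-SHA256). (?x) makes the layout
    # whitespace insignificant, so the grouping below is purely cosmetic.
    pattern: |
      (?x)
      \b
      (
        p\.eyJ1I[A-Za-z0-9_-]{80,260}\.[A-Za-z0-9_-]{43}
      )
      (?:[^A-Za-z0-9_-]|$)
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
      min_special_chars: 2
      min_entropy: 3.5
    confidence: medium
    # Constructed sample tokens (payload decodes to a JSON object carrying
    # "u", "id" and "host"); the "host" values exercise the region mapping
    # in the validation template below.
    examples:
      - 'workspace admin token: p.eyJ1IjogIjdmMmM5YTQxLWI2ZDgtNGUwMy05MWFhLTU4YzI0YjdkMGU5NiIsICJpZCI6ICI1YTBiOGM3MS1kM2U0LTRmMjktOGI2NS0wYzlkMmU3YTRmMTMiLCAiaG9zdCI6ICJnY3AtZXVyb3BlLXdlc3QyIn0.QgGQO4xKgNTfZ6GHe8_sBeTk4b2axbZLEdvzCQYvHnw'  # nosemgrep: generic-jwt-token
      - 'admin token: "p.eyJ1IjogImM5NGE3ZDUyLThmMDMtNDdiZS05YTE2LTJlODBkNWI3YzM0MSIsICJpZCI6ICIwZDdiMmY0OC02YTkxLTRjNWUtOGYzMC1iMmE2ZDU5ZTAxN2MiLCAiaG9zdCI6ICJnY3AtdXMtZWFzdDEifQ.rziyKeAZJYhenUJChcWxV1K8n_3ejHiS4XlzXK49jFI"'  # nosemgrep: generic-jwt-token
      - 'user token: p.eyJ1IjogIjNiOGU3MmQwLWE5MTQtNGY2Yy04NmQxLTA1YzdlMjlhNGI2OCIsICJpZCI6ICJlMTdjNmYzMC00YjhhLTQxZDktOTI3ZS02YTA1YjM4YzJmNzQiLCAiaG9zdCI6ICJhd3MtdXMtZWFzdC0xIn0.IIU-mUxglkE7kOSc8tweaZIcwACiBNCqoGAnoeluISA'  # nosemgrep: generic-jwt-token
    references:
      - https://www.tinybird.co/docs/api-reference/token-api
      - https://tinybird.co/docs/forward/administration/tokens/static-tokens
    # Validation decodes the JWT payload to extract the "host" field, maps it to
    # the correct regional API base URL, then calls GET /v0/pipes/ which requires
    # only read scope and returns 200 for any valid token with pipe-read access.
    # Write-only tokens (DATASOURCES:APPEND) may return 403 even if valid.
    #
    # The payload is attacker-controlled text from the scanned repository, so
    # "host" is never trusted as-is: known hosts map to fixed API bases, and the
    # generic "aws-<region>" branch only builds a hostname from the region when
    # it contains no characters that could alter the URL's authority or path
    # (otherwise the request falls back to the default base). This keeps the
    # scanner from sending the Authorization header to an unintended host.
    validation:
      type: Http
      content:
        request:
          method: GET
          # Folded scalar: every Liquid tag uses whitespace-trimming delimiters
          # ({%- -%}), so the rendered value is just the final URL line;
          # ">-" also drops the trailing newline a plain ">" would keep.
          url: >-
            {%- assign parts = TOKEN | split: "." -%}
            {%- assign payload_enc = parts[1] -%}
            {%- assign payload = payload_enc | b64url_dec -%}
            {%- assign after_host_key = payload | split: '"host"' -%}
            {%- assign after_host_val = after_host_key[1] -%}
            {%- assign host_parts = after_host_val | split: '"' -%}
            {%- assign host = host_parts[1] -%}
            {%- if host == "gcp-europe-west3" or host == "eu_shared" -%}
              {%- assign api_base = "api.tinybird.co" -%}
            {%- elsif host == "gcp-europe-west2" -%}
              {%- assign api_base = "api.europe-west2.gcp.tinybird.co" -%}
            {%- elsif host == "gcp-us-east4" or host == "us_east" or host == "gcp-us-east1" -%}
              {%- assign api_base = "api.us-east.tinybird.co" -%}
            {%- elsif host == "gcp-northamerica-northeast2" or host == "northamerica-northeast2-gcp" -%}
              {%- assign api_base = "api.northamerica-northeast2.gcp.tinybird.co" -%}
            {%- elsif host == "us-east-aws" -%}
              {%- assign api_base = "api.us-east.aws.tinybird.co" -%}
            {%- elsif host contains "aws-" -%}
              {%- assign region = host | remove: "aws-" -%}
              {%- if region == "" or region contains "." or region contains "/" or region contains ":" or region contains "@" or region contains "?" or region contains "#" or region contains "%" or region contains "\" or region contains " " -%}
                {%- assign api_base = "api.tinybird.co" -%}
              {%- else -%}
                {%- assign api_base = "api." | append: region | append: ".aws.tinybird.co" -%}
              {%- endif -%}
            {%- else -%}
              {%- assign api_base = "api.tinybird.co" -%}
            {%- endif -%}
            https://{{ api_base }}/v0/pipes/
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Accept: application/json
        # A hit requires an HTTP 200 with a JSON body; the response is kept
        # in the finding for reviewer context.
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200]
          - type: JsonValid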