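---
# Kingfisher detection rules for Unkey credentials: root keys (`unkey_…`),
# `key_…` tokens, and the creation-time plaintext of an API key.
#
# Each rule is a regex (verbose mode) gated by `pattern_requirements`
# (charset mix + Shannon entropy) to cut false positives on low-entropy
# identifiers. Where a `validation` or `revocation` block is present it makes
# a live HTTPS request to api.unkey.com that carries the matched secret, so
# running those actions exfiltrates the candidate to Unkey — acceptable for
# triage, but worth knowing before scanning in an air-gapped or client
# environment.
rules:
  - name: Unkey Root Key
    id: kingfisher.unkey.1
    # Root keys are the account-level credential; a hit here is the most
    # severe of the three rules.
    pattern: |
      (?x)
      \b
      (
        unkey_[A-Za-z0-9]{20,32}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
      min_entropy: 3.5
    confidence: medium
    examples:
      - 'UNKEY_ROOT_KEY=unkey_3ZVfA2xpgBS9WJjN4m8ApeJg'
      - 'Authorization: Bearer unkey_3ZV3tmPyoE5mmf1P6EHFJfG3'
      - 'unkey_root_key = "unkey_3ZV4z6rNpDCjmyadJH1MttTh"'
    # Liveness probe: authenticate to keys.verifyKey with the candidate root
    # key and ask it to verify a deliberately bogus key. The matcher treats a
    # 200 or 403 whose body does not contain "Unauthorized" as proof that the
    # root key itself authenticated; the bogus key is never a valid credential.
    # TOKEN is interpolated unescaped, which is safe only because the pattern
    # restricts it to [A-Za-z0-9_].
    validation:
      type: Http
      content:
        request:
          method: POST
          url: https://api.unkey.com/v2/keys.verifyKey
          headers:
            Authorization: "Bearer {{ TOKEN }}"
            Content-Type: application/json
          body: '{"key":"invalid_key_test"}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200, 403]
          - type: WordMatch
            words:
              - '"Unauthorized"'
            negative: true
            match_all_words: false
    # Root keys cannot be revoked via API; use Settings → Root Keys in the Unkey dashboard.
    references:
      - https://www.unkey.com/docs/security/root-keys
      - https://www.unkey.com/docs/api-reference/v2/auth
      - https://www.unkey.com/docs/api-reference/v2/keys/verify-api-key

  - name: Unkey API Key (key_ prefix)
    id: kingfisher.unkey.2
    # `key_` is a generic prefix shared by many products, hence medium
    # confidence; the charset/entropy requirements below do most of the
    # filtering. The pattern is case-sensitive, so `KEY_...` env var names and
    # the `unkey_` root-key prefix (no word boundary before `key_`) do not hit.
    pattern: |
      (?x)
      \b
      (
        key_[A-Za-z0-9]{10,48}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
      min_entropy: 3.5
    confidence: medium
    examples:
      - 'UNKEY_API_KEY=key_KH1V87o2X2GW'
      - 'x-api-key: key_KH1V87o2X2GW'
      - 'Authorization: Bearer key_KH1V87o2X2GW'
    # No `validation` block: verifying a key against keys.verifyKey needs a
    # root key, which the scanner does not have unless the operator supplies
    # one (see revocation below).
    #
    # Revocation requires a root key with api.*.delete_key permission.
    # Pass via: --var UNKEY_ROOT_KEY=unkey_xxx
    #
    # This is a destructive action authenticated with an operator-supplied
    # root key, not with the finding itself. The match is sent as `keyId`,
    # i.e. the key's identifier. NOTE(review): the examples above show the
    # same `key_…` value used as a bearer / x-api-key credential (the
    # plaintext), and deleteKey is documented as taking an ID — confirm
    # against the Unkey docs which form `key_…` values take; a plaintext
    # passed as keyId may simply not be found. `"permanent":false` is sent,
    # presumably requesting a recoverable (non-permanent) delete — verify.
    # TOKEN is json_escape'd because it lands inside a JSON string literal.
    revocation:
      type: Http
      content:
        request:
          method: POST
          url: https://api.unkey.com/v2/keys.deleteKey
          headers:
            Authorization: "Bearer {{ UNKEY_ROOT_KEY }}"
            Content-Type: application/json
          body: '{"keyId":"{{ TOKEN | json_escape }}","permanent":false}'
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200]
    references:
      - https://www.unkey.com/docs/api-reference/v2/keys/create-api-key
      - https://www.unkey.com/docs/api-reference/v2/keys/verify-api-key
      - https://www.unkey.com/docs/api-reference/v2/keys/delete-api-keys

  - name: Unkey API Key Secret (creation-only plaintext)
    id: kingfisher.unkey.3
    # The plaintext of a created key has no fixed prefix, so this rule keys
    # off a variable name (`unkey` plus one to three of _secret/_plaintext/
    # _key/_create, case-insensitive) followed by `=` or `:` and an optional
    # quote. Only the `secret` group is the credential. The trailing `\b`
    # binds to the last character of the value; when the value is quoted the
    # optional closing quote is backtracked out rather than consumed, which
    # is harmless. There is no validation or revocation: the plaintext alone
    # cannot be verified or deleted without the corresponding keyId and a
    # root key.
    pattern: |
      (?xi)
      unkey
      (?:_(?:secret|plaintext|key|create)){1,3}
      \s* [=:] \s*
      ['"]?
      (?P<secret>[A-Za-z0-9]{20,48})
      ['"]?
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 1
      min_lowercase: 1
      min_entropy: 3.5
    confidence: medium
    examples:
      - 'unkey_secret = "3Zem2ZG4U1rsRiMSxy6pBjvZ"'
      - 'UNKEY_KEY_SECRET: 3Zem2ZG4U1rsRiMSxy6pBjvZ'
    references:
      - https://www.unkey.com/docs/api-reference/v2/keys/create-api-key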