kingfisher/crates/kingfisher-rules/data/rules/docusign.yml
2026-04-06 22:18:58 -07:00


rules:
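# Detects a DocuSign OAuth client secret: a hex UUID that follows a
# secret-style key name within 64 characters of the word "docusign".
- name: DocuSign API Secret Key
  id: kingfisher.docusign.1
  # There is no \b in front of the key-name alternation (same as rules
  # kingfisher.docusign.2 and .4): "_" is a word character, so a leading \b
  # would skip env-style names such as DOCUSIGN_SECRET_KEY= and
  # DOCUSIGN_CLIENT_SECRET=.
  pattern: |
    (?xi)
    \b
    docusign
    (?:.|[\n\r]){0,64}?
    (?:secret[_-]?key|ds[_-]?secret|secret)\b
    (?:.|[\n\r]){0,16}?
    [=:"'\s]
    ['"]*
    (
    [a-f0-9]{8}-
    [a-f0-9]{4}-
    [a-f0-9]{4}-
    [a-f0-9]{4}-
    [a-f0-9]{12}
    )
    \b
  pattern_requirements:
    min_digits: 6
  min_entropy: 3.0
  confidence: medium
  examples:
  - "docusign.secret_key = 7a39ce6d-94cf-4bf6-9e9e-9213373c15f4"
  - "docusign\nds_secret = 3d2f18c9-2075-4e78-834b-64f57f8757d0"
  # Constructed sample (reuses the UUID above) covering the env-var form.
  - "DOCUSIGN_CLIENT_SECRET=7a39ce6d-94cf-4bf6-9e9e-9213373c15f4"
  validation:
    type: Http
    content:
      request:
        method: POST
        # The host is the capture of kingfisher.docusign.3, which only matches
        # account.docusign.com or account-d.docusign.com, so the candidate
        # secret is never posted to an arbitrary host found in scanned content.
        url: "https://{{ DOCUSIGN_AUTH_HOST }}/oauth/token"
        headers:
          Accept: application/json
          Content-Type: application/x-www-form-urlencoded
        # The authorization code is deliberately invalid, so the probe is not
        # expected to mint a token. ">-" (not ">") keeps a trailing newline
        # out of the form body, where it would become part of redirect_uri.
        body: >-
          grant_type=authorization_code&code=INVALID_AUTH_CODE&client_id={{ DOCUSIGN_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ REDIRECT_URI | url_encode }}
        # A match needs HTTP 400, one of the invalid-grant phrases, and no
        # "invalid_client" in the response.
        # NOTE(review): this presumes the endpoint checks the client
        # credentials before the code - confirm against the DocuSign docs.
        response_matcher:
        - report_response: true
        - type: StatusMatch
          status: [400]
        - type: WordMatch
          match_all_words: false
          words:
          - invalid_grant
          - invalid authorization code
        - type: WordMatch
          words:
          - invalid_client
          negative: true
  # Values captured by the helper rules below fill the template variables.
  # NOTE(review): each helper matches independently of this secret, so a
  # secret may be paired with another app's integration key and then be
  # reported as inactive - confirm how multiple captures are paired.
  depends_on_rule:
  - rule_id: kingfisher.docusign.2
    variable: DOCUSIGN_CLIENT_ID
  - rule_id: kingfisher.docusign.3
    variable: DOCUSIGN_AUTH_HOST
  - rule_id: kingfisher.docusign.4
    variable: REDIRECT_URI
  references:
  - https://developers.docusign.com/platform/auth/
  - https://developers.docusign.com/platform/build-integration/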
# Helper rule: captures the DocuSign integration key (OAuth client id), a hex
# UUID following an integration-key / client-id / app-id name within 64
# characters of the word "docusign". kingfisher.docusign.1 reads the capture
# as DOCUSIGN_CLIENT_ID.
- name: DocuSign Integration Key
  id: kingfisher.docusign.2
  # No \b before the key-name alternation, so underscore-joined names such as
  # DOCUSIGN_CLIENT_ID= match (see the first example).
  pattern: |
    (?xi)
    \b
    docusign
    (?:.|[\n\r]){0,64}?
    (?:integration[_-]?key|client[_-]?id|app[_-]?id)\b
    (?:.|[\n\r]){0,16}?
    [=:"'\s]
    ['"]*
    (
    [a-f0-9]{8}-
    [a-f0-9]{4}-
    [a-f0-9]{4}-
    [a-f0-9]{4}-
    [a-f0-9]{12}
    )
    \b
  pattern_requirements:
    min_digits: 6
  min_entropy: 3.0
  confidence: medium
  # NOTE(review): visible: false presumably keeps this helper match out of the
  # reported findings - confirm against the Kingfisher rule schema.
  visible: false
  examples:
  - DOCUSIGN_CLIENT_ID=7a39ce6d-94cf-4bf6-9e9e-9213373c15f4
  - 'docusign.integration_key = "3d2f18c9-2075-4e78-834b-64f57f8757d0"'
  references:
  - https://developers.docusign.com/platform/build-integration/
# Helper rule: captures the DocuSign account (OAuth) host. The capture feeds
# DOCUSIGN_AUTH_HOST in the validation URL of kingfisher.docusign.1.
- name: DocuSign Auth Host
  id: kingfisher.docusign.3
  # The capture group is limited to exactly two hostnames. Keep it that
  # strict: whatever is captured here is the host that receives the candidate
  # client secret during validation, so a looser pattern would let scanned
  # content choose where the secret is sent.
  pattern: |
    (?xi)
    \b
    (
    account(?:-d)?\.docusign\.com
    )
    \b
  min_entropy: 1.0
  confidence: medium
  # NOTE(review): visible: false presumably keeps this helper match out of the
  # reported findings - confirm against the Kingfisher rule schema.
  visible: false
  examples:
  - account.docusign.com
  - account-d.docusign.com
  references:
  - https://developers.docusign.com/platform/auth/
# Helper rule: captures an OAuth redirect URI that follows a redirect-uri
# style name within 64 characters of the word "docusign". The validation
# request of kingfisher.docusign.1 sends the capture, URL-encoded, as the
# redirect_uri form field only; that request is never addressed to this URI.
- name: DocuSign Redirect URI
  id: kingfisher.docusign.4
  # NOTE(review): the URL class is greedy and has no trailing boundary, so
  # punctuation right after the URL (for example ")" or ",") is captured too.
  pattern: |
    (?xi)
    \b
    docusign
    (?:.|[\n\r]){0,64}?
    (?:redirect[_-]?uri|oauth[_-]?redirect)\b
    (?:.|[\n\r]){0,16}?
    [=:"'\s]
    (
    https?://[^\s"'<>]{6,200}
    )
  min_entropy: 1.5
  confidence: medium
  # NOTE(review): visible: false presumably keeps this helper match out of the
  # reported findings - confirm against the Kingfisher rule schema.
  visible: false
  examples:
  - DOCUSIGN_REDIRECT_URI=https://example.com/docusign/callback
  - 'docusign.redirect_uri = "https://localhost:3000/oauth/docusign"'
  references:
  - https://developers.docusign.com/platform/auth/