secure-keys 1.1.6 → 1.2.0

data/lib/validation/utils/patterns.rb

@@ -0,0 +1,204 @@
+#!/usr/bin/env ruby
+
+# rubocop:disable Lint/Syntax, Metrics/ModuleLength
+
+module SecureKeys
+  module Validation
+    # Known secret patterns with descriptions
+    PATTERNS = {
+      # GitHub
+      github_token: {
+        pattern: /ghp_[a-zA-Z0-9]{36}/,
+        description: 'GitHub Personal Access Token',
+        severity: :high,
+        example: 'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+      github_oauth: {
+        pattern: /gho_[a-zA-Z0-9]{36}/,
+        description: 'GitHub OAuth Access Token',
+        severity: :high,
+        example: 'gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+      github_app: {
+        pattern: /(ghu|ghs)_[a-zA-Z0-9]{36}/,
+        description: 'GitHub App Token',
+        severity: :high,
+        example: 'ghu_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+      github_refresh: {
+        pattern: /ghr_[a-zA-Z0-9]{36}/,
+        description: 'GitHub Refresh Token',
+        severity: :high,
+        example: 'ghr_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+
+      # AWS
+      aws_access_key: {
+        pattern: /AKIA[0-9A-Z]{16}/,
+        description: 'AWS Access Key ID',
+        severity: :critical,
+        example: 'AKIAIOSFODNN7EXAMPLE'
+      },
+      aws_secret_key: {
+        pattern: %r{(?i)aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]},
+        description: 'AWS Secret Access Key',
+        severity: :critical,
+        example: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
+      },
+      aws_session_token: {
+        pattern: %r{(?i)aws(.{0,20})?session(.{0,20})?['\"][0-9a-zA-Z/+]{100,}['\"]},
+        description: 'AWS Session Token',
+        severity: :high,
+        example: 'FwoGZXIvYXdzEBaa...(very long token)'
+      },
+
+      # Google Cloud
+      gcp_api_key: {
+        pattern: /AIza[0-9A-Za-z\-_]{35}/,
+        description: 'Google Cloud API Key',
+        severity: :high,
+        example: 'AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'
+      },
+      gcp_oauth: {
+        pattern: /ya29\.[0-9A-Za-z\-_]+/,
+        description: 'Google OAuth Access Token',
+        severity: :high,
+        example: 'ya29.a0AfH6SMBx...'
+      },
+
+      # Stripe
+      stripe_secret_key: {
+        pattern: /sk_(live|test)_[0-9a-zA-Z]{24,}/,
+        description: 'Stripe Secret Key',
+        severity: :critical,
+        example: 'sk_live_51H...'
+      },
+      stripe_publishable_key: {
+        pattern: /pk_(live|test)_[0-9a-zA-Z]{24,}/,
+        description: 'Stripe Publishable Key',
+        severity: :medium,
+        example: 'pk_live_51H...'
+      },
+      stripe_restricted_key: {
+        pattern: /rk_(live|test)_[0-9a-zA-Z]{24,}/,
+        description: 'Stripe Restricted Key',
+        severity: :high,
+        example: 'rk_live_51H...'
+      },
+
+      # Slack
+      slack_token: {
+        pattern: /xox[baprs]-[0-9a-zA-Z]{10,48}/,
+        description: 'Slack Token',
+        severity: :high,
+        example: 'xoxb-1234567890123-1234567890123-xxxxxxxxxxxxx'
+      },
+      slack_webhook: {
+        pattern: %r{https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,}/B[a-zA-Z0-9_]{8,}/[a-zA-Z0-9_]{24}},
+        description: 'Slack Webhook URL',
+        severity: :medium,
+        example: 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
+      },
+
+      # OAuth & JWT
+      jwt_token: {
+        pattern: %r{eyJ[A-Za-z0-9\-_=]+\.eyJ[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*},
+        description: 'JWT Token',
+        severity: :medium,
+        example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U'
+      },
+
+      # Generic patterns
+      private_key: {
+        pattern: /-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
+        description: 'Private Key',
+        severity: :critical,
+        example: '-----BEGIN PRIVATE KEY-----'
+      },
+      generic_api_key: {
+        pattern: /(?i)(api[_-]?key|apikey)[\s]*[:=][\s]*['\"]([a-zA-Z0-9_\-]{20,})['\"]/,
+        description: 'Generic API Key',
+        severity: :medium,
+        example: 'api_key: "abcdef1234567890abcdef1234567890"'
+      },
+      generic_secret: {
+        pattern: /(?i)(secret|password|passwd|pwd)[\s]*[:=][\s]*['\"]([^\s'\"]{8,})['\"]/,
+        description: 'Generic Secret/Password',
+        severity: :medium,
+        example: 'secret: "mysecretpassword123"'
+      },
+
+      # Firebase
+      firebase_key: {
+        pattern: /AIza[0-9A-Za-z\-_]{35}/,
+        description: 'Firebase API Key',
+        severity: :medium,
+        example: 'AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'
+      },
+
+      # Twilio
+      twilio_api_key: {
+        pattern: /SK[a-z0-9]{32}/,
+        description: 'Twilio API Key',
+        severity: :high,
+        example: 'SKxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+      twilio_account_sid: {
+        pattern: /AC[a-z0-9]{32}/,
+        description: 'Twilio Account SID',
+        severity: :low,
+        example: 'ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+
+      # SendGrid
+      sendgrid_api_key: {
+        pattern: /SG\.[a-zA-Z0-9_\-]{22}\.[a-zA-Z0-9_\-]{43}/,
+        description: 'SendGrid API Key',
+        severity: :high,
+        example: 'SG.xxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+
+      # Mailchimp
+      mailchimp_api_key: {
+        pattern: /[a-f0-9]{32}-us[0-9]{1,2}/,
+        description: 'Mailchimp API Key',
+        severity: :medium,
+        example: 'abcdef1234567890abcdef1234567890-us19'
+      },
+
+      # Square
+      square_access_token: {
+        pattern: /sq0atp-[0-9A-Za-z\-_]{22}/,
+        description: 'Square Access Token',
+        severity: :high,
+        example: 'sq0atp-xxxxxxxxxxxxxxxxxxxxxx'
+      },
+
+      # PayPal
+      paypal_braintree: {
+        pattern: /access_token\$production\$[a-z0-9]{16}\$[a-f0-9]{32}/,
+        description: 'PayPal Braintree Access Token',
+        severity: :critical,
+        example: 'access_token$production$xxxxxxxxxxxxxxxx$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      },
+
+      # Heroku
+      heroku_api_key: {
+        pattern: /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/,
+        description: 'Heroku API Key (UUID format)',
+        severity: :high,
+        example: '12345678-1234-1234-1234-123456789012'
+      },
+
+      # Generic Base64 secrets (often used for keys)
+      base64_secret: {
+        pattern: %r{(?i)(secret|key|token|password)[\s]*[:=][\s]*['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]},
+        description: 'Base64 Encoded Secret',
+        severity: :low,
+        example: 'secret: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkw"'
+      }
+    }.freeze
+  end
+end
+
+# rubocop:enable Lint/Syntax, Metrics/ModuleLength

data/lib/validation/utils/weak_secrets.rb

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+
+module SecureKeys
+  module Validation
+    # Common weak or test values that should never be used
+    WEAK_SECRETS = %w[
+      password password123 123456 secret test demo
+      admin root changeme temp default example
+      sample placeholder your-key-here your_api_key
+      xxxxxxxxxxxx 0000000000 1234567890
+    ].freeze
+  end
+end

data/lib/validation/validation_issue.rb

@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+
+module SecureKeys
+  module Validation
+    # Represents a single issue detected during secret validation
+    class ValidationIssue
+      attr_reader :severity, :type, :message, :recommendation
+
+      # Initialize a new validation issue
+      # @param severity [Symbol] The severity level (:critical, :error, :warning, :info)
+      # @param type [Symbol] The category of the issue (e.g. :empty_value, :weak_secret)
+      # @param message [String] A human-readable description of the issue
+      # @param recommendation [String, nil] An optional actionable recommendation for the developer
+      def initialize(severity:, type:, message:, recommendation:)
+        @severity = severity
+        @type = type
+        @message = message
+        @recommendation = recommendation
+      end
+
+      # Returns a string representation of the issue, including the recommendation if present
+      # @return [String] The formatted issue string
+      def to_s
+        text = "#{severity_icon} #{severity.upcase}: #{message}"
+        text += "\n\t\t💡 #{recommendation}" if recommendation
+        text
+      end
+
+      # Returns a hash representation of the issue
+      # @return [Hash] The hash representation
+      def to_h
+        {
+          severity:,
+          type:,
+          message:,
+          recommendation:,
+        }
+      end
+
+      private
+
+      # Returns the appropriate icon for the severity level
+      # @return [String] The severity icon
+      def severity_icon
+        case severity
+        when :critical then '🔴'
+        when :error then '❌'
+        when :warning then '⚠️'
+        when :info then 'ℹ️'
+        else '•'
+        end
+      end
+    end
+  end
+end

data/lib/validation/validation_result.rb

@@ -0,0 +1,117 @@
+#!/usr/bin/env ruby
+
+require_relative '../core/console/logger'
+
+module SecureKeys
+  module Validation
+    # Encapsulates the result of validating a single secret value
+    class ValidationResult
+      private
+
+      attr_writer :key, :value, :issues, :detected_type
+
+      public
+
+      attr_reader :key, :value, :issues, :detected_type
+
+      # Initialize a new validation result
+      # @param key [Symbol] The key identifier that was validated
+      # @param value [String] The value that was validated
+      # @param issues [Array<ValidationIssue>] The list of issues found during validation
+      # @param detected_type [Hash, nil] The detected secret type config, if any pattern matched
+      def initialize(key:, value:, issues:, detected_type: nil)
+        @key = key
+        @value = value
+        @issues = issues
+        @detected_type = detected_type
+      end
+
+      # Check if validation passed with no errors or critical issues
+      # @return [Boolean] true if no critical or error issues were found
+      def valid?
+        !errors? && !critical?
+      end
+
+      # Check if any critical-severity issues were found
+      # @return [Boolean] true if critical issues exist
+      def critical?
+        issues.any? { |issue| issue.severity == :critical }
+      end
+
+      # Check if any error-severity issues were found
+      # @return [Boolean] true if error issues exist
+      def errors?
+        issues.any? { |issue| issue.severity == :error }
+      end
+
+      # Check if any warning-severity issues were found
+      # @return [Boolean] true if warning issues exist
+      def warnings?
+        issues.any? { |issue| issue.severity == :warning }
+      end
+
+      # Returns the highest severity level across all issues
+      # @return [Symbol] :critical, :error, :warning, or :ok
+      def severity_level
+        return :critical if critical?
+        return :error if errors?
+        return :warning if warnings?
+
+        :ok
+      end
+
+      # Returns a one-line summary of the validation outcome
+      # @return [String] The summary string
+      def summary
+        return "✅ '#{key}' passed validation" if valid?
+
+        "#{severity_icon} '#{key}' has #{issues.length} issue(s)"
+      end
+
+      # Prints the full validation result to the console via Logger
+      def print
+        Core::Console::Logger.message(message: "\nValidation Result for '#{key}':")
+        Core::Console::Logger.message(message: '-' * 70)
+
+        if detected_type
+          Core::Console::Logger.message(message: "Detected Type: #{detected_type[:description]}")
+          Core::Console::Logger.message(message: "Severity:      #{detected_type[:severity]}")
+        end
+
+        if issues.empty?
+          Core::Console::Logger.success(message: '✅ No issues found')
+        else
+          Core::Console::Logger.message(message: '')
+          issues.each { |issue| Core::Console::Logger.message(message: "  #{issue}") }
+        end
+
+        Core::Console::Logger.message(message: '-' * 70)
+      end
+
+      # Returns a hash representation of the validation result
+      # @return [Hash] The hash representation
+      def to_h
+        {
+          key:,
+          valid: valid?,
+          severity: severity_level,
+          detected_type:,
+          issues: issues.map(&:to_h),
+        }
+      end
+
+      private
+
+      # Returns the appropriate icon for the current severity level
+      # @return [String] The severity icon
+      def severity_icon
+        case severity_level
+        when :critical then '🔴'
+        when :error then '❌'
+        when :warning then '⚠️'
+        else '✅'
+        end
+      end
+    end
+  end
+end

data/lib/validation/validator.rb

@@ -0,0 +1,203 @@
+#!/usr/bin/env ruby
+
+require_relative 'globals/globals'
+require_relative 'utils/weak_secrets'
+require_relative 'utils/patterns'
+require_relative 'utils/min_length'
+require_relative 'utils/entropy'
+require_relative 'validation_issue'
+require_relative 'validation_result'
+
+module SecureKeys
+  module Validation
+    # Validates individual secret values against known patterns and security rules
+    class Validator
+      private
+
+      attr_accessor :issues
+
+      public
+
+      # Initialize a new validator
+      def initialize
+        self.issues = []
+      end
+
+      # Validate a single secret value against all configured rules
+      # @param key [Symbol] The key identifier for the secret
+      # @param value [String] The value to validate
+      # @param options [Hash] Additional validation options
+      # @option options [Boolean] :check_entropy Enable Shannon entropy checking (default: false)
+      # @option options [Boolean] :allow_production Skip production key warnings (default: false)
+      # @option options [Boolean] :warn_on_pattern Emit informational notices for matched patterns (default: false)
+      # @return [ValidationResult] The result of the validation
+      def validate(key:, value:, options: {})
+        self.issues = []
+
+        check_empty(key:, value:)
+        check_weak_secret(key:, value:)
+        check_minimum_length(key:, value:)
+        check_pattern_match(key:, value:, options:)
+        check_entropy(key:, value:) if options[:check_entropy]
+
+        ValidationResult.new(key:, value:, issues:, detected_type: detect_type(value:))
+      end
+
+      # Detect the secret type of a value by matching against known patterns
+      # @param value [String] The value to analyze
+      # @return [Hash, nil] The matching pattern config merged with :type key, or nil if no match
+      def detect_type(value:)
+        PATTERNS.each do |type, config|
+          return config.merge(type:) if value.to_s.match?(config[:pattern])
+        end
+
+        nil
+      end
+
+      # Returns security recommendations for a given key name
+      # @param key [Symbol] The key identifier
+      # @return [Array<String>] List of actionable recommendations
+      def recommendations(key:)
+        result = []
+        formatted_key = key.to_s.downcase
+
+        if formatted_key.include?('github')
+          result << 'Use GitHub Personal Access Tokens with minimal required scopes'
+          result << 'Consider fine-grained tokens with repository-specific access'
+        end
+
+        if formatted_key.include?('aws')
+          result << 'Use AWS IAM roles instead of long-lived access keys when possible'
+          result << 'Enable MFA for all IAM users with access keys'
+          result << 'Rotate AWS access keys every 90 days'
+        end
+
+        if formatted_key.include?('stripe')
+          result << 'Never commit live Stripe keys to version control'
+          result << 'Use Stripe test keys for development and staging'
+          result << 'Consider Stripe restricted keys with minimal permissions'
+        end
+
+        if formatted_key.include?('api') || formatted_key.include?('key')
+          result << 'Rotate this key regularly (every 90 days recommended)'
+          result << 'Use environment-specific keys for dev, staging, and production'
+        end
+
+        result
+      end
+
+      private
+
+      # Check if the value is empty
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_empty(key:, value:)
+        return unless value.to_s.empty?
+
+        issues << ValidationIssue.new(
+          severity: :error,
+          type: :empty_value,
+          message: "Key '#{key}' has an empty value",
+          recommendation: 'Provide a non-empty secret value'
+        )
+      end
+
+      # Check if the value is a known weak or placeholder secret
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_weak_secret(key:, value:)
+        return unless value
+
+        formatted_value = value.downcase
+
+        WEAK_SECRETS.each do |weak|
+          next unless formatted_value == weak || formatted_value.include?(weak)
+
+          issues << ValidationIssue.new(
+            severity: :critical,
+            type: :weak_secret,
+            message: "Key '#{key}' uses a weak or placeholder value matching '#{weak}'",
+            recommendation: 'Replace with a strong, randomly generated secret'
+          )
+        end
+      end
+
+      # Check if the value meets the minimum length requirement for its inferred key type
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_minimum_length(key:, value:)
+        return unless value
+
+        key_type = determine_key_type(key:)
+        min_length = MIN_LENGTHS[key_type] || MIN_LENGTHS[:key]
+
+        return unless value.length < min_length
+
+        issues << ValidationIssue.new(
+          severity: :warning,
+          type: :too_short,
+          message: "Key '#{key}' is too short (#{value.length} chars, minimum is #{min_length})",
+          recommendation: "Use a longer secret (recommended: #{min_length * 2}+ characters)"
+        )
+      end
+
+      # Check if the value matches a known production secret pattern
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      # @param options [Hash] Validation options controlling severity behaviour
+      def check_pattern_match(key:, value:, options:)
+        return unless value
+
+        detected = detect_type(value:)
+        return unless detected
+
+        if detected[:severity] == :critical && !options[:allow_production]
+          issues << ValidationIssue.new(
+            severity: :critical,
+            type: :production_key_detected,
+            message: "Key '#{key}' appears to be a live #{detected[:description]}",
+            recommendation: 'Use test or development keys locally. Store production keys in your CI/CD secrets manager.'
+          )
+        elsif options[:warn_on_pattern]
+          issues << ValidationIssue.new(
+            severity: :info,
+            type: :pattern_detected,
+            message: "Key '#{key}' matches the pattern for: #{detected[:description]}",
+            recommendation: nil
+          )
+        end
+      end
+
+      # Check if the value has sufficient Shannon entropy to be a strong secret
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_entropy(key:, value:)
+        return unless value
+
+        entropy = Entropy.calculate(string: value)
+        return unless entropy < Globals.min_entropy_threshold
+
+        issues << ValidationIssue.new(
+          severity: :warning,
+          type: :low_entropy,
+          message: "Key '#{key}' has low entropy (#{entropy.round(2)})",
+          recommendation: 'Use a more random secret with a wider variety of characters'
+        )
+      end
+
+      # Infer the semantic key type from the key name for minimum-length lookup
+      # @param key [Symbol] The key identifier
+      # @return [Symbol] One of :api_key, :token, :secret, :password, or :key
+      def determine_key_type(key:)
+        formatted_key = key.to_s.downcase
+
+        return :api_key if formatted_key.include?('api') && formatted_key.include?('key')
+        return :token if formatted_key.include?('token')
+        return :secret if formatted_key.include?('secret')
+        return :password if formatted_key.include?('password') || formatted_key.include?('pwd')
+
+        :key
+      end
+    end
+  end
+end

data/lib/version.rb

@@ -1,8 +1,9 @@
 #!/usr/bin/env ruby
 
 module SecureKeys
-  VERSION = '1.1.6'.freeze
+  VERSION = '1.2.0'.freeze
   SUMMARY = 'Secure Keys is a simple tool for managing your secret keys'.freeze
   DESCRIPTION = 'Secure Keys is a simple tool to manage your secret keys in your iOS project'.freeze
   HOMEPAGE_URI = 'https://github.com/derian-cordoba/secure-keys'.freeze
+  GEM_HOMEPAGE_URI = 'https://rubygems.pkg.github.com'.freeze
 end