Add Review Board's new API tokens format to secret scanning.
Review Request #12651 — Created Sept. 28, 2022 and submitted
This allows Review Bot's secret scanner to identify Review Board's API tokens,
which were recently updated to follow a new rbp_[A-Za-z0-9]{251} format.

This change also updates the secret scanner unit tests to ensure that any
additional validation methods for validating the secrets are called when
they're supposed to be called. Further, the unit tests were updated to
ensure that checksums are taken into account for secrets that use checksums.

- Manually tested making review requests that contained new API tokens
  and saw that secret scanning picked them up.
- Ran and added unit tests to ./reviewbot/tools/tests/test_rbsecretscanner.py
Commits:
- 315bc8c4130e1fed34844f761d7d05beef3af1db
Issue Summary:
- Since our tokens can be validated, we should add a validator (like the GitHub one) to avoid false positives.
- djblets isn't a dependency for the bot, only for the extension. We should probably just duplicate the validation logic, since …
- Just a note to update this timestamp when you're ready to land.
- We can just call checksum.swapcase() in the conditional, so we only do it if needed.
- Maybe we should say "Review Board 5+ API Tokens"

Change Summary:
Added Review Board API Tokens to the list of supported secrets in the docs.
Diff: Revision 2 (+56)
Checks run (2 succeeded)

Change Summary:
- Added a validation method for Review Board API Tokens.
- Updated unit tests for checking for validation method calls and for properly checking checksums.
Diff: Revision 3 (+302 -2)
Checks run (2 succeeded)
- bot/reviewbot/tools/rbsecretscanner.py (Diff revision 3): djblets isn't a dependency for the bot, only for the extension. We should probably just duplicate the validation logic, since it's pretty simple.

Change Summary:
- Removed djblets dependency and copied over the token validation logic instead.
- Catches valid tokens that use our faulty base62-encoding from Review Board 5.0.
Diff: Revision 4 (+338 -2)
Checks run (2 succeeded)
- bot/reviewbot/tools/rbsecretscanner.py (Diff revision 4): Just a note to update this timestamp when you're ready to land.
- bot/reviewbot/tools/rbsecretscanner.py (Diff revision 4): We can just call checksum.swapcase() in the conditional, so we only do it if needed.
- docs/reviewbot/tools/rbsecretscanner.rst (Diff revision 4): Maybe we should say "Review Board 5+ API Tokens"

Change Summary:
- Compares against checksum.swapcase() directly in the conditional so that the swapcase operation only happens if it needs to.
- Specified that API tokens are for Review Board 5+.
Note: will update the "Rule updated" timestamp for the tokens whenever I land.
Diff: Revision 5 (+334 -2)
Checks run (2 succeeded)
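
As an added illustration, not the code from this review request and not djblets' actual token generator, the following Python sketch shows the match-then-validate flow that the description and the checksum.swapcase() comments above describe: a regex finds candidates, a validator recomputes the checksum over the token body and compares it with the checksum carried in the token, and the comparison against checksum.swapcase() sits in the same conditional so it is only evaluated when the first comparison fails, which is how tokens from a case-swapped encoder are still accepted. The token layout (prefix, 245-character random body, 6-character base62-encoded CRC32 checksum, 255 characters in total), the base62 alphabet, the assumption that the faulty encoding differs only by letter case, and the sample inputs are all assumptions made for the demonstration; the page itself only states the rbp_[A-Za-z0-9]{251} pattern, that the tokens carry a checksum, and that the scanner also compares against the swapcase of the checksum.

```python
import re
import secrets
import zlib

# Assumed token layout (not stated on the page): an 'rbp_' prefix, a random
# base62 body and a 6-character base62-encoded CRC32 checksum of the body,
# 255 characters in total. Body plus checksum is then the 251-character
# [A-Za-z0-9] run that the page's pattern matches.
TOKEN_PREFIX = 'rbp_'
TOKEN_LENGTH = 255
CHECKSUM_LENGTH = 6
BODY_LENGTH = TOKEN_LENGTH - len(TOKEN_PREFIX) - CHECKSUM_LENGTH  # 245

# The pattern given in the review request description.
TOKEN_RE = re.compile(r'rbp_[A-Za-z0-9]{251}')

# Assumed alphabet for the correct base62 encoding, and a hypothetical faulty
# encoder whose alphabet has the letter cases swapped: every checksum it emits
# is exactly the swapcase() of the correct one (digits are unaffected).
BASE62_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
FAULTY_ALPHABET = BASE62_ALPHABET.swapcase()

# Constructed, deterministic token body used by the demonstration.
SAMPLE_BODY = ('a1B2' * 62)[:BODY_LENGTH]


def base62_encode(value, alphabet=BASE62_ALPHABET):
    """Encode a non-negative integer with the given 62-character alphabet."""
    if value == 0:
        return alphabet[0]
    digits = []
    while value:
        value, remainder = divmod(value, 62)
        digits.append(alphabet[remainder])
    return ''.join(reversed(digits))


def compute_checksum(body, alphabet=BASE62_ALPHABET):
    """CRC32 of the token body, base62-encoded and zero-padded to 6 chars."""
    crc = zlib.crc32(body.encode('ascii')) & 0xFFFFFFFF
    return base62_encode(crc, alphabet).rjust(CHECKSUM_LENGTH, alphabet[0])


def make_token(body=None, faulty=False):
    """Build a token; faulty=True mimics the case-swapped encoder."""
    if body is None:
        body = ''.join(secrets.choice(BASE62_ALPHABET)
                       for _ in range(BODY_LENGTH))
    alphabet = FAULTY_ALPHABET if faulty else BASE62_ALPHABET
    return TOKEN_PREFIX + body + compute_checksum(body, alphabet)


def is_valid_token(token):
    """Validator: recompute the checksum and compare it with the token's.

    The swapcase() comparison is part of the same conditional, so it only
    runs when the first comparison fails, which is the point raised in
    review: extra work happens only for tokens that did not validate with
    the correct encoding.
    """
    if len(token) != TOKEN_LENGTH or not token.startswith(TOKEN_PREFIX):
        return False
    body = token[len(TOKEN_PREFIX):-CHECKSUM_LENGTH]
    checksum = token[-CHECKSUM_LENGTH:]
    expected = compute_checksum(body)
    return expected == checksum or expected == checksum.swapcase()


def find_tokens(text):
    """Scan text the way a secret scanner would: regex first, then validate.

    Only candidates whose checksum validates are returned, so a random
    alphanumeric string of the right shape is not reported as a secret.
    """
    return [m.group(0) for m in TOKEN_RE.finditer(text)
            if is_valid_token(m.group(0))]


if __name__ == '__main__':
    good = make_token(SAMPLE_BODY)
    old = make_token(SAMPLE_BODY, faulty=True)
    # Corrupt the last checksum character with a digit: digits are unchanged
    # by swapcase(), so neither comparison in is_valid_token() can match.
    junk = good[:-1] + ('0' if good[-1] != '0' else '1')
    # Constructed review text containing one token of each kind.
    text = 'api_token = %s\nlegacy = %s\nnot_a_token = %s\n' % (good, old, junk)
    for token in find_tokens(text):
        print('Found valid Review Board API token ending in ...%s' % token[-8:])
```

Running the block reports the correctly encoded token and the case-swapped one, and stays silent on the corrupted candidate even though it matches the regex; that is the false-positive reduction the validator is there for.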

Change Summary:
Updated the "Rule updated" date for the API tokens.
Diff: Revision 6 (+334 -2)