package verify import ( "bytes" "context" "crypto/tls" "io" "net/http" "strconv" "strings" "time" "github.com/salvacybersec/keyhunter/pkg/engine" "github.com/salvacybersec/keyhunter/pkg/providers" "github.com/tidwall/gjson" ) // DefaultTimeout is the per-call verification timeout when none is configured. const DefaultTimeout = 10 * time.Second // maxMetadataBody caps how much of a JSON response we read for metadata extraction. const maxMetadataBody = 1 << 20 // 1 MiB // HTTPVerifier performs a single HTTP call against a provider's VerifySpec and // classifies the response. It is YAML-driven — no per-provider switches live here. type HTTPVerifier struct { Client *http.Client Timeout time.Duration } // NewHTTPVerifier returns an HTTPVerifier with a TLS 1.2+ HTTP client and the // given per-call timeout (falling back to DefaultTimeout when timeout <= 0). func NewHTTPVerifier(timeout time.Duration) *HTTPVerifier { if timeout <= 0 { timeout = DefaultTimeout } return &HTTPVerifier{ Client: &http.Client{ Timeout: timeout, Transport: &http.Transport{ TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}, }, }, Timeout: timeout, } } // Verify runs a single verification against a provider's verify endpoint. // It never returns a Go error — transport/classification failures are encoded // in the Result. Callers classify via Result.Status against the Status* constants. func (v *HTTPVerifier) Verify(ctx context.Context, f engine.Finding, p providers.Provider) Result { start := time.Now() res := Result{ ProviderName: f.ProviderName, KeyMasked: f.KeyMasked, Status: StatusUnknown, } spec := p.Verify if spec.URL == "" { return res // StatusUnknown: provider has no verify endpoint } if strings.HasPrefix(strings.ToLower(spec.URL), "http://") { res.Status = StatusError res.Error = "verify URL must be HTTPS" return res } // Substitute {{KEY}} (and legacy {KEY}) in URL, headers, and body. url := substituteKey(spec.URL, f.KeyValue) method := spec.Method if method == "" { method = http.MethodGet } var bodyReader io.Reader if spec.Body != "" { bodyReader = bytes.NewBufferString(substituteKey(spec.Body, f.KeyValue)) } reqCtx, cancel := context.WithTimeout(ctx, v.Timeout) defer cancel() req, err := http.NewRequestWithContext(reqCtx, method, url, bodyReader) if err != nil { res.Status = StatusError res.Error = err.Error() return res } for k, val := range spec.Headers { req.Header.Set(k, substituteKey(val, f.KeyValue)) } resp, err := v.Client.Do(req) res.ResponseTime = time.Since(start) if err != nil { res.Status = StatusError res.Error = err.Error() return res } defer resp.Body.Close() res.HTTPCode = resp.StatusCode // Classify. Success codes take precedence, then failure, then rate-limit. switch { case containsInt(spec.EffectiveSuccessCodes(), resp.StatusCode): res.Status = StatusLive case containsInt(spec.EffectiveFailureCodes(), resp.StatusCode): res.Status = StatusDead case containsInt(spec.EffectiveRateLimitCodes(), resp.StatusCode): res.Status = StatusRateLimited if ra := resp.Header.Get("Retry-After"); ra != "" { if secs, convErr := strconv.Atoi(ra); convErr == nil { res.RetryAfter = time.Duration(secs) * time.Second } } default: res.Status = StatusUnknown } // Metadata extraction only for live responses with JSON body and configured paths. if res.Status == StatusLive && len(spec.MetadataPaths) > 0 { if strings.Contains(resp.Header.Get("Content-Type"), "application/json") { bodyBytes, _ := io.ReadAll(io.LimitReader(resp.Body, maxMetadataBody)) meta := make(map[string]string, len(spec.MetadataPaths)) for displayName, path := range spec.MetadataPaths { if r := gjson.GetBytes(bodyBytes, path); r.Exists() { meta[displayName] = r.String() } } if len(meta) > 0 { res.Metadata = meta } } } return res } // substituteKey replaces both {{KEY}} and the legacy {KEY} placeholder. func substituteKey(s, key string) string { s = strings.ReplaceAll(s, "{{KEY}}", key) s = strings.ReplaceAll(s, "{KEY}", key) return s } func containsInt(haystack []int, needle int) bool { for _, x := range haystack { if x == needle { return true } } return false }