leaktor 0.2.0

A blazingly fast secrets scanner with validation capabilities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

pub mod aws;
pub mod github;
pub mod http;
pub mod slack;
pub mod stripe;

pub use aws::AwsValidator;
pub use github::GitHubValidator;
pub use http::HttpValidator;
pub use slack::SlackValidator;
pub use stripe::StripeValidator;

use crate::models::{Secret, SecretType};
use anyhow::Result;

/// Trait for validating secrets
#[async_trait::async_trait]
pub trait Validator {
    async fn validate(&self, secret: &Secret) -> Result<bool>;
    fn supports(&self, secret_type: &SecretType) -> bool;
}

/// Validate a secret using the appropriate validator
pub async fn validate_secret(secret: &mut Secret) -> Result<()> {
    let validators: Vec<Box<dyn Validator + Send + Sync>> = vec![
        Box::new(AwsValidator::new()),
        Box::new(GitHubValidator::new()),
        Box::new(SlackValidator::new()),
        Box::new(StripeValidator::new()),
    ];

    for validator in validators {
        if validator.supports(&secret.secret_type) {
            match validator.validate(secret).await {
                Ok(is_valid) => {
                    secret.validated = Some(is_valid);
                    return Ok(());
                }
                Err(_) => {
                    // Validation failed (network error, etc.), mark as unknown
                    secret.validated = None;
                }
            }
        }
    }

    Ok(())
}

/// Validate multiple secrets in parallel using tokio tasks
pub async fn validate_secrets_parallel(secrets: &mut [Secret]) -> Result<()> {
    use tokio::task::JoinSet;

    let validators: Vec<Box<dyn Validator + Send + Sync>> = vec![
        Box::new(AwsValidator::new()),
        Box::new(GitHubValidator::new()),
        Box::new(SlackValidator::new()),
        Box::new(StripeValidator::new()),
    ];

    // Build a list of (index, secret_clone) pairs that have a matching validator
    let mut tasks: JoinSet<(usize, Option<bool>)> = JoinSet::new();

    for (idx, secret) in secrets.iter().enumerate() {
        // Find which validator supports this secret type
        let mut found_validator = false;
        for v in &validators {
            if v.supports(&secret.secret_type) {
                found_validator = true;
                break;
            }
        }

        if !found_validator {
            continue;
        }

        let secret_clone = secret.clone();
        tasks.spawn(async move {
            // Re-create validators inside the task (they're cheap)
            let validators: Vec<Box<dyn Validator + Send + Sync>> = vec![
                Box::new(AwsValidator::new()),
                Box::new(GitHubValidator::new()),
                Box::new(SlackValidator::new()),
                Box::new(StripeValidator::new()),
            ];

            for validator in &validators {
                if validator.supports(&secret_clone.secret_type) {
                    match validator.validate(&secret_clone).await {
                        Ok(is_valid) => return (idx, Some(is_valid)),
                        Err(_) => return (idx, None),
                    }
                }
            }

            (idx, None)
        });
    }

    // Collect results
    while let Some(result) = tasks.join_next().await {
        if let Ok((idx, validated)) = result {
            secrets[idx].validated = validated;
        }
    }

    Ok(())
}