fixup of tests

mchybo · mchybo · commit b8142ba57732 · 2025-12-04T23:43:16.000+01:00
diff --git a/pkg/detectors/gcpoauth2/gcpoauth2.go b/pkg/detectors/gcpoauth2/gcpoauth2.go
@@ -16,10 +16,8 @@ type Scanner struct {
 	detectors.DefaultMultiPartCredentialProvider
 }
 
-// Ensure the Scanner satisfies the interface at compile time.
 var _ detectors.Detector = (*Scanner)(nil)
 
-// GCP Oauth2 Client ID and secret regex patterns.
 var (
 	oauth2ClientID     = regexp.MustCompile("[0-9a-zA-Z\\-_]{16,}\\.apps\\.googleusercontent\\.com")
 	oauth2ClientSecret = regexp.MustCompile("GOCSPX-[0-9a-zA-Z\\-_]{20,}")
@@ -29,10 +27,8 @@ const (
 	gcpOAuthBadVerificationCodeError = "bad_verification_code"
 )
 
-// Keywords are used for efficiently pre-filtering chunks.
-// Use identifiers in the secret preferably, or the provider name.
 func (s Scanner) Keywords() []string {
-	return []string{".apps.googleusercontent.com", "GOCSPX-"}
+	return []string{".apps.googleusercontent.com", "GOCSPX-", "oauth2_client_id", "oauth2_client_secret"}
 }
 
 func (s Scanner) Type() detectorspb.DetectorType {
@@ -43,40 +39,87 @@ func (s Scanner) Description() string {
 	return "GCP OAuth2 credentials are sensitive strings (client ID and secret) issued by Google Cloud to identify your application and securely authorize its access to Google APIs on behalf of users."
 }
 
-// FromData will find and optionally verify GitHub secrets in a given set of bytes.
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)
 
-	// Oauth2 client ID and secret
 	oauth2ClientIDMatches := oauth2ClientID.FindAllStringSubmatch(dataStr, -1)
 	oauth2ClientSecretMatches := oauth2ClientSecret.FindAllStringSubmatch(dataStr, -1)
 
-	for _, idMatch := range oauth2ClientIDMatches {
-		for _, secretMatch := range oauth2ClientSecretMatches {
-
-			s1 := detectors.Result{
-				DetectorType: detectorspb.DetectorType_GoogleOauth2,
-				Raw:          []byte(idMatch[1]),
-				RawV2:        []byte(idMatch[1] + secretMatch[1]),
+	seen := make(map[string]bool)
+
+	pairedIDs := make(map[string]bool)
+	pairedSecrets := make(map[string]bool)
+
+	if len(oauth2ClientIDMatches) > 0 && len(oauth2ClientSecretMatches) > 0 {
+		for _, idMatch := range oauth2ClientIDMatches {
+			for _, secretMatch := range oauth2ClientSecretMatches {
+				clientID := idMatch[0]
+				clientSecret := secretMatch[0]
+				key := "pair:" + clientID + ":" + clientSecret
+
+				if !seen[key] {
+					seen[key] = true
+					pairedIDs[clientID] = true
+					pairedSecrets[clientSecret] = true
+
+					s1 := detectors.Result{
+						DetectorType: detectorspb.DetectorType_GoogleOauth2,
+						Raw:          []byte(clientID),
+						RawV2:        []byte(clientID + clientSecret),
+					}
+
+					if verify {
+						config := &clientcredentials.Config{
+							ClientID:     clientID,
+							ClientSecret: clientSecret,
+							TokenURL:     google.Endpoint.TokenURL,
+						}
+						_, err := config.Token(ctx)
+						if err != nil && strings.Contains(err.Error(), gcpOAuthBadVerificationCodeError) {
+							s1.Verified = true
+						}
+					}
+
+					results = append(results, s1)
+				}
 			}
+		}
+	}
 
-			config := &clientcredentials.Config{
-				ClientID:     idMatch[1],
-				ClientSecret: secretMatch[1],
-				TokenURL:     google.Endpoint.TokenURL,
-			}
-			if verify {
-				_, err := config.Token(ctx)
-				// if client id and client secret is correct, it will return bad verification code error as we do not pass any verification code
-				if err != nil && strings.Contains(err.Error(), gcpOAuthBadVerificationCodeError) {
-					// mark result as verified only in case of bad verification code error, for any other error the result will be unverified
-					s1.Verified = true
+	// Process orphan ClientID-only matches (not part of any pair)
+	if len(oauth2ClientIDMatches) > 0 && len(pairedIDs) == 0 {
+		for _, idMatch := range oauth2ClientIDMatches {
+			clientID := idMatch[0]
+			key := "id:" + clientID
+
+			if !pairedIDs[clientID] && !seen[key] {
+				seen[key] = true
+				s1 := detectors.Result{
+					DetectorType: detectorspb.DetectorType_GoogleOauth2,
+					Raw:          []byte(clientID),
+					RawV2:        []byte(clientID),
 				}
+				results = append(results, s1)
 			}
-
-			results = append(results, s1)
 		}
 	}
 
+	// Process orphan ClientSecret-only matches (not part of any pair)
+	if len(oauth2ClientSecretMatches) > 0 && len(pairedSecrets) == 0 {
+		for _, secretMatch := range oauth2ClientSecretMatches {
+			clientSecret := secretMatch[0]
+			key := "secret:" + clientSecret
+
+			if !pairedSecrets[clientSecret] && !seen[key] {
+				seen[key] = true
+				s1 := detectors.Result{
+					DetectorType: detectorspb.DetectorType_GoogleOauth2,
+					Raw:          []byte(clientSecret),
+					RawV2:        []byte(clientSecret),
+				}
+				results = append(results, s1)
+			}
+		}
+	}
 	return
 }
diff --git a/pkg/detectors/gcpoauth2/gcpoauth2_test.go b/pkg/detectors/gcpoauth2/gcpoauth2_test.go
@@ -33,11 +33,11 @@ func TestGcpOAuth2_Pattern(t *testing.T) {
 			},
 		},
 		{
-			name:  "typical pattern - multiline with both client_id and client_secret",
-			input: "oauth2_client_id = '1234567890-abc123def456ghi789jkl012mno345pq.apps.googleusercontent.com'\noauth2_client_secret = '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'",
+			name: "typical pattern - multiline with both keywords",
+			input: `oauth2_client_id = '1234567890-abc123def456ghi789jkl012mno345pq.apps.googleusercontent.com'
+			oauth2_client_secret = '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'`,
 			want: []string{
-				"1234567890-abc123def456ghi789jkl012mno345pq.apps.googleusercontent.com",
-				"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",
+				"1234567890-abc123def456ghi789jkl012mno345pq.apps.googleusercontent.comGOCSPX-5aBcD3fgHiJK_lMnOpQRstuVwXyZ",
 			},
 		},
 		{
