trufflesecurity
diff --git a/‎pkg/detectors/salesforcerefreshtoken/salesforcerefreshtoken.go
Lines changed: 153 additions & 0 deletions b/‎pkg/detectors/salesforcerefreshtoken/salesforcerefreshtoken.go
Lines changed: 153 additions & 0 deletions
diff --git a/‎pkg/detectors/salesforcerefreshtoken/salesforcerefreshtoken_integration_test.go
Lines changed: 198 additions & 0 deletions b/‎pkg/detectors/salesforcerefreshtoken/salesforcerefreshtoken_integration_test.go
Lines changed: 198 additions & 0 deletions
@@ -0,0 +1,153 @@
+package salesforcerefreshtoken
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+type Scanner struct {
+	client *http.Client
+}
+
+var (
+	// Ensure the Scanner satisfies the interface at compile time.
+	_             detectors.Detector = (*Scanner)(nil)
+	defaultClient                    = common.SaneHttpClient()
+
+	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
+	refreshTokenPat   = regexp.MustCompile(`(?i)\b(5AEP861[a-zA-Z0-9._=]{80,})\b`)
+	consumerKeyPat    = regexp.MustCompile(`\b(3MVG9[0-9a-zA-Z._+/=]{80,251})`)
+	consumerSecretPat = regexp.MustCompile(detectors.PrefixRegex([]string{"salesforce", "consumer", "secret"}) + `\b([A-Za-z0-9+/=.]{64}|[0-9]{19})\b`)
+)
+
+// Keywords are used for efficiently pre-filtering chunks.
+// Use identifiers in the secret preferably, or the provider name.
+func (s Scanner) Keywords() []string {
+	return []string{"salesforce", "5AEP861", "3MVG9"}
+}
+
+func (s Scanner) getClient() *http.Client {
+	if s.client != nil {
+		return s.client
+	}
+
+	return defaultClient
+}
+
+func (s Scanner) Type() detectorspb.DetectorType {
+	return detectorspb.DetectorType_SalesforceRefreshToken
+}
+
+func (s Scanner) Description() string {
+	return "Salesforce is a customer relationship management (CRM) platform that provides a suite of applications and APIs. OAuth 2.0 refresh tokens are long-lived credentials that allow applications to obtain new access tokens without requiring user interaction. They enable continuous access to an organization's data and must be handled securely."
+}
+
+// FromData will find and optionally verify Salesforceoauth2 refresh token in a given set of bytes.
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+	dataStr := string(data)
+
+	uniqueTokenMatches, uniqueKeyMatches, uniqueSecretMatches := make(map[string]struct{}), make(map[string]struct{}), make(map[string]struct{})
+	for _, match := range refreshTokenPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueTokenMatches[match[1]] = struct{}{}
+	}
+
+	for _, match := range consumerKeyPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueKeyMatches[match[1]] = struct{}{}
+	}
+
+	for _, match := range consumerSecretPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueSecretMatches[match[1]] = struct{}{}
+	}
+
+	for refreshToken := range uniqueTokenMatches {
+		for key := range uniqueKeyMatches {
+			for secret := range uniqueSecretMatches {
+				s1 := detectors.Result{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Raw:          []byte(refreshToken),
+					RawV2:        fmt.Appendf([]byte{}, "%s:%s:%s", refreshToken, key, secret),
+				}
+
+				if verify {
+					isVerified, verificationErr := s.verifyMatch(ctx, s.getClient(), refreshToken, key, secret)
+					s1.Verified = isVerified
+					if verificationErr != nil {
+						s1.SetVerificationError(verificationErr, secret)
+					}
+				}
+
+				results = append(results, s1)
+			}
+		}
+	}
+
+	return
+}
+
+// verifyMatch attempts to validate a Salesforce Refresh Token.
+func (s Scanner) verifyMatch(ctx context.Context, client *http.Client, refreshToken, key, secret string) (bool, error) {
+	form := url.Values{}
+	form.Set("token", refreshToken)
+	form.Set("client_id", key)
+	form.Set("client_secret", secret)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://login.salesforce.com/services/oauth2/introspect",
+		strings.NewReader(form.Encode()))
+	if err != nil {
+		return false, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, fmt.Errorf("failed to perform request: %w", err)
+	}
+	defer func() {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		_ = resp.Body.Close()
+	}()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		bodyBytes, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return false, fmt.Errorf("failed to read error response body: %w", err)
+		}
+		var apiResp introspectAPIResponse
+		if err := json.Unmarshal(bodyBytes, &apiResp); err != nil {
+			return false, fmt.Errorf("failed to unmarshal error response: %w (body: %s)", err, string(bodyBytes))
+		}
+
+		if !apiResp.Active {
+			return false, nil
+		}
+		return true, nil
+
+	case http.StatusBadRequest:
+		// Salesforce returns a 400 Bad Request if the consumer key/secret are valid, but the refresh token is invalid or missing
+		return false, nil
+
+	case http.StatusUnauthorized:
+		// Salesforce returns a 401 Unauthorized if the consumer key/secret are invalid.
+		// This means that a 401 can also occur when the refresh token is valid but the consumer key or secret is incorrect.
+		return false, fmt.Errorf("unauthorized: invalid client credentials")
+
+	default:
+		return false, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+}
+
+type introspectAPIResponse struct {
+	Active bool `json:"active"`
+}
@@ -0,0 +1,198 @@
+//go:build detectors
+// +build detectors
+
+package salesforcerefreshtoken
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+func TestSalesforcerefreshtoken_FromChunk(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+	refreshToken := testSecrets.MustGetField("SALESFORCE_REFRESH_TOKEN")
+	consumerKey := testSecrets.MustGetField("SALESFORCE_REFRESH_TOKEN_KEY")
+	consumerSecret := testSecrets.MustGetField("SALESFORCE_REFRESH_TOKEN_SECRET")
+	inactiveSecret := testSecrets.MustGetField("SALESFORCE_REFRESH_TOKEN_INACTIVE_SECRET")
+
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+	tests := []struct {
+		name                string
+		s                   Scanner
+		args                args
+		want                []detectors.Result
+		wantErr             bool
+		wantVerificationErr bool
+	}{
+		{
+			name: "found one valid trio, verified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("refresh_token: %s, key: %s, secret: %s", refreshToken, consumerKey, consumerSecret)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Verified:     true,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "found one invalid trio, unverified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("refresh_token: %s, key: %s, secret: %s", refreshToken, consumerKey, inactiveSecret)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Verified:     false,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true, // Verification fails because the credentials are invalid and we can't verify the refresh token.
+		},
+		{
+			name: "multiple findings, one verified",
+			s:    Scanner{},
+			args: args{
+				ctx: context.Background(),
+				data: []byte(fmt.Sprintf(`
+				refresh_token: %s, key: %s, valid_secret: %s, 
+				invalid_refresh_token: 5Aep861eN26Sp9j0R5QPjh0AAAABBBBCCCCjcNqfo5kVBplkpP5tzyWXyVGAivx26AAAABBBBjYE133BBBBAAAA`,
+					refreshToken, consumerKey, consumerSecret)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Verified:     true, // The valid refresh token combination
+				},
+				{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Verified:     false, // The invalid refresh token combination
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "not found (missing a component)",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("key: %s, secret: %s", consumerKey, consumerSecret)), // No refresh token
+				verify: true,
+			},
+			want:                nil,
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "found, would be verified if not for timeout",
+			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("refresh_token: %s, key: %s, secret: %s", refreshToken, consumerKey, consumerSecret)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Verified:     false,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true,
+		},
+		{
+			name: "found, unexpected api response",
+			s:    Scanner{client: common.ConstantResponseHttpClient(404, "")},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("refresh_token: %s, key: %s, secret: %s", refreshToken, consumerKey, consumerSecret)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_SalesforceRefreshToken,
+					Verified:     false,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("FromData() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			// Since the order of results can vary with maps, we use a more robust comparison.
+			// This checks that for every `want` result, there is a matching `got` result.
+			opts := []cmp.Option{
+				cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError", "ExtraData", "VerificationFromCache", "primarySecret"),
+				cmpopts.SortSlices(func(a, b detectors.Result) bool { return a.Verified }),
+			}
+			if diff := cmp.Diff(tt.want, got, opts...); diff != "" {
+				t.Errorf("FromData() results mismatch (-want +got):\n%s", diff)
+			}
+
+			// Also check that verification errors match expectations across all results.
+			var gotErr bool
+			for _, r := range got {
+				if r.VerificationError() != nil {
+					gotErr = true
+					break
+				}
+			}
+			if gotErr != tt.wantVerificationErr {
+				t.Errorf("wantVerificationErr = %v, but got an error state of %v", tt.wantVerificationErr, gotErr)
+			}
+		})
+	}
+}
+
+func BenchmarkFromData(benchmark *testing.B) {
+	ctx := context.Background()
+	s := Scanner{}
+	for name, data := range detectors.MustGetBenchmarkData() {
+		benchmark.Run(name, func(b *testing.B) {
+			b.ResetTimer()
+			for n := 0; n < b.N; n++ {
+				_, err := s.FromData(ctx, false, data)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}