From ae8bcbbcccc80776868e8c30fa7ea4d922baab56 Mon Sep 17 00:00:00 2001
From: Baruch Odem
Date: Tue, 26 Mar 2024 13:08:07 +0200
Subject: [PATCH] Add validation for GitLab personal access tokens

Add Secret validation #191
---
 engine/validation/client.go | 21 +++++++++++++++++++++
 engine/validation/github.go | 9 +--------
 engine/validation/gitlab.go | 25 +++++++++++++++++++++++++
 engine/validation/validator.go | 1 +
 4 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100644 engine/validation/client.go
 create mode 100644 engine/validation/gitlab.go
diff --git a/engine/validation/client.go b/engine/validation/client.go
new file mode 100644
index 00000000..b6577f73
--- /dev/null
+++ b/engine/validation/client.go
@@ -0,0 +1,21 @@
+package validation
+
+import (
+ "net/http"
+)
+
+func sendValidationRequest(endpoint string, authorization string) (*http.Response, error) {
+ req, err := http.NewRequest("GET", endpoint, nil)
+ if err != nil {
+ return nil, err
+ }
+ req.Header.Set("Authorization", authorization)
+
+ client := &http.Client{}
+ resp, err := client.Do(req)
+ if err != nil {
+ return nil, err
+ }
+
+ return resp, nil
+}
diff --git a/engine/validation/github.go b/engine/validation/github.go
index 646e3e31..182b08ba 100644
--- a/engine/validation/github.go
+++ b/engine/validation/github.go
@@ -11,15 +11,8 @@ import (
 
 func validateGithub(s *secrets.Secret) secrets.ValidationResult {
 const githubURL = "https://api.github.com/"
- req, err := http.NewRequest("GET", githubURL, nil)
- if err != nil {
- log.Warn().Err(err).Msg("Failed to validate secret")
- return secrets.UnknownResult
- }
- req.Header.Set("Authorization", fmt.Sprintf("token %s", s.Value))
+ resp, err := sendValidationRequest(githubURL, fmt.Sprintf("token %s", s.Value))
 
- client := &http.Client{}
- resp, err := client.Do(req)
 if err != nil {
 log.Warn().Err(err).Msg("Failed to validate secret")
 return secrets.UnknownResult
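Review bot: `client := &http.Client{}` in sendValidationRequest has no Timeout, so one unresponsive validation endpoint can stall the whole scan indefinitely, and a fresh client is built on every call instead of being shared across validators. The helper also hands back a response whose body is still open, and neither caller in this patch visibly closes it, so that obligation belongs in the function's doc comment. I would hoist a package-level client with a bounded timeout, use `http.MethodGet` instead of the bare `"GET"` literal, and document ownership of `resp.Body`; this needs `"time"` added to the new file's import block.
```go
// validationClient is shared by every validator; the timeout bounds how long
// a single secret check can block the scan on an unresponsive endpoint.
var validationClient = &http.Client{Timeout: 10 * time.Second}

// sendValidationRequest issues an authenticated GET against endpoint and
// returns the raw response. The caller owns the response and must close
// resp.Body, including on non-2xx status codes.
func sendValidationRequest(endpoint string, authorization string) (*http.Response, error) {
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	// … unchanged: error check, Authorization header …
	return validationClient.Do(req)
}
```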
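Review bot: After the refactor validateGithub receives `resp` from sendValidationRequest with its body still open, and the hunk ends right after the `if err != nil` block, before the status check, so I cannot see whether the body is ever closed. If the rest of the function does not already do so, add `defer resp.Body.Close()` immediately after that error check; otherwise every GitHub validation leaks a connection. The remainder of validateGithub is outside this hunk.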
diff --git a/engine/validation/gitlab.go b/engine/validation/gitlab.go
new file mode 100644
index 00000000..c983a9c5
--- /dev/null
+++ b/engine/validation/gitlab.go
@@ -0,0 +1,25 @@
+package validation
+
+import (
+ "fmt"
+ "net/http"
+
+ "github.com/checkmarx/2ms/lib/secrets"
+ "github.com/rs/zerolog/log"
+)
+
+func validateGitlab(s *secrets.Secret) secrets.ValidationResult {
+ const gitlabURL = "https://gitlab.com/api/v4/user"
+
+ resp, err := sendValidationRequest(gitlabURL, fmt.Sprintf("Bearer %s", s.Value))
+
+ if err != nil {
+ log.Warn().Err(err).Msg("Failed to validate secret")
+ return secrets.UnknownResult
+ }
+
+ if resp.StatusCode == http.StatusOK {
+ return secrets.ValidResult
+ }
+ return secrets.RevokedResult
+}
diff --git a/engine/validation/validator.go b/engine/validation/validator.go
index 7c92f486..026b8ab4 100644
--- a/engine/validation/validator.go
+++ b/engine/validation/validator.go
@@ -11,6 +11,7 @@ type validationFunc = func(*secrets.Secret) secrets.ValidationResult
 var ruleIDToFunction = map[string]validationFunc{
 "github-fine-grained-pat": validateGithub,
 "github-pat": validateGithub,
+ "gitlab-pat": validateGitlab,
 }
 
 type Validator struct {
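Review bot: validateGitlab never closes `resp.Body` after the `if err != nil` check, so every validation leaks a connection, and every non-200 status is reported as RevokedResult, which turns a 429 rate limit, a 5xx outage, or a 403 from a token that lacks the scope for `/user` (GitLab appears to answer 403 rather than 401 in that case — worth confirming against the API docs) into a false "revoked" verdict. Only 401 actually establishes that the token is dead; anything else should fall back to UnknownResult with the status logged so the operator can tell the cases apart. Note also that `gitlabURL` is pinned to gitlab.com, so a PAT issued by a self-managed instance will be checked against the wrong host and reported revoked — at minimum that limitation belongs in a comment on the constant. The rewrite below replaces the two trailing statements of the function.
```go
	defer resp.Body.Close()

	switch resp.StatusCode {
	case http.StatusOK:
		return secrets.ValidResult
	case http.StatusUnauthorized:
		// 401 is the only answer that proves the token is no longer usable.
		return secrets.RevokedResult
	default:
		// 403 (scope-restricted token), 429 (rate limit), 5xx: inconclusive.
		log.Warn().Int("status", resp.StatusCode).Msg("Unexpected response while validating secret")
		return secrets.UnknownResult
	}
```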