refactor(bitbucket): rename test filename and introduce naming conv

- .._test -> .._integration_test.go

refactor(bitbucket): code cleanup + tests
- add switch{} block + credentialPattern[] for readability
- + tidy nested loops
- reflect codebase conventions in verification scope
- hard drain io.Discard, body.Close on res call in verify func
- intro _test.go (patterns)
- chore integration tests based off others living in repo

Author: x-stp

pkg/detectors/bitbucketapppassword/bitbucketapppassword.go

@@ -4,99 +4,128 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
+	"io"
 	"net/http"
 	"regexp"
-	"strings"
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )
 
-type Scanner struct{}
+// Scanner is a stateless struct that implements the detector interface.
+type Scanner struct {
+	client *http.Client
+}
 
 // Ensure the Scanner satisfies the interface at compile time.
 var _ detectors.Detector = (*Scanner)(nil)
 
-var (
-	client = common.SaneHttpClient()
+// Keywords are used for efficiently pre-filtering chunks.
+func (s Scanner) Keywords() []string {
+	return []string{"bitbucket", "ATBB"}
+}
 
-	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
-	// The following patterns cover the methods of authentication found here:
-	// https://support.atlassian.com/bitbucket-cloud/docs/using-app-passwords/, as well as for other general cases.
+func (s Scanner) Type() detectorspb.DetectorType {
+	return detectorspb.DetectorType_BitbucketAppPassword
+}
 
-	// Covers 'username:appPassword' pattern
-	credentialPairPattern = regexp.MustCompile(`\b([A-Za-z0-9-_]{1,30}):ATBB[A-Za-z0-9_=.-]+[A-Z0-9]{8}\b`)
-	// Covers assignment of username to variable
-	usernameAssignmentPattern = regexp.MustCompile(`(?im)(?:user|usr)\S{0,40}?[:=\s]{1,3}[ '"=]?([a-zA-Z0-9-_]{1,30})\b`)
-	// Covers 'https://[email protected]' pattern
-	usernameUrlPattern = regexp.MustCompile(`https://([a-zA-Z0-9-_]{1,30})@bitbucket.org`)
-	// Covers '("username", "password")' pattern, used for HTTP Basic Auth
-	httpBasicAuthPattern = regexp.MustCompile(`"([a-zA-Z0-9-_]{1,30})",(?: )?"ATBB[A-Za-z0-9_=.-]+[A-Z0-9]{8}"`)
+func (s Scanner) Description() string {
+	return "Bitbucket is a Git repository hosting service by Atlassian. Bitbucket App Passwords are used to authenticate to the Bitbucket API."
+}
 
-	usernamePatterns = []*regexp.Regexp{usernamePat1, usernamePat2, usernamePat3, usernamePat4}
+const bitbucketAPIUserURL = "https://api.bitbucket.org/2.0/user"
 
-	appPasswordPat = regexp.MustCompile(`\bATBB[A-Za-z0-9_=.-]+[A-Z0-9]{8}\b`)
+var (
+	defaultClient = common.SaneHttpClient()
 )
 
-// Keywords are used for efficiently pre-filtering chunks.
-// Use identifiers in the secret preferably, or the provider name.
-func (s Scanner) Keywords() []string {
-	return []string{"bitbucketapppassword", "ATBB"}
-}
+var (
+	// credentialPatterns uses named capture groups (?P<name>...) for readability and robustness.
+	credentialPatterns = []*regexp.Regexp{
+		// Explicitly define the boundary as (start of string) or (a non-username character).
+		regexp.MustCompile(`(?:^|[^A-Za-z0-9-_])(?P<username>[A-Za-z0-9-_]{1,30}):(?P<password>ATBB[A-Za-z0-9_=.-]+)\b`),
+		// Catches 'https://username:[email protected]' pattern
+		regexp.MustCompile(`https://(?P<username>[A-Za-z0-9-_]{1,30}):(?P<password>ATBB[A-Za-z0-9_=.-]+)@bitbucket\.org`),
+		// Catches '("username", "password")' pattern, used for HTTP Basic Auth
+		regexp.MustCompile(`"(?P<username>[A-Za-z0-9-_]{1,30})",\s*"(?P<password>ATBB[A-Za-z0-9_=.-]+)"`),
+	}
+)
 
 // FromData will find and optionally verify Bitbucket App Password secrets in a given set of bytes.
-func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]detectors.Result, error) {
 	dataStr := string(data)
 
-	var usernameMatches [][]string
-	for _, pattern := range usernamePatterns {
-		usernameMatches = append(usernameMatches, pattern.FindAllStringSubmatch(dataStr, -1)...)
-	}
-	appPasswordMatches := appPasswordPat.FindAllString(dataStr, -1)
+	uniqueCredentials := make(map[string]string)
 
-	for _, usernameMatch := range usernameMatches {
-		if len(usernameMatch) != 2 {
-			continue
-		}
-		resUsernameMatch := strings.TrimSpace(usernameMatch[1])
+	for _, pattern := range credentialPatterns {
+		for _, match := range pattern.FindAllStringSubmatch(dataStr, -1) {
+			// Extract credentials using named capture groups for readability.
+			namedMatches := make(map[string]string)
+			for i, name := range pattern.SubexpNames() {
+				if i != 0 && name != "" {
+					namedMatches[name] = match[i]
+				}
+			}
 
-		for _, resAppPasswordMatch := range appPasswordMatches {
+			username := namedMatches["username"]
+			password := namedMatches["password"]
 
-			s1 := detectors.Result{
-				DetectorType: detectorspb.DetectorType_BitbucketAppPassword,
-				Raw:          []byte(fmt.Sprintf(`%s: %s`, resUsernameMatch, resAppPasswordMatch)),
+			if username != "" && password != "" {
+				uniqueCredentials[username] = password
 			}
+		}
+	}
 
-			if verify {
-				req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.bitbucket.org/2.0/user", nil)
-				if err != nil {
-					continue
-				}
-				req.Header.Add("Accept", "application/json")
-				data := fmt.Sprintf("%s:%s", resUsernameMatch, resAppPasswordMatch)
-				req.Header.Add("Authorization", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte(data))))
-				res, err := client.Do(req)
-				if err == nil {
-					defer res.Body.Close()
-					// Status 403 FORBIDDEN indicates a valid secret without valid scope
-					if res.StatusCode >= 200 && res.StatusCode < 300 || res.StatusCode == 403 {
-						s1.Verified = true
-					}
-				}
+	var results []detectors.Result
+	for username, password := range uniqueCredentials {
+		result := detectors.Result{
+			DetectorType: detectorspb.DetectorType_BitbucketAppPassword,
+			Raw:          fmt.Appendf(nil, "%s:%s", username, password),
+		}
+		if verify {
+			client := s.client
+			if client == nil {
+				client = defaultClient
+			}
+			var vErr error
+			result.Verified, vErr = verifyCredential(ctx, client, username, password)
+			if vErr != nil {
+				result.SetVerificationError(vErr, username, password)
 			}
-
-			results = append(results, s1)
 		}
+		results = append(results, result)
 	}
 
 	return results, nil
 }
 
-func (s Scanner) Type() detectorspb.DetectorType {
-	return detectorspb.DetectorType_BitbucketAppPassword
-}
+// verifyCredential checks if a given username and app password are valid by making a request to the Bitbucket API.
+func verifyCredential(ctx context.Context, client *http.Client, username, password string) (bool, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, bitbucketAPIUserURL, nil)
+	if err != nil {
+		return false, err
+	}
+	req.Header.Add("Accept", "application/json")
+	auth := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", username, password)))
+	req.Header.Add("Authorization", fmt.Sprintf("Basic %s", auth))
 
-func (s Scanner) Description() string {
-	return "Bitbucket is a Git repository hosting service by Atlassian. Bitbucket App Passwords are used to authenticate to the Bitbucket API."
+	res, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		_, _ = io.Copy(io.Discard, res.Body)
+		_ = res.Body.Close()
+	}()
+
+	switch res.StatusCode {
+	case http.StatusOK, http.StatusForbidden:
+		// A 403 can indicate a valid credential with insufficient scope, which is still a finding.
+		return true, nil
+	case http.StatusUnauthorized:
+		return false, nil
+	default:
+		return false, fmt.Errorf("unexpected status code: %d", res.StatusCode)
+	}
 }

pkg/detectors/bitbucketapppassword/bitbucketapppassword_integration_test.go

@@ -0,0 +1,88 @@
+//go:build detectors
+// +build detectors
+
+package bitbucketapppassword
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+func TestBitbucketAppPassword_FromData_Integration(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors2")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+
+	username := testSecrets.MustGetField("USERNAME")
+	validPassword := testSecrets.MustGetField("BITBUCKETAPPPASSWORD")
+	invalidPassword := "ATBB123abcDEF456ghiJKL789mnoPQR" // An invalid but correctly formatted password
+
+	tests := []struct {
+		name    string
+		input   string
+		want    []detectors.Result
+		wantErr bool
+	}{
+		{
+			name:  "valid credential",
+			input: fmt.Sprintf("https://%s:%[email protected]", username, validPassword),
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_BitbucketAppPassword,
+					Verified:     true,
+					Raw:          []byte(fmt.Sprintf("%s:%s", username, validPassword)),
+				},
+			},
+		},
+		{
+			name:  "invalid credential",
+			input: fmt.Sprintf("https://%s:%[email protected]", username, invalidPassword),
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_BitbucketAppPassword,
+					Verified:     false,
+					Raw:          []byte(fmt.Sprintf("%s:%s", username, invalidPassword)),
+				},
+			},
+		},
+		{
+			name:  "no credential found",
+			input: "this string has no credentials",
+			want:  nil,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Scanner{}
+			got, err := s.FromData(ctx, true, []byte(tc.input))
+
+			if (err != nil) != tc.wantErr {
+				t.Fatalf("FromData() error = %v, wantErr %v", err, tc.wantErr)
+			}
+			// Normalizing results for comparison by removing fields that are not relevant for the test
+			for i := range got {
+				if got[i].VerificationError() != nil {
+					t.Logf("verification error: %s", got[i].VerificationError())
+				}
+			}
+
+			if diff := cmp.Diff(tc.want, got, cmp.Comparer(func(x, y detectors.Result) bool {
+				return x.Verified == y.Verified && string(x.Raw) == string(y.Raw) && x.DetectorType == y.DetectorType
+			})); diff != "" {
+				t.Errorf("FromData() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}