Implement detectors.EndpointCustomizer on datadogtoken

[simonwhitaker]

Description

As reported in #2265, Datadog API and app key verification only works if the tokens were generated in the main Datadog region (US East 1, aka api.datadoghq.com). This PR makes it possible to override the Datadog API endpoint at runtime.

Please note: when specifying a custom verifier host on the command line, trufflehog checks both the custom host and the default host. (See example below of when I ran this.) I wasn't expecting this, but it does appear to be the expected behaviour of detectors.EndpointCustomizer when using detectors.EndpointSetter. Please let me know if I've misunderstood anything here. (Very possible.)

Closes #2265

Typical usage

By default, validate against https://api.datadoghq.com only:

trufflehog filesystem .

Validate against a different endpoint:

trufflehog filesystem . --verifier \
    datadogToken=https://api.datadoghq.eu

Validate against multiple endpoints:

trufflehog filesystem . --verifier \
    datadogToken=https://api.datadoghq.eu,https://api.us3.datadoghq.com/

Sample output

I registered API and app tokens on both https://api.datadoghq.com/ and https://api.datadoghq.eu. (I gave both app tokens access to the user_access_read scope, since this is needed by the verifier; removing this dependency would be nice to do, but belongs in a separate PR.)

With the default verifier host:

$ go run . filesystem ~/misc/trufflehog-datadog-truffles/
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-02-25T20:18:01Z	info-0	trufflehog	running source	{"source_manager_worker_id": "mvt4B", "with_units": true}
Found unverified result 🐷🔑❓
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu-api-only.py

Found unverified result 🐷🔑❓
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu.py
Line: 1

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us-api-only.py

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us.py
Line: 1

2024-02-25T20:18:01Z	info-0	trufflehog	finished scanning	{"chunks": 4, "bytes": 334, "verified_secrets": 2, "unverified_secrets": 2, "scan_duration": "557.51975ms"}

With a custom verifier host:

$ go run . filesystem ~/misc/trufflehog-datadog-truffles/ --verifier datadogToken=https://api.datadoghq.eu
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-02-25T20:18:11Z	info-0	trufflehog	configured detector with verification urls	{"detector": "DatadogToken", "urls": ["https://api.datadoghq.eu", "https://api.datadoghq.com"]}
2024-02-25T20:18:11Z	info-0	trufflehog	running source	{"source_manager_worker_id": "IbfYG", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us-api-only.py

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: APIKeyOnly
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu-api-only.py

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-us.py
Line: 1

✅ Found verified result 🐷🔑
Detector Type: DatadogToken
Decoder Type: PLAIN
Raw result: <REDACTED>
Type: Application+APIKey
File: /Users/simon/misc/trufflehog-datadog-truffles/datadog-eu.py
Line: 1

2024-02-25T20:18:13Z	info-0	trufflehog	finished scanning	{"chunks": 4, "bytes": 334, "verified_secrets": 4, "unverified_secrets": 0, "scan_duration": "1.693135959s"}

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

Notes on testing

• I did run make test-community but it failed, for an issue unrelated to this change.
• I would suggest also updating datadogtoken_test.go here, to also test Datadog credentials from an instance other than the default (api.datadoghq.com), but I think this needs to be done by someone with access to the test secrets in GCP.

[zricethezav]

Hi @simonwhitaker! Thanks so much for opening this PR. This is a shinning example of a community contribution -- great description and the code changes are consistent with other detectors. This PR LGTM!

We really appreciate the video you posted on youtube! It was really insightful to see your process navigating the code and documentation. Thank you for identifying notable gaps in our documentation. We're working on upping our documentation game ;)