More disclosure metrics (#17471)

* Add some more metrics around token disclosures * Minor refactor * Fix docs: there is no trailing slash
pypi · Jan 22, 2025 · 8329e67 · 8329e67
1 parent e8a0cda
commit 8329e67
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/docs/user/api/secrets.md b/docs/user/api/secrets.md
@@ -85,7 +85,7 @@ disclosure.
 
 ### Reporting a secret
 
-Route: `POST /_/secrets/disclose-token/`
+Route: `POST /_/secrets/disclose-token`
 
 Accepts a report of one or more arbitrary API tokens, with details on where it
 was located. The message body is a JSON array that contains one or more
@@ -101,7 +101,7 @@ Additional fields may be provide but will be ignored.
 Example request:
 
 ```http
-POST /_/secrets/disclose-token/ HTTP/1.1
+POST /_/secrets/disclose-token HTTP/1.1
 Host: pypi.org
 Some-Public-Key-Identifier: ...
 Some-Public-Key-Signature: ...

diff --git a/warehouse/integrations/secrets/views.py b/warehouse/integrations/secrets/views.py
@@ -40,8 +40,11 @@ def _detect_origin(request):
     has_translations=False,
 )
 def disclose_token(request):
+    metrics = request.find_service(IMetricsService, context=None)
+
     # If integrator headers are missing, response will be a 404
     if not (origin := _detect_origin(request)):
+        metrics.increment("warehouse.token_leak.invalid_origin")
         return HTTPNotFound()
 
     # Disclosers calls this API view when they have identified a string matching
@@ -52,12 +55,8 @@ def disclose_token(request):
 
     # The documentation for this process is at
     # https://developer.github.com/partnerships/token-scanning/
-
-    body = request.body
-
     key_id = request.headers.get(origin.key_id_header)
     signature = request.headers.get(origin.signature_header)
-    metrics = request.find_service(IMetricsService, context=None)
 
     verifier = utils.GenericTokenScanningPayloadVerifier(
         session=request.http,
@@ -67,7 +66,10 @@ def disclose_token(request):
         api_token=request.registry.settings.get(origin.api_token),
     )
 
-    if not verifier.verify(payload=body, key_id=key_id, signature=signature):
+    if not verifier.verify(payload=request.body, key_id=key_id, signature=signature):
+        metrics.increment(
+            f"warehouse.token_leak.{origin.metric_name}.error.payload.verify_error"
+        )
         return HTTPBadRequest()
 
     try: