summaryrefslogtreecommitdiffstats
path: root/modules/auth/password/pwn
diff options
context:
space:
mode:
authorDaniel Baumann <daniel@debian.org>2024-10-18 20:33:49 +0200
committerDaniel Baumann <daniel@debian.org>2024-12-12 23:57:56 +0100
commite68b9d00a6e05b3a941f63ffb696f91e554ac5ec (patch)
tree97775d6c13b0f416af55314eb6a89ef792474615 /modules/auth/password/pwn
parentInitial commit. (diff)
downloadforgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.tar.xz
forgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.zip
Adding upstream version 9.0.3.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to '')
-rw-r--r--modules/auth/password/pwn.go52
-rw-r--r--modules/auth/password/pwn/pwn.go118
-rw-r--r--modules/auth/password/pwn/pwn_test.go51
3 files changed, 221 insertions, 0 deletions
diff --git a/modules/auth/password/pwn.go b/modules/auth/password/pwn.go
new file mode 100644
index 0000000..e00205e
--- /dev/null
+++ b/modules/auth/password/pwn.go
@@ -0,0 +1,52 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package password
+
+import (
+ "context"
+ "errors"
+ "fmt"
+
+ "code.gitea.io/gitea/modules/auth/password/pwn"
+ "code.gitea.io/gitea/modules/setting"
+)
+
+var ErrIsPwned = errors.New("password has been pwned")
+
+type ErrIsPwnedRequest struct {
+ err error
+}
+
+func IsErrIsPwnedRequest(err error) bool {
+ _, ok := err.(ErrIsPwnedRequest)
+ return ok
+}
+
+func (err ErrIsPwnedRequest) Error() string {
+ return fmt.Sprintf("using Have-I-Been-Pwned service failed: %v", err.err)
+}
+
+func (err ErrIsPwnedRequest) Unwrap() error {
+ return err.err
+}
+
+// IsPwned checks whether a password has been pwned
+// If a password has not been pwned, no error is returned.
+func IsPwned(ctx context.Context, password string) error {
+ if !setting.PasswordCheckPwn {
+ return nil
+ }
+
+ client := pwn.New(pwn.WithContext(ctx))
+ count, err := client.CheckPassword(password, true)
+ if err != nil {
+ return ErrIsPwnedRequest{err}
+ }
+
+ if count > 0 {
+ return ErrIsPwned
+ }
+
+ return nil
+}
diff --git a/modules/auth/password/pwn/pwn.go b/modules/auth/password/pwn/pwn.go
new file mode 100644
index 0000000..f77ce9f
--- /dev/null
+++ b/modules/auth/password/pwn/pwn.go
@@ -0,0 +1,118 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package pwn
+
+import (
+ "context"
+ "crypto/sha1"
+ "encoding/hex"
+ "errors"
+ "fmt"
+ "io"
+ "net/http"
+ "strconv"
+ "strings"
+
+ "code.gitea.io/gitea/modules/setting"
+)
+
+const passwordURL = "https://api.pwnedpasswords.com/range/"
+
+// ErrEmptyPassword is an empty password error
+var ErrEmptyPassword = errors.New("password cannot be empty")
+
+// Client is a HaveIBeenPwned client
+type Client struct {
+ ctx context.Context
+ http *http.Client
+}
+
+// New returns a new HaveIBeenPwned Client
+func New(options ...ClientOption) *Client {
+ client := &Client{
+ ctx: context.Background(),
+ http: http.DefaultClient,
+ }
+
+ for _, opt := range options {
+ opt(client)
+ }
+
+ return client
+}
+
+// ClientOption is a way to modify a new Client
+type ClientOption func(*Client)
+
+// WithHTTP will set the http.Client of a Client
+func WithHTTP(httpClient *http.Client) func(pwnClient *Client) {
+ return func(pwnClient *Client) {
+ pwnClient.http = httpClient
+ }
+}
+
+// WithContext will set the context.Context of a Client
+func WithContext(ctx context.Context) func(pwnClient *Client) {
+ return func(pwnClient *Client) {
+ pwnClient.ctx = ctx
+ }
+}
+
+func newRequest(ctx context.Context, method, url string, body io.ReadCloser) (*http.Request, error) {
+ req, err := http.NewRequestWithContext(ctx, method, url, body)
+ if err != nil {
+ return nil, err
+ }
+ req.Header.Add("User-Agent", "Gitea "+setting.AppVer)
+ return req, nil
+}
+
+// CheckPassword returns the number of times a password has been compromised
+// Adding padding will make requests more secure, however is also slower
+// because artificial responses will be added to the response
+// For more information, see https://www.troyhunt.com/enhancing-pwned-passwords-privacy-with-padding/
+func (c *Client) CheckPassword(pw string, padding bool) (int, error) {
+ if pw == "" {
+ return -1, ErrEmptyPassword
+ }
+
+ sha := sha1.New()
+ sha.Write([]byte(pw))
+ enc := hex.EncodeToString(sha.Sum(nil))
+ prefix, suffix := enc[:5], enc[5:]
+
+ req, err := newRequest(c.ctx, http.MethodGet, fmt.Sprintf("%s%s", passwordURL, prefix), nil)
+ if err != nil {
+ return -1, nil
+ }
+ if padding {
+ req.Header.Add("Add-Padding", "true")
+ }
+
+ resp, err := c.http.Do(req)
+ if err != nil {
+ return -1, err
+ }
+
+ body, err := io.ReadAll(resp.Body)
+ if err != nil {
+ return -1, err
+ }
+ defer resp.Body.Close()
+
+ for _, pair := range strings.Split(string(body), "\n") {
+ parts := strings.Split(pair, ":")
+ if len(parts) != 2 {
+ continue
+ }
+ if strings.EqualFold(suffix, parts[0]) {
+ count, err := strconv.ParseInt(strings.TrimSpace(parts[1]), 10, 64)
+ if err != nil {
+ return -1, err
+ }
+ return int(count), nil
+ }
+ }
+ return 0, nil
+}
diff --git a/modules/auth/password/pwn/pwn_test.go b/modules/auth/password/pwn/pwn_test.go
new file mode 100644
index 0000000..e510815
--- /dev/null
+++ b/modules/auth/password/pwn/pwn_test.go
@@ -0,0 +1,51 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package pwn
+
+import (
+ "net/http"
+ "testing"
+ "time"
+
+ "github.com/h2non/gock"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+var client = New(WithHTTP(&http.Client{
+ Timeout: time.Second * 2,
+}))
+
+func TestPassword(t *testing.T) {
+ defer gock.Off()
+
+ count, err := client.CheckPassword("", false)
+ require.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword")
+ assert.Equal(t, -1, count)
+
+ gock.New("https://api.pwnedpasswords.com").Get("/range/5c1d8").Times(1).Reply(200).BodyString("EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2")
+ count, err = client.CheckPassword("pwned", false)
+ require.NoError(t, err)
+ assert.Equal(t, 1, count)
+
+ gock.New("https://api.pwnedpasswords.com").Get("/range/ba189").Times(1).Reply(200).BodyString("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4")
+ count, err = client.CheckPassword("notpwned", false)
+ require.NoError(t, err)
+ assert.Equal(t, 0, count)
+
+ gock.New("https://api.pwnedpasswords.com").Get("/range/a1733").Times(1).Reply(200).BodyString("C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0")
+ count, err = client.CheckPassword("paddedpwned", true)
+ require.NoError(t, err)
+ assert.Equal(t, 1, count)
+
+ gock.New("https://api.pwnedpasswords.com").Get("/range/5617b").Times(1).Reply(200).BodyString("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0")
+ count, err = client.CheckPassword("paddednotpwned", true)
+ require.NoError(t, err)
+ assert.Equal(t, 0, count)
+
+ gock.New("https://api.pwnedpasswords.com").Get("/range/79082").Times(1).Reply(200).BodyString("FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0")
+ count, err = client.CheckPassword("paddednotpwnedzero", true)
+ require.NoError(t, err)
+ assert.Equal(t, 0, count)
+}