diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/auth/password/pwn.go | 52 | ||||
| -rw-r--r-- | modules/auth/password/pwn/pwn.go | 118 | ||||
| -rw-r--r-- | modules/auth/password/pwn/pwn_test.go | 51 |
3 files changed, 221 insertions, 0 deletions
diff --git a/modules/auth/password/pwn.go b/modules/auth/password/pwn.go new file mode 100644 index 0000000..e00205e --- /dev/null +++ b/modules/auth/password/pwn.go @@ -0,0 +1,52 @@ +// Copyright 2020 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package password + +import ( + "context" + "errors" + "fmt" + + "code.gitea.io/gitea/modules/auth/password/pwn" + "code.gitea.io/gitea/modules/setting" +) + +var ErrIsPwned = errors.New("password has been pwned") + +type ErrIsPwnedRequest struct { + err error +} + +func IsErrIsPwnedRequest(err error) bool { + _, ok := err.(ErrIsPwnedRequest) + return ok +} + +func (err ErrIsPwnedRequest) Error() string { + return fmt.Sprintf("using Have-I-Been-Pwned service failed: %v", err.err) +} + +func (err ErrIsPwnedRequest) Unwrap() error { + return err.err +} + +// IsPwned checks whether a password has been pwned +// If a password has not been pwned, no error is returned. +func IsPwned(ctx context.Context, password string) error { + if !setting.PasswordCheckPwn { + return nil + } + + client := pwn.New(pwn.WithContext(ctx)) + count, err := client.CheckPassword(password, true) + if err != nil { + return ErrIsPwnedRequest{err} + } + + if count > 0 { + return ErrIsPwned + } + + return nil +} diff --git a/modules/auth/password/pwn/pwn.go b/modules/auth/password/pwn/pwn.go new file mode 100644 index 0000000..f77ce9f --- /dev/null +++ b/modules/auth/password/pwn/pwn.go @@ -0,0 +1,118 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package pwn + +import ( + "context" + "crypto/sha1" + "encoding/hex" + "errors" + "fmt" + "io" + "net/http" + "strconv" + "strings" + + "code.gitea.io/gitea/modules/setting" +) + +const passwordURL = "https://api.pwnedpasswords.com/range/" + +// ErrEmptyPassword is an empty password error +var ErrEmptyPassword = errors.New("password cannot be empty") + +// Client is a HaveIBeenPwned client +type Client struct { + ctx context.Context + http *http.Client +} + +// New returns a new HaveIBeenPwned Client +func New(options ...ClientOption) *Client { + client := &Client{ + ctx: context.Background(), + http: http.DefaultClient, + } + + for _, opt := range options { + opt(client) + } + + return client +} + +// ClientOption is a way to modify a new Client +type ClientOption func(*Client) + +// WithHTTP will set the http.Client of a Client +func WithHTTP(httpClient *http.Client) func(pwnClient *Client) { + return func(pwnClient *Client) { + pwnClient.http = httpClient + } +} + +// WithContext will set the context.Context of a Client +func WithContext(ctx context.Context) func(pwnClient *Client) { + return func(pwnClient *Client) { + pwnClient.ctx = ctx + } +} + +func newRequest(ctx context.Context, method, url string, body io.ReadCloser) (*http.Request, error) { + req, err := http.NewRequestWithContext(ctx, method, url, body) + if err != nil { + return nil, err + } + req.Header.Add("User-Agent", "Gitea "+setting.AppVer) + return req, nil +} + +// CheckPassword returns the number of times a password has been compromised +// Adding padding will make requests more secure, however is also slower +// because artificial responses will be added to the response +// For more information, see https://www.troyhunt.com/enhancing-pwned-passwords-privacy-with-padding/ +func (c *Client) CheckPassword(pw string, padding bool) (int, error) { + if pw == "" { + return -1, ErrEmptyPassword + } + + sha := sha1.New() + sha.Write([]byte(pw)) + enc := hex.EncodeToString(sha.Sum(nil)) + prefix, suffix := enc[:5], enc[5:] + + req, err := newRequest(c.ctx, http.MethodGet, fmt.Sprintf("%s%s", passwordURL, prefix), nil) + if err != nil { + return -1, nil + } + if padding { + req.Header.Add("Add-Padding", "true") + } + + resp, err := c.http.Do(req) + if err != nil { + return -1, err + } + + body, err := io.ReadAll(resp.Body) + if err != nil { + return -1, err + } + defer resp.Body.Close() + + for _, pair := range strings.Split(string(body), "\n") { + parts := strings.Split(pair, ":") + if len(parts) != 2 { + continue + } + if strings.EqualFold(suffix, parts[0]) { + count, err := strconv.ParseInt(strings.TrimSpace(parts[1]), 10, 64) + if err != nil { + return -1, err + } + return int(count), nil + } + } + return 0, nil +} diff --git a/modules/auth/password/pwn/pwn_test.go b/modules/auth/password/pwn/pwn_test.go new file mode 100644 index 0000000..e510815 --- /dev/null +++ b/modules/auth/password/pwn/pwn_test.go @@ -0,0 +1,51 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package pwn + +import ( + "net/http" + "testing" + "time" + + "github.com/h2non/gock" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +var client = New(WithHTTP(&http.Client{ + Timeout: time.Second * 2, +})) + +func TestPassword(t *testing.T) { + defer gock.Off() + + count, err := client.CheckPassword("", false) + require.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword") + assert.Equal(t, -1, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/5c1d8").Times(1).Reply(200).BodyString("EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2") + count, err = client.CheckPassword("pwned", false) + require.NoError(t, err) + assert.Equal(t, 1, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/ba189").Times(1).Reply(200).BodyString("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4") + count, err = client.CheckPassword("notpwned", false) + require.NoError(t, err) + assert.Equal(t, 0, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/a1733").Times(1).Reply(200).BodyString("C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0") + count, err = client.CheckPassword("paddedpwned", true) + require.NoError(t, err) + assert.Equal(t, 1, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/5617b").Times(1).Reply(200).BodyString("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0") + count, err = client.CheckPassword("paddednotpwned", true) + require.NoError(t, err) + assert.Equal(t, 0, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/79082").Times(1).Reply(200).BodyString("FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0") + count, err = client.CheckPassword("paddednotpwnedzero", true) + require.NoError(t, err) + assert.Equal(t, 0, count) +} |