diff options
Diffstat (limited to 'modules/auth/password/pwn')
| -rw-r--r-- | modules/auth/password/pwn/pwn.go | 118 | ||||
| -rw-r--r-- | modules/auth/password/pwn/pwn_test.go | 51 |
2 files changed, 169 insertions, 0 deletions
diff --git a/modules/auth/password/pwn/pwn.go b/modules/auth/password/pwn/pwn.go new file mode 100644 index 0000000..f77ce9f --- /dev/null +++ b/modules/auth/password/pwn/pwn.go @@ -0,0 +1,118 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package pwn + +import ( + "context" + "crypto/sha1" + "encoding/hex" + "errors" + "fmt" + "io" + "net/http" + "strconv" + "strings" + + "code.gitea.io/gitea/modules/setting" +) + +const passwordURL = "https://api.pwnedpasswords.com/range/" + +// ErrEmptyPassword is an empty password error +var ErrEmptyPassword = errors.New("password cannot be empty") + +// Client is a HaveIBeenPwned client +type Client struct { + ctx context.Context + http *http.Client +} + +// New returns a new HaveIBeenPwned Client +func New(options ...ClientOption) *Client { + client := &Client{ + ctx: context.Background(), + http: http.DefaultClient, + } + + for _, opt := range options { + opt(client) + } + + return client +} + +// ClientOption is a way to modify a new Client +type ClientOption func(*Client) + +// WithHTTP will set the http.Client of a Client +func WithHTTP(httpClient *http.Client) func(pwnClient *Client) { + return func(pwnClient *Client) { + pwnClient.http = httpClient + } +} + +// WithContext will set the context.Context of a Client +func WithContext(ctx context.Context) func(pwnClient *Client) { + return func(pwnClient *Client) { + pwnClient.ctx = ctx + } +} + +func newRequest(ctx context.Context, method, url string, body io.ReadCloser) (*http.Request, error) { + req, err := http.NewRequestWithContext(ctx, method, url, body) + if err != nil { + return nil, err + } + req.Header.Add("User-Agent", "Gitea "+setting.AppVer) + return req, nil +} + +// CheckPassword returns the number of times a password has been compromised +// Adding padding will make requests more secure, however is also slower +// because artificial responses will be added to the response +// For more information, see https://www.troyhunt.com/enhancing-pwned-passwords-privacy-with-padding/ +func (c *Client) CheckPassword(pw string, padding bool) (int, error) { + if pw == "" { + return -1, ErrEmptyPassword + } + + sha := sha1.New() + sha.Write([]byte(pw)) + enc := hex.EncodeToString(sha.Sum(nil)) + prefix, suffix := enc[:5], enc[5:] + + req, err := newRequest(c.ctx, http.MethodGet, fmt.Sprintf("%s%s", passwordURL, prefix), nil) + if err != nil { + return -1, nil + } + if padding { + req.Header.Add("Add-Padding", "true") + } + + resp, err := c.http.Do(req) + if err != nil { + return -1, err + } + + body, err := io.ReadAll(resp.Body) + if err != nil { + return -1, err + } + defer resp.Body.Close() + + for _, pair := range strings.Split(string(body), "\n") { + parts := strings.Split(pair, ":") + if len(parts) != 2 { + continue + } + if strings.EqualFold(suffix, parts[0]) { + count, err := strconv.ParseInt(strings.TrimSpace(parts[1]), 10, 64) + if err != nil { + return -1, err + } + return int(count), nil + } + } + return 0, nil +} diff --git a/modules/auth/password/pwn/pwn_test.go b/modules/auth/password/pwn/pwn_test.go new file mode 100644 index 0000000..e510815 --- /dev/null +++ b/modules/auth/password/pwn/pwn_test.go @@ -0,0 +1,51 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package pwn + +import ( + "net/http" + "testing" + "time" + + "github.com/h2non/gock" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +var client = New(WithHTTP(&http.Client{ + Timeout: time.Second * 2, +})) + +func TestPassword(t *testing.T) { + defer gock.Off() + + count, err := client.CheckPassword("", false) + require.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword") + assert.Equal(t, -1, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/5c1d8").Times(1).Reply(200).BodyString("EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2") + count, err = client.CheckPassword("pwned", false) + require.NoError(t, err) + assert.Equal(t, 1, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/ba189").Times(1).Reply(200).BodyString("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4") + count, err = client.CheckPassword("notpwned", false) + require.NoError(t, err) + assert.Equal(t, 0, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/a1733").Times(1).Reply(200).BodyString("C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0") + count, err = client.CheckPassword("paddedpwned", true) + require.NoError(t, err) + assert.Equal(t, 1, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/5617b").Times(1).Reply(200).BodyString("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0") + count, err = client.CheckPassword("paddednotpwned", true) + require.NoError(t, err) + assert.Equal(t, 0, count) + + gock.New("https://api.pwnedpasswords.com").Get("/range/79082").Times(1).Reply(200).BodyString("FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0") + count, err = client.CheckPassword("paddednotpwnedzero", true) + require.NoError(t, err) + assert.Equal(t, 0, count) +} |