forgejo/modules/auth/password/pwn/pwn_test.go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package pwn

import (
	"errors"
	"io"
	"net/http"
	"strings"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

type mockTransport struct{}

func (mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Host != "api.pwnedpasswords.com" {
		return nil, errors.New("unexpected host")
	}

	res := &http.Response{
		ProtoMajor: 1,
		ProtoMinor: 1,
		Proto:      "HTTP/1.1",
		Request:    req,
		Header:     make(http.Header),
		StatusCode: 200,
	}

	switch req.URL.Path {
	case "/range/5c1d8":
		res.Body = io.NopCloser(strings.NewReader("EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2"))
		return res, nil
	case "/range/ba189":
		res.Body = io.NopCloser(strings.NewReader("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4"))
		return res, nil
	case "/range/a1733":
		res.Body = io.NopCloser(strings.NewReader("C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0"))
		return res, nil
	case "/range/5617b":
		res.Body = io.NopCloser(strings.NewReader("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0"))
		return res, nil
	case "/range/79082":
		res.Body = io.NopCloser(strings.NewReader("FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0"))
		return res, nil
	}

	return nil, errors.New("unexpected path")
}

var client = New(WithHTTP(&http.Client{
	Timeout:   time.Second * 2,
	Transport: mockTransport{},
}))

func TestPassword(t *testing.T) {
	count, err := client.CheckPassword("", false)
	require.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword")
	assert.Equal(t, -1, count)

	count, err = client.CheckPassword("pwned", false)
	require.NoError(t, err)
	assert.Equal(t, 1, count)

	count, err = client.CheckPassword("notpwned", false)
	require.NoError(t, err)
	assert.Equal(t, 0, count)

	count, err = client.CheckPassword("paddedpwned", true)
	require.NoError(t, err)
	assert.Equal(t, 1, count)

	count, err = client.CheckPassword("paddednotpwned", true)
	require.NoError(t, err)
	assert.Equal(t, 0, count)

	count, err = client.CheckPassword("paddednotpwnedzero", true)
	require.NoError(t, err)
	assert.Equal(t, 0, count)
}
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`// Copyright 2023 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package pwn`

			`import (`
chore: avoid using gock - Avoid using gock to do HTTP mocking, this is fairly simply to do ourselves and avoids a dependency, this commit does right that. 2024-12-18 00:40:02 -05:00			`"errors"`
			`"io"`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`"net/http"`
chore: avoid using gock - Avoid using gock to do HTTP mocking, this is fairly simply to do ourselves and avoids a dependency, this commit does right that. 2024-12-18 00:40:02 -05:00			`"strings"`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`"testing"`
			`"time"`
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next. 2024-02-04 08:29:09 -05:00
			`"github.com/stretchr/testify/assert"`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`"github.com/stretchr/testify/require"`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`)`

chore: avoid using gock - Avoid using gock to do HTTP mocking, this is fairly simply to do ourselves and avoids a dependency, this commit does right that. 2024-12-18 00:40:02 -05:00			`type mockTransport struct{}`

			`func (mockTransport) RoundTrip(req http.Request) (http.Response, error) {`
			`if req.URL.Host != "api.pwnedpasswords.com" {`
			`return nil, errors.New("unexpected host")`
			`}`

			`res := &http.Response{`
			`ProtoMajor: 1,`
			`ProtoMinor: 1,`
			`Proto: "HTTP/1.1",`
			`Request: req,`
			`Header: make(http.Header),`
			`StatusCode: 200,`
			`}`

			`switch req.URL.Path {`
			`case "/range/5c1d8":`
			`res.Body = io.NopCloser(strings.NewReader("EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2"))`
			`return res, nil`
			`case "/range/ba189":`
			`res.Body = io.NopCloser(strings.NewReader("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4"))`
			`return res, nil`
			`case "/range/a1733":`
			`res.Body = io.NopCloser(strings.NewReader("C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0"))`
			`return res, nil`
			`case "/range/5617b":`
			`res.Body = io.NopCloser(strings.NewReader("FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0"))`
			`return res, nil`
			`case "/range/79082":`
			`res.Body = io.NopCloser(strings.NewReader("FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0"))`
			`return res, nil`
			`}`

			`return nil, errors.New("unexpected path")`
			`}`

Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`var client = New(WithHTTP(&http.Client{`
chore: avoid using gock - Avoid using gock to do HTTP mocking, this is fairly simply to do ourselves and avoids a dependency, this commit does right that. 2024-12-18 00:40:02 -05:00			`Timeout: time.Second * 2,`
			`Transport: mockTransport{},`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`}))`

			`func TestPassword(t *testing.T) {`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`count, err := client.CheckPassword("", false)`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`require.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword")`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`assert.Equal(t, -1, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`count, err = client.CheckPassword("pwned", false)`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`require.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`assert.Equal(t, 1, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`count, err = client.CheckPassword("notpwned", false)`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`require.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`assert.Equal(t, 0, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`count, err = client.CheckPassword("paddedpwned", true)`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`require.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`assert.Equal(t, 1, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`count, err = client.CheckPassword("paddednotpwned", true)`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`require.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`assert.Equal(t, 0, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`count, err = client.CheckPassword("paddednotpwnedzero", true)`
Add testifylint to lint checks (#4535) go-require lint is ignored for now Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4535 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-committed-by: TheFox0x7 <thefox0x7@gmail.com> 2024-07-30 15:41:10 -04:00			`require.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` (cherry picked from commit 9235442ba58524c8d12ae54865d583acfa1f439d) 2024-05-02 10:43:23 -04:00			`assert.Equal(t, 0, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 10:49:51 -05:00			`}`