gitea/modules/auth/password/pwn/pwn_test.go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package pwn

import (
	"errors"
	"io"
	"net/http"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
)

type mockTransport struct{}

func (mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Host != "api.pwnedpasswords.com" {
		return nil, errors.New("unsupported host")
	}
	respMap := map[string]string{
		"/range/5c1d8": "EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2",
		"/range/ba189": "FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4",
		"/range/a1733": "C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0",
		"/range/5617b": "FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0",
		"/range/79082": "FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0",
	}
	if resp, ok := respMap[req.URL.Path]; ok {
		return &http.Response{Request: req, Body: io.NopCloser(strings.NewReader(resp))}, nil
	}
	return nil, errors.New("unsupported path")
}

func TestPassword(t *testing.T) {
	client := New(WithHTTP(&http.Client{Transport: mockTransport{}}))

	count, err := client.CheckPassword("", false)
	assert.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword")
	assert.Equal(t, -1, count)

	count, err = client.CheckPassword("pwned", false)
	assert.NoError(t, err)
	assert.Equal(t, 1, count)

	count, err = client.CheckPassword("notpwned", false)
	assert.NoError(t, err)
	assert.Equal(t, 0, count)

	count, err = client.CheckPassword("paddedpwned", true)
	assert.NoError(t, err)
	assert.Equal(t, 1, count)

	count, err = client.CheckPassword("paddednotpwned", true)
	assert.NoError(t, err)
	assert.Equal(t, 0, count)

	count, err = client.CheckPassword("paddednotpwnedzero", true)
	assert.NoError(t, err)
	assert.Equal(t, 0, count)
}
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00			`// Copyright 2023 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package pwn`

			`import (`
Trivial fixes (#33103) 1. remove `gock` dependency, it is not needed 2. fix a regression from org private profile readme 2025-01-05 06:25:50 +08:00			`"errors"`
			`"io"`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00			`"net/http"`
Trivial fixes (#33103) 1. remove `gock` dependency, it is not needed 2. fix a regression from org private profile readme 2025-01-05 06:25:50 +08:00			`"strings"`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00			`"testing"`
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next. 2024-02-04 14:29:09 +01:00
			`"github.com/stretchr/testify/assert"`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00			`)`

Trivial fixes (#33103) 1. remove `gock` dependency, it is not needed 2. fix a regression from org private profile readme 2025-01-05 06:25:50 +08:00			`type mockTransport struct{}`

			`func (mockTransport) RoundTrip(req http.Request) (http.Response, error) {`
			`if req.URL.Host != "api.pwnedpasswords.com" {`
			`return nil, errors.New("unsupported host")`
			`}`
			`respMap := map[string]string{`
			`"/range/5c1d8": "EAF2F254732680E8AC339B84F3266ECCBB5:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2",`
			`"/range/ba189": "FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4",`
			`"/range/a1733": "C4CE0F1F0062B27B9E2F41AF0C08218017C:1\r\nFC446EB88938834178CB9322C1EE273C2A7:2\r\nFE81480327C992FE62065A827429DD1318B:0",`
			`"/range/5617b": "FD4CB34F0378BCB15D23F6FFD28F0775C9E:3\r\nFDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0",`
			`"/range/79082": "FDF342FCD8C3611DAE4D76E8A992A3E4169:4\r\nFE81480327C992FE62065A827429DD1318B:0\r\nAFEF386F56EB0B4BE314E07696E5E6E6536:0",`
			`}`
			`if resp, ok := respMap[req.URL.Path]; ok {`
			`return &http.Response{Request: req, Body: io.NopCloser(strings.NewReader(resp))}, nil`
			`}`
			`return nil, errors.New("unsupported path")`
			`}`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00
			`func TestPassword(t *testing.T) {`
Trivial fixes (#33103) 1. remove `gock` dependency, it is not needed 2. fix a regression from org private profile readme 2025-01-05 06:25:50 +08:00			`client := New(WithHTTP(&http.Client{Transport: mockTransport{}}))`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00
			`count, err := client.CheckPassword("", false)`
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next. 2024-02-04 14:29:09 +01:00			`assert.ErrorIs(t, err, ErrEmptyPassword, "blank input should return ErrEmptyPassword")`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`assert.Equal(t, -1, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`count, err = client.CheckPassword("pwned", false)`
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next. 2024-02-04 14:29:09 +01:00			`assert.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`assert.Equal(t, 1, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`count, err = client.CheckPassword("notpwned", false)`
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next. 2024-02-04 14:29:09 +01:00			`assert.NoError(t, err)`
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`assert.Equal(t, 0, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`count, err = client.CheckPassword("paddedpwned", true)`
			`assert.NoError(t, err)`
			`assert.Equal(t, 1, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`count, err = client.CheckPassword("paddednotpwned", true)`
			`assert.NoError(t, err)`
			`assert.Equal(t, 0, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00
Remove external API calls in `TestPassword` (#30716) The test had a dependency on `https://api.pwnedpasswords.com` which caused many failures on CI recently: ``` --- FAIL: TestPassword (2.37s) pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers) FAIL coverage: 82.9% of statements ``` 2024-05-02 16:43:23 +02:00			`count, err = client.CheckPassword("paddednotpwnedzero", true)`
			`assert.NoError(t, err)`
			`assert.Equal(t, 0, count)`
Consume hcaptcha and pwn deps (#22610) This PR just consumes the [hcaptcha](https://gitea.com/jolheiser/hcaptcha) and [haveibeenpwned](https://gitea.com/jolheiser/pwn) modules directly into Gitea. Also let this serve as a notice that I'm fine with transferring my license (which was already MIT) from my own name to "The Gitea Authors". Signed-off-by: jolheiser <john.olheiser@gmail.com> 2023-01-29 09:49:51 -06:00			`}`