From 87f93ddbc6e525b0c2ec3980e7c922ffc7899823 Mon Sep 17 00:00:00 2001
From: Winni Neessen
Date: Tue, 12 Mar 2024 19:00:21 +0100
Subject: [PATCH] Add HIBP password check functionality

Implemented HIBP password check feature which will crosscheck generated passwords with the HIBP pwned passwords database. This functionality enhances security by not recommending potentially compromised passwords. A new flag, CheckHIBP has been added to enable or disable this feature.
---
 cmd/apg/apg.go | 12 ++++++++++++
 config.go | 5 ++++-
 go.mod | 2 ++
 go.sum | 2 ++
 hibp.go | 16 ++++++++++++++++
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 go.sum
 create mode 100644 hibp.go

diff --git a/cmd/apg/apg.go b/cmd/apg/apg.go
index 9ec210b..4c817ea 100644
--- a/cmd/apg/apg.go
+++ b/cmd/apg/apg.go
@@ -43,6 +43,7 @@ func main() {
 flag.Int64Var(&config.NumberPass, "n", config.NumberPass, "")
 flag.BoolVar(&config.SpellPassword, "l", false, "")
 flag.BoolVar(&config.SpellPronounceable, "t", false, "")
+ flag.BoolVar(&config.CheckHIBP, "p", false, "")
 flag.Usage = usage
 flag.Parse()
@@ -132,6 +133,17 @@ func main() {
 continue
 }
 fmt.Println(password)
+
+ if config.CheckHIBP {
+ pwned, err := apg.HasBeenPwned(password)
+ if err != nil {
+ _, _ = fmt.Fprintf(os.Stderr, "failed to check HIBP database: %s\n", err)
+ }
+ if pwned {
+ fmt.Print("^-- !!WARNING: The previously generated password was found in " +
+ "HIBP database. Do not use it!!\n")
+ }
+ }
 }
 }
diff --git a/config.go b/config.go
index 47c09d7..1425a4c 100644
--- a/config.go
+++ b/config.go
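Review bot: The new `-p` flag is registered with an empty usage string like the existing flags, but nothing in this commit touches `usage`, so the option is invisible in the help output; `usage` is defined outside the hunk, and if it lists the flags by hand it needs an entry for `-p`. That entry should say what the flag does operationally, since enabling it turns on an outbound network request for every generated password — something like `-p  Check each generated password against the HIBP pwned passwords database (requires network access)`. main() continues outside the hunk.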
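Review bot: The HIBP check fails open: `HasBeenPwned` returns `false, err` when the lookup fails, so on a timeout the error goes to stderr while the password, already emitted by `fmt.Println(password)` on the line above, sits on stdout looking exactly like a verified-clean one; anyone consuming stdout through a pipe never sees the difference. Flag the unverified case on stdout next to the password in the same `^--` style used for a hit, so that a failed lookup is not silently equivalent to a clean result. main() starts and ends outside the hunk.
```go
			fmt.Println(password)

			if config.CheckHIBP {
				pwned, err := apg.HasBeenPwned(password)
				switch {
				case err != nil:
					_, _ = fmt.Fprintf(os.Stderr, "failed to check HIBP database: %s\n", err)
					fmt.Print("^-- !!WARNING: The previously generated password could not be " +
						"checked against the HIBP database. Treat it as unverified!!\n")
				case pwned:
					fmt.Print("^-- !!WARNING: The previously generated password was found in " +
						"HIBP database. Do not use it!!\n")
				}
			}
```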
@@ -15,8 +15,11 @@ const (
 // Config represents the apg.Generator config parameters
 type Config struct {
- // Algo
+ // Algorithm sets the Algorithm used for the password generation
 Algorithm Algorithm
+ // CheckHIBP sets a flag if the generated password has to be checked
+ // against the HIBP pwned password database
+ CheckHIBP bool
 // FixedLength sets a fixed length for generated passwords and ignores
 // the MinLength and MaxLength values
 FixedLength int64
diff --git a/go.mod b/go.mod
index 955e55e..b64b6fe 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,5 @@
 module src.neessen.cloud/wneessen/apg-go
 go 1.22
+
+require github.com/wneessen/go-hibp v1.0.6
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..6379982
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,2 @@
+github.com/wneessen/go-hibp v1.0.6 h1:RpV540tVJpxefjCCctzq1cQaIFFlkd3nh+HhPVD6Hys=
+github.com/wneessen/go-hibp v1.0.6/go.mod h1:Ldg6DQg4fMCveVKgL+RL9Jy+9TsljjAP704Ix8X3jOw=
diff --git a/hibp.go b/hibp.go
new file mode 100644
index 0000000..db20189
--- /dev/null
+++ b/hibp.go
@@ -0,0 +1,16 @@
+package apg
+
+import (
+ "time"
+
+ "github.com/wneessen/go-hibp"
+)
+
+// HasBeenPwned checks the given password string against the HIBP pwned
+// passwords database and returns true if the password has been leaked
+func HasBeenPwned(password string) (bool, error) {
+ hc := hibp.New(hibp.WithHTTPTimeout(time.Second*2),
+ hibp.WithPwnedPadding())
+ matches, _, err := hc.PwnedPassAPI.CheckPassword(password)
+ return matches != nil && matches.Count != 0, err
+}
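Review bot: The doc comment on `HasBeenPwned` does not say what leaves the machine, which is the first thing a user of a password generator will ask before enabling the check; if the library performs the lookup through the HIBP range API, so that only a short SHA-1 prefix is transmitted and the comparison happens locally, state it: `// Only a prefix of the password's SHA-1 hash is sent to the HIBP API (k-anonymity range lookup); the password itself never leaves the process.` — confirm against the go-hibp implementation before committing to that wording. The function also constructs a fresh `hibp` client (and presumably its underlying HTTP client) on every call, so `-n 100 -p` builds 100 clients; hoisting it to a package-level `var hibpClient = hibp.New(...)` keeps connection reuse possible. Returning `matches != nil && matches.Count != 0` alongside a non-nil `err` makes the bool look meaningful on failure, and the discarded second result (presumably the HTTP response) deserves a comment saying why it can be dropped; an early `if err != nil { return false, err }` makes the contract explicit.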