wneessen/go-hibp
1
1
Fork 0
mirror of https://github.com/wneessen/go-hibp.git synced 2024-11-09 15:32:52 +01:00
Code Issues Projects Releases Packages Wiki Activity
go-hibp/password_test.go

484 lines
15 KiB
Go
Raw Normal View History

v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
package hibp
import (
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
"errors"
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
"fmt"
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
"testing"
)
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
const (
// PwStringInsecure is the string representation of an insecure password
PwStringInsecure = "test"
// PwStringSecure is the string representation of an insecure password
PwStringSecure = "F/0Ws#.%{Z/NVax=OU8Ajf1qTRLNS12p/?s/adX"
// PwHashInsecure is the SHA1 checksum of an insecure password
// Represents the string: test
PwHashInsecure = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// PwHashInsecure is the NTLM hash of an insecure password
// Represents the string: test
PwHashInsecureNTLM = "0cb6948805f797bf2a82807973b89537"
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
// PwHashSecure is the SHA1 checksum of a secure password
// Represents the string: F/0Ws#.%{Z/NVax=OU8Ajf1qTRLNS12p/?s/adX
PwHashSecure = "90efc095c82eab44e882fda507cfab1a2cd31fc0"
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// PwHashSecureNTLM is the NTLM hash of a secure password
// Represents the string: F/0Ws#.%{Z/NVax=OU8Ajf1qTRLNS12p/?s/adX
PwHashSecureNTLM = "997f11041d9aa830842e682d1b4207df"
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
)
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// TestPwnedPassAPI_CheckPassword verifies the Pwned Passwords API with the CheckPassword method
func TestPwnedPassAPI_CheckPassword(t *testing.T) {
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
testTable := []struct {
testName string
pwString string
isLeaked bool
}{
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
{"weak password 'test' is expected to be leaked", PwStringInsecure, true},
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
{
"strong, unknown password is expected to be not leaked",
PwStringSecure, false,
},
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
hc := New()
for _, tc := range testTable {
t.Run(tc.testName, func(t *testing.T) {
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
m, _, err := hc.PwnedPassAPI.CheckPassword(tc.pwString)
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
if err != nil {
t.Error(err)
}
if m == nil && tc.isLeaked {
t.Errorf("password is expected to be leaked but 0 leaks were returned in Pwned Passwords DB")
}
if m != nil && m.Count > 0 && !tc.isLeaked {
t.Errorf("password is not expected to be leaked but %d leaks were found in Pwned Passwords DB",
m.Count)
}
})
}
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// TestPwnedPassAPI_CheckPassword_NTLM verifies the Pwned Passwords API with the CheckPassword method
// with NTLM hashes enabled
func TestPwnedPassAPI_CheckPassword_NTLM(t *testing.T) {
testTable := []struct {
testName string
pwString string
isLeaked bool
}{
{"weak password 'test' is expected to be leaked", PwStringInsecure, true},
{
"strong, unknown password is expected to be not leaked",
PwStringSecure, false,
},
}
hc := New(WithPwnedNTLMHash())
for _, tc := range testTable {
t.Run(tc.testName, func(t *testing.T) {
m, _, err := hc.PwnedPassAPI.CheckPassword(tc.pwString)
if err != nil {
t.Error(err)
}
if m == nil && tc.isLeaked {
t.Errorf("password is expected to be leaked but 0 leaks were returned in Pwned Passwords DB")
}
if m != nil && m.Count > 0 && !tc.isLeaked {
t.Errorf("password is not expected to be leaked but %d leaks were found in Pwned Passwords DB",
m.Count)
}
})
}
}
Improved test coverage
2023-02-09 22:25:08 +01:00
// TestPwnedPassAPI_CheckPassword_failed verifies the Pwned Passwords API with the CheckPassword method
// with intentionally failing requests
func TestPwnedPassAPI_CheckPassword_failed(t *testing.T) {
hc := New()
hc.PwnedPassAPIOpts.HashMode = 99
_, _, err := hc.PwnedPassAPI.CheckPassword(PwStringInsecure)
if err == nil {
t.Error("CheckPassword with unsupported HashMode was supposed to fail, but didn't")
}
if !errors.Is(err, ErrUnsupportedHashMode) {
t.Errorf("CheckPassword wrong error, expected: %s, got: %s", ErrUnsupportedHashMode, err)
}
}
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// TestPwnedPassAPI_CheckSHA1 verifies the Pwned Passwords API with the CheckSHA1 method
func TestPwnedPassAPI_CheckSHA1(t *testing.T) {
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
testTable := []struct {
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
testName string
pwHash string
isLeaked bool
shouldFail bool
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}{
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
{
"weak password 'test' is expected to be leaked",
PwHashInsecure, true, false,
},
{
"strong, unknown password is expected to be not leaked",
PwHashSecure, false, false,
},
{
"empty string should fail",
"", false, true,
},
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
hc := New()
for _, tc := range testTable {
t.Run(tc.testName, func(t *testing.T) {
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
m, _, err := hc.PwnedPassAPI.CheckSHA1(tc.pwHash)
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
if err != nil && !tc.shouldFail {
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
t.Error(err)
Introducing the breaches API So far only the "list all breaches" API is implemented, though
2021-09-21 19:46:48 +02:00
return
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
}
if m == nil && tc.isLeaked {
t.Errorf("password is expected to be leaked but 0 leaks were returned in Pwned Passwords DB")
}
if m != nil && m.Count > 0 && !tc.isLeaked {
t.Errorf("password is not expected to be leaked but %d leaks were found in Pwned Passwords DB",
m.Count)
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
if m != nil && m.Hash != tc.pwHash {
t.Errorf("password hashes don't match, expected: %s, got %s", tc.pwHash, m.Hash)
}
})
}
}
// TestPwnedPassAPI_CheckNTLM verifies the Pwned Passwords API with the CheckNTLM method
func TestPwnedPassAPI_CheckNTLM(t *testing.T) {
testTable := []struct {
testName string
pwHash string
isLeaked bool
shouldFail bool
}{
{
"weak password 'test' is expected to be leaked",
PwHashInsecureNTLM, true, false,
},
{
"strong, unknown password is expected to be not leaked",
PwHashSecureNTLM, false, false,
},
{
"empty string should fail",
"", false, true,
},
}
hc := New()
for _, tc := range testTable {
t.Run(tc.testName, func(t *testing.T) {
m, _, err := hc.PwnedPassAPI.CheckNTLM(tc.pwHash)
if err != nil && !tc.shouldFail {
t.Error(err)
return
}
if m == nil && tc.isLeaked {
t.Errorf("password is expected to be leaked but 0 leaks were returned in Pwned Passwords DB")
}
if m != nil && m.Count > 0 && !tc.isLeaked {
t.Errorf("password is not expected to be leaked but %d leaks were found in Pwned Passwords DB",
m.Count)
}
if m != nil && m.Hash != tc.pwHash {
t.Errorf("password hashes don't match, expected: %s, got %s", tc.pwHash, m.Hash)
}
v0.1.1: Complete refactor
2021-09-21 11:21:04 +02:00
})
}
}
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// TestPwnedPassAPI_ListHashesPrefix tests the ListHashesPrefix method (especially for failures that are not
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
// tested by the other tests already)
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func TestPwnedPassAPI_ListHashesPrefix(t *testing.T) {
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
hc := New()
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
// Should return at least 1 restults
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
l, _, err := hc.PwnedPassAPI.ListHashesPrefix("a94a8")
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if err != nil {
t.Errorf("ListHashesPrefix was not supposed to fail, but did: %s", err)
}
if len(l) <= 0 {
t.Errorf("ListHashesPrefix was supposed to return a list longer than 0")
}
// Prefix has wrong size
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
_, _, err = hc.PwnedPassAPI.ListHashesPrefix("ZZZZZZZZZZZZZZ")
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
if err == nil {
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
t.Errorf("ListHashesPrefix was supposed to fail, but didn't")
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
}
// Non allowed characters
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
_, _, err = hc.PwnedPassAPI.ListHashesPrefix(string([]byte{0, 0, 0, 0, 0}))
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if err == nil {
t.Errorf("ListHashesPrefix was supposed to fail, but didn't")
}
Improved test coverage
2023-02-09 22:25:08 +01:00
// Should fall back to SHA-1
hc.PwnedPassAPIOpts.HashMode = 99
l, _, err = hc.PwnedPassAPI.ListHashesPrefix("a94a8")
if err != nil {
t.Errorf("ListHashesPrefix was not supposed to fail, but did: %s", err)
}
if len(l) <= 0 {
t.Errorf("ListHashesPrefix was supposed to return a list longer than 0")
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
}
Overhauling error handling of the different APIs as part of #24 - More error generalization - Fixed PwnedPasswords API errors - Added SHA1 hash validation with corresponding error - More tests for error handling
2022-12-22 15:59:48 +01:00
// TestPwnedPassAPI_ListHashesPrefix_Errors tests the ListHashesPrefix method's errors
func TestPwnedPassAPI_ListHashesPrefix_Errors(t *testing.T) {
hc := New()
// Empty prefix
t.Run("empty prefix", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesPrefix("")
if err == nil {
t.Errorf("ListHashesPrefix with empty prefix should fail but didn't")
return
}
if !errors.Is(err, ErrPrefixLengthMismatch) {
t.Errorf("ListHashesPrefix with empty prefix should return ErrPrefixLengthMismatch error but didn't")
return
}
})
// Too long prefix
t.Run("too long prefix", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesPrefix("abcdefg12345")
if err == nil {
t.Errorf("ListHashesPrefix with too long prefix should fail but didn't")
return
}
if !errors.Is(err, ErrPrefixLengthMismatch) {
t.Errorf("ListHashesPrefix with too long prefix should return ErrPrefixLengthMismatch error but didn't")
}
})
}
// TestPwnedPassAPI_ListHashesSHA1_Errors tests the ListHashesSHA1 method's errors
func TestPwnedPassAPI_ListHashesSHA1_Errors(t *testing.T) {
hc := New()
// Empty hash
t.Run("empty hash", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesSHA1("")
if err == nil {
t.Errorf("ListHashesSHA1 with empty hash should fail but didn't")
}
if !errors.Is(err, ErrSHA1LengthMismatch) {
t.Errorf("ListHashesSHA1 with empty hash should return ErrSHA1LengthMismatch error but didn't")
}
})
// Too long hash
t.Run("too long hash", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesSHA1("FF36DC7D3284A39991ADA90CAF20D1E3C0DADEFAB")
if err == nil {
t.Errorf("ListHashesSHA1 with too long hash should fail but didn't")
}
if !errors.Is(err, ErrSHA1LengthMismatch) {
t.Errorf("ListHashesSHA1 with too long hash should return ErrSHA1LengthMismatch error but didn't")
}
})
// Invalid hash
t.Run("invalid hash", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesSHA1("FF36DC7D3284A39991ADA90CAF20D1E3C0DADEFZ")
if err == nil {
t.Errorf("ListHashesSHA1 with invalid hash should fail but didn't")
}
if !errors.Is(err, ErrSHA1Invalid) {
t.Errorf("ListHashesSHA1 with invalid hash should return ErrSHA1Invalid error but didn't")
}
})
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// TestPwnedPassAPI_ListHashesNTLM_Errors tests the ListHashesNTLM method's errors
func TestPwnedPassAPI_ListHashesNTLM_Errors(t *testing.T) {
hc := New()
// Empty hash
t.Run("empty hash", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesNTLM("")
if err == nil {
t.Errorf("ListHashesNTLM with empty hash should fail but didn't")
}
if !errors.Is(err, ErrNTLMLengthMismatch) {
t.Errorf("ListHashesNTLM with empty hash should return ErrNTLMLengthMismatch error but didn't")
}
})
// Too long hash
t.Run("too long hash", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesNTLM("FF36DC7D3284A39991ADA90CAF20D1E3C0DADEFAB")
if err == nil {
t.Errorf("ListHashesNTLM with too long hash should fail but didn't")
}
if !errors.Is(err, ErrNTLMLengthMismatch) {
t.Errorf("ListHashesNTLM with too long hash should return ErrNTLMLengthMismatch error but didn't")
}
})
// Invalid hash
t.Run("invalid hash", func(t *testing.T) {
_, _, err := hc.PwnedPassAPI.ListHashesNTLM("3284A39991ADA90CAF20D1E3C0DADEFZ")
if err == nil {
t.Errorf("ListHashesNTLM with invalid hash should fail but didn't")
}
if !errors.Is(err, ErrNTLMInvalid) {
t.Errorf("ListHashesNTLM with invalid hash should return ErrSHA1Invalid error but didn't")
}
})
}
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// TestPwnedPassApi_ListHashesSHA1 tests the PwnedPassAPI.ListHashesSHA1 metethod
func TestPwnedPassAPI_ListHashesSHA1(t *testing.T) {
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
hc := New()
// List length should be >0
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
l, _, err := hc.PwnedPassAPI.ListHashesSHA1(PwHashInsecure)
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if err != nil {
t.Errorf("ListHashesSHA1 was not supposed to fail, but did: %s", err)
}
if len(l) <= 0 {
t.Errorf("ListHashesSHA1 was supposed to return a list longer than 0")
}
// Hash has wrong size
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
_, _, err = hc.PwnedPassAPI.ListHashesSHA1(PwStringInsecure)
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if err == nil {
t.Errorf("ListHashesSHA1 was supposed to fail, but didn't")
}
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// TestPwnedPassApi_ListHashesNTLM tests the PwnedPassAPI.ListHashesNTLM metethod
func TestPwnedPassAPI_ListHashesNTLM(t *testing.T) {
hc := New(WithPwnedNTLMHash())
// List length should be >0
l, _, err := hc.PwnedPassAPI.ListHashesNTLM(PwHashInsecureNTLM)
if err != nil {
t.Errorf("ListHashesNTLM was not supposed to fail, but did: %s", err)
}
if len(l) <= 0 {
t.Errorf("ListHashesNTLM was supposed to return a list longer than 0")
}
// Hash has wrong size
_, _, err = hc.PwnedPassAPI.ListHashesNTLM(PwStringInsecure)
if err == nil {
t.Errorf("ListHashesNTLM was supposed to fail, but didn't")
}
}
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// TestPwnedPassAPI_ListHashesPassword tests the PwnedPassAPI.ListHashesPassword metethod
func TestPwnedPassAPI_ListHashesPassword(t *testing.T) {
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
hc := New()
// List length should be >0
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
l, _, err := hc.PwnedPassAPI.ListHashesPassword(PwStringInsecure)
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
if err != nil {
t.Errorf("ListHashesPassword was not supposed to fail, but did: %s", err)
}
if len(l) <= 0 {
t.Errorf("ListHashesPassword was supposed to return a list longer than 0")
}
Improved test coverage
2023-02-09 22:25:08 +01:00
}
#14: Add `ListHashes*()` methods to get access to all returned hashes - This method replaces the previously private apiCall() method - Added `ListHashesSHA1()` as well as `ListHashesPassword()` to keep consistency in the naming schema - Added length checks for SHA1() methods - Added length check for Prefix() method
2022-06-08 17:26:41 +02:00
Improved test coverage
2023-02-09 22:25:08 +01:00
// TestPwnedPassAPI_ListHashesPassword_failed tests the PwnedPassAPI.ListHashesPassword metethod
// with a unsupported HashMode
func TestPwnedPassAPI_ListHashesPassword_failed(t *testing.T) {
hc := New()
hc.PwnedPassAPIOpts.HashMode = 99
_, _, err := hc.PwnedPassAPI.ListHashesPassword(PwStringInsecure)
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
if err == nil {
Improved test coverage
2023-02-09 22:25:08 +01:00
t.Error("ListHashesPassword with unspported HashMode was supposed to fail, but didn't")
}
if !errors.Is(err, ErrUnsupportedHashMode) {
t.Errorf("ListHashesPassword error does not match, expected: %s, got: %s", ErrUnsupportedHashMode, err)
}
}
// TestPwnedPassAPI_ListHashesPasswordNTLM tests the PwnedPassAPI.ListHashesPassword metethod
// with NTLM HashMode
func TestPwnedPassAPI_ListHashesPasswordNTLM(t *testing.T) {
hc := New(WithPwnedNTLMHash())
// List length should be >0
l, _, err := hc.PwnedPassAPI.ListHashesPassword(PwStringInsecure)
if err != nil {
t.Errorf("ListHashesPassword was not supposed to fail, but did: %s", err)
}
if len(l) <= 0 {
t.Errorf("ListHashesPassword was supposed to return a list longer than 0")
v1.0.2: More tests and better README.md.
2022-05-08 12:44:20 +02:00
}
}
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// ExamplePwnedPassAPI_CheckPassword is a code example to show how to check a given password
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
// against the HIBP passwords API
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func ExamplePwnedPassAPI_CheckPassword() {
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
hc := New()
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
m, _, err := hc.PwnedPassAPI.CheckPassword("test")
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
if err != nil {
panic(err)
}
if m != nil && m.Count != 0 {
fmt.Printf("Your password with the hash %q was found %d times in the pwned passwords DB\n",
m.Hash, m.Count)
Update password hash count in test output The expected output counts for password hash matches in the pwned passwords database have been updated in multiple test scenarios. The changes reflect recent statistics, ensuring the tests' output aligns with current data for greater test accuracy.
2024-03-14 22:19:50 +01:00
// Output: Your password with the hash "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" was found 142835 times in the pwned passwords DB
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
}
}
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// ExamplePwnedPassAPI_CheckPassword_withPadding is a code example to show how to check a given password
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
// against the HIBP passwords API with the WithPadding() option set
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func ExamplePwnedPassAPI_CheckPassword_withPadding() {
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
hc := New(WithPwnedPadding())
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
m, _, err := hc.PwnedPassAPI.CheckPassword("test")
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
if err != nil {
panic(err)
}
if m != nil && m.Count != 0 {
fmt.Printf("Your password with the hash %q was found %d times in the pwned passwords DB\n",
m.Hash, m.Count)
Update password hash count in test output The expected output counts for password hash matches in the pwned passwords database have been updated in multiple test scenarios. The changes reflect recent statistics, ensuring the tests' output aligns with current data for greater test accuracy.
2024-03-14 22:19:50 +01:00
// Output: Your password with the hash "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" was found 142835 times in the pwned passwords DB
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
}
}
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
// ExamplePwnedPassAPI_checkSHA1 is a code example to show how to check a given password SHA1 hash
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
// against the HIBP passwords API using the CheckSHA1() method
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
func ExamplePwnedPassAPI_checkSHA1() {
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
hc := New()
pwHash := "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" // represents the PW: "test"
Implement a golangci-lint workflow and the accordingly GH action
2022-10-29 15:32:12 +02:00
m, _, err := hc.PwnedPassAPI.CheckSHA1(pwHash)
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
if err != nil {
panic(err)
}
if m != nil && m.Count != 0 {
fmt.Printf("Your password with the hash %q was found %d times in the pwned passwords DB\n",
m.Hash, m.Count)
Update password hash count in test output The expected output counts for password hash matches in the pwned passwords database have been updated in multiple test scenarios. The changes reflect recent statistics, ensuring the tests' output aligns with current data for greater test accuracy.
2024-03-14 22:19:50 +01:00
// Output: Your password with the hash "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" was found 142835 times in the pwned passwords DB
Moved all code examples into the test files using GoDoc syntax
2022-05-08 12:02:58 +02:00
}
}
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
// ExamplePwnedPassAPI_checkNTLM is a code example to show how to check a given password NTLM hash
// against the HIBP passwords API using the CheckNTLM() method
func ExamplePwnedPassAPI_checkNTLM() {
hc := New()
pwHash := "0cb6948805f797bf2a82807973b89537" // represents the PW: "test"
m, _, err := hc.PwnedPassAPI.CheckNTLM(pwHash)
if err != nil {
panic(err)
}
if m != nil && m.Count != 0 {
fmt.Printf("Your password with the hash %q was found %d times in the pwned passwords DB\n",
m.Hash, m.Count)
Update password hash count in test output The expected output counts for password hash matches in the pwned passwords database have been updated in multiple test scenarios. The changes reflect recent statistics, ensuring the tests' output aligns with current data for greater test accuracy.
2024-03-14 22:19:50 +01:00
// Output: Your password with the hash "0cb6948805f797bf2a82807973b89537" was found 142835 times in the pwned passwords DB
#27: Implement NTLM hash support for PwnedPassAPI This PR implements support for NTLM hashes as announced by Troy Hunt: https://s.pebcak.de/@troyhunt@infosec.exchange/109833758367903768 For this we needed to be able to calculate MD4 hashes, as NTLM basically is calculated like this: `MD4(UTF-16LE(pw))`. For this we ported the official golang.org/x/crypto/md4 package, so we can still claim that "only depends on Go stdlib" A new Client option has been introduced: `WithPwnedNTLMHash`. If the client is initalized with this option, all generic methods (`ListHashesPassword` and `CheckPassword`) will operate on NTLM hashes. Additionally, there are now equivalent methods for checking passwords and listing hashes for NTLM: `CheckNTLM` and `ListHashesNTLM`
2023-02-09 17:07:20 +01:00
}
}
Reference in a new issue Copy permalink