implement checking pwned password in password validator

2 years ago · 469af0b96c
2 changed files with 24 additions and 0 deletions
--- a/src/main/java/PasswordValidator.java
+++ b/src/main/java/PasswordValidator.java
@ -11,6 +11,7 @@ public class PasswordValidator {
    boolean requireUppercase = true;
    boolean requireLowercase = true;
    boolean requireDigit = true;
+    boolean checkPwned = true;

    private final Pattern uppercasePattern = Pattern.compile("^(?=.*[A-Z]).+$");
    private final Pattern lowercasePattern = Pattern.compile("^(?=.*[a-z]).+$");
@ -26,6 +27,8 @@ public class PasswordValidator {
            return false;
        } else if (requireDigit && !digitPattern.matcher(password).matches()) {
            return false;
+        } else if (checkPwned && isPwned(password)) {
+            return false;
        }
        return true;
    }
@ -62,6 +65,14 @@ public class PasswordValidator {
        this.requireDigit = requireDigit;
    }

+    public boolean isCheckPwned() {
+        return checkPwned;
+    }
+
+    public void setCheckPwned(boolean checkPwned) {
+        this.checkPwned = checkPwned;
+    }
+
    public static String getSHA1Hash(String input) {
        if (input.length() > 0) {
            try {
--- a/src/test/java/PasswordValidatorTest.java
+++ b/src/test/java/PasswordValidatorTest.java
@ -14,6 +14,7 @@ class PasswordValidatorTest {
        passwordValidator.setRequireUppercase(false);
        passwordValidator.setRequireLowercase(false);
        passwordValidator.setRequireDigit(false);
+        passwordValidator.setCheckPwned(false);
        assertFalse(passwordValidator.validate("abcde"));
        assertTrue(passwordValidator.validate("abcdef"));
        assertTrue(passwordValidator.validate("abcdefg"));
@ -22,6 +23,7 @@ class PasswordValidatorTest {
        passwordValidator.setRequireUppercase(true);
        passwordValidator.setRequireLowercase(false);
        passwordValidator.setRequireDigit(false);
+        passwordValidator.setCheckPwned(false);
        assertFalse(passwordValidator.validate("abcdef"));
        assertTrue(passwordValidator.validate("abCdef"));
        assertTrue(passwordValidator.validate("ABCDEF"));
@ -30,6 +32,7 @@ class PasswordValidatorTest {
        passwordValidator.setRequireUppercase(true);
        passwordValidator.setRequireLowercase(true);
        passwordValidator.setRequireDigit(false);
+        passwordValidator.setCheckPwned(false);
        assertFalse(passwordValidator.validate("abcdef"));
        assertTrue(passwordValidator.validate("abCdef"));
        assertFalse(passwordValidator.validate("ABCDEF"));
@ -38,6 +41,7 @@ class PasswordValidatorTest {
        passwordValidator.setRequireUppercase(true);
        passwordValidator.setRequireLowercase(true);
        passwordValidator.setRequireDigit(true);
+        passwordValidator.setCheckPwned(false);
        assertFalse(passwordValidator.validate("8"));
        assertFalse(passwordValidator.validate("12345678"));
        assertFalse(passwordValidator.validate("abcdef"));
@ -46,6 +50,15 @@ class PasswordValidatorTest {
        assertFalse(passwordValidator.validate("ABCDEF"));
        assertFalse(passwordValidator.validate("ABCDEF8"));
        assertTrue(passwordValidator.validate("abCDE8F"));
+
+        // test password pwned check
+        passwordValidator.setRequireUppercase(true);
+        passwordValidator.setRequireLowercase(true);
+        passwordValidator.setRequireDigit(true);
+        passwordValidator.setCheckPwned(true);
+        assertFalse(passwordValidator.validate("8"));
+        assertFalse(passwordValidator.validate("asdf12"));
+        assertTrue(passwordValidator.validate("=phan0johB4aisae6Mie0jeip9Saejahc0iuvuth7ahv9uoni6o*_.+"));
    }

    @Test