symfony
diff --git a/‎src/Symfony/Component/Validator/Constraints/Pwned.php
Lines changed: 32 additions & 0 deletions b/‎src/Symfony/Component/Validator/Constraints/Pwned.php
Lines changed: 32 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Validator/Constraints/PwnedValidator.php
Lines changed: 77 additions & 0 deletions b/‎src/Symfony/Component/Validator/Constraints/PwnedValidator.php
Lines changed: 77 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Validator/Tests/Constraints/PwnedTest.php
Lines changed: 27 additions & 0 deletions b/‎src/Symfony/Component/Validator/Tests/Constraints/PwnedTest.php
Lines changed: 27 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Validator/Tests/Constraints/PwnedValidatorTest.php
Lines changed: 122 additions & 0 deletions b/‎src/Symfony/Component/Validator/Tests/Constraints/PwnedValidatorTest.php
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Validator\Constraints;
+
+use Symfony\Component\Validator\Constraint;
+
+/**
+ * Checks if a password has been leaked in a data breach.
+ *
+ * @Annotation
+ * @Target({"PROPERTY", "METHOD", "ANNOTATION"})
+ *
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+class Pwned extends Constraint
+{
+    const PWNED_ERROR = 'd9bcdbfe-a9d6-4bfa-a8ff-da5fd93e0f6d';
+
+    protected static $errorNames = array(self::PWNED_ERROR => 'PWNED_ERROR');
+
+    public $message = 'This password has been leaked in a data breach, it must not be used. Please use another password.';
+    public $maxCount = 1;
+}
@@ -0,0 +1,77 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Validator\Constraints;
+
+use Symfony\Component\Validator\Constraint;
+use Symfony\Component\Validator\ConstraintValidator;
+use Symfony\Component\Validator\Exception\RuntimeException;
+use Symfony\Component\Validator\Exception\UnexpectedTypeException;
+
+/**
+ * Checks if a password has been leaked in a data breach using haveibeenpwned.com's API.
+ * Use a k-anonymity model to protect the password being searched for.
+ *
+ * @see https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+class PwnedValidator extends ConstraintValidator
+{
+    private const RANGE_API = 'https://api.pwnedpasswords.com/range/%s';
+    private $httpClient;
+    /**
+     * @param callable|null $httpClient Must mimic the file_get_contents's signature: function(string $url): string|false (false is returned in case of error)
+     */
+    public function __construct(?callable $httpClient = null)
+    {
+        $this->httpClient = $httpClient;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validate($value, Constraint $constraint)
+    {
+        if (!$constraint instanceof Pwned) {
+            throw new UnexpectedTypeException($constraint, Pwned::class);
+        }
+
+        if (null === $value || '' === $value) {
+            return;
+        }
+
+        if (\is_array($value) || (\is_object($value) && !method_exists($value, '__toString'))) {
+            throw new UnexpectedTypeException($value, 'string');
+        }
+
+        $httpClient = $this->httpClient;
+
+        $hash = strtoupper(sha1($value));
+        $hashPrefix = substr($hash, 0, 5);
+        $url = sprintf(self::RANGE_API, $hashPrefix);
+
+        $result = $httpClient ? $httpClient($url) : @file_get_contents($url);
+        if (false === $result) {
+            throw new RuntimeException('Problem contacting the Have I been Pwned API.');
+        }
+
+        foreach (explode("\r\n", $result) as $line) {
+            list($hashSuffix, $count) = explode(':', $line);
+
+            if ($hashPrefix.$hashSuffix === $hash && (int) $count >= $constraint->maxCount) {
+                $this->context->buildViolation($constraint->message)
+                    ->setCode(Pwned::PWNED_ERROR)
+                    ->addViolation();
+                return;
+            }
+        }
+    }
+}
@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Validator\Tests\Constraints;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Validator\Constraints\Pwned;
+
+/**
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+class PwnedTest extends TestCase
+{
+    public function testDefaultValues()
+    {
+        $constraint = new Pwned();
+        $this->assertSame(1, $constraint->maxCount);
+    }
+}
@@ -0,0 +1,122 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Validator\Tests\Constraints;
+
+use Symfony\Component\Validator\Constraints\Luhn;
+use Symfony\Component\Validator\Constraints\Pwned;
+use Symfony\Component\Validator\Constraints\PwnedValidator;
+use Symfony\Component\Validator\Test\ConstraintValidatorTestCase;
+
+/**
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+class PwnedValidatorTest extends ConstraintValidatorTestCase
+{
+    private const RETURN = array(
+        '35E033023A46402F94CFB4F654C5BFE44A1:1',
+        '35F079CECCC31812288257CD770AA7968D7:53',
+        '36039744C253F9B2A4E90CBEDB02EBFB82D:5', // this is the matching line, password: maman
+        '3686792BBC66A72D40D928ED15621124CFE:7',
+        '36EEC709091B810AA240179A44317ED415C:2',
+    );
+
+    protected function createValidator()
+    {
+        $httpClient = function (string $url) {
+            if ('https://api.pwnedpasswords.com/range/3EF27' === $url) {
+                // Simulate a connection error
+                // https://api.pwnedpasswords.com/range/3EF27 is the range for the value "apiError"
+                return false;
+            }
+
+            return implode("\r\n", self::RETURN);
+        };
+
+        // Pass null instead of this mock to run the tests against the real API
+        return new PwnedValidator($httpClient);
+    }
+
+    public function testNullIsValid()
+    {
+        $this->validator->validate(null, new Pwned());
+
+        $this->assertNoViolation();
+    }
+
+    public function testEmptyStringIsValid()
+    {
+        $this->validator->validate('', new Pwned());
+
+        $this->assertNoViolation();
+    }
+
+    public function testInvalidPassword()
+    {
+        $constraint = new Pwned();
+        $this->validator->validate('maman', $constraint);
+
+        $this->buildViolation($constraint->message)
+            ->setCode(Pwned::PWNED_ERROR)
+            ->assertRaised();
+    }
+
+    public function testMaxCountReached()
+    {
+        $constraint = new Pwned(array('maxCount' => 3));
+        $this->validator->validate('maman', $constraint);
+
+        $this->buildViolation($constraint->message)
+            ->setCode(Pwned::PWNED_ERROR)
+            ->assertRaised();
+    }
+
+    public function testMaxCountNotReached()
+    {
+        $constraint = new Pwned(array('maxCount' => 10));
+        $this->validator->validate('maman', $constraint);
+
+        $this->assertNoViolation();
+    }
+
+    public function testValidPassword()
+    {
+        $constraint = new Pwned();
+        $this->validator->validate(']<0585"%sb^5aa$w6!b38",,72?dp3r4\45b28Hy', $constraint);
+
+        $this->assertNoViolation();
+    }
+
+    /**
+     * @expectedException \Symfony\Component\Validator\Exception\UnexpectedTypeException
+     */
+    public function testInvalidConstraint()
+    {
+        $this->validator->validate(null, new Luhn());
+    }
+
+    /**
+     * @expectedException \Symfony\Component\Validator\Exception\UnexpectedTypeException
+     */
+    public function testInvalidValue()
+    {
+        $this->validator->validate(array(), new Pwned());
+    }
+
+    /**
+     * @expectedException \Symfony\Component\Validator\Exception\RuntimeException
+     * @expectedExceptionMessage Problem contacting the Have I been Pwned API.
+     */
+    public function testApiError()
+    {
+        $this->validator->validate('apiError', new Pwned());
+    }
+}