Class HaveIBeenPwnedRule

java.lang.Object
org.passay.rule.HaveIBeenPwnedRule
All Implemented Interfaces:
Rule

public class HaveIBeenPwnedRule extends Object implements Rule
Validates the password against the online database of haveibeenpwned.com. The rule can optionally allow passwords that were found there; in that case the number of matches is returned in the result metadata.
  • Field Details

    • ERROR_CODE

      public static final String ERROR_CODE
      Error code for exposed passwords.
    • IO_ERROR_CODE

      public static final String IO_ERROR_CODE
      Error code for API IO errors.
    • DEFAULT_URL

      private static final String DEFAULT_URL
      URL for pwned passwords.
    • PREFIX_LENGTH

      private static final int PREFIX_LENGTH
      Number of characters from the SHA1 digest to send in the API call.
    • DEFAULT_CONNECT_TIMEOUT

      private static final Duration DEFAULT_CONNECT_TIMEOUT
      Default time to wait for HTTP connect.
    • DEFAULT_READ_TIMEOUT

      private static final Duration DEFAULT_READ_TIMEOUT
      Default time to wait for HTTP response.
    • applicationName

      private final String applicationName
      Name of the app.
    • apiUrl

      private final URL apiUrl
      URL of the API.
    • allowExposed

      private final boolean allowExposed
      Should password be allowed if it is found in the API results.
    • allowOnException

      private final boolean allowOnException
      Should password be allowed if API calls throw exceptions.
    • connectTimeout

      private Duration connectTimeout
      Maximum waiting time for established connection. Default is 5 seconds.
    • readTimeout

      private Duration readTimeout
      Maximum waiting time for reading all data. Default is 30 seconds.
  • Constructor Details

    • HaveIBeenPwnedRule

      public HaveIBeenPwnedRule(String appName)
      Create the rule, appName is required by the API.
      Parameters:
      appName - must not be null
    • HaveIBeenPwnedRule

      public HaveIBeenPwnedRule(String appName, String address)
      Create the rule, appName is required by the API.
      Parameters:
      appName - must not be null
      address - the URL must end with a /.
    • HaveIBeenPwnedRule

      public HaveIBeenPwnedRule(String appName, String address, boolean allowExposed, boolean allowOnException)
      Create the rule, appName is required by the API.
      Parameters:
      appName - must not be null
      address - the URL must end with a /.
      allowExposed - false: the rule does not allow previously pwned passwords, true: pwned passwords are allowed, but the number of matches is returned in the result.
      allowOnException - true: if the API is not accessible, any password is accepted. false (default): the API must answer in time for the password to be allowed.
  • Method Details

    • setConnectTimeout

      public void setConnectTimeout(Duration timeout)
      Maximum duration for connecting to the API.
      Parameters:
      timeout - for connecting.
    • setReadTimeout

      public void setReadTimeout(Duration timeout)
      Maximum duration for reading from the API.
      Parameters:
      timeout - for reading.
    • validate

      public RuleResult validate(PasswordData passwordData)
      Description copied from interface: Rule
      Validates the supplied password data per the requirements of this rule.
      Specified by:
      validate in interface Rule
      Parameters:
      passwordData - to verify (not null).
      Returns:
      details on password verification
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • searchResponse

      private RuleResult searchResponse(String hexDigest, LineNumberReader reader) throws IOException
      Reads the supplied reader line by line until a match is found against the supplied hex digest.
      Parameters:
      hexDigest - to match
      reader - to read
      Returns:
      rule result whose validity is determined by whether a match was found
      Throws:
      IOException - if an error occurs reading from the reader
    • getHexDigest

      private static String getHexDigest(PasswordData passwordData)
      Returns an uppercase, hex encoded, SHA1 hash of the password.
      Parameters:
      passwordData - to hash
      Returns:
      hex encoded hash
    • openApiConnectionForRange

      private LineNumberReader openApiConnectionForRange(String range) throws IOException
      Opens a connection to the API and returns a reader for the input stream.
      Parameters:
      range - to request from the API
      Returns:
      reader for the connection
      Throws:
      IOException - if a connection cannot be opened to the API
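The steps that validate, getHexDigest and searchResponse perform, walked through offline as an added example (this is not Passay's own code): hash the password with SHA1, send only the digest prefix to the range API, and scan the "SUFFIX:COUNT" response lines for the remaining digest. It assumes a 5-character prefix, as the public range API requires (the page does not show PREFIX_LENGTH's value), Java 17 for HexFormat, and a constructed response body in place of a live HTTP call.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Offline walk-through of the k-anonymity check; example code, not the Passay class. */
public class PwnedRangeCheckExample {
    // Assumption: the range API takes the first 5 hex characters of the SHA1 digest.
    static final int PREFIX_LENGTH = 5;

    /** Uppercase, hex encoded SHA1 of the password, as getHexDigest returns it. */
    static String hexDigest(String password) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(password.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().withUpperCase().formatHex(d);
    }

    /** Reads "SUFFIX:COUNT" lines until the digest's suffix matches; returns its count, or 0 if absent. */
    static long matchCount(String hexDigest, BufferedReader reader) throws IOException {
        String suffix = hexDigest.substring(PREFIX_LENGTH);
        String line;
        while ((line = reader.readLine()) != null) {
            int sep = line.indexOf(':');
            if (sep > 0 && line.substring(0, sep).equalsIgnoreCase(suffix)) {
                return Long.parseLong(line.substring(sep + 1).trim());
            }
        }
        return 0;
    }

    /** Mirrors the allowExposed / allowOnException decision of validate. */
    static boolean isValid(String password, String body, boolean allowExposed, boolean allowOnException) {
        try {
            long count = matchCount(hexDigest(password), new BufferedReader(new StringReader(body)));
            return count == 0 || allowExposed; // exposed password only passes when explicitly allowed
        } catch (IOException | NoSuchAlgorithmException e) {
            return allowOnException; // API or hashing failure: fail open only if configured to
        }
    }

    public static void main(String[] args) throws Exception {
        String digest = hexDigest("password");
        String prefix = digest.substring(0, PREFIX_LENGTH); // the only part that leaves the client
        // Constructed stand-in for the body the API returns for that prefix (counts are made up).
        String body = "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
            + digest.substring(PREFIX_LENGTH) + ":12345\n"
            + "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n";
        System.out.println("prefix sent=" + prefix + " valid=" + isValid("password", body, false, false));
    }
}
```

The prefix printed is 5BAA6 (the SHA1 of "password" starts 5BAA61E4), and the password is rejected because its suffix appears in the constructed body.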