[Validator] Wire NotCompromisedPassword in FrameworkBundle and handle non UTF-8 password

tgalopin · fabpot · commit f8d0081a2b41 · 2019-04-06T19:55:53.000+02:00
diff --git a/Constraints/NotCompromisedPasswordValidator.php b/Constraints/NotCompromisedPasswordValidator.php
@@ -31,14 +31,16 @@ class NotCompromisedPasswordValidator extends ConstraintValidator
     private const RANGE_API = 'https://api.pwnedpasswords.com/range/%s';
 
     private $httpClient;
+    private $charset;
 
-    public function __construct(HttpClientInterface $httpClient = null)
+    public function __construct(HttpClientInterface $httpClient = null, string $charset = 'UTF-8')
     {
         if (null === $httpClient && !class_exists(HttpClient::class)) {
             throw new \LogicException(sprintf('The "%s" class requires the "HttpClient" component. Try running "composer require symfony/http-client".', self::class));
         }
 
         $this->httpClient = $httpClient ?? HttpClient::create();
+        $this->charset = $charset;
     }
 
     /**
@@ -61,6 +63,10 @@ public function validate($value, Constraint $constraint)
             return;
         }
 
+        if ('UTF-8' !== $this->charset) {
+            $value = mb_convert_encoding($value, 'UTF-8', $this->charset);
+        }
+
         $hash = strtoupper(sha1($value));
         $hashPrefix = substr($hash, 0, 5);
         $url = sprintf(self::RANGE_API, $hashPrefix);
diff --git a/Tests/Constraints/NotCompromisedPasswordValidatorTest.php b/Tests/Constraints/NotCompromisedPasswordValidatorTest.php
@@ -28,40 +28,22 @@ class NotCompromisedPasswordValidatorTest extends ConstraintValidatorTestCase
     private const PASSWORD_TRIGGERING_AN_ERROR_RANGE_URL = 'https://api.pwnedpasswords.com/range/3EF27'; // https://api.pwnedpasswords.com/range/3EF27 is the range for the value "apiError"
     private const PASSWORD_LEAKED = 'maman';
     private const PASSWORD_NOT_LEAKED = ']<0585"%sb^5aa$w6!b38",,72?dp3r4\45b28Hy';
+    private const PASSWORD_NON_UTF8_LEAKED = 'мама';
+    private const PASSWORD_NON_UTF8_NOT_LEAKED = 'м<в0dp3r4\45b28Hy';
 
     private const RETURN = [
         '35E033023A46402F94CFB4F654C5BFE44A1:1',
         '35F079CECCC31812288257CD770AA7968D7:53',
-        '36039744C253F9B2A4E90CBEDB02EBFB82D:5', // this is the matching line, password: maman
+        '36039744C253F9B2A4E90CBEDB02EBFB82D:5', // UTF-8 leaked password: maman
+        '273CA8A2A78C9B2D724144F4FAF4D221C86:6', // ISO-8859-5 leaked password: мама
         '3686792BBC66A72D40D928ED15621124CFE:7',
         '36EEC709091B810AA240179A44317ED415C:2',
     ];
 
     protected function createValidator()
     {
-        $httpClientStub = $this->createMock(HttpClientInterface::class);
-        $httpClientStub->method('request')->will(
-            $this->returnCallback(function (string $method, string $url): ResponseInterface {
-                if (self::PASSWORD_TRIGGERING_AN_ERROR_RANGE_URL === $url) {
-                    throw new class('Problem contacting the Have I been Pwned API.') extends \Exception implements ServerExceptionInterface {
-                        public function getResponse(): ResponseInterface
-                        {
-                            throw new \RuntimeException('Not implemented');
-                        }
-                    };
-                }
-
-                $responseStub = $this->createMock(ResponseInterface::class);
-                $responseStub
-                    ->method('getContent')
-                    ->willReturn(implode("\r\n", self::RETURN));
-
-                return $responseStub;
-            })
-        );
-
-        // Pass HttpClient::create() instead of this mock to run the tests against the real API
-        return new NotCompromisedPasswordValidator($httpClientStub);
+        // Pass HttpClient::create() instead of the mock to run the tests against the real API
+        return new NotCompromisedPasswordValidator($this->createHttpClientStub());
     }
 
     public function testNullIsValid()
@@ -112,6 +94,29 @@ public function testValidPassword()
         $this->assertNoViolation();
     }
 
+    public function testNonUtf8CharsetValid()
+    {
+        $validator = new NotCompromisedPasswordValidator($this->createHttpClientStub(), 'ISO-8859-5');
+        $validator->validate(mb_convert_encoding(self::PASSWORD_NON_UTF8_NOT_LEAKED, 'ISO-8859-5', 'UTF-8'), new NotCompromisedPassword());
+
+        $this->assertNoViolation();
+    }
+
+    public function testNonUtf8CharsetInvalid()
+    {
+        $constraint = new NotCompromisedPassword();
+
+        $this->context = $this->createContext();
+
+        $validator = new NotCompromisedPasswordValidator($this->createHttpClientStub(), 'ISO-8859-5');
+        $validator->initialize($this->context);
+        $validator->validate(mb_convert_encoding(self::PASSWORD_NON_UTF8_LEAKED, 'ISO-8859-5', 'UTF-8'), $constraint);
+
+        $this->buildViolation($constraint->message)
+            ->setCode(NotCompromisedPassword::COMPROMISED_PASSWORD_ERROR)
+            ->assertRaised();
+    }
+
     /**
      * @expectedException \Symfony\Component\Validator\Exception\UnexpectedTypeException
      */
@@ -142,4 +147,30 @@ public function testApiErrorSkipped()
         $this->validator->validate(self::PASSWORD_TRIGGERING_AN_ERROR, new NotCompromisedPassword(['skipOnError' => true]));
         $this->assertTrue(true); // No exception have been thrown
     }
+
+    private function createHttpClientStub(): HttpClientInterface
+    {
+        $httpClientStub = $this->createMock(HttpClientInterface::class);
+        $httpClientStub->method('request')->will(
+            $this->returnCallback(function (string $method, string $url): ResponseInterface {
+                if (self::PASSWORD_TRIGGERING_AN_ERROR_RANGE_URL === $url) {
+                    throw new class('Problem contacting the Have I been Pwned API.') extends \Exception implements ServerExceptionInterface {
+                        public function getResponse(): ResponseInterface
+                        {
+                            throw new \RuntimeException('Not implemented');
+                        }
+                    };
+                }
+
+                $responseStub = $this->createMock(ResponseInterface::class);
+                $responseStub
+                    ->method('getContent')
+                    ->willReturn(implode("\r\n", self::RETURN));
+
+                return $responseStub;
+            })
+        );
+
+        return $httpClientStub;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -31,14 +31,16 @@ class NotCompromisedPasswordValidator extends ConstraintValidator`
`31`	`31`	`private const RANGE_API = 'https://api.pwnedpasswords.com/range/%s';`
`32`	`32`
`33`	`33`	`private $httpClient;`
	`34`	`+ private $charset;`
`34`	`35`
`35`		`- public function __construct(HttpClientInterface $httpClient = null)`
	`36`	`+ public function __construct(HttpClientInterface $httpClient = null, string $charset = 'UTF-8')`
`36`	`37`	`{`
`37`	`38`	`if (null === $httpClient && !class_exists(HttpClient::class)) {`
`38`	`39`	`throw new \LogicException(sprintf('The "%s" class requires the "HttpClient" component. Try running "composer require symfony/http-client".', self::class));`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`$this->httpClient = $httpClient ?? HttpClient::create();`
	`43`	`+ $this->charset = $charset;`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`/**`
`@@ -61,6 +63,10 @@ public function validate($value, Constraint $constraint)`
`61`	`63`	`return;`
`62`	`64`	`}`
`63`	`65`
	`66`	`+ if ('UTF-8' !== $this->charset) {`
	`67`	`+ $value = mb_convert_encoding($value, 'UTF-8', $this->charset);`
	`68`	`+ }`
	`69`	`+`
`64`	`70`	`$hash = strtoupper(sha1($value));`
`65`	`71`	`$hashPrefix = substr($hash, 0, 5);`
`66`	`72`	`$url = sprintf(self::RANGE_API, $hashPrefix);`