haveibeenpwned Ansible role

A friend & colleague wrote a powershell module which queries Troy Hunt’s haveibeenpwned.com API.  The haveibeenpwned site that Troy runs, documents/records data breaches where data has been leaked and provides an API to query the data.

Wanting to punch out a few Ansible roles onto galaxy, I started to put together a role that queries the haveibeenpwned API:  Im0.have-i-been-pwned

Using the role

Download from galaxy with something like: ansible-galaxy install Im0.have-i-been-pwned

Run it by including it in a role a number of ways:

- name: Check have i been pwned
  hosts: localhost
  - { role: Im0.ansible-role-have-i-been-pwned,
      lookup: 'password',
      password: 'password123' }
  - { role: Im0.ansible-role-have-i-been-pwned,
      lookup: 'password',
      hash: 'AB87D24BDC7452E55738DEB5F868E1F16DEA5ACE'}
  - { role: Im0.ansible-role-have-i-been-pwned,
      lookup: 'account_breach',
      account: '[email protected]'}

Or, as a task:

  - include_role:
      name: Im0.ansible-role-have-i-been-pwned
      tasks_from: password_lookup
      password: 'password123'
  - include_role:
      name: Im0.ansible-role-have-i-been-pwned
      tasks_from: account_breach
      account: [email protected]

If an account or password is in either of the queried databases, the task will fail.

TASK [ansible-role-have-i-been-pwned : Fail if the password is in the pwned database] *************************************************************

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Password is compromised"}

 to retry, use: --limit @/home/user/haveibeenpwned.retry


TASK [ansible-role-have-i-been-pwned : Fail if "[email protected]" is found in breached account list] ************************************************

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Account [email protected] was found in 1 breaches"}

The haveibeenpwned database also contains some data from pastes, which, I may add soon.

Further reading on the API overview page.