feat: Disable HaveIBeenPwned validation when HaveIBeenPwnedEnabled is set to false

[jertel]

Related issue

Implements remaining request from #316 to support disabling the check for pwned passwords.

Proposed changes

Environments disconnected from the Internet, and environments that enforce strict outbound network access restrictions should not attempt to access a remote URL to determine if a password has appeared in a prior breech. While the current implementation allows for custom host definition, environments that do not have a custom pwned password host currently have no method to skip this check. This PR provides that feature.

Checklist

• I have read the contributing guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further comments

None

[aeneasr]

You can already ignore network errors using passwordPolicyConfig.IgnoreNetworkErrors. Is there a particular reason for adding another control mechanism?

[jertel]

Yes, with network errors ignored, the client will attempt several retries using an exponential backoff algorithm (see https://github.com/hashicorp/go-retryablehttp). This removes 15 seconds of unnecessary waiting from the password process, when it's known in advance that the remote host is unavailable.

[aeneasr]

Right, that makes sense then! Would it be possible to introduce a new variable for this though? Something that makes it explicit that this is disabled.

[jertel]

Yes, take a look a the new changes and let me know if it needs adjustments.

[aeneasr]

Just one minor thing, then this is good to merge IMO!

[aeneasr]

Thank you, this looks great! The CI is failing because some files are formatted incorrectly. To format them, run:

$ make format
$ git commit -a -m "styles: format code"
$ git push

Thank you!

[codecov]

Codecov Report

Merging #1445 (5a2f0f0) into master (171206c) will increase coverage by 0.07%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #1445      +/-   ##
==========================================
+ Coverage   71.29%   71.36%   +0.07%     
==========================================
  Files         250      250              
  Lines       10645    10648       +3     
==========================================
+ Hits         7589     7599      +10     
+ Misses       2436     2429       -7     
  Partials      620      620              

Impacted Files	Coverage Δ
driver/config/config.go	75.15% <100.00%> (+0.07%)	⬆️
selfservice/strategy/password/validator.go	88.23% <100.00%> (+0.35%)	⬆️
cmd/courier/watch.go	68.00% <0.00%> (+14.00%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 171206c...5a2f0f0. Read the comment docs.

[aeneasr]

Awesome, thank you! 🎉 Your contribution makes Ory better :)