discourse/spec/components/validators/password_validator_spec.rb

require 'rails_helper'
require_dependency "common_passwords/common_passwords"

describe PasswordValidator do

  def password_error_message(key)
    I18n.t("activerecord.errors.models.user.attributes.password.#{key.to_s}")
  end

  let(:validator) { described_class.new(attributes: :password) }
  subject(:validate) { validator.validate_each(record, :password, @password) }

  context "password required" do
    let(:record) { u = Fabricate.build(:user, password: @password); u.password_required!; u }

    context "password is not common" do
      before do
        CommonPasswords.stubs(:common_password?).returns(false)
      end

      context "min password length is 8" do
        before { SiteSetting.min_password_length = 8 }

        it "doesn't add an error when password is good" do
          @password = "weron235alsfn234"
          validate
          expect(record.errors[:password]).not_to be_present
        end

        it "adds an error when password is too short" do
          @password = "p"
          validate
          expect(record.errors[:password]).to be_present
        end

        it "adds an error when password is blank" do
          @password = ''
          validate
          expect(record.errors[:password]).to be_present
        end

        it "adds an error when password is nil" do
          @password = nil
          validate
          expect(record.errors[:password]).to be_present
        end

        it "adds an error when user is admin and password is less than 15 chars" do
          SiteSetting.min_admin_password_length = 15

          @password = "12345678912"
          record.admin = true
          validate
          expect(record.errors[:password]).to be_present
        end
      end

      context "min password length is 12" do
        before { SiteSetting.min_password_length = 12 }

        it "adds an error when password length is 11" do
          @password = "gt38sdt92bv"
          validate
          expect(record.errors[:password]).to be_present
        end
      end
    end

    context "password is commonly used" do
      before do
        SiteSetting.min_password_length = 8
        CommonPasswords.stubs(:common_password?).returns(true)
      end

      it "adds an error when block_common_passwords is enabled" do
        SiteSetting.block_common_passwords = true
        @password = "password"
        validate
        expect(record.errors[:password]).to include(password_error_message(:common))
      end

      it "doesn't add an error when block_common_passwords is disabled" do
        SiteSetting.block_common_passwords = false
        @password = "password"
        validate
        expect(record.errors[:password]).not_to be_present
      end
    end

    context "password_unique_characters is 5" do
      before do
        SiteSetting.password_unique_characters = 5
      end

      it "adds an error when there are too few unique characters" do
        SiteSetting.password_unique_characters = 6
        @password = "aaaaaa5432"
        validate
        expect(record.errors[:password]).to include(password_error_message(:unique_characters))
      end

      it "doesn't add an error when there are enough unique characters" do
        @password = "aaaaa12345"
        validate
        expect(record.errors[:password]).not_to be_present
      end

      it "counts capital letters as different" do
        @password = "aaaAaa1234"
        validate
        expect(record.errors[:password]).not_to be_present
      end
    end

    it "adds an error when password is the same as the username" do
      @password = "porkchops1234"
      record.username = @password
      validate
      expect(record.errors[:password]).to include(password_error_message(:same_as_username))
    end

    it "adds an error when password is the same as the email" do
      @password = "pork@chops.com"
      record.email = @password
      validate
      expect(record.errors[:password]).to include(password_error_message(:same_as_email))
    end

    it "adds an error when new password is same as current password" do
      @password = "mypetsname"
      record.save!
      record.reload
      record.password = @password
      validate
      expect(record.errors[:password]).to include(password_error_message(:same_as_current))
    end
  end

  context "password not required" do
    let(:record) { Fabricate.build(:user, password: @password) }

    it "doesn't add an error if password is not required" do
      @password = nil
      validate
      expect(record.errors[:password]).not_to be_present
    end
  end

end
Prepare for separation of RSpec helper files Since rspec-rails 3, the default installation creates two helper files: * `spec_helper.rb` * `rails_helper.rb` `spec_helper.rb` is intended as a way of running specs that do not require Rails, whereas `rails_helper.rb` loads Rails (as Discourse's current `spec_helper.rb` does). For more information: https://www.relishapp.com/rspec/rspec-rails/docs/upgrade#default-helper-files In this commit, I've simply replaced all instances of `spec_helper` with `rails_helper`, and renamed the original `spec_helper.rb`. This brings the Discourse project closer to the standard usage of RSpec in a Rails app. At present, every spec relies on loading Rails, but there are likely many that don't need to. In a future pull request, I hope to introduce a separate, minimal `spec_helper.rb` which can be used in tests which don't rely on Rails. 2015-10-11 05:41:23 -04:00			`require 'rails_helper'`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`require_dependency "common_passwords/common_passwords"`
Move password validation into PasswordValidator 2013-12-19 15:12:03 -05:00
			`describe PasswordValidator do`

FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`def password_error_message(key)`
			`I18n.t("activerecord.errors.models.user.attributes.password.#{key.to_s}")`
			`end`

Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`let(:validator) { described_class.new(attributes: :password) }`
			`subject(:validate) { validator.validate_each(record, :password, @password) }`
Move password validation into PasswordValidator 2013-12-19 15:12:03 -05:00
			`context "password required" do`
			`let(:record) { u = Fabricate.build(:user, password: @password); u.password_required!; u }`

Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`context "password is not common" do`
			`before do`
Fix password_validator_spec 2013-12-27 11:15:53 -05:00			`CommonPasswords.stubs(:common_password?).returns(false)`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`context "min password length is 8" do`
Nuke all `SiteSetting.stubs` from our codebase. 2017-07-07 02:09:14 -04:00			`before { SiteSetting.min_password_length = 8 }`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00
			`it "doesn't add an error when password is good" do`
			`@password = "weron235alsfn234"`
			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).not_to be_present`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`

			`it "adds an error when password is too short" do`
			`@password = "p"`
			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).to be_present`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`

			`it "adds an error when password is blank" do`
			`@password = ''`
			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).to be_present`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`

			`it "adds an error when password is nil" do`
			`@password = nil`
			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).to be_present`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`
FEATURE: new setting min_admin_password_length and better default 2016-03-02 03:31:38 -05:00
			`it "adds an error when user is admin and password is less than 15 chars" do`
			`SiteSetting.min_admin_password_length = 15`

			`@password = "12345678912"`
			`record.admin = true`
			`validate`
			`expect(record.errors[:password]).to be_present`
			`end`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`end`

Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`context "min password length is 12" do`
Nuke all `SiteSetting.stubs` from our codebase. 2017-07-07 02:09:14 -04:00			`before { SiteSetting.min_password_length = 12 }`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00
			`it "adds an error when password length is 11" do`
			`@password = "gt38sdt92bv"`
			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).to be_present`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`end`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`end`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`context "password is commonly used" do`
			`before do`
Nuke all `SiteSetting.stubs` from our codebase. 2017-07-07 02:09:14 -04:00			`SiteSetting.min_password_length = 8`
Fix password_validator_spec 2013-12-27 11:15:53 -05:00			`CommonPasswords.stubs(:common_password?).returns(true)`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`end`

Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`it "adds an error when block_common_passwords is enabled" do`
Nuke all `SiteSetting.stubs` from our codebase. 2017-07-07 02:09:14 -04:00			`SiteSetting.block_common_passwords = true`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`@password = "password"`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`validate`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`expect(record.errors[:password]).to include(password_error_message(:common))`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`end`
Move password validation into PasswordValidator 2013-12-19 15:12:03 -05:00
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`it "doesn't add an error when block_common_passwords is disabled" do`
Nuke all `SiteSetting.stubs` from our codebase. 2017-07-07 02:09:14 -04:00			`SiteSetting.block_common_passwords = false`
Block passwords that are in the top 5000 most common passwords. Site setting block_common_passwords can disable this feature. 2013-12-20 16:34:34 -05:00			`@password = "password"`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).not_to be_present`
Minimum password length is configurable with the min_password_length site setting. FIX: reset password needs to validate password length. 2013-12-19 16:15:36 -05:00			`end`
Move password validation into PasswordValidator 2013-12-19 15:12:03 -05:00			`end`
FEATURE: don't allow username and password to be the same 2015-02-25 11:59:57 -05:00
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`context "password_unique_characters is 5" do`
			`before do`
			`SiteSetting.password_unique_characters = 5`
			`end`

			`it "adds an error when there are too few unique characters" do`
FIX: password validator was being too strict 2017-02-14 09:17:52 -05:00			`SiteSetting.password_unique_characters = 6`
fix unique char counting in password validator 2017-02-10 10:38:17 -05:00			`@password = "aaaaaa5432"`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`validate`
			`expect(record.errors[:password]).to include(password_error_message(:unique_characters))`
			`end`

			`it "doesn't add an error when there are enough unique characters" do`
increase req min unique pw chars from 5 to 6 2017-02-16 20:06:19 -05:00			`@password = "aaaaa12345"`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`validate`
			`expect(record.errors[:password]).not_to be_present`
			`end`

fix unique char counting in password validator 2017-02-10 10:38:17 -05:00			`it "counts capital letters as different" do`
increase req min unique pw chars from 5 to 6 2017-02-16 20:06:19 -05:00			`@password = "aaaAaa1234"`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`validate`
			`expect(record.errors[:password]).not_to be_present`
			`end`
			`end`

FEATURE: don't allow username and password to be the same 2015-02-25 11:59:57 -05:00			`it "adds an error when password is the same as the username" do`
FEATURE: new setting min_admin_password_length and better default 2016-03-02 03:31:38 -05:00			`@password = "porkchops1234"`
FEATURE: don't allow username and password to be the same 2015-02-25 11:59:57 -05:00			`record.username = @password`
			`validate`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`expect(record.errors[:password]).to include(password_error_message(:same_as_username))`
FEATURE: don't allow username and password to be the same 2015-02-25 11:59:57 -05:00			`end`
FEATURE: don't allow username and email to be the same 2015-02-27 13:47:43 -05:00
			`it "adds an error when password is the same as the email" do`
			`@password = "pork@chops.com"`
			`record.email = @password`
			`validate`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`expect(record.errors[:password]).to include(password_error_message(:same_as_email))`
FEATURE: don't allow username and email to be the same 2015-02-27 13:47:43 -05:00			`end`
SECURITY: don't allow re-using the current password during password reset 2016-08-24 12:27:09 -04:00
			`it "adds an error when new password is same as current password" do`
			`@password = "mypetsname"`
			`record.save!`
			`record.reload`
			`record.password = @password`
			`validate`
FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00			`expect(record.errors[:password]).to include(password_error_message(:same_as_current))`
SECURITY: don't allow re-using the current password during password reset 2016-08-24 12:27:09 -04:00			`end`
Move password validation into PasswordValidator 2013-12-19 15:12:03 -05:00			`end`

			`context "password not required" do`
			`let(:record) { Fabricate.build(:user, password: @password) }`

			`it "doesn't add an error if password is not required" do`
			`@password = nil`
			`validate`
few components with rspec3 syntax 2015-01-09 11:34:37 -05:00			`expect(record.errors[:password]).not_to be_present`
Move password validation into PasswordValidator 2013-12-19 15:12:03 -05:00			`end`
			`end`

			`end`