Diffstat (limited to 'spec/lib/security/weak_passwords_spec.rb')
-rw-r--r-- | spec/lib/security/weak_passwords_spec.rb | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/spec/lib/security/weak_passwords_spec.rb b/spec/lib/security/weak_passwords_spec.rb
new file mode 100644
index 00000000000..9d12c352abf
--- /dev/null
+++ b/spec/lib/security/weak_passwords_spec.rb
@@ -0,0 +1,112 @@
+ # frozen_string_literal: true
+
+ require 'spec_helper'
+
+ RSpec.describe Security::WeakPasswords do
+ describe "#weak_for_user?" do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:user) do
+ build_stubbed(:user, username: "56d4ab689a_win",
+ name: "Weakést McWeaky-Pass Jr",
+ email: "predictāble.ZZZ+seventeen@examplecorp.com",
+ public_email: "fortunate@acme.com"
+ )
+ end
+
+ where(:password, :too_weak) do
+ # A random password is not too weak
+ "d2262d56" | false
+
+ # The case-insensitive weak password list
+ "password" | true
+ "pAssWord" | true
+ "princeofdarkness" | true
+
+ # Forbidden substrings
+ "A1B2gitlabC3" | true
+ "gitlab123" | true
+ "theonedevopsplatform" | true
+ "A1gitlib" | false
+
+ # Predicatable name substrings
+ "Aweakést" | true
+ "!@mCwEaKy" | true
+ "A1B2pass" | true
+ "A1B2C3jr" | false # jr is too short
+
+ # Predictable username substrings
+ "56d4ab689a" | true
+ "56d4ab689a_win" | true
+ "56d4ab68" | false # it's part of the username, but not a full part
+ "A1B2Cwin" | false # win is too short
+
+ # Predictable user.email substrings
+ "predictāble.ZZZ+seventeen@examplecorp.com" | true
+ "predictable.ZZZ+seventeen@examplecorp.com" | true
+ "predictāble.ZZZ+seventeen" | true
+ "examplecorp.com" | true
+ "!@exAmplecorp" | true
+ "predictāble123" | true
+ "seventeen" | true
+ "predictable" | false # the accent is different
+ "A1B2CZzZ" | false # ZZZ is too short
+ # Other emails are not considered
+ "fortunate@acme.com" | false
+ "A1B2acme" | false
+ "fortunate" | false
+
+ # A short password is not automatically too weak
+ # We rely on User's password length validation, not WeakPasswords.
+ "1" | false
+ "1234567" | false
+ # But a short password with forbidden words or user attributes
+ # is still weak
+ "gitlab" | true
+ "pass" | true
+ end
+
+ with_them do
+ it { expect(subject.weak_for_user?(password, user)).to eq(too_weak) }
+ end
+
+ context 'with a user who has short email parts' do
+ before do
+ user.email = 'sid@1.io'
+ end
+
+ where(:password, :too_weak) do
+ "11111111" | true # This is on the weak password list
+ "1.ioABCD" | true # 1.io is long enough to match
+ "sid@1.io" | true # matches the email in full
+ "sid@1.ioAB" | true
+ # sid, 1, and io on their own are too short
+ "sid1ioAB" | false
+ "sidsidsi" | false
+ "ioioioio" | false
+ end
+
+ with_them do
+ it { expect(subject.weak_for_user?(password, user)).to eq(too_weak) }
+ end
+ end
+
+ context 'with a user who is missing attributes' do
+ before do
+ user.name = nil
+ user.email = nil
+ user.username = nil
+ end
+
+ where(:password, :too_weak) do
+ "d2262d56" | false
+ "password" | true
+ "gitlab123" | true
+ end
+
+ with_them do
+ it { expect(subject.weak_for_user?(password, user)).to eq(too_weak) }
+ end
+ end
+ end
+ end |
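Review bot: The "case-insensitive weak password list" rows only pin exact matches ("password", "pAssWord", "princeofdarkness"), while the "Forbidden substrings" rows establish substring semantics for the gitlab/devops terms, so the spec never says whether a list entry padded with a digit or symbol — the usual way users get past a blocklist — is still rejected. A row such as `"password1" | true` (or `| false`, if list matching is deliberately exact-only) would pin that behaviour either way; which value is intended cannot be told from this hunk alone. The `"predictable" | false # the accent is different` row likewise pins that diacritic variants of email parts are accepted, which is worth a one-line note in the spec stating that it is intentional, since an attacker guessing from a known address would try the unaccented form first. The section header `# Predicatable name substrings` should also read `# Predictable name substrings` to match the username and email sections.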