debian-mirror-gitlab/spec/lib/security/weak_passwords_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

114 lines
3.4 KiB
Ruby
Raw Normal View History

2022-10-11 01:57:18 +05:30
# frozen_string_literal: true
require 'spec_helper'
2023-05-27 22:25:52 +05:30
RSpec.describe Security::WeakPasswords, feature_category: :system_access do
2022-10-11 01:57:18 +05:30
describe "#weak_for_user?" do
using RSpec::Parameterized::TableSyntax
let(:user) do
build_stubbed(:user, username: "56d4ab689a_win",
name: "Weakést McWeaky-Pass Jr",
email: "predictāble.ZZZ+seventeen@examplecorp.com",
public_email: "fortunate@acme.com"
)
end
where(:password, :too_weak) do
# A random password is not too weak
"d2262d56" | false
# The case-insensitive weak password list
"password" | true
"pAssWord" | true
"princeofdarkness" | true
# Forbidden substrings
"A1B2gitlabC3" | true
"gitlab123" | true
"theonedevopsplatform" | true
"A1gitlib" | false
# Predicatable name substrings
"Aweakést" | true
"!@mCwEaKy" | true
"A1B2pass" | true
"A1B2C3jr" | false # jr is too short
2023-03-04 22:38:38 +05:30
"3e18a7f60a908e329958396d68131d39e1b66a03ea420725e2a0fce7cb17pass" | false # Password is >= 64 chars
2022-10-11 01:57:18 +05:30
# Predictable username substrings
"56d4ab689a" | true
"56d4ab689a_win" | true
"56d4ab68" | false # it's part of the username, but not a full part
"A1B2Cwin" | false # win is too short
# Predictable user.email substrings
"predictāble.ZZZ+seventeen@examplecorp.com" | true
"predictable.ZZZ+seventeen@examplecorp.com" | true
"predictāble.ZZZ+seventeen" | true
"examplecorp.com" | true
"!@exAmplecorp" | true
"predictāble123" | true
"seventeen" | true
"predictable" | false # the accent is different
"A1B2CZzZ" | false # ZZZ is too short
# Other emails are not considered
"fortunate@acme.com" | false
"A1B2acme" | false
"fortunate" | false
# A short password is not automatically too weak
# We rely on User's password length validation, not WeakPasswords.
"1" | false
"1234567" | false
# But a short password with forbidden words or user attributes
# is still weak
"gitlab" | true
"pass" | true
end
with_them do
it { expect(subject.weak_for_user?(password, user)).to eq(too_weak) }
end
context 'with a user who has short email parts' do
before do
user.email = 'sid@1.io'
end
where(:password, :too_weak) do
"11111111" | true # This is on the weak password list
"1.ioABCD" | true # 1.io is long enough to match
"sid@1.io" | true # matches the email in full
"sid@1.ioAB" | true
# sid, 1, and io on their own are too short
"sid1ioAB" | false
"sidsidsi" | false
"ioioioio" | false
end
with_them do
it { expect(subject.weak_for_user?(password, user)).to eq(too_weak) }
end
end
context 'with a user who is missing attributes' do
before do
user.name = nil
user.email = nil
user.username = nil
end
where(:password, :too_weak) do
"d2262d56" | false
"password" | true
"gitlab123" | true
end
with_them do
it { expect(subject.weak_for_user?(password, user)).to eq(too_weak) }
end
end
end
end