debian-mirror-gitlab/spec/features/profiles/password_spec.rb


# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'Profile > Password', feature_category: :user_profile do
  # Feature coverage for the profile "change password" flows: the form itself,
  # the 404 when password authentication is unavailable, the current-password
  # check (including account lockout after repeated failures), weak-password
  # rejection, and the forced reset when a password has expired.
  let(:user) { create(:user) }

  # Submits the password form with the given new password / confirmation pair.
  # The current-password field (when the form has one) is filled by the caller.
  def fill_passwords(password, confirmation)
    fill_in 'New password', with: password
    fill_in 'Password confirmation', with: confirmation
    click_button 'Save password'
  end

  context 'Password authentication enabled' do
    let(:new_password) { User.random_password }
    let(:user) { create(:user, password_automatically_set: true) }

    before do
      sign_in(user)
      visit edit_profile_password_path
    end

    context 'User with password automatically set' do
      describe 'User puts different passwords in the field and in the confirmation' do
        it 'shows an error message' do
          fill_passwords(new_password, "#{new_password}2")

          within('.gl-alert-danger') do
            expect(page).to have_content("Password confirmation doesn't match Password")
          end
        end

        it 'does not contain the current password field after an error' do
          fill_passwords(new_password, "#{new_password}2")

          # The password was set automatically, so the re-rendered form is
          # expected to still omit the current-password field.
          expect(page).to have_no_field('user[current_password]')
        end
      end

      describe 'User puts the same passwords in the field and in the confirmation' do
        it 'shows a success message' do
          fill_passwords(new_password, new_password)

          within('[data-testid="alert-info"]') do
            expect(page).to have_content('Password was successfully updated. Please sign in again.')
          end
        end
      end
    end
  end

  context 'Password authentication unavailable' do
    context 'Regular user' do
      let(:user) { create(:user) }

      before do
        gitlab_sign_in(user)
      end

      it 'renders 404 when password authentication is disabled for the web interface and Git' do
        stub_application_setting(password_authentication_enabled_for_web: false)
        stub_application_setting(password_authentication_enabled_for_git: false)

        visit edit_profile_password_path

        expect(page).to have_gitlab_http_status(:not_found)
      end
    end

    context 'LDAP user' do
      include LdapHelpers

      let(:ldap_settings) { { enabled: true } }
      let(:user) { create(:omniauth_user, provider: 'ldapmain') }
      let(:provider) { 'ldapmain' }
      let(:provider_label) { 'Main LDAP' }

      before do
        stub_ldap_setting(ldap_settings)
        stub_ldap_access(user, provider, provider_label)
        sign_in_using_ldap!(user, provider_label, provider)
      end

      # NOTE(review): routes are reloaded once after this group, presumably
      # because the LDAP stubs above influence route generation — confirm.
      after(:all) do
        Rails.application.reload_routes!
      end

      it 'renders 404' do
        visit edit_profile_password_path

        expect(page).to have_gitlab_http_status(:not_found)
      end
    end
  end

  context 'Change password' do
    let(:new_password) { User.random_password }

    before do
      sign_in(user)
      visit(edit_profile_password_path)
    end

    shared_examples 'user enters an incorrect current password' do
      # `user_current_password` is supplied by the including context.
      subject(:submit_form) do
        within('.update-password') do
          fill_in 'user_password', with: user_current_password
          fill_passwords(new_password, new_password)
        end
      end

      it 'handles the invalid password attempt, and prompts the user to try again', :aggregate_failures do
        # The rejected attempt is logged with username and source IP, counted
        # towards the lockout threshold, and must leave the password unchanged.
        expect(Gitlab::AppLogger).to receive(:info)
          .with(message: 'Invalid current password when attempting to update user password', username: user.username, ip: user.current_sign_in_ip)

        submit_form
        user.reload

        expect(user.failed_attempts).to eq(1)
        expect(user.valid_password?(new_password)).to eq(false)
        expect(page).to have_current_path(edit_profile_password_path, ignore_query: true)

        within('.flash-container') do
          expect(page).to have_content('You must provide a valid current password')
        end
      end

      it 'locks the user account when user passes the maximum attempts threshold', :aggregate_failures do
        # Start one below the threshold so this single attempt triggers the lock.
        user.update!(failed_attempts: User.maximum_attempts.pred)

        submit_form

        expect(page).to have_current_path(new_user_session_path, ignore_query: true)

        within('.flash-container') do
          expect(page).to have_content('Your account is locked.')
        end
      end
    end

    context 'when current password is blank' do
      let(:user_current_password) { nil }

      it_behaves_like 'user enters an incorrect current password'
    end

    context 'when current password is incorrect' do
      let(:user_current_password) { 'invalid' }

      it_behaves_like 'user enters an incorrect current password'
    end

    context 'when the password is too weak' do
      let(:new_password) { 'password' }

      subject(:submit_form) do
        within('.update-password') do
          fill_in 'user_password', with: user.password
          fill_passwords(new_password, new_password)
        end
      end

      it 'tracks the error and does not change the password', :aggregate_failures do
        expect { submit_form }.not_to change { user.reload.valid_password?(new_password) }
        # A correct current password with a rejected new one must not count
        # as a failed attempt.
        expect(user.failed_attempts).to eq(0)

        within('.gl-alert-danger') do
          expect(page).to have_content('must not contain commonly used combinations of words and letters')
        end

        expect_snowplow_event(
          category: 'Gitlab::Tracking::Helpers::WeakPasswordErrorEvent',
          action: 'track_weak_password_error',
          controller: 'Profiles::PasswordsController',
          method: 'update'
        )
      end
    end

    context 'when the password reset is successful' do
      subject(:submit_form) do
        within('.update-password') do
          fill_in 'user_password', with: user.password
          fill_passwords(new_password, new_password)
        end
      end

      it 'changes the password, logs the user out and prompts them to sign in again', :aggregate_failures do
        expect { submit_form }.to change { user.reload.valid_password?(new_password) }.to(true)
        expect(page).to have_current_path(new_user_session_path, ignore_query: true)

        within('.flash-container') do
          expect(page).to have_content('Password was successfully updated. Please sign in again.')
        end
      end
    end
  end

  context 'when password is expired' do
    let(:new_password) { User.random_password }

    before do
      sign_in(user)

      user.update!(password_expires_at: 1.hour.ago)
      # Drop any identities so the user is treated as a non-LDAP account.
      user.identities.delete
      expect(user.ldap_user?).to eq false
    end

    it 'needs change user password' do
      visit edit_profile_password_path

      expect(page).to have_current_path(new_profile_password_path, ignore_query: true)

      fill_in :user_password, with: user.password
      fill_in :user_new_password, with: new_password
      fill_in :user_password_confirmation, with: new_password
      click_button 'Set new password'

      expect(page).to have_current_path(new_user_session_path, ignore_query: true)
    end

    it 'tracks weak password error' do
      visit edit_profile_password_path

      expect(page).to have_current_path(new_profile_password_path, ignore_query: true)

      fill_in :user_password, with: user.password
      fill_in :user_new_password, with: 'password'
      fill_in :user_password_confirmation, with: 'password'
      click_button 'Set new password'

      expect_snowplow_event(
        category: 'Gitlab::Tracking::Helpers::WeakPasswordErrorEvent',
        action: 'track_weak_password_error',
        controller: 'Profiles::PasswordsController',
        method: 'create'
      )
    end

    context 'when global require_two_factor_authentication is enabled' do
      it 'needs change user password' do
        stub_application_setting(require_two_factor_authentication: true)

        visit profile_path

        expect(page).to have_current_path(new_profile_password_path, ignore_query: true)
      end
    end
  end
end