From d8b4cc67be79a119d2c8bdaea84a5f8123a35935 Mon Sep 17 00:00:00 2001
From: clemkeirua
Date: Thu, 17 Sep 2020 16:08:08 +0200
Subject: [PATCH] add a test scenario for users
---
 spec/models/user_spec.rb | 67 ++++++++++++++++++++++++++--------------
 1 file changed, 44 insertions(+), 23 deletions(-)
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 0a80c9224..8dd086276 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -297,32 +297,53 @@ describe User, type: :model do
 end
 describe '#password_complexity' do
- let(:email) { 'mail@beta.gouv.fr' }
- let(:passwords) { ['pass', '12pass23', 'démarches ', 'démarches-simple', '{My-$3cure-p4ssWord}'] }
- let(:administrateur) { build(:user, email: email, password: password, administrateur: build(:administrateur)) }
- let(:min_complexity) { PASSWORD_COMPLEXITY_FOR_ADMIN }
+ # This password list is sorted by password complexity, according to zxcvbn (used for complexity evaluation)
+ # 0 - too guessable: risky password. (guesses < 10^3)
+ # 1 - very guessable: protection from throttled online attacks. (guesses < 10^6)
+ # 2 - somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
+ # 3 - safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
+ # 4 - very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
+ passwords = ['pass', '12pass23', 'démarches ', 'démarches-simple', '{My-$3cure-p4ssWord}']
+ min_complexity = PASSWORD_COMPLEXITY_FOR_ADMIN
- subject do
- administrateur.save
- administrateur.errors.full_messages
+ context 'administrateurs' do
+ let(:email) { 'mail@beta.gouv.fr' }
+ let(:administrateur) { build(:user, email: email, password: password, administrateur: build(:administrateur)) }
+
+ subject do
+ administrateur.save
+ administrateur.errors.full_messages
+ end
+
+ context 'when password is too short' do
+ let(:password) { 's' * (PASSWORD_MIN_LENGTH - 1) }
+
+ it { expect(subject).to eq(["Le mot de passe est trop court"]) }
+ end
+
+ context 'when password is too simple' do
+ passwords[0..(min_complexity - 1)].each do |password|
+ let(:password) { password }
+
+ it { expect(subject).to eq(["Le mot de passe n’est pas assez complexe"]) }
+ end
+ end
+
+ context 'when password is acceptable' do
+ let(:password) { passwords[min_complexity] }
+
+ it { expect(subject).to eq([]) }
+ end
 end
- context 'when password is too short' do
- let(:password) { 's' * (PASSWORD_MIN_LENGTH - 1) }
-
- it { expect(subject).to eq(["Le mot de passe est trop court"]) }
- end
-
- context 'when password is too simple' do
- let(:password) { passwords[min_complexity - 1] }
-
- it { expect(subject).to eq(["Le mot de passe n’est pas assez complexe"]) }
- end
-
- context 'when password is acceptable' do
- let(:password) { passwords[min_complexity] }
-
- it { expect(subject).to eq([]) }
+ context 'simple users' do
+ passwords.each do |password|
+ let(:user) { build(:user, email: 'some@email.fr', password: password) }
+ it 'has no complexity validation' do
+ user.save
+ expect(user.errors.full_messages).to eq([])
+ end
+ end
 end
 end
 end
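Review bot: The looped `let(:password) { password }` in 'when password is too simple' and the looped `let(:user) { ... }` in 'simple users' do not test one password per example: RSpec's `let` defines a memoized method on the enclosing example group, so each iteration overwrites the previous definition and every generated `it` runs with the last password of the slice (for the admin case) or with '{My-$3cure-p4ssWord}' (for simple users). As written, the 'simple users' examples therefore never exercise 'pass' or '12pass23', so the claim "has no complexity validation" is not actually verified, and a weakening of the admin policy on the earlier list entries would also go unnoticed. Each iteration needs its own nested `context` carrying its own `let`, with the password in the description so a failure names the offending value; once that is done, the short entries ('pass' is shorter than the `PASSWORD_MIN_LENGTH - 1` used above) may presumably trip the length validation instead of passing, so the 'simple users' expectation or list will need revisiting. The enclosing `describe User` block starts outside this hunk.
```ruby
      context 'when password is too simple' do
        passwords[0..(min_complexity - 1)].each do |weak_password|
          context "with password #{weak_password.inspect}" do
            let(:password) { weak_password }

            it { expect(subject).to eq(["Le mot de passe n’est pas assez complexe"]) }
          end
        end
      end
      # … unchanged: 'when password is acceptable' context …
    end

    context 'simple users' do
      passwords.each do |candidate|
        context "with password #{candidate.inspect}" do
          let(:user) { build(:user, email: 'some@email.fr', password: candidate) }

          it 'has no complexity validation' do
            user.save
            expect(user.errors.full_messages).to eq([])
          end
        end
      end
    end
```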