From 0cee28393e2747940dc2542e01e9c018ff0d1ce1 Mon Sep 17 00:00:00 2001
From: Nick Malcolm <nmalcolm@gitlab.com>
Date: Fri, 22 Jul 2022 14:53:53 +1200
Subject: [PATCH] Remove a small number of hardcoded passwords in specs

Our specs use static passwords, many of them are weak. This makes it
difficult to create changes which introduce password complexity
constraints.

This MR updates a small number of instances where we set weak or
hardcoded passwords, to use randomly generated passwords.

https://gitlab.com/gitlab-org/gitlab/-/issues/360030
---
 db/fixtures/development/18_abuse_reports.rb        | 2 +-
 spec/channels/application_cable/connection_spec.rb | 2 +-
 spec/mailers/emails/profile_spec.rb                | 3 ++-
 spec/models/hooks/system_hook_spec.rb              | 2 +-
 spec/tasks/gitlab/password_rake_spec.rb            | 9 +++++----
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/db/fixtures/development/18_abuse_reports.rb b/db/fixtures/development/18_abuse_reports.rb
index 88d2f784852f..7dd930691220 100644
--- a/db/fixtures/development/18_abuse_reports.rb
+++ b/db/fixtures/development/18_abuse_reports.rb
@@ -11,7 +11,7 @@ def self.seed
                   name: FFaker::Name.name,
                   email: FFaker::Internet.email,
                   confirmed_at: DateTime.now,
-                  password: '12345678'
+                  password: ::User.random_password
                 )
 
               ::AbuseReport.create(reporter: ::User.take, user: reported_user, message: 'User sends spam')
diff --git a/spec/channels/application_cable/connection_spec.rb b/spec/channels/application_cable/connection_spec.rb
index f5b2cdd2fca1..4943669bde03 100644
--- a/spec/channels/application_cable/connection_spec.rb
+++ b/spec/channels/application_cable/connection_spec.rb
@@ -21,7 +21,7 @@
       end
 
       context 'with a stale password' do
-        let(:partial_password_hash) { build(:user, password: 'some_old_password').authenticatable_salt }
+        let(:partial_password_hash) { build(:user, password: User.random_password).authenticatable_salt }
         let(:session_hash) { { 'warden.user.user.key' => [[user.id], partial_password_hash] } }
 
         it 'sets current_user to nil' do
diff --git a/spec/mailers/emails/profile_spec.rb b/spec/mailers/emails/profile_spec.rb
index 09ed27eb90fe..fce552569223 100644
--- a/spec/mailers/emails/profile_spec.rb
+++ b/spec/mailers/emails/profile_spec.rb
@@ -49,7 +49,7 @@
 
   describe 'for users that signed up, the email' do
     let(:example_site_path) { root_path }
-    let(:new_user) { create(:user, email: new_user_address, password: "securePassword") }
+    let(:new_user) { create(:user, email: new_user_address) }
 
     subject { Notify.new_user_email(new_user.id) }
 
@@ -59,6 +59,7 @@
     it_behaves_like 'a user cannot unsubscribe through footer link'
 
     it 'does not contain the new user\'s password' do
+      is_expected.not_to have_body_text(new_user.password)
       is_expected.not_to have_body_text /password/
     end
   end
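Review bot: The added `is_expected.not_to have_body_text(new_user.password)` only proves anything while `new_user.password` returns the plaintext that was used at creation; with the explicit `password:` argument removed from the `let`, that value now comes from the factory default, and if the factory ever stops exposing it (or the object is reloaded) `new_user.password` becomes nil and the matcher no longer checks a real secret. A one-line guard makes the intent explicit and fails loudly instead of silently: `expect(new_user.password).to be_present` placed before the two `is_expected` lines. The `describe 'for users that signed up'` block's `let(:new_user)` sits in the previous hunk, so the two halves of this change are split across hunks.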
diff --git a/spec/models/hooks/system_hook_spec.rb b/spec/models/hooks/system_hook_spec.rb
index 9f5f81dd6c0d..f4786083b75d 100644
--- a/spec/models/hooks/system_hook_spec.rb
+++ b/spec/models/hooks/system_hook_spec.rb
@@ -37,7 +37,7 @@
     let(:project)     { create(:project, namespace: user.namespace) }
     let(:group)       { create(:group) }
     let(:params) do
-      { name: 'John Doe', username: 'jduser', email: 'jg@example.com', password: 'mydummypass' }
+      { name: 'John Doe', username: 'jduser', email: 'jg@example.com', password: User.random_password }
     end
 
     before do
diff --git a/spec/tasks/gitlab/password_rake_spec.rb b/spec/tasks/gitlab/password_rake_spec.rb
index 65bba836024d..5d5e5af25369 100644
--- a/spec/tasks/gitlab/password_rake_spec.rb
+++ b/spec/tasks/gitlab/password_rake_spec.rb
@@ -3,7 +3,8 @@
 require 'rake_helper'
 
 RSpec.describe 'gitlab:password rake tasks', :silence_stdout do
-  let_it_be(:user_1) { create(:user, username: 'foobar', password: 'initial_password') }
+  let_it_be(:user_1) { create(:user, username: 'foobar', password: User.random_password) }
+  let_it_be(:password) { User.random_password }
 
   def stub_username(username)
     allow(Gitlab::TaskHelpers).to receive(:prompt).with('Enter username: ').and_return(username)
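Review bot: Once `user_1` is created with an inline `User.random_password`, its pre-reset password is unrecoverable, so no example in this file can assert that the reset actually invalidated the old credential (the `:reset` example later in the file only checks the new one). If that negative check is wanted, capture the initial value in its own fixture, `let_it_be(:initial_password) { User.random_password }`, pass it as `password: initial_password` on the `create(:user, ...)` line, and the reset example can add `expect(user_1.reload.valid_password?(initial_password)).to eq(false)`. Note also that `user_1` is a `let_it_be` record shared across the whole group, so the reset example mutates state that sibling examples see; that was already true before this patch but is worth keeping in mind when relying on either password value. The `RSpec.describe` block continues past the end of this hunk.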
@@ -19,14 +20,14 @@ def stub_password(password, confirmation = nil)
     Rake.application.rake_require 'tasks/gitlab/password'
 
     stub_username('foobar')
-    stub_password('secretpassword')
+    stub_password(password)
   end
 
   describe ':reset' do
     context 'when all inputs are correct' do
       it 'updates the password properly' do
         run_rake_task('gitlab:password:reset', user_1.username)
-        expect(user_1.reload.valid_password?('secretpassword')).to eq(true)
+        expect(user_1.reload.valid_password?(password)).to eq(true)
       end
     end
 
@@ -55,7 +56,7 @@ def stub_password(password, confirmation = nil)
 
     context 'when passwords do not match' do
       before do
-        stub_password('randompassword', 'differentpassword')
+        stub_password(password, User.random_password)
       end
 
       it 'aborts with an error' do
-- 
GitLab