Use random passwords in specs
Our specs use static passwords, many of which are weak. Ideally there would be no way in our codebase to set static passwords, even for test purposes.
We should adopt a pattern where we generate a random password in a before or let block, and then use that value in subsequent tests.
The first MR, Remove weak and/or hardcoded user passwords fro... (!92845 - closed), was too big, so we will break it out into smaller MRs:
- Remove a small number of hardcoded passwords in... (!92959 - merged)
ee/spec/controllers/trial_registrations_controller_spec.rb
ee/spec/features/users/login_spec.rb
spec/controllers/admin/users_controller_spec.rb
spec/controllers/profiles_controller_spec.rb
spec/controllers/registrations_controller_spec.rb
spec/features/users/login_spec.rb
spec/support/helpers/login_helpers.rb
- Remove a small number of hardcoded passwords in... (!93059 - merged)
ee/spec/requests/api/merge_request_approvals_spec.rb
ee/spec/requests/api/scim_spec.rb
ee/spec/requests/api/users_spec.rb
spec/requests/api/users_spec.rb
- Remove a small number of hardcoded passwords in... (!93060 - merged)
ee/spec/features/merge_request/user_approves_with_password_spec.rb
ee/spec/features/trial_registrations/signin_spec.rb
spec/features/admin/admin_appearance_spec.rb
spec/features/profile_spec.rb
spec/features/profiles/password_spec.rb
- Remove a small number of hardcoded passwords in... (!93062 - merged)
ee/spec/services/ee/users/create_service_spec.rb
ee/spec/services/ee/users/update_service_spec.rb
ee/spec/services/merge_requests/approval_service_spec.rb
spec/services/users/create_service_spec.rb
spec/services/users/update_service_spec.rb
- Remove a small number of hardcoded passwords in... (!93063 - merged)
db/fixtures/development/18_abuse_reports.rb
- on 2nd thought this spec doesn't need the change I suggested; it uses lib/tasks/gitlab/seed/group_seed.rake Devise.friendly_token instead of User.random_password, but close enough.
spec/tasks/gitlab/password_rake_spec.rb
spec/mailers/emails/profile_spec.rb
spec/models/hooks/system_hook_spec.rb
spec/channels/application_cable/connection_spec.rb
- Remove hardcoded passwords in Gitlab::Auth specs (!93069 - merged)
spec/lib/gitlab/auth_spec.rb
- Remove hardcoded passwords in user model specs (!93068 - merged)
spec/models/user_spec.rb
- Set a random password in the User Factory (!93635 - merged)
- TODO last. Once everything is calling user.password updating the factory (which hardcodes to 12345678) shouldn't break any specs. (Narrator: it did).
spec/factories/users.rb
Edited by Nick Malcolm
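
One way to check spec files for the problem this issue describes, as an added example that is not part of the original issue or GitLab's code: it scans spec source for password keys that are given a quoted literal. The names PASSWORD_LITERAL, hardcoded_passwords and SAMPLE_SPEC are hypothetical, and the sample spec text is constructed; User.random_password is the helper named in the issue.

```ruby
# Added example (not GitLab code): flag static password literals in spec source.
# PASSWORD_LITERAL, hardcoded_passwords and SAMPLE_SPEC are hypothetical names.

# A key or variable whose name contains "password", given a quoted literal.
PASSWORD_LITERAL = /
  \b(\w*password\w*)        # name: password, password_confirmation, ...
  ["']?\s*(?::|=>|=)\s*     # hash colon, hash rocket or assignment
  (["'])((?:(?!\2).)+)\2    # quoted, non-empty value
/xi

# Returns one finding per static literal: line number, key name, value.
def hardcoded_passwords(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#')        # skip comment lines
    line.scan(PASSWORD_LITERAL) do |name, _quote, value|
      next if value.include?('#{')              # interpolated, so not static
      findings << { line: lineno, name: name, value: value }
    end
  end
  findings
end

# Constructed spec text: the "before" lines use literals, the "after" lines
# follow the issue's pattern (random value in a let block, reused afterwards).
SAMPLE_SPEC = <<~'SPEC'
  # Before: static, weak passwords
  let(:user) { create(:user, password: '12345678') }
  params = { user: { password: "Passw0rd!", password_confirmation: "Passw0rd!" } }

  # After: generate once per example, then reuse the value
  let(:password) { User.random_password }
  let(:user) { create(:user, password: password) }
  it 'signs in' do
    post :create, params: { user: { login: user.username, password: user.password } }
  end
SPEC

if __FILE__ == $PROGRAM_NAME
  # Report the location only, so the literal itself stays out of CI logs.
  hardcoded_passwords(SAMPLE_SPEC).each do |f|
    puts "line #{f[:line]}: #{f[:name]} is set to a static literal"
  end
end
```

The pattern only covers keys and variables named like a password; values passed through other arguments, such as form-fill helpers, need their own rule.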