THREESCALE-8916: Make strong passwords mandatory

.circleci/config.yml

@@ -98,8 +98,8 @@ system-builder-ruby33: &system-builder-ruby33
     ORACLE_SYSTEM_PASSWORD: threescalepass
     NLS_LANG: AMERICAN_AMERICA.UTF8
     TZ: UTC
-    MASTER_PASSWORD: p
-    USER_PASSWORD: p
+    MASTER_PASSWORD: superSecret1234#
+    USER_PASSWORD: superSecret1234#
     LC_ALL: C.utf8
     RAILS_ENV: test
 

.gitleaks.toml

@@ -0,0 +1,8 @@
+[allowlist]
+description = "Global Allowlist"
+
+# Ignore based on any subset of the file path
+paths = [
+    '''test/unit/authentication/by_password_test.rb''',
+    '''test/integration/admin/api/buyers_users_controller_test.rb'''
+]

app/controllers/admin/api/settings_controller.rb

@@ -12,9 +12,9 @@ class Admin::Api::SettingsController < Admin::Api::BaseController
   before_action :validate_enforcing_sso_allowed, only: [:update]
 
   ALLOWED_PARAMS = %i[
-    useraccountarea_enabled hide_service signups_enabled account_approval_required strong_passwords_enabled
-    public_search account_plans_ui_visible change_account_plan_permission service_plans_ui_visible
-    change_service_plan_permission enforce_sso
+    useraccountarea_enabled hide_service signups_enabled account_approval_required public_search
+    account_plans_ui_visible change_account_plan_permission service_plans_ui_visible change_service_plan_permission
+    enforce_sso
   ].freeze
 
   # Settings Read

app/controllers/partners/providers_controller.rb

@@ -56,7 +56,7 @@ def account_params
   def user_params
     {
       signup_type: partner.signup_type,
-      password: permitted_params[:password].presence || SecureRandom.hex,
+      password: permitted_params[:password].presence,
       email: permitted_params[:email],
       first_name: permitted_params[:first_name],
       last_name: permitted_params[:last_name],

app/controllers/partners/users_controller.rb

@@ -22,19 +22,19 @@ def destroy
   def create
     @user = @account.users.build
     @user.email = params[:email]
-    @user.password = SecureRandom.hex
+    @user.password = params[:password].presence
     @user.first_name = params[:first_name].presence
     @user.last_name = params[:last_name].presence
     @user.open_id = params[:open_id].presence
     @user.username = params[:username]
     @user.signup_type = :partner
     @user.role = :admin
     @user.activate!
-    if @user.save
-      render json: {id: @user.id, success: true}
-    else
-      render json: {errors: @user.errors, success: false}
-    end
+    @user.save!
+
+    render json: {id: @user.id, success: true}
+  rescue StandardError
+    render json: {errors: @user.errors, success: false}, status: :unprocessable_entity
   end
 
   private

app/javascript/src/Login/utils/validations.ts

@@ -1,5 +1,14 @@
 import validate from 'validate.js'
 
+// IMPORTANT: These STRONG_PASSWORD_* constants are duplicated from the backend.
+// The source of truth is app/lib/authentication/by_password.rb. If those constants change in Ruby,
+// you must update them here as well. Do not modify these without updating the backend first.
+// The error message is also defined in config/locales/en.yml at:
+// activerecord.errors.models.user.attributes.password.weak
+const STRONG_PASSWORD_MIN_SIZE = 15
+const RE_STRONG_PASSWORD = new RegExp(`^[ -~]{${STRONG_PASSWORD_MIN_SIZE},}$`)
+const STRONG_PASSWORD_FAIL_MSG = `Password must be at least ${STRONG_PASSWORD_MIN_SIZE} characters long, and contain only valid characters.`
+
 const loginConstraints = {
   username: { presence: { allowEmpty: false, message: 'Email or username is mandatory' } },
   password: { presence: { allowEmpty: false, message: 'Password is mandatory' } }
@@ -12,7 +21,7 @@ function validateLogin (fields: Record<keyof typeof loginConstraints, string>):
 const changePasswordConstraints = {
   password: {
     presence: { allowEmpty: false, message: 'Password is mandatory' },
-    length: { minimum: 6 }
+    format: { pattern: RE_STRONG_PASSWORD, message: STRONG_PASSWORD_FAIL_MSG }
   },
   passwordConfirmation: {
     presence: { allowEmpty: false, message: 'Password confirmation is mandatory' },

app/lib/authentication/by_password.rb

@@ -4,35 +4,26 @@ module ByPassword
     extend ActiveSupport::Concern
 
     # strong passwords
-    SPECIAL_CHARACTERS = '-+=><_$#.:;!?@&*()~][}{|'
-    RE_STRONG_PASSWORD = /
-      \A
-        (?=.*\d) # number
-        (?=.*[a-z]) # lowercase
-        (?=.*[A-Z]) # uppercase
-        (?=.*[#{Regexp.escape(SPECIAL_CHARACTERS)}]) # special char
-        (?!.*\s) # does not end with space
-        .{8,} # at least 8 characters
-      \z
-    /x
-    STRONG_PASSWORD_FAIL_MSG = "Password must be at least 8 characters long, and contain both upper and lowercase letters, a digit and one special character of #{SPECIAL_CHARACTERS}.".freeze
+    STRONG_PASSWORD_MIN_SIZE = 15
+    # All printable characters in ASCII, from 'space' (32) to ~ (126)
+    # at least STRONG_PASSWORD_MIN_SIZE characters
+    RE_STRONG_PASSWORD = /\A[ -~]{#{STRONG_PASSWORD_MIN_SIZE},}\z/
+    STRONG_PASSWORD_FAIL_MSG = I18n.t('activerecord.errors.models.user.attributes.password.weak', min_size: STRONG_PASSWORD_MIN_SIZE)
 
     included do
       # We only need length validations as they are already set in Authentication::ByPassword
       has_secure_password validations: false
 
-      validates_presence_of :password, if: :password_required?
+      validates_presence_of :password, if: :validate_password?
 
       validates_confirmation_of :password, allow_blank: true
 
       validates :password, format: { :with => RE_STRONG_PASSWORD, :message => STRONG_PASSWORD_FAIL_MSG,
-                                     if: -> { password_required? && provider_requires_strong_passwords? } }
-      validates :password, length: { minimum: 6, allow_blank: true,
-                                     if: -> { password_required? && !provider_requires_strong_passwords? } }
+                                     if: -> { validate_strong_password? } }
 
       validates :lost_password_token, :password_digest, length: { maximum: 255 }
 
-      attr_accessible :password, :password_confirmation
+      attr_accessible :password, :password_confirmation, as: %i[default member admin]
 
       scope :with_valid_password_token, -> { where { lost_password_token_generated_at >= 24.hours.ago } }
 
@@ -45,8 +36,15 @@ def find_with_valid_password_token(token)
       end
     end
 
-    def password_required?
-      signup.by_user? && (password_digest.blank? || password_digest_changed?)
+    def validate_password?
+      will_save_change_to_password_digest? || (signup.by_user? && password_digest.blank?)
+    end
+
+    def validate_strong_password?
+      return false if Rails.configuration.three_scale.strong_passwords_disabled
+      return false if signup.sample_data?
+
+      validate_password?
     end
 
     def just_changed_password?
@@ -59,9 +57,10 @@ def expire_password_token
 
     def generate_lost_password_token
       token = SecureRandom.hex(32)
-      return unless update_columns(lost_password_token: token, lost_password_token_generated_at: Time.current)
+      self.lost_password_token = token
+      self.lost_password_token_generated_at = Time.current
 
-      token
+      token if save(validate: false)
     end
 
     def generate_lost_password_token!
@@ -82,7 +81,7 @@ def update_password(new_password, new_password_confirmation)
     end
 
     def using_password?
-      password_digest.present?
+      password_digest_in_database.present?
     end
 
     def can_set_password?

app/lib/logic/provider_signup.rb

@@ -64,7 +64,7 @@ def ensure_users(count)
       def signup_user
         email_part = email.split('@')
         user_attributes = { email: "#{email_part[0]}+test@#{email_part[1]}", username: 'john', first_name: 'John',
-                            last_name: 'Doe', password: '123456', password_confirmation: '123456', signup_type: :minimal}
+                            last_name: 'Doe', password: '123456', password_confirmation: '123456', signup_type: :sample_data}
         signup_params = ::Signup::SignupParams.new(plans: [], user_attributes: user_attributes, account_attributes: { org_name: 'Developer' })
         ::Signup::DeveloperAccountManager.new(@provider).create(signup_params)
       end

app/lib/signup/developer_account_manager.rb

@@ -15,7 +15,7 @@ def persist!(result, plans, defaults)
 
       # TODO: Temporary here. A new object should have the responsability to activate and approve when needed
       # As part of THREESCALE-1317
-      result.user_activate! if result.user_activate_on_minimal_signup?
+      result.user_activate! if result.user_activate_on_minimal_or_sample_data?
     end
   end
 end

app/lib/signup/result.rb

@@ -20,7 +20,7 @@ def local_initialize; end
     attr_reader :user, :account
 
     delegate :approve, :approve!, :approved?, :approval_required?, :make_pending!,   to: :account, prefix: true
-    delegate :activate, :activate!, :active?, :activate_on_minimal_signup?,          to: :user,    prefix: true
+    delegate :activate, :activate!, :active?, :activate_on_minimal_or_sample_data?,  to: :user, prefix: true
     delegate :id, to: :account
 
     def valid?

app/models/user.rb

@@ -344,14 +344,6 @@ def provider_id_for_audits
     account.try!(:provider_id_for_audits) || provider_account.try!(:provider_id_for_audits)
   end
 
-  def provider_requires_strong_passwords?
-    # use fields definitons source (instance variable) as backup when creating new record
-    # and there is no provider account (its still new record and not set through association.build)
-    if source = fields_definitions_source_root
-      source.settings.strong_passwords_enabled?
-    end
-  end
-
   protected
 
   def account_for_sphinx
@@ -436,6 +428,11 @@ def minimal?
       signup_type == :minimal
     end
 
+    def sample_data?
+      # This is true only for John Doe
+      signup_type == :sample_data
+    end
+
     def api?
       signup_type == :api
     end
@@ -457,7 +454,7 @@ def cas?
     end
 
     def machine?
-      minimal? || api? || created_by_provider? || open_id? || cas? || oauth2?
+      minimal? || sample_data? || api? || created_by_provider? || open_id? || cas? || oauth2?
     end
 
     def by_user?

app/models/user/states.rb

@@ -75,8 +75,8 @@ def make_activation_code
     self.activation_code = self.class.make_token
   end
 
-  def activate_on_minimal_signup?
-    minimal_signup? && password.present? && !account.try!(:bought_account_plan).try!(:approval_required?)
+  def activate_on_minimal_or_sample_data?
+    (minimal_signup? || signup.sample_data?) && password.present? && !account.try!(:bought_account_plan).try!(:approval_required?)
   end
 
   def generate_email_verification_token

app/representers/settings_representer.rb

@@ -9,7 +9,6 @@ module SettingsRepresenter
   property :hide_service
   property :signups_enabled
   property :account_approval_required
-  property :strong_passwords_enabled
   property :public_search
   property :account_plans_ui_visible
   property :change_account_plan_permission

app/views/buyers/accounts/new.html.erb

@@ -21,7 +21,7 @@
         </div>
         <%= form.fields_for [:user, @user ] do |user| %>
           <%= user.user_defined_form %>
-          <%= user.input :password, as: :patternfly_input, required: true %>
+          <%= user.input :password, as: :patternfly_input, input_html: { type: 'password' }, required: true %>
         <% end %>
       </section>
 

app/views/buyers/users/edit.html.erb

@@ -13,8 +13,8 @@
   <% end %>
 
   <%= form.inputs :name => "Change Password" do %>
-    <%= form.input :password, required: true, input_html: { autocomplete: 'off' } %>
-    <%= form.input :password_confirmation, required: true, input_html: { autocomplete: 'off' } %>
+    <%= form.input :password, required: false, input_html: { autocomplete: 'off' } %>
+    <%= form.input :password_confirmation, required: false, input_html: { autocomplete: 'off' } %>
   <% end -%>
 
   <% if can? :update_role, @user %>

app/views/provider/admin/account/users/_form.html.erb

@@ -3,8 +3,8 @@
 <% end %>
 
 <%= form.inputs :name => "Change Password" do %>
-  <%= form.input :password, :required => true %>
-  <%= form.input :password_confirmation, :required => true %>
+  <%= form.input :password, :required => false %>
+  <%= form.input :password_confirmation, :required => false %>
 <% end -%>
 
 <% if can? :update_role, @user %>

app/views/provider/admin/user/personal_details/edit.html.slim

@@ -3,13 +3,6 @@
 - content_for :javascripts do
   = stylesheet_packs_chunks_tag 'pf_form'
 
-- if current_user.can_set_password? && !current_account.settings.enforce_sso?
-  - content_for :page_header_alert do
-      br
-      = pf_inline_alert t('.set_password_html', href: new_provider_password_path), variant: :info
-
-- using_password = current_user.using_password?
-
 div class="pf-c-card"
   div class="pf-c-card__body"
     = semantic_form_for current_user, builder: Fields::PatternflyFormBuilder,
@@ -20,13 +13,12 @@ div class="pf-c-card"
 
       = form.inputs 'User Information' do
         = form.user_defined_form
-        - if using_password
-          = form.input :password, as: :patternfly_input,
-                                  label: t('.new_password_label'),
-                                  required: current_user.password_required?,
-                                  input_html: { value: '', required: current_user.password_required? }
+        = form.input :password, as: :patternfly_input,
+                                label: t('.new_password_label'),
+                                required: false,
+                                input_html: { value: '', type: 'password', required: false }
 
-      - if using_password
+      - if current_user.using_password?
         = form.inputs "Provide your current password and update your personal details" do
           = form.input :current_password, as: :patternfly_input,
                                           required: true,

app/views/sites/usage_rules/edit.html.slim

@@ -27,10 +27,6 @@ div class="pf-c-card"
                                                    input_html: { disabled: settings.approval_required_disabled? },
                                                    hint: account_approval_required_hint(current_account)
 
-      = form.inputs 'Users'
-        = form.input :strong_passwords_enabled, as: :patternfly_checkbox,
-                                                hint: t("formtastic.hints.settings.strong_passwords_enabled", strong_password_definition: strong_password_definition)
-
       = form.inputs 'Search'
         = form.input :public_search, as: :patternfly_checkbox
 

config/examples/settings.yml

@@ -53,6 +53,7 @@ development:
   force_ssl: false
   report_traffic: false
   secure_cookie: false
+  strong_passwords_disabled: true
 
 test:
   <<: *default

config/locales/en.yml

@@ -452,7 +452,7 @@ en:
 
     invitee_signups:
       create:
-        error: There are some errors:\n%{errors}
+        error: "There are some errors:\n%{errors}"
         success: Thanks for signing up! You can now sign in
       already_logged_in: You are already signed up. Log out if you want to sign up again
 
@@ -897,7 +897,6 @@ en:
           edit:
             header_title: Personal Details
             submit_button_label: Update Details
-            set_password_html: You have no password set. If you'd like to set one use the <a href="%{href}">password reset form</a>.
             new_password_label: New password
           update:
             success: User was successfully updated
@@ -1930,6 +1929,7 @@ en:
               blank: "can't be blank"
             password:
               blank: "can't be blank"
+              weak: "Password must be at least %{min_size} characters long, and contain only valid characters."
           current_password_incorrect: "is incorrect"
           last_admin: "Can't delete last admin"
 
@@ -2216,7 +2216,6 @@ en:
         approval_required_referer: "Set per account plan from %{link}."
         account_approval_required: "Approval is required by you before developer accounts are activated."
         useraccountarea_enabled: 'Only disable this if you provide another way to manage this information (e.g. via the User Management API).'
-        strong_passwords_enabled: "Require strong passwords from your users: %{strong_password_definition} Existing passwords will still work."
         public_search: >
           Allow anyone to search on your Developer Portal.
           If you have Restricted Pages your Developer Portal we advise you not to change this setting.
@@ -2356,7 +2355,6 @@ en:
         hide_service: 'Used a default service plan'
         signups_enabled: 'Developers are allowed sign up themselves'
         cas_server_url: 'CAS Server URL'
-        strong_passwords_enabled: 'Strong passwords'
         public_search: 'Enable public search on Developer Portal'
         cms_escape_draft_html: 'Use Automatic Escaping for draft content'
         cms_escape_published_html: 'Use Automatic Escaping for published content'

doc/active_docs/account_management_api.json

@@ -9973,10 +9973,6 @@
                     "type": "boolean",
                     "description": "Approval is required by you before developer accounts are activated."
                   },
-                  "strong_passwords_enabled": {
-                    "type": "boolean",
-                    "description": "Require strong passwords from your users: Password must be at least 8 characters long, and contain both upper and lowercase letters, a digit and one special character of -+=><_$#.:;!?@&*()~][}{|. Existing passwords will still work. "
-                  },
                   "public_search": {
                     "type": "boolean",
                     "description": "Enables public search on Developer Portal"