3scale
diff --git a/‎.gitleaks.toml‎
Lines changed: 8 additions & 0 deletions b/‎.gitleaks.toml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎features/old/accounts/personal_details.feature‎
Lines changed: 3 additions & 2 deletions b/‎features/old/accounts/personal_details.feature‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎features/old/providers/settings.feature‎
Lines changed: 0 additions & 11 deletions b/‎features/old/providers/settings.feature‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎features/old/signup/strong_passwords.feature‎
Lines changed: 26 additions & 1 deletion b/‎features/old/signup/strong_passwords.feature‎
Lines changed: 26 additions & 1 deletion
diff --git a/‎features/old/signup/with_invitation.feature‎
Lines changed: 3 additions & 3 deletions b/‎features/old/signup/with_invitation.feature‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎features/provider/admin/account/invitations.feature‎
Lines changed: 2 additions & 2 deletions b/‎features/provider/admin/account/invitations.feature‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎features/provider/password/reset.feature‎
Lines changed: 8 additions & 8 deletions b/‎features/provider/password/reset.feature‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎features/step_definitions/settings_steps.rb‎
Lines changed: 0 additions & 4 deletions b/‎features/step_definitions/settings_steps.rb‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎features/step_definitions/strong_passwords_steps.rb‎
Lines changed: 3 additions & 2 deletions b/‎features/step_definitions/strong_passwords_steps.rb‎
Lines changed: 3 additions & 2 deletions
@@ -0,0 +1,8 @@
+[allowlist]
+description = "Global Allowlist"
+
+# Ignore based on any subset of the file path
+paths = [
+    '''test/unit/authentication/by_password_test.rb''',
+    '''test/integration/admin/api/buyers_users_controller_test.rb'''
+]
@@ -81,10 +81,11 @@ Feature: Personal Details
     And the "User extra required" field should contain "whatever"
 
   Scenario: Update own password when the user was signed up with password
-    Given the user was signed up with password
+    Given Strong passwords are enabled
+    And the user was signed up with password
     When I navigate to the Account Settings
     And I go to the provider personal details page
     And I fill in "New password" with "hi"
     And I fill in "Current password" with "supersecret"
     And I press "Update Details"
-    Then field "New password" has inline error "is too short (minimum is 6 characters)"
+    Then field "New password" has inline error "Password must be at least 16 characters long, and contain only valid characters"
@@ -7,17 +7,6 @@ Feature: Settings management
   Background:
     Given a provider is logged in
 
-  Scenario: Strong password setting
-    And I go to the usage rules settings page
-    When I check "Strong passwords"
-    And I press "Update settings"
-    Then they should see a toast alert with text "Settings updated"
-    And the provider should have strong passwords enabled
-    When I uncheck "Strong passwords"
-    And I press "Update settings"
-    Then they should see a toast alert with text "Settings updated"
-    And the provider should have strong passwords disabled
-
   Scenario: Account approval required checkbox is enabled
     Given the provider has 1 account plan
     When I go to the usage rules settings page
 
@@ -13,7 +13,7 @@ Feature: Signup with strong passwords
 
 
   Scenario: Strong password is required
-    Given provider "foo.3scale.localhost" is requiring strong passwords
+    Given Strong passwords are enabled
     When I go to the sign up page
       And I fill in the following:
        | Email                   | bender@planet.ex |
@@ -24,3 +24,28 @@ Feature: Signup with strong passwords
 
        And I press "Sign up"
     Then I should see the error that the password is too weak
+
+  Scenario: Strong password is accepted
+    Given Strong passwords are enabled
+    When I go to the sign up page
+      And I fill in the following:
+       | Email                   | bender@planet.ex   |
+       | Username                | bender             |
+       | Password                | superSecret1234#   |
+       | Password confirmation   | superSecret1234#   |
+       | Organization/Group Name | Planet eXpress     |
+
+       And I press "Sign up"
+    Then I should see "Thank you"
+
+  Scenario: Weak password is accepted when strong passwords are disabled
+    When I go to the sign up page
+      And I fill in the following:
+       | Email                   | bender@planet.ex |
+       | Username                | bender           |
+       | Password                | weakpwd          |
+       | Password confirmation   | weakpwd          |
+       | Organization/Group Name | Planet eXpress   |
+
+       And I press "Sign up"
+    Then I should see "Thank you"
@@ -22,13 +22,13 @@ Feature: Signup with invitation
     When I fill in "Username" with "bob"
       And I fill in "First name" with "bob"
       And I fill in "Last name" with "dole"
-      And I fill in "Password" with "monkey"
-      And I fill in "Password confirmation" with "monkey"
+      And I fill in "Password" with "superSecret1234#"
+      And I fill in "Password confirmation" with "superSecret1234#"
       And I press "Sign up"
     Then I should see "Thanks for signing up! You can now sign in"
       And the current domain should be the admin domain of provider "foo.3scale.localhost"
       But "bob@foo.3scale.localhost" should receive no email with subject "Account Activation"
     When I fill in "Username" with "bob"
-      And I fill in "Password" with "monkey"
+      And I fill in "Password" with "superSecret1234#"
       And I press "Sign in"
     Then I should be logged in as "bob"
@@ -82,8 +82,8 @@ Feature: Provider Account Settings User Invitations
       And the form is submitted with:
         | Email                 | peter@example.com |
         | Username              | peter             |
-        | Password              | 123456            |
-        | Password confirmation | 123456            |
+        | Password              | superSecret1234#  |
+        | Password confirmation | superSecret1234#  |
       And they log out
       When the provider logs in
       And they go to the provider users page
 
@@ -51,22 +51,22 @@ Feature: Provider password reset
     Scenario: Set a new password
       Given the user has requested a new password
       And follow the link found in the provider password reset email send to "pepe@example.com"
-      And they fill in "Password" with "monkey"
-      And they fill in "Password confirmation" with "monkey"
+      And they fill in "Password" with "superSecret1234#"
+      And they fill in "Password confirmation" with "superSecret1234#"
       And press "Change Password"
       Then they should see "The password has been changed"
       And the current page is the provider login page
-      And the user is now able to sign in with password "monkey"
+      And the user is now able to sign in with password "superSecret1234#"
 
     Scenario: New password form validation
       Given the user has requested a new password
       And follow the link found in the provider password reset email send to "pepe@example.com"
-      And they fill in "Password" with "monkey"
+      And they fill in "Password" with "superSecret1234#"
       And they fill in "Password confirmation" with ""
       Then the submit button is disabled
-      When they fill in "Password confirmation" with "donkey"
+      When they fill in "Password confirmation" with "superSecret1234#5"
       Then the submit button is disabled
-      When they fill in "Password confirmation" with "monkey"
+      When they fill in "Password confirmation" with "superSecret1234#"
       Then the submit button is enabled
 
     Scenario: Invalid password reset token
@@ -83,8 +83,8 @@ Feature: Provider password reset
     Scenario: Reuse a password reset token
       Given the user has requested a new password
       And follow the link found in the provider password reset email send to "pepe@example.com"
-      And they fill in "Password" with "monkey"
-      And they fill in "Password confirmation" with "monkey"
+      And they fill in "Password" with "superSecret1234#"
+      And they fill in "Password confirmation" with "superSecret1234#"
       When press "Change Password"
       Then they should see "The password has been changed"
       When follow the link found in the provider password reset email send to "pepe@example.com"
 
@@ -11,10 +11,6 @@
   account.settings.update!(attributes)
 end
 
-Then "{provider} should have strong passwords {enabled}" do |provider, enabled|
-  assert provider.settings.reload.strong_passwords_enabled == enabled
-end
-
 Given "{provider} has {count} account plan(s)" do |provider, count|
   current_size = provider.account_plans.size
   if count > current_size
 
@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
-Given "{provider} is requiring strong passwords" do |provider|
-  provider.settings.update_attribute :strong_passwords_enabled, true
+# When RAILS_ENV=test, strong passwords are disabled by default
+Given "Strong passwords are enabled" do
+  Rails.configuration.three_scale.stubs(:strong_passwords_disabled).returns(false)
 end
 
 Then /^I should see the error that the password is too weak$/ do