RubyGems - devise-security - Versions diffs - 0.12.0 → 0.18.0 - Mend

devise-security 0.12.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

checksums.yaml +4 -4
data/LICENSE.txt +3 -1
data/README.md +199 -65
data/app/controllers/devise/paranoid_verification_code_controller.rb +28 -12
data/app/controllers/devise/password_expired_controller.rb +34 -10
data/app/views/devise/paranoid_verification_code/show.html.erb +4 -4
data/app/views/devise/password_expired/show.html.erb +6 -6
data/config/locales/bg.yml +42 -0
data/config/locales/by.yml +50 -0
data/config/locales/cs.yml +46 -0
data/config/locales/de.yml +33 -7
data/config/locales/en.yml +26 -1
data/config/locales/es.yml +31 -6
data/config/locales/fa.yml +42 -0
data/config/locales/fr.yml +42 -0
data/config/locales/hi.yml +43 -0
data/config/locales/it.yml +36 -4
data/config/locales/ja.yml +42 -0
data/config/locales/nl.yml +42 -0
data/config/locales/pt.yml +42 -0
data/config/locales/ru.yml +50 -0
data/config/locales/tr.yml +42 -0
data/config/locales/uk.yml +50 -0
data/config/locales/zh_CN.yml +42 -0
data/config/locales/zh_TW.yml +42 -0
data/lib/devise-security/controllers/helpers.rb +74 -51
data/lib/devise-security/hooks/expirable.rb +6 -4
data/lib/devise-security/hooks/paranoid_verification.rb +3 -3
data/lib/devise-security/hooks/password_expirable.rb +5 -3
data/lib/devise-security/hooks/session_limitable.rb +31 -14
data/lib/devise-security/models/active_record/old_password.rb +5 -0
data/lib/devise-security/models/compatibility/active_record_patch.rb +41 -0
data/lib/devise-security/models/compatibility/mongoid_patch.rb +32 -0
data/lib/devise-security/models/compatibility.rb +8 -15
data/lib/devise-security/models/database_authenticatable_patch.rb +20 -10
data/lib/devise-security/models/expirable.rb +14 -7
data/lib/devise-security/models/mongoid/old_password.rb +21 -0
data/lib/devise-security/models/paranoid_verification.rb +4 -2
data/lib/devise-security/models/password_archivable.rb +19 -8
data/lib/devise-security/models/password_expirable.rb +103 -48
data/lib/devise-security/models/secure_validatable.rb +69 -12
data/lib/devise-security/models/security_questionable.rb +2 -0
data/lib/devise-security/models/session_limitable.rb +19 -2
data/lib/devise-security/orm/mongoid.rb +7 -0
data/lib/devise-security/patches/controller_captcha.rb +2 -0
data/lib/devise-security/patches/controller_security_question.rb +3 -1
data/lib/devise-security/patches.rb +16 -8
data/lib/devise-security/rails.rb +2 -0
data/lib/devise-security/routes.rb +4 -3
data/lib/devise-security/validators/password_complexity_validator.rb +62 -0
data/lib/devise-security/version.rb +3 -1
data/lib/devise-security.rb +23 -11
data/lib/generators/devise_security/install_generator.rb +6 -6
data/lib/generators/templates/devise_security.rb +52 -0
data/test/{test_captcha_controller.rb → controllers/test_captcha_controller.rb} +2 -0
data/test/controllers/test_paranoid_verification_code_controller.rb +133 -0
data/test/controllers/test_password_expired_controller.rb +164 -0
data/test/controllers/test_security_question_controller.rb +66 -0
data/test/dummy/Rakefile +3 -1
data/test/dummy/app/assets/config/manifest.js +3 -0
data/test/dummy/app/controllers/application_controller.rb +2 -0
data/test/dummy/app/controllers/captcha/sessions_controller.rb +2 -0
data/test/dummy/app/controllers/overrides/paranoid_verification_code_controller.rb +7 -0
data/test/dummy/app/controllers/overrides/password_expired_controller.rb +17 -0
data/test/dummy/app/controllers/security_question/unlocks_controller.rb +2 -0
data/test/dummy/app/controllers/widgets_controller.rb +9 -0
data/test/dummy/app/models/application_record.rb +10 -2
data/test/dummy/app/models/application_user_record.rb +12 -0
data/test/dummy/app/models/captcha_user.rb +7 -2
data/test/dummy/app/models/mongoid/confirmable_fields.rb +15 -0
data/test/dummy/app/models/mongoid/database_authenticable_fields.rb +18 -0
data/test/dummy/app/models/mongoid/expirable_fields.rb +13 -0
data/test/dummy/app/models/mongoid/lockable_fields.rb +15 -0
data/test/dummy/app/models/mongoid/mappings.rb +15 -0
data/test/dummy/app/models/mongoid/omniauthable_fields.rb +13 -0
data/test/dummy/app/models/mongoid/paranoid_verification_fields.rb +12 -0
data/test/dummy/app/models/mongoid/password_archivable_fields.rb +11 -0
data/test/dummy/app/models/mongoid/password_expirable_fields.rb +12 -0
data/test/dummy/app/models/mongoid/recoverable_fields.rb +13 -0
data/test/dummy/app/models/mongoid/registerable_fields.rb +21 -0
data/test/dummy/app/models/mongoid/rememberable_fields.rb +12 -0
data/test/dummy/app/models/mongoid/secure_validatable_fields.rb +13 -0
data/test/dummy/app/models/mongoid/security_questionable_fields.rb +15 -0
data/test/dummy/app/models/mongoid/session_limitable_fields.rb +12 -0
data/test/dummy/app/models/mongoid/timeoutable_fields.rb +11 -0
data/test/dummy/app/models/mongoid/trackable_fields.rb +16 -0
data/test/dummy/app/models/mongoid/validatable_fields.rb +9 -0
data/test/dummy/app/models/paranoid_verification_user.rb +26 -0
data/test/dummy/app/models/password_expired_user.rb +26 -0
data/test/dummy/app/models/security_question_user.rb +9 -4
data/test/dummy/app/models/user.rb +16 -1
data/test/dummy/app/models/widget.rb +4 -0
data/test/dummy/app/mongoid/admin.rb +31 -0
data/test/dummy/app/mongoid/one_user.rb +58 -0
data/test/dummy/app/mongoid/shim.rb +25 -0
data/test/dummy/app/mongoid/user_on_engine.rb +41 -0
data/test/dummy/app/mongoid/user_on_main_app.rb +41 -0
data/test/dummy/app/mongoid/user_with_validations.rb +37 -0
data/test/dummy/app/mongoid/user_without_email.rb +38 -0
data/test/dummy/config/application.rb +13 -11
data/test/dummy/config/boot.rb +3 -1
data/test/dummy/config/environment.rb +3 -1
data/test/dummy/config/environments/test.rb +6 -13
data/test/dummy/config/initializers/devise.rb +6 -3
data/test/dummy/config/initializers/migration_class.rb +3 -6
data/test/dummy/config/locales/en.yml +10 -0
data/test/dummy/config/mongoid.yml +6 -0
data/test/dummy/config/routes.rb +8 -3
data/test/dummy/config.ru +3 -1
data/test/dummy/db/migrate/20120508165529_create_tables.rb +17 -6
data/test/dummy/db/migrate/20150402165590_add_verification_columns.rb +2 -0
data/test/dummy/db/migrate/20150407162345_add_verification_attempt_column.rb +2 -0
data/test/dummy/db/migrate/20160320162345_add_security_questions_fields.rb +2 -0
data/test/dummy/db/migrate/20180318103603_add_expireable_columns.rb +2 -0
data/test/dummy/db/migrate/20180318105329_add_confirmable_columns.rb +2 -0
data/test/dummy/db/migrate/20180318105732_add_rememberable_columns.rb +2 -0
data/test/dummy/db/migrate/20180318111336_add_recoverable_columns.rb +2 -0
data/test/dummy/db/migrate/20180319114023_add_widget.rb +2 -0
data/test/dummy/lib/shared_expirable_columns.rb +15 -0
data/test/dummy/lib/shared_security_questions_fields.rb +17 -0
data/test/dummy/lib/shared_user.rb +43 -0
data/test/dummy/lib/shared_user_with_password_verification.rb +13 -0
data/test/dummy/lib/shared_user_without_omniauth.rb +24 -0
data/test/dummy/lib/shared_verification_fields.rb +16 -0
data/test/dummy/log/test.log +45240 -0
data/test/i18n_test.rb +22 -0
data/test/integration/test_paranoid_verification_code_workflow.rb +53 -0
data/test/integration/test_password_expirable_workflow.rb +53 -0
data/test/integration/test_session_limitable_workflow.rb +69 -0
data/test/orm/active_record.rb +15 -0
data/test/orm/mongoid.rb +13 -0
data/test/support/integration_helpers.rb +35 -0
data/test/support/mongoid.yml +6 -0
data/test/test_compatibility.rb +15 -0
data/test/test_complexity_validator.rb +282 -0
data/test/test_database_authenticatable_patch.rb +146 -0
data/test/test_helper.rb +41 -9
data/test/test_install_generator.rb +20 -3
data/test/test_paranoid_verification.rb +10 -9
data/test/test_password_archivable.rb +37 -13
data/test/test_password_expirable.rb +72 -9
data/test/test_secure_validatable.rb +289 -55
data/test/test_secure_validatable_overrides.rb +185 -0
data/test/test_session_limitable.rb +57 -0
data/test/tmp/config/initializers/devise_security.rb +52 -0
data/test/tmp/config/locales/devise.security_extension.by.yml +50 -0
data/test/tmp/config/locales/devise.security_extension.cs.yml +46 -0
data/test/tmp/config/locales/devise.security_extension.de.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.en.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.es.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.fa.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.fr.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.hi.yml +43 -0
data/test/tmp/config/locales/devise.security_extension.it.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.ja.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.nl.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.pt.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.ru.yml +50 -0
data/test/tmp/config/locales/devise.security_extension.tr.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.uk.yml +50 -0
data/test/tmp/config/locales/devise.security_extension.zh_CN.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.zh_TW.yml +42 -0
metadata +290 -124
data/.circleci/config.yml +0 -41
data/.document +0 -5
data/.gitignore +0 -40
data/.rubocop.yml +0 -63
data/.ruby-version +0 -1
data/.travis.yml +0 -25
data/Appraisals +0 -19
data/Gemfile +0 -3
data/Rakefile +0 -28
data/devise-security.gemspec +0 -44
data/gemfiles/rails_4.1_stable.gemfile +0 -8
data/gemfiles/rails_4.2_stable.gemfile +0 -8
data/gemfiles/rails_5.0_stable.gemfile +0 -8
data/gemfiles/rails_5.1_stable.gemfile +0 -8
data/gemfiles/rails_5.2_rc1.gemfile +0 -8
data/lib/devise-security/models/old_password.rb +0 -4
data/lib/devise-security/orm/active_record.rb +0 -18
data/lib/devise-security/patches/confirmations_controller_captcha.rb +0 -21
data/lib/devise-security/patches/confirmations_controller_security_question.rb +0 -24
data/lib/devise-security/patches/passwords_controller_captcha.rb +0 -20
data/lib/devise-security/patches/passwords_controller_security_question.rb +0 -23
data/lib/devise-security/patches/registrations_controller_captcha.rb +0 -33
data/lib/devise-security/patches/sessions_controller_captcha.rb +0 -24
data/lib/devise-security/patches/unlocks_controller_captcha.rb +0 -20
data/lib/devise-security/patches/unlocks_controller_security_question.rb +0 -23
data/lib/devise-security/schema.rb +0 -64
data/lib/generators/templates/devise-security.rb +0 -38
data/test/dummy/app/controllers/foos_controller.rb +0 -0
data/test/dummy/app/models/.gitkeep +0 -0
data/test/dummy/app/models/secure_user.rb +0 -3
data/test/test_password_expired_controller.rb +0 -44
data/test/test_security_question_controller.rb +0 -84

data/test/i18n_test.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+require 'i18n/tasks'
+class I18nTest < ActiveSupport::TestCase
+  def setup
+    @i18n = I18n::Tasks::BaseTask.new
+    @missing_keys = @i18n.missing_keys
+  end
+  def test_no_missing_keys
+    assert_empty @missing_keys,
+                 "Missing #{@missing_keys.leaves.count} i18n keys, run `i18n-tasks missing' to show them"
+  end
+  def test_no_inconsistent_interpolations
+    inconsistent_interpolations = @i18n.inconsistent_interpolations
+    error_message = "#{inconsistent_interpolations.leaves.count} i18n keys have inconsistent interpolations.\n" \
+                    "Please run `i18n-tasks check-consistent-interpolations' to show them"
+    assert_empty inconsistent_interpolations, error_message
+  end
+end

data/test/integration/test_paranoid_verification_code_workflow.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+require 'test_helper'
+class TestParanoidVerificationCodeWorkflow < ActionDispatch::IntegrationTest
+  include IntegrationHelpers
+  setup do
+    @user = User.create!(
+      password: 'passWord1',
+      password_confirmation: 'passWord1',
+      email: 'bob@microsoft.com',
+      paranoid_verification_code: 'cookies'
+    ) # the default verification code is nil
+    @user.confirm
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
+  end
+  test 'sign in and check paranoid verification code' do
+    sign_in(@user)
+    assert_redirected_to(root_path)
+    follow_redirect!
+    assert_redirected_to(user_paranoid_verification_code_path)
+    # @note This is not the same controller used by Devise for password changes
+    patch '/users/verification_code', params: {
+      user: {
+        paranoid_verification_code: 'cookies'
+      }
+    }
+    assert_redirected_to(root_path)
+    @user.reload
+    assert_not @user.need_paranoid_verification?
+  end
+  test 'sign in and paranoid verification code is checked before redirect completes' do
+    sign_in(@user)
+    assert_redirected_to(root_path)
+    # simulates an external process verifying the paranoid verification code
+    @user.update(paranoid_verification_code: nil)
+    assert_not @user.need_paranoid_verification?
+    follow_redirect!
+    assert_response :success
+    # if the paranoid verification code is not empty/nil at this point they will be redirected to the
+    # paranoid verification code change controller.
+    get root_path
+    assert_response :success
+  end
+end

data/test/integration/test_password_expirable_workflow.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+require 'test_helper'
+class TestPasswordExpirableWorkflow < ActionDispatch::IntegrationTest
+  include IntegrationHelpers
+  setup do
+    @user = User.create!(password: 'passWord1',
+                         password_confirmation: 'passWord1',
+                         email: 'bob@microsoft.com',
+                         password_changed_at: 4.months.ago) # the default expiration time is 3.months.ago
+    @user.confirm
+    assert @user.valid?
+    assert @user.need_change_password?
+  end
+  test 'sign in and change expired password' do
+    sign_in(@user)
+    assert_redirected_to(root_path)
+    follow_redirect!
+    assert_redirected_to(user_password_expired_path)
+    # @note This is not the same controller used by Devise for password changes
+    put '/users/password_expired', params: {
+      user: {
+        current_password: 'passWord1',
+        password: 'Password12345!',
+        password_confirmation: 'Password12345!'
+      }
+    }
+    assert_redirected_to(root_path)
+    @user.reload
+    assert_not @user.need_change_password?
+  end
+  test 'sign in and password is updated before redirect completes' do
+    sign_in(@user)
+    assert_redirected_to(root_path)
+    # simulates an external process updating the password
+    @user.update(password_changed_at: Time.zone.now)
+    assert_not @user.need_change_password?
+    follow_redirect!
+    assert_response :success
+    # if the password is expired at this point they will be redirected to the
+    # password change controller.
+    get root_path
+    assert_response :success
+  end
+end

data/test/integration/test_session_limitable_workflow.rb ADDED Viewed

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+require 'test_helper'
+class TestSessionLimitableWorkflow < ActionDispatch::IntegrationTest
+  include IntegrationHelpers
+  setup do
+    @user = User.create!(password: 'passWord1',
+                         password_confirmation: 'passWord1',
+                         email: 'bob@microsoft.com')
+    @user.confirm
+  end
+  test 'failed login' do
+    assert_nil @user.unique_session_id
+    open_session do |session|
+      failed_sign_in(@user, session)
+      session.assert_response(:success)
+      assert_equal session.flash[:alert], I18n.t('devise.failure.invalid', authentication_keys: 'Email')
+      assert_nil @user.reload.unique_session_id
+    end
+  end
+  test 'successful login' do
+    assert_nil @user.unique_session_id
+    open_session do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal('success', session.response.body)
+      assert_not_nil @user.reload.unique_session_id
+    end
+  end
+  test 'session is logged out when another session is created' do
+    first_session = open_session
+    second_session = open_session
+    unique_session_id = nil
+    first_session.tap do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal('success', session.response.body)
+      unique_session_id = @user.reload.unique_session_id
+      assert_not_nil unique_session_id
+    end
+    second_session.tap do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal('success', session.response.body)
+      assert_not_equal unique_session_id, @user.reload.unique_session_id
+    end
+    first_session.tap do |session|
+      session.get widgets_path
+      session.assert_redirected_to new_user_session_path
+      assert_equal session.flash[:alert], I18n.t('devise.failure.session_limited')
+    end
+  end
+end

data/test/orm/active_record.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require 'active_record'
+ActiveRecord::Migration.verbose = false
+ActiveRecord::Base.logger = Logger.new(nil)
+if Rails.gem_version >= Gem::Version.new('6.0.0')
+  ActiveRecord::MigrationContext.new(File.expand_path('../dummy/db/migrate', __dir__), ActiveRecord::SchemaMigration).migrate
+elsif Rails.gem_version >= Gem::Version.new('5.2.0')
+  ActiveRecord::MigrationContext.new(File.expand_path('../dummy/db/migrate', __dir__)).migrate
+end
+DatabaseCleaner[:active_record].strategy = :transaction
+ORMInvalidRecordException = ActiveRecord::RecordInvalid

data/test/orm/mongoid.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+require 'mongoid/version'
+require 'database_cleaner-mongoid'
+Mongoid.configure do |config|
+  config.load!('test/support/mongoid.yml', Rails.env)
+  config.use_utc = true
+  config.include_root_in_json = true
+end
+DatabaseCleaner[:mongoid].strategy = :deletion
+ORMInvalidRecordException = Mongoid::Errors::Validations

data/test/support/integration_helpers.rb ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+module IntegrationHelpers
+  # login the user.  This will exercise all the Warden Hooks
+  # @param user [User]
+  # @param session [ActionDispatch::Integration::Session]
+  # @return [void]
+  def sign_in(user, session = integration_session)
+    session.post(
+      new_user_session_path,
+      params: {
+        user: {
+          email: user.email,
+          password: user.password
+        }
+      }
+    )
+  end
+  # attempt to login the user with a bad password. This will exercise all the Warden Hooks
+  # @param user [User]
+  # @param session [ActionDispatch::Integration::Session]
+  # @return [void]
+  def failed_sign_in(user, session)
+    session.post(
+      new_user_session_path,
+      params: {
+        user: {
+          email: user.email,
+          password: 'bad-password'
+        }
+      }
+    )
+  end
+end

data/test/support/mongoid.yml ADDED Viewed

@@ -0,0 +1,6 @@
+test:
+  clients:
+    default:
+      database: devise-test-suite
+      hosts:
+        - localhost:<%= ENV.fetch('MONGODB_PORT', '27017') %>

data/test/test_compatibility.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require 'test_helper'
+class TestCompatibility < ActiveSupport::TestCase
+  test 'can access ActiveRecord namespace' do
+    skip unless DEVISE_ORM == :active_record
+    assert_nothing_raised { User.new.some_method_calling_active_record }
+  end
+  test 'can access Mongoid namespace' do
+    skip unless DEVISE_ORM == :mongoid
+    assert_nothing_raised { User.new.some_method_calling_mongoid }
+  end
+end

data/test/test_complexity_validator.rb ADDED Viewed

@@ -0,0 +1,282 @@
+# frozen_string_literal: true
+require 'test_helper'
+class PasswordComplexityValidatorTest < ActiveSupport::TestCase
+  class ModelWithPassword
+    include ActiveModel::Validations
+    attr_reader :password
+    def initialize(password)
+      @password = password
+    end
+  end
+  def setup
+    ModelWithPassword.clear_validators!
+  end
+  def create_model(password, opts = {})
+    ModelWithPassword.validates(
+      :password, 'devise_security/password_complexity': opts
+    )
+    ModelWithPassword.new(password)
+  end
+  def test_with_no_rules_anything_goes
+    assert(create_model('aaaa').valid?)
+  end
+  def test_allows_blank
+    assert(create_model('', { upper: 1 }).valid?)
+  end
+  def test_enforces_uppercase_invalid
+    model = create_model('aaaa', { upper: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one upper-case letter'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_uppercase_valid
+    assert(create_model('Aaaa', { upper: 1 }).valid?)
+  end
+  def test_enforces_uppercase_count_invalid
+    model = create_model('Aaaa', { upper: 2 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least 2 upper-case letters'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_uppercase_count_valid
+    assert(create_model('AAaa', { upper: 2 }).valid?)
+  end
+  def test_enforces_digit_invalid
+    model = create_model('aaaa', { digit: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one digit'] }, model.errors.messages
+    )
+  end
+  def test_enforces_digit_valid
+    assert(create_model('1aaa', { digit: 1 }).valid?)
+  end
+  def test_enforces_digit_count_invalid
+    model = create_model('1aaa', { digit: 2 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least 2 digits'] }, model.errors.messages
+    )
+  end
+  def test_enforces_digit_count_valid
+    assert(create_model('11aa', { digit: 2 }).valid?)
+  end
+  def test_enforces_digits_invalid
+    model = create_model('aaaa', { digits: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one digit'] }, model.errors.messages
+    )
+  end
+  def test_enforces_digits_valid
+    assert(create_model('1aaa', { digits: 1 }).valid?)
+  end
+  def test_enforces_digits_count_invalid
+    model = create_model('1aaa', { digits: 2 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least 2 digits'] }, model.errors.messages
+    )
+  end
+  def test_enforces_digits_count_valid
+    assert(create_model('11aa', { digits: 2 }).valid?)
+  end
+  def test_enforces_lower_invalid
+    model = create_model('AAAA', { lower: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one lower-case letter'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_lower_valid
+    assert(create_model('aAAA', { lower: 1 }).valid?)
+  end
+  def test_enforces_lower_count_invalid
+    model = create_model('aAAA', { lower: 2 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least 2 lower-case letters'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_lower_count_valid
+    assert(create_model('aaAA', { lower: 2 }).valid?)
+  end
+  def test_enforces_symbol_invalid
+    model = create_model('aaaa', { symbol: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one punctuation mark or symbol'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_symbol_valid
+    assert(create_model('!aaa', { symbol: 1 }).valid?)
+  end
+  def test_enforces_symbol_count_invalid
+    model = create_model('!aaa', { symbol: 2 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least 2 punctuation marks or symbols'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_symbol_count_valid
+    assert(create_model('!!aa', { symbol: 2 }).valid?)
+  end
+  def test_enforces_symbols_invalid
+    model = create_model('aaaa', { symbols: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one punctuation mark or symbol'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_symbols_valid
+    assert(create_model('!aaa', { symbols: 1 }).valid?)
+  end
+  def test_enforces_symbols_count_invalid
+    model = create_model('!aaa', { symbols: 2 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least 2 punctuation marks or symbols'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_symbols_count_valid
+    assert(create_model('!!aa', { symbols: 2 }).valid?)
+  end
+  def test_enforces_combination_only_lower_invalid
+    model = create_model('aaaa', { lower: 1, upper: 1, digit: 1, symbol: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      {
+        password:
+        [
+          'must contain at least one digit',
+          'must contain at least one punctuation mark or symbol',
+          'must contain at least one upper-case letter'
+        ]
+      },
+      model.errors.messages
+    )
+  end
+  def test_enforces_combination_only_upper_invalid
+    model = create_model('AAAA', { lower: 1, upper: 1, digit: 1, symbol: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      {
+        password:
+        [
+          'must contain at least one digit',
+          'must contain at least one lower-case letter',
+          'must contain at least one punctuation mark or symbol'
+        ]
+      },
+      model.errors.messages
+    )
+  end
+  def test_enforces_combination_only_digit_invalid
+    model = create_model('1111', { lower: 1, upper: 1, digit: 1, symbol: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      {
+        password:
+        [
+          'must contain at least one lower-case letter',
+          'must contain at least one punctuation mark or symbol',
+          'must contain at least one upper-case letter'
+        ]
+      },
+      model.errors.messages
+    )
+  end
+  def test_enforces_combination_only_symbol_invalid
+    model = create_model('!!!!', { lower: 1, upper: 1, digit: 1, symbol: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      {
+        password:
+        [
+          'must contain at least one digit',
+          'must contain at least one lower-case letter',
+          'must contain at least one upper-case letter'
+        ]
+      },
+      model.errors.messages
+    )
+  end
+  def test_enforces_combination_some_but_not_all_invalid
+    model = create_model('aAa!', { lower: 1, upper: 1, digit: 1, symbol: 1 })
+    assert_not(model.valid?)
+    assert_equal(
+      { password: ['must contain at least one digit'] },
+      model.errors.messages
+    )
+  end
+  def test_enforces_combination_all_valid
+    model = create_model('aA1!', { lower: 1, upper: 1, digit: 1, symbol: 1 })
+    assert(model.valid?)
+  end
+end