password_strength 0.2.0 → 0.3.0

data/CHANGELOG.rdoc

@@ -28,4 +28,14 @@
 
 == 0.1.6 - March 31 2010
 
-* Added :exclude option
+* Added :exclude option
+
+== 0.2.0 - July 27 2010
+
+* PasswordStrength can be disabled; development mode says hello!
+
+== 0.3.0 - August 11 2010
+
+* Increased required password length to 6 characters
+* Added support for custom validators
+* Added Windows 2008 validator

data/README.rdoc

@@ -64,6 +64,30 @@ If you want to compare your password against other field, you have to set the <t
 
 The available levels are: <tt>:weak</tt>, <tt>:good</tt> and <tt>:strong</tt>
 
+You can also provide a custom class/module that will test that password.
+
+  validates_strength_of :password, :using => CustomPasswordTester
+
+Your +CustomPasswordTester+ class should override the default implementation. In practice, you're
+going to override only the +test+ method that must call one of the following methods:
+<tt>invalid!</tt>, <tt>weak!</tt>, <tt>good!</tt> or <tt>strong!</tt>.
+
+  class CustomPasswordTester < PasswordStrength::Base
+    def test
+      if password != "mypass"
+        invalid!
+      else
+        strong!
+      end
+    end
+  end
+
+The tester above will accept only +mypass+ as password.
+
+PasswordStrength implements two validators: <tt>PasswordStrength::Base</tt> and <tt>PasswordStrength::Validators::Windows2008</tt>.
+
+<b>ATTENTION:</b> Custom validators are not supported by JavaScript yet!
+
 = JavaScript
 
 The PasswordStrength also implements the algorithm in the JavaScript.

data/javascripts/jquery.strength.js

@@ -1,11 +1,11 @@
 (function($){
 	$.strength = function(username, password, options, callback) {
-	  if (typeof(options) == "function") {
-	    callback = options;
-	    options = {};
-	  } else if (!options) {
-	    options = {};
-	  }
+		if (typeof(options) == "function") {
+			callback = options;
+			options = {};
+		} else if (!options) {
+			options = {};
+		}
 
 		var usernameField = $(username);
 		var passwordField = $(password);

data/javascripts/password_strength.js

@@ -13,40 +13,40 @@ var PasswordStrength = function() {
 		this.score = 0;
 
 		if (this.containInvalidMatches()) {
-      this.status = "invalid";
+			this.status = "invalid";
 		} else {
-		  this.score += this.scoreFor("password_size");
-  		this.score += this.scoreFor("numbers");
-  		this.score += this.scoreFor("symbols");
-  		this.score += this.scoreFor("uppercase_lowercase");
-  		this.score += this.scoreFor("numbers_chars");
-  		this.score += this.scoreFor("numbers_symbols");
-  		this.score += this.scoreFor("symbols_chars");
-  		this.score += this.scoreFor("only_chars");
-  		this.score += this.scoreFor("only_numbers");
-  		this.score += this.scoreFor("username");
-  		this.score += this.scoreFor("sequences");
-  		this.score += this.scoreFor("repetitions");
-
-  		if (this.score < 0) {
-  			this.score = 0;
-  		}
-
-  		if (this.score > 100) {
-  			this.score = 100;
-  		}
-
-  		if (this.score < 35) {
-  			this.status = "weak";
-  		}
-
-  		if (this.score >= 35 && this.score < 70) {
-  			this.status = "good";
-  		}
-
-  		if (this.score >= 70) {
-  			this.status = "strong";
-  		}
+			this.score += this.scoreFor("password_size");
+			this.score += this.scoreFor("numbers");
+			this.score += this.scoreFor("symbols");
+			this.score += this.scoreFor("uppercase_lowercase");
+			this.score += this.scoreFor("numbers_chars");
+			this.score += this.scoreFor("numbers_symbols");
+			this.score += this.scoreFor("symbols_chars");
+			this.score += this.scoreFor("only_chars");
+			this.score += this.scoreFor("only_numbers");
+			this.score += this.scoreFor("username");
+			this.score += this.scoreFor("sequences");
+			this.score += this.scoreFor("repetitions");
+
+			if (this.score < 0) {
+				this.score = 0;
+			}
+
+			if (this.score > 100) {
+				this.score = 100;
+			}
+
+			if (this.score < 35) {
+				this.status = "weak";
+			}
+
+			if (this.score >= 35 && this.score < 70) {
+				this.status = "good";
+			}
+
+			if (this.score >= 70) {
+				this.status = "strong";
+			}
 		}
 
 		return this.score;
@@ -162,15 +162,15 @@ var PasswordStrength = function() {
 	};
 
 	this.containInvalidMatches = function() {
-	  if (!this.exclude) {
-	    return false;
-	  }
+		if (!this.exclude) {
+			return false;
+		}
 
-    if (!this.exclude.test) {
-      return false;
-    }
+		if (!this.exclude.test) {
+			return false;
+		}
 
-    return this.exclude.test(this.password.toString());
+		return this.exclude.test(this.password.toString());
 	};
 
 	this.sequences = function(text) {

data/lib/password_strength.rb

@@ -1,6 +1,7 @@
 require "active_support"
 require "password_strength/base"
 require "password_strength/active_record"
+require "password_strength/validators/windows2008"
 
 module PasswordStrength
   # Test the password strength by applying several rules.

data/lib/password_strength/active_record/ar2.rb

@@ -14,16 +14,39 @@ module PasswordStrength
     #
     # The available levels are: <tt>:weak</tt>, <tt>:good</tt> and <tt>:strong</tt>
     #
+    # You can also provide a custom class/module that will test that password.
+    #
+    #   validates_strength_of :password, :using => CustomPasswordTester
+    #
+    # Your +CustomPasswordTester+ class should override the default implementation. In practice, you're
+    # going to override only the +test+ method that must call one of the following methods:
+    # <tt>invalid!</tt>, <tt>weak!</tt>, <tt>good!</tt> or <tt>strong!</tt>.
+    #
+    #   class CustomPasswordTester < PasswordStrength::Base
+    #     def test
+    #       if password != "mypass"
+    #         invalid!
+    #       else
+    #         strong!
+    #       end
+    #     end
+    #   end
+    #
+    # The tester above will accept only +mypass+ as password.
+    #
+    # PasswordStrength implements two validators: <tt>PasswordStrength::Base</tt> and <tt>PasswordStrength::Validators::Windows2008</tt>.
+    #
     def validates_strength_of(*attr_names)
       options = attr_names.extract_options!
-      options.reverse_merge!(:level => :good, :with => :username)
+      options.reverse_merge!(:level => :good, :with => :username, :using => PasswordStrength::Base)
 
       raise ArgumentError, "The :with option must be supplied" unless options.include?(:with)
       raise ArgumentError, "The :exclude options must be an array of string or regular expression" if options[:exclude] && !options[:exclude].kind_of?(Array) && !options[:exclude].kind_of?(Regexp)
       raise ArgumentError, "The :level option must be one of [:weak, :good, :strong]" unless [:weak, :good, :strong].include?(options[:level])
 
       validates_each(attr_names, options) do |record, attr_name, value|
-        strength = PasswordStrength.test(record.send(options[:with]), value, :exclude => options[:exclude])
+        strength = options[:using].new(record.send(options[:with]), value, :exclude => options[:exclude])
+        strength.test
         record.errors.add(attr_name, :too_weak, options) unless PasswordStrength.enabled && strength.valid?(options[:level])
       end
     end

data/lib/password_strength/active_record/ar3.rb

@@ -2,11 +2,12 @@ module ActiveModel # :nodoc:
   module Validations # :nodoc:
     class StrengthValidator < EachValidator # :nodoc: all
       def initialize(options)
-        super(options.reverse_merge(:level => :good, :with => :username))
+        super(options.reverse_merge(:level => :good, :with => :username, :using => PasswordStrength::Base))
       end
 
       def validate_each(record, attribute, value)
-        strength = PasswordStrength.test(record.send(options[:with]), value, :exclude => options[:exclude])
+        strength = options[:using].new(record.send(options[:with]), value, :exclude => options[:exclude])
+        strength.test
         record.errors.add(attribute, :too_weak, options) unless PasswordStrength.enabled && strength.valid?(options[:level])
       end
 
@@ -33,6 +34,28 @@ module ActiveModel # :nodoc:
       #
       # The available levels are: <tt>:weak</tt>, <tt>:good</tt> and <tt>:strong</tt>
       #
+      # You can also provide a custom class/module that will test that password.
+      #
+      #   validates_strength_of :password, :using => CustomPasswordTester
+      #
+      # Your +CustomPasswordTester+ class should override the default implementation. In practice, you're
+      # going to override only the +test+ method that must call one of the following methods:
+      # <tt>invalid!</tt>, <tt>weak!</tt>, <tt>good!</tt> or <tt>strong!</tt>.
+      #
+      #   class CustomPasswordTester < PasswordStrength::Base
+      #     def test
+      #       if password != "mypass"
+      #         invalid!
+      #       else
+      #         strong!
+      #       end
+      #     end
+      #   end
+      #
+      # The tester above will accept only +mypass+ as password.
+      #
+      # PasswordStrength implements two validators: <tt>PasswordStrength::Base</tt> and <tt>PasswordStrength::Validators::Windows2008</tt>.
+      #
       def validates_strength_of(*attr_names)
         validates_with StrengthValidator, _merge_attributes(attr_names)
       end

data/lib/password_strength/base.rb

@@ -4,6 +4,10 @@ module PasswordStrength
     MULTIPLE_SYMBOLS_RE = /[!@#\$%^&*?_~-].*?[!@#\$%^&*?_~-]/
     SYMBOL_RE = /[!@#\$%^&*?_~-]/
     UPPERCASE_LOWERCASE_RE = /([a-z].*[A-Z])|([A-Z].*[a-z])/
+    INVALID = :invalid
+    WEAK = :weak
+    STRONG = :strong
+    GOOD = :good
 
     # Hold the username that will be matched against password.
     attr_accessor :username
@@ -42,11 +46,11 @@ module PasswordStrength
 
     # Check if the password has the specified score.
     # Level can be +:weak+, +:good+ or +:strong+.
-    def valid?(level = :good)
+    def valid?(level = GOOD)
       case level
-      when :strong then
+      when STRONG then
         strong?
-      when :good then
+      when GOOD then
         good? || strong?
       else
         !invalid?
@@ -55,22 +59,42 @@ module PasswordStrength
 
     # Check if the password has been detected as strong.
     def strong?
-      status == :strong
+      status == STRONG
+    end
+
+    # Mark password as strong.
+    def strong!
+      @status = STRONG
     end
 
     # Check if the password has been detected as weak.
     def weak?
-      status == :weak
+      status == WEAK
+    end
+
+    # Mark password as weak.
+    def weak!
+      @status = WEAK
     end
 
     # Check if the password has been detected as good.
     def good?
-      status == :good
+      status == GOOD
+    end
+
+    # Mark password as good.
+    def good!
+      @status = GOOD
     end
 
     # Check if password has invalid characters based on PasswordStrength::Base#exclude.
     def invalid?
-      status == :invalid
+      status == INVALID
+    end
+
+    # Mark password as invalid.
+    def invalid!
+      @status = INVALID
     end
 
     # Return the score for the specified rule.
@@ -92,7 +116,7 @@ module PasswordStrength
 
       case name
       when :password_size then
-        if password.size < 4
+        if password.size < 6
           score = -100
         else
           score = password.size * 4
@@ -136,7 +160,7 @@ module PasswordStrength
       @score = 0
 
       if contain_invalid_matches?
-        @status = :invalid
+        invalid!
       else
         @score += score_for(:password_size)
         @score += score_for(:numbers)
@@ -154,9 +178,9 @@ module PasswordStrength
         @score = 0 if score < 0
         @score = 100 if score > 100
 
-        @status = :weak   if score < 35
-        @status = :good   if score >= 35 && score < 70
-        @status = :strong if score >= 70
+        weak!   if score < 35
+        good!   if score >= 35 && score < 70
+        strong! if score >= 70
       end
 
       score

data/lib/password_strength/validators/windows2008.rb

@@ -0,0 +1,37 @@
+module PasswordStrength
+  module Validators
+    # Validates a Windows 2008 password against the following rules:
+    #
+    # * Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.
+    # * Passwords must be at least six characters in length.
+    # * Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z); English lowercase characters (a through z); Base 10 digits (0 through 9); Non-alphabetic characters (for example, !, $, #, %).
+    #
+    # Reference: http://technet.microsoft.com/en-us/library/cc264456.aspx
+    #
+    class Windows2008 < PasswordStrength::Base
+      def test
+        return invalid! if password.size < 6
+
+        variety = 0
+        variety += 1 if password =~ /[A-Z]/
+        variety += 1 if password =~ /[a-z]/
+        variety += 1 if password =~ /[0-9]/
+        variety += 1 if password =~ PasswordStrength::Base::SYMBOL_RE
+
+        return invalid! if variety < 3
+        return invalid! if password_contains_username?
+
+        strong!
+      end
+
+      def password_contains_username?
+        0.upto(password.size - 1) do |i|
+          substring = password[i, 3]
+          return true if username.include?(substring)
+        end
+
+        false
+      end
+    end
+  end
+end

data/lib/password_strength/version.rb

@@ -1,7 +1,7 @@
 module PasswordStrength
   module Version # :nodoc: all
     MAJOR = 0
-    MINOR = 2
+    MINOR = 3
     PATCH = 0
     STRING = "#{MAJOR}.#{MINOR}.#{PATCH}"
   end

data/test/password_strength_test.rb

@@ -164,8 +164,8 @@ class TestPasswordStrength < Test::Unit::TestCase
   end
 
   def test_password_length
-    @strength.password = "12345"
-    assert_equal 20, @strength.score_for(:password_size)
+    @strength.password = "123456"
+    assert_equal 24, @strength.score_for(:password_size)
   end
 
   def test_password_with_numbers

data/test/validators/windows2008_test.rb

@@ -0,0 +1,68 @@
+require "test_helper"
+
+class Window2008Test < Test::Unit::TestCase
+  def setup
+    PasswordStrength.enabled = true
+    Object.class_eval { remove_const("User") } if defined?(User)
+    load "user.rb"
+    User.validates_strength_of :password, :using => PasswordStrength::Validators::Windows2008
+
+    @user = User.new(:username => "Administrator")
+  end
+
+  def test_require_password_to_include_three_character_categories
+    @user.update_attributes :password => "abcABC"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "abc123"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "abc$!~"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "123ABC"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "123$!~"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "ABC$!~"
+    assert @user.errors.full_messages.any?
+  end
+
+  def test_invalidate_password_that_includes_username
+    @user.update_attributes :password => "abc$!~ABC123Admin"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "abc$!~ABC123Adm"
+    assert @user.errors.full_messages.any?
+
+    @user.update_attributes :password => "abc$!~ABC123admin"
+    assert @user.errors.full_messages.any?
+  end
+
+  def test_invalidate_short_passwords
+    @user.update_attributes :password => "12345"
+    assert @user.errors.full_messages.any?
+  end
+
+  def test_accept_numbers_uppercases_and_lowercases
+    @user.update_attributes :password => "123ABCabc"
+    assert @user.valid?
+  end
+
+  def test_accept_numbers_uppercases_and_special_chars
+    @user.update_attributes :password => "123ABC$!~"
+    assert @user.valid?
+  end
+
+  def test_accept_numbers_lowercases_and_special_chars
+    @user.update_attributes :password => "123ABC$!~"
+    assert @user.valid?
+  end
+
+  def test_accept_uppercases_lowercases_and_special_chars
+    @user.update_attributes :password => "ABCabc$!~"
+    assert @user.valid?
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: password_strength
 version: !ruby/object:Gem::Version 
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors: 
 - Nando Vieira
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-07-27 00:00:00 -03:00
+date: 2010-08-11 00:00:00 -03:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -50,6 +50,7 @@ files:
 - lib/password_strength/active_record/ar2.rb
 - lib/password_strength/active_record/ar3.rb
 - lib/password_strength/base.rb
+- lib/password_strength/validators/windows2008.rb
 - lib/password_strength/version.rb
 - locales/en.yml
 - locales/pt.yml
@@ -65,6 +66,7 @@ files:
 - test/schema.rb
 - test/test_helper.rb
 - test/user.rb
+- test/validators/windows2008_test.rb
 has_rdoc: true
 homepage: http://github.com/fnando/password_strength
 licenses: []
@@ -99,3 +101,4 @@ test_files:
 - test/schema.rb
 - test/test_helper.rb
 - test/user.rb
+- test/validators/windows2008_test.rb