doorman/tests/test_admin_password_validation.py

"""
Test Admin Password Strength Validation
Validates that weak admin passwords are rejected
"""

def test_admin_password_strength():
    """Test admin password validation logic"""

    test_cases = [
        {
            'password': '',
            'valid': False,
            'length': 0,
            'reason': 'Empty password'
        },
        {
            'password': 'short',
            'valid': False,
            'length': 5,
            'reason': 'Too short (5 chars)'
        },
        {
            'password': 'password1',
            'valid': False,
            'length': 9,
            'reason': 'Common weak password (9 chars)'
        },
        {
            'password': 'password123',
            'valid': False,
            'length': 11,
            'reason': 'Just under 12 chars'
        },
        {
            'password': 'Password123!',
            'valid': True,
            'length': 12,
            'reason': 'Exactly 12 chars - minimum valid'
        },
        {
            'password': 'MySecureP@ssw0rd!',
            'valid': True,
            'length': 17,
            'reason': 'Strong password (17 chars)'
        },
        {
            'password': 'NDHhcY+l3+sn42gB796K3Q==',
            'valid': True,
            'length': 24,
            'reason': 'Base64 generated (24 chars)'
        },
        {
            'password': 'a' * 12,
            'valid': True,
            'length': 12,
            'reason': 'Simple but meets length requirement'
        }
    ]

    print("Admin Password Strength Validation Tests")
    print("=" * 70)

    for test in test_cases:
        password = test['password']
        is_valid = len(password) >= 12

        status = '✓' if is_valid == test['valid'] else '✗'
        result = 'VALID' if is_valid else 'INVALID'

        print(f"{status} {test['reason']}")
        print(f"   Password: {'*' * min(len(password), 20)}{'...' if len(password) > 20 else ''}")
        print(f"   Length: {test['length']} chars")
        print(f"   Result: {result}")
        print()

    print("=" * 70)
    print("Implementation Notes:")
    print()
    print("1. Validation enforced ALWAYS (not just production)")
    print("   - Runs at startup in app_lifespan (before JWT validation)")
    print("   - Application fails to start if password < 12 chars")
    print()
    print("2. Minimum requirement: 12 characters")
    print("   - This prevents common weak passwords")
    print("   - Allows for sufficient entropy")
    print()
    print("3. Recommended password generation:")
    print("   openssl rand -base64 16")
    print("   Generates 24-character base64 string")
    print()
    print("4. Location: backend-services/doorman.py:99-105")
    print()
    print("5. Error message if validation fails:")
    print("   RuntimeError: DOORMAN_ADMIN_PASSWORD must be at least 12 characters.")
    print("                 Generate strong password: openssl rand -base64 16")
    print()

if __name__ == '__main__':
    test_admin_password_strength()