Merge pull request #1389 from salesforcecli/d/W-21055675

soridalac · web-flow · commit f677ae3ceabd · 2026-03-19T13:08:30.000-07:00
feat: generated passwords default to complexity 3 if a lower value is provided @W-21055675@
diff --git a/messages/password.generate.md b/messages/password.generate.md
@@ -70,6 +70,10 @@ version 51.0 of the Metadata API.
 
 Starting in Summer '26, this command will fail if you specify a password length below 20. For now, the command is generating a password of length 20 instead of the requested length.
 
+# defaultingToComplexity3Password
+
+Starting in Summer '26, this command will fail if you specify a password complexity below 3. For now, the command is generating a password of complexity 3 instead of the requested complexity.
+
 # scratchFeaturesUrl
 
 see https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_scratch_orgs_def_file_config_values.htm
diff --git a/src/commands/org/generate/password.ts b/src/commands/org/generate/password.ts
@@ -71,10 +71,15 @@ export class GenerateUserPasswordCommand extends UserPasswordGenerateBaseCommand
       this.warn(messages.getMessage('defaultingToLength20Password'));
       length = 20;
     }
+    let complexity: number = flags.complexity;
+    if (complexity < 3) {
+      this.warn(messages.getMessage('defaultingToComplexity3Password'));
+      complexity = 3;
+    }
     return this.generate({
       usernames: ensureArray(flags['on-behalf-of'] ?? flags['target-org'].getUsername()),
       length,
-      complexity: flags.complexity,
+      complexity,
       conn: flags['target-org'].getConnection(flags['api-version']),
     });
   }
diff --git a/test/allCommands.nut.ts b/test/allCommands.nut.ts
@@ -30,6 +30,11 @@ let session: TestSession;
 
 let mainUserId: string | undefined;
 
+const digitArray: string[] = '0123456789'.split('');
+const upperArray: string[] = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split('');
+const lowerArray: string[] = 'abcdefghijklmnopqrstuvwxyz'.split('');
+const symbolArray: string[] = '!@#$|%^&*()[]_-'.split('');
+
 describe('verifies all commands run successfully ', () => {
   before(async () => {
     session = await TestSession.create({
@@ -133,19 +138,49 @@ describe('verifies all commands run successfully ', () => {
     }).jsonOutput?.result;
     // testing default length
     expect(output?.password?.length).to.equal(20);
-    const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing default complexity
-    expect(complexity5Regex.test(output?.password ?? '')).to.be.true;
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have symbols'
+    );
   });
 
   it('generates new passwords for main user testing length 11 and complexity 5', () => {
-    const output = execCmd<{ username: string; password: string }>('org:generate:password --json -l 11 -c 3', {
+    const output = execCmd<{ username: string; password: string }>('org:generate:password --json -l 11 -c 5', {
       ensureExitCode: 0,
     }).jsonOutput?.result;
     // Password length gets overridden to 20
     expect(output?.password.length).to.equal(20);
-    const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
-    expect(complexity3Regex.test(output?.password ?? ''));
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have symbols'
+    );
   });
 
   it('generates new password for secondary user (onbehalfof)', () => {
@@ -160,9 +195,24 @@ describe('verifies all commands run successfully ', () => {
 
     // Password length overridden to 20
     expect(output?.password.length).to.equal(20);
-    const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing the default complexity
-    expect(complexity5Regex.test(output?.password ?? ''));
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have symbols'
+    );
   });
 
   it('generates new password for secondary user (onbehalfof) with complexity 3', () => {
@@ -171,8 +221,23 @@ describe('verifies all commands run successfully ', () => {
     }).jsonOutput?.result;
     // testing default length
     expect(output?.password.length).to.equal(20);
-    const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
-    expect(complexity3Regex.test(output?.password ?? ''));
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      false,
+      'complexity 3 passwords do not have symbols'
+    );
   });
 
   it('generates new password for secondary user (onbehalfof) with complexity 7 should thrown an error', () => {
diff --git a/test/commands/password/generate.test.ts b/test/commands/password/generate.test.ts
@@ -85,6 +85,105 @@ describe('org:generate:password', () => {
     expect(queryStub.callCount).to.equal(1);
   });
 
+  describe('--complexity handling', () => {
+    const digitArray: string[] = '0123456789'.split('');
+    const upperArray: string[] = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split('');
+    const lowerArray: string[] = 'abcdefghijklmnopqrstuvwxyz'.split('');
+    const symbolArray: string[] = '!@#$|%^&*()[]_-'.split('');
+
+    it('when no complexity is specified, password should default to complexity 5', async () => {
+      await prepareStubs(false, false);
+      const result = (await GenerateUserPasswordCommand.run([
+        '--target-org',
+        testOrg.username,
+        '--json',
+      ])) as PasswordData;
+
+      const passwordAsCharArray: string[] = result.password.split('');
+
+      expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+        true,
+        'complexity 5 passwords have digits'
+      );
+      expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+        true,
+        'complexity 5 passwords have uppercase chars'
+      );
+      expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+        true,
+        'complexity 5 passwords have lowercase chars'
+      );
+      expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+        true,
+        'complexity 5 passwords have symbols'
+      );
+    });
+
+    it('when complexity <3 is specified, logs warn-level message and defaults to 3', async () => {
+      await prepareStubs(false, false);
+      const uxStubs = stubSfCommandUx($$.SANDBOX);
+      const result = (await GenerateUserPasswordCommand.run([
+        '--target-org',
+        testOrg.username,
+        '--complexity',
+        '2',
+        '--json',
+      ])) as PasswordData;
+
+      const passwordAsCharArray: string[] = result.password.split('');
+
+      expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+        true,
+        'complexity 3 passwords have digits'
+      );
+      expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+        true,
+        'complexity 3 passwords have uppercase chars'
+      );
+      expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+        true,
+        'complexity 3 passwords have lowercase chars'
+      );
+      expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+        false,
+        'complexity 3 passwords do not have symbols'
+      );
+      expect(uxStubs.warn.args.flat()).to.include(messages.getMessage('defaultingToComplexity3Password'));
+    });
+
+    it('when complexity >=3 is specified, complexity is used as-is', async () => {
+      await prepareStubs(false, false);
+      const uxStubs = stubSfCommandUx($$.SANDBOX);
+      const result = (await GenerateUserPasswordCommand.run([
+        '--target-org',
+        testOrg.username,
+        '--complexity',
+        '4',
+        '--json',
+      ])) as PasswordData;
+
+      const passwordAsCharArray: string[] = result.password.split('');
+
+      expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+        false,
+        'complexity 4 passwords do not have digits'
+      );
+      expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+        true,
+        'complexity 4 passwords have uppercase chars'
+      );
+      expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+        true,
+        'complexity 4 passwords have lowercase chars'
+      );
+      expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+        true,
+        'complexity 4 passwords have symbols'
+      );
+      expect(uxStubs.warn.args.flat()).to.have.length(0, 'no warnings expected');
+    });
+  });
+
   describe('--length handling', () => {
     it('when no length is specified, password should default to length 20', async () => {
       await prepareStubs(false, false);
@@ -97,7 +196,7 @@ describe('org:generate:password', () => {
       expect(result.password.length).to.equal(20);
     });
 
-    it('when length <20 is specified, logs info-level message and defaults to 20', async () => {
+    it('when length <20 is specified, logs warn-level message and defaults to 20', async () => {
       await prepareStubs(false, false);
       const uxStubs = stubSfCommandUx($$.SANDBOX);
       const result = (await GenerateUserPasswordCommand.run([
diff --git a/test/forceCommands.nut.ts b/test/forceCommands.nut.ts
@@ -30,6 +30,11 @@ let session: TestSession;
 
 let mainUserId: string | undefined;
 
+const digitArray: string[] = '0123456789'.split('');
+const upperArray: string[] = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split('');
+const lowerArray: string[] = 'abcdefghijklmnopqrstuvwxyz'.split('');
+const symbolArray: string[] = '!@#$|%^&*()[]_-'.split('');
+
 describe('verifies legacy force commands run successfully ', () => {
   before(async () => {
     session = await TestSession.create({
@@ -136,18 +141,48 @@ describe('verifies legacy force commands run successfully ', () => {
     }).jsonOutput?.result;
     // testing default length
     expect(output?.password?.length).to.equal(20);
-    const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing default complexity
-    expect(complexity5Regex.test(output?.password ?? '')).to.be.true;
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have symbols'
+    );
   });
 
-  it('generates new password for main user testing length 11 and complexity 5', () => {
+  it('generates new password for main user testing length 11 and complexity 3', () => {
     const output = execCmd<{ username: string; password: string }>('force:user:password:generate --json -l 11 -c 3', {
       ensureExitCode: 0,
     }).jsonOutput?.result;
     expect(output?.password.length).to.equal(11);
-    const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
-    expect(complexity3Regex.test(output?.password ?? ''));
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      false,
+      'complexity 3 passwords do not have symbols'
+    );
   });
 
   it('generates new password for secondary user (onbehalfof)', () => {
@@ -164,9 +199,24 @@ describe('verifies legacy force commands run successfully ', () => {
     ).jsonOutput?.result;
 
     expect(output?.password.length).to.equal(12);
-    const complexity5Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$|%^&*()[\\]_-])');
     // testing the default complexity
-    expect(complexity5Regex.test(output?.password ?? ''));
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      true,
+      'complexity 5 passwords have symbols'
+    );
   });
 
   it('generates new password for secondary user (onbehalfof) with complexity 3', () => {
@@ -178,8 +228,23 @@ describe('verifies legacy force commands run successfully ', () => {
     ).jsonOutput?.result;
     // testing default length
     expect(output?.password.length).to.equal(20);
-    const complexity3Regex = new RegExp('^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])');
-    expect(complexity3Regex.test(output?.password ?? ''));
+    const passwordAsCharArray = (output?.password ?? '').split('');
+    expect(passwordAsCharArray.some((c) => digitArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have digits'
+    );
+    expect(passwordAsCharArray.some((c) => upperArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have uppercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => lowerArray.includes(c))).to.equal(
+      true,
+      'complexity 3 passwords have lowercase chars'
+    );
+    expect(passwordAsCharArray.some((c) => symbolArray.includes(c))).to.equal(
+      false,
+      'complexity 3 passwords do not have symbols'
+    );
   });
 
   it('generates new password for secondary user (onbehalfof) with complexity 7 should thrown an error', () => {
diff --git a/yarn.lock b/yarn.lock
