Enforce password and password-confirm as strings

app/code/Magento/Customer/Model/Customer.php

@@ -1367,4 +1367,20 @@ public function isCustomerLocked()
         }
         return false;
     }
+
+    /**
+     * @return string
+     */
+    public function getPasswordConfirm()
+    {
+        return (string) $this->getData('password_confirm');
+    }
+
+    /**
+     * @return string
+     */
+    public function getPassword()
+    {
+        return (string) $this->getData('password');
+    }
 }

app/code/Magento/Customer/Model/Customer/Attribute/Backend/Password.php

@@ -53,7 +53,7 @@ public function beforeSave($object)
                 );
             }
 
-            if (trim($password) != $password) {
+            if (trim($password) !== $password) {
                 throw new LocalizedException(__('The password can not begin or end with a space.'));
             }
 
@@ -68,7 +68,7 @@ public function beforeSave($object)
     public function validate($object)
     {
         $password = $object->getPassword();
-        if ($password && $password == $object->getPasswordConfirm()) {
+        if ($password && $password === $object->getPasswordConfirm()) {
             return true;
         }
 

app/code/Magento/Customer/Test/Unit/Model/Customer/Attribute/Backend/PasswordTest.php

@@ -6,6 +6,7 @@
 
 namespace Magento\Customer\Test\Unit\Model\Customer\Attribute\Backend;
 
+use Magento\Framework\DataObject;
 use Magento\Framework\Stdlib\StringUtils;
 use Magento\Customer\Model\Customer\Attribute\Backend\Password;
 
@@ -25,14 +26,15 @@ protected function setUp()
     public function testValidatePositive()
     {
         $password = 'password';
-        $object = $this->getMockBuilder('Magento\Framework\DataObject')
-            ->disableOriginalConstructor()
-            ->setMethods(['getPassword', 'getPasswordConfirm'])
-            ->getMock();
 
-        $object->expects($this->once())->method('getPassword')->will($this->returnValue($password));
-        $object->expects($this->once())->method('getPasswordConfirm')->will($this->returnValue($password));
-        /** @var \Magento\Framework\DataObject $object */
+        /** @var DataObject|\PHPUnit_Framework_MockObject_MockObject $object */
+        $object = $this->getMockBuilder(DataObject::class)
+                       ->disableOriginalConstructor()
+                       ->setMethods(['getPassword', 'getPasswordConfirm'])
+                       ->getMock();
+
+        $object->expects($this->once())->method('getPassword')->willReturn($password);
+        $object->expects($this->once())->method('getPasswordConfirm')->willReturn($password);
 
         $this->assertTrue($this->testable->validate($object));
     }
@@ -52,13 +54,13 @@ public function passwordNegativeDataProvider()
      */
     public function testBeforeSaveNegative($password)
     {
-        $object = $this->getMockBuilder('Magento\Framework\DataObject')
-            ->disableOriginalConstructor()
-            ->setMethods(['getPassword'])
-            ->getMock();
+        /** @var DataObject|\PHPUnit_Framework_MockObject_MockObject $object */
+        $object = $this->getMockBuilder(DataObject::class)
+                       ->disableOriginalConstructor()
+                       ->setMethods(['getPassword'])
+                       ->getMock();
 
-        $object->expects($this->once())->method('getPassword')->will($this->returnValue($password));
-        /** @var \Magento\Framework\DataObject $object */
+        $object->expects($this->once())->method('getPassword')->willReturn($password);
 
         $this->testable->beforeSave($object);
     }
@@ -67,16 +69,62 @@ public function testBeforeSavePositive()
     {
         $password = 'more-then-6';
         $passwordHash = 'password-hash';
-        $object = $this->getMockBuilder('Magento\Framework\DataObject')
-            ->disableOriginalConstructor()
-            ->setMethods(['getPassword', 'setPasswordHash', 'hashPassword'])
-            ->getMock();
 
-        $object->expects($this->once())->method('getPassword')->will($this->returnValue($password));
-        $object->expects($this->once())->method('hashPassword')->will($this->returnValue($passwordHash));
-        $object->expects($this->once())->method('setPasswordHash')->with($passwordHash)->will($this->returnSelf());
-        /** @var \Magento\Framework\DataObject $object */
+        /** @var DataObject|\PHPUnit_Framework_MockObject_MockObject $object */
+        $object = $this->getMockBuilder(DataObject::class)
+                       ->disableOriginalConstructor()
+                       ->setMethods(['getPassword', 'setPasswordHash', 'hashPassword'])
+                       ->getMock();
+
+        $object->expects($this->once())->method('getPassword')->willReturn($password);
+        $object->expects($this->once())->method('hashPassword')->willReturn($passwordHash);
+        $object->expects($this->once())->method('setPasswordHash')->with($passwordHash)->willReturnSelf();
 
         $this->testable->beforeSave($object);
     }
+
+    /**
+     * @return array
+     */
+    public function randomValuesProvider()
+    {
+        return [
+            [ false ],
+            [ 1 ],
+            [ "23" ],
+            [ null ],
+            [ "" ],
+            [ -1 ],
+            [ 12.3 ],
+            [ true ],
+            [ 0 ],
+        ];
+    }
+
+    /**
+     * @dataProvider randomValuesProvider
+     * @param mixed $randomValue
+     */
+    public function testCustomerGetPasswordAndGetPasswordConfirmAlwaysReturnsAString($randomValue)
+    {
+        /** @var \Magento\Customer\Model\Customer|\PHPUnit_Framework_MockObject_MockObject $customer */
+        $customer = $this->getMockBuilder(\Magento\Customer\Model\Customer::class)
+                         ->disableOriginalConstructor()
+                         ->setMethods(['getData'])
+                         ->getMock();
+
+        $customer->expects($this->exactly(2))->method('getData')->willReturn($randomValue);
+
+        $this->assertInternalType(
+            'string',
+            $customer->getPassword(),
+            'Customer password should always return a string'
+        );
+
+        $this->assertInternalType(
+            'string',
+            $customer->getPasswordConfirm(),
+            'Customer password-confirm should always return a string'
+        );
+    }
 }