[TASK] Drop salted passwords configuration options 25/57725/9
author Christian Kuhn <lolli@schwarzbu.ch>
Sun, 29 Jul 2018 21:26:23 +0000 (23:26 +0200)
committer Andreas Fernandez <a.fernandez@scripting-base.de>
Tue, 31 Jul 2018 11:54:21 +0000 (13:54 +0200)
commit c2cb6fa93bf796840c481ad638b6d62bc88a801f
tree 4175e2b299c5ae85de82d83cedd330232fb5010d
parent 70906f438ef919935050beee58229babe74fa721
[TASK] Drop salted passwords configuration options

In order to prepare the saltedpasswords extension to be implemented
as a library into the core directly, a series of configuration
options is dropped from the extension:

* FE.forceSalted & BE.forceSalted (default 0)
  Setting this to 1 disabled upgrading non-salted user password
  to salted passwords and denied login. The option is dropped, but
  only passwords that have been upgraded from simple md5 or plaintext
  in v8 are allowed to login and will get their password upgraded.

* FE.updatePasswd & BE.updatePasswd (default 1)
  Setting this to 0 disabled upgrading one salted password to
  another. This is dropped: Passwords will now always be upgraded
  to the currently configured hash algorithm if the currently used
  algorithm does not match the configured one.

* FE.onlyAuthService & BE.onlyAuthService (default 0)
  Setting this to 1 allowed stopping the authentication chain if
  the salted passwords did not verify a password. This setting is
  pretty useless since it can be expected that any sane authentication
  provider kicks in before the native salted passwords authentication.
  We found not a single usage of that flag in TER.

* checkConfigurationFE & checkConfigurationFE2
  & checkConfigurationBE & checkConfigurationBE2
  These configuration user functions have been responsible to check
  various combinations of valid and invalid salted passwords
  combinations. This is obsolete with removing the other options and the
  deprecated rsaauth extension. An install tool preset for sane options
  and according warnings will be set up to establish better usability
  from an administrator point of view as soon as this patch is done.

The only option left is the main "saltedPWHashingMethod". This will
be transferred to an install tool preset including best option selection
during installation in a next step.

Resolves: #85683
Releases: master
Change-Id: I7e8150ba9bc8b36f59d08ca5cadeb547e1301f67
Reviewed-on: https://review.typo3.org/57725
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
12 files changed:
typo3/sysext/core/Classes/Configuration/ExtensionConfiguration.php
typo3/sysext/core/Documentation/Changelog/master/Important-85683-DoppedSaltedpasswordOptions.rst [new file with mode: 0644]
typo3/sysext/core/Tests/Unit/Configuration/ExtensionConfigurationTest.php
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
typo3/sysext/saltedpasswords/Documentation/Configuration/Index.rst
typo3/sysext/saltedpasswords/Resources/Private/Language/locallang.xlf
typo3/sysext/saltedpasswords/Resources/Private/Language/locallang_em.xlf
typo3/sysext/saltedpasswords/Tests/Unit/Salt/SaltFactoryTest.php
typo3/sysext/saltedpasswords/ext_conf_template.txt
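
The login-time behaviour the commit message describes (stored hashes are always upgraded to the configured algorithm, and unsalted md5 or plaintext records are denied), sketched as an added example that is not TYPO3's code. It assumes PHP's native `password_*` API as a stand-in for the extension's salt classes, which this page does not show; `CONFIGURED_ALGO`, `CONFIGURED_OPTIONS` and `verifyAndUpgrade()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the one remaining option ("saltedPWHashingMethod").
const CONFIGURED_ALGO = PASSWORD_BCRYPT;
const CONFIGURED_OPTIONS = ['cost' => 12];

/**
 * Verify a login attempt and decide whether the stored hash must be replaced.
 * Returns [bool $authenticated, ?string $replacementHash].
 */
function verifyAndUpgrade(string $plain, string $storedHash): array
{
    // Unsalted md5 or plaintext values carry no recognised hash prefix, so
    // password_get_info() reports algo null (PHP >= 7.4) or 0 (older versions).
    $info = password_get_info($storedHash);
    if (empty($info['algo'])) {
        return [false, null]; // deny; never fall back to comparing md5($plain)
    }
    if (!password_verify($plain, $storedHash)) {
        return [false, null];
    }
    // The upgrade is unconditional: no switch comparable to updatePasswd = 0.
    $replacement = password_needs_rehash($storedHash, CONFIGURED_ALGO, CONFIGURED_OPTIONS)
        ? password_hash($plain, CONFIGURED_ALGO, CONFIGURED_OPTIONS)
        : null;
    return [true, $replacement];
}

// Constructed sample records, not taken from any real installation.
$users = [
    'current'     => password_hash('s3cret', PASSWORD_BCRYPT, ['cost' => 12]),
    'weaker-cost' => password_hash('s3cret', PASSWORD_BCRYPT, ['cost' => 10]),
    'legacy-md5'  => md5('s3cret'),
];

foreach ($users as $name => $hash) {
    [$ok, $replacement] = verifyAndUpgrade('s3cret', $hash);
    printf("%-12s login=%-3s rehash=%s\n", $name, $ok ? 'yes' : 'no', $replacement === null ? 'no' : 'yes');
    if ($replacement !== null) {
        $users[$name] = $replacement; // persist the upgraded hash for this user
    }
}
```

The replacement hash can only be computed during a successful login, because that is the only moment the plaintext password is available; accounts that never log in keep their old hash.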