[TASK] Remove unused loginSecurityLevel options
authorOliver Bartsch <bo@cedev.de>
Fri, 11 Jun 2021 12:04:08 +0000 (14:04 +0200)
committerAndreas Fernandez <a.fernandez@scripting-base.de>
Fri, 11 Jun 2021 14:13:22 +0000 (16:13 +0200)
Since the last remains of EXT:rsaauth were removed in #94279,
the `FE/loginSecurityLevel` and `BE/loginSecurityLevel`
options have become obsolete and are therefore removed now.

Resolves: #94312
Related: #66997
Related: #87470
Related: #94279
Releases: master
Change-Id: I03231f4ab798165e4820d67dea2cf44e32b8c4fa
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69460
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
typo3/sysext/core/Documentation/Changelog/master/Important-94312-RemovedBEloginSecurityLevelAndFEloginSecurityLevelOptions.rst [new file with mode: 0644]
typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php

index 77af35a..9209db4 100644 (file)
@@ -1119,18 +1119,14 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
     }
 
     /**
-     * Processes Login data submitted by a form or params depending on the
-     * passwordTransmissionStrategy
+     * Processes Login data submitted by a form or params
      *
      * @param array $loginData Login data array
-     * @param string $passwordTransmissionStrategy Alternative passwordTransmissionStrategy. Used when authentication services wants to override the default.
      * @return array
      * @internal
      */
-    public function processLoginData($loginData, $passwordTransmissionStrategy = '')
+    public function processLoginData($loginData)
     {
-        $loginSecurityLevel = trim($GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['loginSecurityLevel']) ?: 'normal';
-        $passwordTransmissionStrategy = $passwordTransmissionStrategy ?: $loginSecurityLevel;
         $this->logger->debug('Login data before processing', $loginData);
         $subType = 'processLoginData' . $this->loginType;
         $authInfo = $this->getAuthInfoArray();
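Review bot: The rewritten docblock drops the mention of the transmission strategy without saying what replaced it, so a reader of `processLoginData()` can no longer tell that authentication services are still handed a strategy argument. One added line would close that gap, e.g. `* Authentication services are still passed a $passwordTransmissionStrategy argument, which is now always 'normal' (#94312).`. Since the method is `@internal`, dropping the second parameter is acceptable, and PHP ignores surplus arguments to userland methods, so legacy callers that still pass a second value should not break — worth confirming for subclasses that override the method. The method body continues past this hunk.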
@@ -1138,7 +1134,7 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
         $processedLoginData = $loginData;
         /** @var AuthenticationService $serviceObject */
         foreach ($this->getAuthServices($subType, $loginData, $authInfo) as $serviceObject) {
-            $serviceResult = $serviceObject->processLoginData($processedLoginData, $passwordTransmissionStrategy);
+            $serviceResult = $serviceObject->processLoginData($processedLoginData, 'normal');
             if (!empty($serviceResult)) {
                 $isLoginDataProcessed = true;
                 // If the service returns >=200 then no more processing is needed
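Review bot: The literal `'normal'` in the `processLoginData()` service call is now a bare magic string whose reason for existing is explained only in the changelog, not at the call site. A short comment would keep the intent visible, e.g. `// Strategy argument kept for backwards compatibility of auth services; always 'normal' since #94312`, or the value could be named via `private const PASSWORD_TRANSMISSION_STRATEGY = 'normal';` if it is referenced elsewhere in the class. The foreach and the enclosing method continue outside the hunk.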
index f1533d4..71a93c0 100644 (file)
@@ -1185,7 +1185,6 @@ return [
         'cookieDomain' => '',
         'cookieName' => 'be_typo_user',
         'cookieSameSite' => 'strict',
-        'loginSecurityLevel' => 'normal',
         'showRefreshLoginPopup' => false,
         'adminOnly' => 0,
         'disable_exec_function' => false,
@@ -1361,7 +1360,6 @@ return [
         'checkFeUserPid' => true,
         'lockIP' => 0,
         'lockIPv6' => 0,
-        'loginSecurityLevel' => 'normal',
         'lifetime' => 0,
         'sessionTimeout' => 6000,
         'sessionDataLifetime' => 86400,
index 435f2fe..03798f6 100644 (file)
@@ -323,9 +323,6 @@ BE:
             'strict': 'Cookies sent by TYPO3 are only available for the current site, never shared to other third-party packages'
             'none': 'Allow cookies set by TYPO3 to be sent to other sites as well, please note - this only works with HTTPS connections'
           description: 'Indicates that the cookie should send proper information where the cookie can be shared (first-party cookies vs. third-party cookies) in TYPO3 Backend.'
-        loginSecurityLevel:
-            type: text
-            description: 'Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text. The client/server communication should be secured with HTTPS.'
         showRefreshLoginPopup:
             type: bool
             description: 'If set, the Ajax relogin will show a real popup window for relogin after the count down. Some auth services need this as they add custom validation to the login form. If it''s not set, the Ajax relogin will show an inline relogin window.'
@@ -435,9 +432,6 @@ FE:
               '7': 'Use the first seven blocks (112 bits) of the editors'' IPv6 address (e.g. "2001:0db8:85a3:08d3:1319:8a2e:0370") as part of the session locking of Backend Users'
               '8': 'Use the visitors'' full IPv6 address (e.g. "2001:0db8:85a3:08d3:1319:8a2e:0370:7344") as part of the session locking of Backend Users (highest security)'
             description: 'If activated, Frontend Users are locked to (a part of) their public IP (<code>$_SERVER[''REMOTE_ADDR'']</code>) for their session, if REMOTE_ADDR is an IPv6-address. Enhances security but may throw off users that may change IP during their session (in which case you can lower it). The integer indicates how many parts of the IP address to include in the check for the session.'
-        loginSecurityLevel:
-            type: text
-            description: 'See description for <a href="#BE-loginSecurityLevel">[BE][loginSecurityLevel]</a>. Default state for frontend is "normal". The client/server communication should be secured with HTTPS.'
         lifetime:
             type: int
             description: 'If >0 and the option permalogin is >=0, the cookie of FE users will have a lifetime of the number of seconds this value indicates. Otherwise it will be a session cookie (deleted when browser is shut down). Setting this value to 604800 will result in automatic login of FE users during a whole week, 86400 will keep the FE users logged in for a day.'
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Important-94312-RemovedBEloginSecurityLevelAndFEloginSecurityLevelOptions.rst b/typo3/sysext/core/Documentation/Changelog/master/Important-94312-RemovedBEloginSecurityLevelAndFEloginSecurityLevelOptions.rst
new file mode 100644 (file)
index 0000000..25222fc
--- /dev/null
@@ -0,0 +1,39 @@
+.. include:: ../../Includes.txt
+
+===================================================================================
+Important: #94312 - Removed BE/loginSecurityLevel and FE/loginSecurityLevel options
+===================================================================================
+
+See :issue:`94312`
+
+Description
+===========
+
+The `FE/loginSecurityLevel` and `BE/loginSecurityLevel` options were used to
+define the security level of the backend and frontend login. Since dropping
+the two possibilities `challenged` and `superchallenged` in v7, `rsa` and
+`normal` were the only two valid values left.
+
+The `rsa` value however also became more or less obsolete, after dropping
+`EXT:rsaauth` from core in :issue:`#87470`. Setting `rsa` therefore only had
+effect in case the standalone `friendsoftypo3/rsaauth` extension was installed.
+
+Finally, with :issue:`#94279` also the support for the standalone
+`friendsoftypo3/rsaauth` was abandoned, making the `loginSecurityLevel`
+option superfluous, as `normal` was left as the only valid option.
+
+Therefore, both options `FE/loginSecurityLevel` and `BE/loginSecurityLevel`
+have been removed. As a result and to follow our backwards-compatibility promise,
+all authentication services will still receive the `$passwordTransmissionStrategy`
+argument in their :php:`processLoginData()` method, which however will now
+always be `normal`.
+
+Impact
+======
+
+The options have been removed from the TYPO3's default configuration.
+When those options have been set in your :php:`LocalConfiguration.php`
+or :php:`AdditionalConfiguration.php` files, they are automatically
+removed when accessing the Install Tool or System Maintenance area.
+
+.. index:: LocalConfiguration, ext:core
index e779641..f478bc2 100644 (file)
@@ -162,6 +162,9 @@ class SilentConfigurationUpgradeService
         'BE/lockBeUserToDBmounts',
         // #92941
         'BE/enabledBeUserIPLock',
+        // #94312
+        'BE/loginSecurityLevel',
+        'FE/loginSecurityLevel'
     ];
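Review bot: The new last entry `'FE/loginSecurityLevel'` lacks the trailing comma that the surrounding entries carry (`'BE/enabledBeUserIPLock',`), so the next addition to this list will have to touch this line again and the style is inconsistent within the array; write it as `'FE/loginSecurityLevel',`. The `// #94312` marker matches the existing convention of the list. The array's property declaration starts outside the hunk.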
 
     public function __construct(ConfigurationManager $configurationManager)
@@ -178,8 +181,6 @@ class SilentConfigurationUpgradeService
     public function execute()
     {
         $this->generateEncryptionKeyIfNeeded();
-        $this->configureBackendLoginSecurity();
-        $this->configureFrontendLoginSecurity();
         $this->migrateImageProcessorSetting();
         $this->transferHttpSettings();
         $this->disableImageMagickDetailSettingsIfImageMagickIsDisabled();
@@ -220,44 +221,6 @@ class SilentConfigurationUpgradeService
         }
     }
 
-    /**
-     * This forces 'normal' for backend login security level.
-     *
-     * @throws ConfigurationChangedException
-     */
-    protected function configureBackendLoginSecurity()
-    {
-        try {
-            $currentLoginSecurityLevelValue = $this->configurationManager->getLocalConfigurationValueByPath('BE/loginSecurityLevel');
-            if ($currentLoginSecurityLevelValue !== 'normal') {
-                $this->configurationManager->setLocalConfigurationValueByPath('BE/loginSecurityLevel', 'normal');
-                $this->throwConfigurationChangedException();
-            }
-        } catch (MissingArrayPathException $e) {
-            // If an exception is thrown, the value is not set in LocalConfiguration
-            $this->configurationManager->setLocalConfigurationValueByPath('BE/loginSecurityLevel', 'normal');
-            $this->throwConfigurationChangedException();
-        }
-    }
-
-    /**
-     * Frontend login security is set to normal in case other value is set.
-     *
-     * @throws ConfigurationChangedException
-     */
-    protected function configureFrontendLoginSecurity()
-    {
-        try {
-            $currentLoginSecurityLevelValue = $this->configurationManager->getLocalConfigurationValueByPath('FE/loginSecurityLevel');
-            if ($currentLoginSecurityLevelValue !== 'normal') {
-                $this->configurationManager->setLocalConfigurationValueByPath('FE/loginSecurityLevel', 'normal');
-                $this->throwConfigurationChangedException();
-            }
-        } catch (MissingArrayPathException $e) {
-            // no value set, just ignore
-        }
-    }
-
     /**
      * The encryption key is crucial for securing form tokens
      * and the whole TYPO3 link rendering later on. A random key is set here in
index 53e0753..f69676f 100644 (file)
@@ -477,4 +477,14 @@ return [
             'Feature-93056-NewEventAfterRetrievingUserGroupsRecursively.rst',
         ],
     ],
+    '$GLOBALS[\'TYPO3_CONF_VARS\'][\'BE\'][\'loginSecurityLevel\']' => [
+        'restFiles' => [
+            'Important-94312-RemovedBEloginSecurityLevelAndFEloginSecurityLevelOptions.rst',
+        ],
+    ],
+    '$GLOBALS[\'TYPO3_CONF_VARS\'][\'FE\'][\'loginSecurityLevel\']' => [
+        'restFiles' => [
+            'Important-94312-RemovedBEloginSecurityLevelAndFEloginSecurityLevelOptions.rst',
+        ],
+    ],
 ];
index 36cf19f..f083121 100644 (file)
@@ -77,82 +77,6 @@ class SilentConfigurationUpgradeServiceTest extends UnitTestCase
             ->getMock();
     }
 
-    /**
-     * @test
-     */
-    public function configureBackendLoginSecurity(): void
-    {
-        /** @var $silentConfigurationUpgradeServiceInstance SilentConfigurationUpgradeService|\PHPUnit\Framework\MockObject\MockObject|\TYPO3\TestingFramework\Core\AccessibleObjectInterface */
-        $silentConfigurationUpgradeServiceInstance = $this->getAccessibleMock(
-            SilentConfigurationUpgradeService::class,
-            ['dummy'],
-            [],
-            '',
-            false
-        );
-
-        $currentLocalConfiguration = [
-            ['BE/loginSecurityLevel', 'rsa']
-        ];
-
-        $this->createConfigurationManagerWithMockedMethods(
-            [
-                'getLocalConfigurationValueByPath',
-                'setLocalConfigurationValueByPath',
-            ]
-        );
-        $this->configurationManager->expects(self::once())
-            ->method('getLocalConfigurationValueByPath')
-            ->willReturnMap($currentLocalConfiguration);
-        $this->configurationManager->expects(self::once())
-            ->method('setLocalConfigurationValueByPath')
-            ->with(self::equalTo('BE/loginSecurityLevel'), self::equalTo('normal'));
-
-        $this->expectException(ConfigurationChangedException::class);
-
-        $silentConfigurationUpgradeServiceInstance->_set('configurationManager', $this->configurationManager);
-
-        $silentConfigurationUpgradeServiceInstance->_call('configureBackendLoginSecurity');
-    }
-
-    /**
-     * @test
-     */
-    public function configureFrontendLoginSecurity(): void
-    {
-        /** @var $silentConfigurationUpgradeServiceInstance SilentConfigurationUpgradeService|\PHPUnit\Framework\MockObject\MockObject|\TYPO3\TestingFramework\Core\AccessibleObjectInterface */
-        $silentConfigurationUpgradeServiceInstance = $this->getAccessibleMock(
-            SilentConfigurationUpgradeService::class,
-            ['dummy'],
-            [],
-            '',
-            false
-        );
-
-        $currentLocalConfiguration = [
-            ['FE/loginSecurityLevel', 'rsa']
-        ];
-
-        $this->createConfigurationManagerWithMockedMethods(
-            [
-                'getLocalConfigurationValueByPath',
-                'setLocalConfigurationValueByPath',
-            ]
-        );
-        $this->configurationManager->expects(self::once())
-            ->method('getLocalConfigurationValueByPath')
-            ->willReturnMap($currentLocalConfiguration);
-        $this->configurationManager->expects(self::once())
-            ->method('setLocalConfigurationValueByPath')
-            ->with(self::equalTo('FE/loginSecurityLevel'), self::equalTo('normal'));
-
-        $this->expectException(ConfigurationChangedException::class);
-
-        $silentConfigurationUpgradeServiceInstance->_set('configurationManager', $this->configurationManager);
-
-        $silentConfigurationUpgradeServiceInstance->_call('configureFrontendLoginSecurity');
-    }
-
     /**
      * @test
      */