[FEATURE] ext:saltedpasswords is required and enabled in backend 33/23333/6
authorNicole Cordes <typo3@cordes.co>
Mon, 26 Aug 2013 19:30:14 +0000 (21:30 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Tue, 27 Aug 2013 12:02:09 +0000 (14:02 +0200)
This patch adds saltedpasswords as a required system extension,
forcing salted hashes to be enabled for backend authentication.
The install tool checks settings and adapts them if needed.
Rsaauth is added to the list of recommended extensions
in the install tool extension installation upgrade wizard.

Resolves: #51352
Releases: 6.2
Change-Id: Ifd3b9f195101bcdb083b3bf9db4a74c812f0a709
Reviewed-on: https://review.typo3.org/23333
Reviewed-by: Kai Ole Hartwig
Tested-by: Kai Ole Hartwig
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/install/Classes/Controller/StepController.php
typo3/sysext/install/Classes/Updates/InstallSysExtsUpdate.php
typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
typo3/sysext/saltedpasswords/Documentation/Configuration/Index.rst
typo3/sysext/saltedpasswords/ext_conf_template.txt

index 031d39a..8604ab3 100644 (file)
@@ -108,7 +108,7 @@ class SystemEnvironmentBuilder {
                define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,phpsh,inc,phtml');
 
                // List of extensions required to run the core
-               define('REQUIRED_EXTENSIONS', 'core,backend,frontend,cms,lang,sv,extensionmanager,recordlist,extbase,fluid,cshmanual,install');
+               define('REQUIRED_EXTENSIONS', 'core,backend,frontend,cms,lang,sv,extensionmanager,recordlist,extbase,fluid,cshmanual,install,saltedpasswords');
 
                // Operating system identifier
                // Either "WIN" or empty string
index 1ae1f9a..01959ac 100644 (file)
@@ -236,9 +236,28 @@ return array(
                        't3editor',
                        'felogin',
                        'feedit',
-                       'recycler'
+                       'recycler',
+                       'saltedpasswords',
+               ),
+               'extConf' => array(
+                       'saltedpasswords' => serialize(array(
+                               'checkConfigurationFE' => 0,
+                               'checkConfigurationBE' => 0,
+                               'BE.' => array(
+                                       'saltedPWHashingMethod' => 'TYPO3\\CMS\\Saltedpasswords\\Salt\\PhpassSalt',
+                                       'forceSalted' => 0,
+                                       'onlyAuthService' => 0,
+                                       'updatePasswd' => 1,
+                               ),
+                               'FE.' => array(
+                                       'enabled' => 0,
+                                       'saltedPWHashingMethod' => 'TYPO3\\CMS\\Saltedpasswords\\Salt\\PhpassSalt',
+                                       'forceSalted' => 0,
+                                       'onlyAuthService' => 0,
+                                       'updatePasswd' => 1,
+                               ),
+                       )),
                ),
-               'extConf' => array()
        ),
        'BE' => array(
                // Backend Configuration.
index 13318d6..ce14d82 100644 (file)
@@ -105,6 +105,8 @@ class StepController extends AbstractController {
                $this->executeOrOutputFirstInstallStepIfNeeded();
                $this->removeObsoleteLocalConfigurationSettings();
                $this->generateEncryptionKeyIfNeeded();
+               $this->configureBackendLoginSecurity();
+               $this->configureSaltedpasswords();
                $this->initializeSession();
                $this->checkSessionToken();
                $this->checkSessionLifetime();
@@ -381,5 +383,60 @@ class StepController extends AbstractController {
                        $this->redirect();
                }
        }
+
+       /**
+        * "Silent" upgrade: Backend login security is set to rsa if rsaauth
+        * is installed (but not used) otherwise the default value "normal" has to be used.
+        *
+        * @return void
+        */
+       protected function configureBackendLoginSecurity() {
+               if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('rsaauth')
+                       && $GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'] !== 'rsa')
+               {
+                       $configurationManager = $this->objectManager->get('TYPO3\\CMS\\Core\\Configuration\\ConfigurationManager');
+                       $configurationManager->setLocalConfigurationValueByPath('BE/loginSecurityLevel', 'rsa');
+                       $this->redirect();
+               } elseif (!\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('rsaauth')
+                       && $GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'] !== 'normal'
+               ) {
+                       $configurationManager = $this->objectManager->get('TYPO3\\CMS\\Core\\Configuration\\ConfigurationManager');
+                       $configurationManager->setLocalConfigurationValueByPath('BE/loginSecurityLevel', 'normal');
+                       $this->redirect();
+               }
+       }
+
+       /**
+        * "Silent" upgrade: Check the settings for saltedpasswords extension to
+        * load it as a required extension.
+        *
+        * @return void
+        */
+       protected function configureSaltedpasswords() {
+               $configurationManager = $this->objectManager->get('TYPO3\\CMS\\Core\\Configuration\\ConfigurationManager');
+               $defaultConfiguration = $configurationManager->getDefaultConfiguration();
+               $defaultExtensionConfiguration = unserialize($defaultConfiguration['EXT']['extConf']['saltedpasswords']);
+               $extensionConfiguration = @unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords']);
+               if (is_array($extensionConfiguration) && !empty($extensionConfiguration)) {
+                       if (isset($extensionConfiguration['BE.']['enabled'])) {
+                               if ($extensionConfiguration['BE.']['enabled']) {
+                                       unset($extensionConfiguration['BE.']['enabled']);
+                               } else {
+                                       $extensionConfiguration['BE.'] = $defaultExtensionConfiguration['BE.'];
+                               }
+                               $configurationManager->setLocalConfigurationValueByPath(
+                                       'EXT/extConf/saltedpasswords',
+                                       serialize($extensionConfiguration)
+                               );
+                               $this->redirect();
+                       }
+               } else {
+                       $configurationManager->setLocalConfigurationValueByPath(
+                               'EXT/extConf/saltedpasswords',
+                               serialize($defaultExtensionConfiguration)
+                       );
+                       $this->redirect();
+               }
+       }
 }
 ?>
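Review bot: configureBackendLoginSecurity resets every loginSecurityLevel other than 'normal' when rsaauth is not loaded, which also silently downgrades an installation that still had 'superchallenged'; the docblock says only that "normal" has to be used, not why, so the reset reads like a lost setting. Suggested addition to that docblock: `Salted hashes cannot answer the challenge-response levels, so once saltedpasswords is required only "normal" (ideally with lockSSL) and "rsa" are valid.` The closing parenthesis of the first multi-line condition sits alone on its line while the elseif uses `) {`; the second form matches the rest of the hunk. In configureSaltedpasswords the `@` on unserialize only hides an undefined-index notice, since the is_array guard already covers a failed unserialize; checking `isset($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords'])` first lets the suppression go.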
index f84ff81..4d5f2e3 100644 (file)
@@ -61,6 +61,7 @@ class InstallSysExtsUpdate extends AbstractUpdate {
                'scheduler',
                'simulatestatic',
                'documentation',
+               'rsaauth',
        );
 
        /**
index a372189..b663ad2 100644 (file)
@@ -147,95 +147,90 @@ your TYPO3 installation and the usability of the backend.';
                // The backend is called over SSL
                $SSL = ($GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] > 0 ? TRUE : FALSE) && $GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'] != 'superchallenged';
                $rsaAuthLoaded = \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('rsaauth');
-               if ($extConf['enabled']) {
-                       // SSL configured?
-                       if ($SSL) {
-                               $this->setErrorLevel('ok');
-                               $problems[] = 'The backend is configured to use SaltedPasswords over SSL.';
-                       } elseif ($rsaAuthLoaded) {
-                               if (trim($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']) === 'rsa') {
-                                       if ($this->isRsaAuthBackendAvailable()) {
-                                               $this->setErrorLevel('ok');
-                                               $problems[] = 'The backend is configured to use SaltedPasswords with RSA authentication.';
-                                       } else {
-                                               // This means that login would fail because rsaauth is not working properly
-                                               $this->setErrorLevel('error');
-                                               $problems[] = '<strong>Using the extension "rsaauth" is not possible, as no encryption backend ' . 'is available. Please install and configure the PHP extension "openssl". ' . 'See <a href="http://php.net/manual/en/openssl.installation.php" target="_blank">PHP.net</a></strong>.';
-                                       }
+               // SSL configured?
+               if ($SSL) {
+                       $this->setErrorLevel('ok');
+                       $problems[] = 'The backend is configured to use SaltedPasswords over SSL.';
+               } elseif ($rsaAuthLoaded) {
+                       if (trim($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']) === 'rsa') {
+                               if ($this->isRsaAuthBackendAvailable()) {
+                                       $this->setErrorLevel('ok');
+                                       $problems[] = 'The backend is configured to use SaltedPasswords with RSA authentication.';
                                } else {
-                                       // This means that we are not using saltedpasswords
+                                       // This means that login would fail because rsaauth is not working properly
                                        $this->setErrorLevel('error');
-                                       $problems[] = 'The "rsaauth" extension is installed, but TYPO3 is not configured to use it during login.
-                                               Use the Install Tool to set the Login Security Level for the backend to "rsa"
-                                               ($TYPO3_CONF_VARS[\'BE\'][\'loginSecurityLevel\'])';
+                                       $problems[] = '<strong>Using the extension "rsaauth" is not possible, as no encryption backend ' .
+                                               'is available. Please install and configure the PHP extension "openssl". ' .
+                                               'See <a href="http://php.net/manual/en/openssl.installation.php" target="_blank">PHP.net</a></strong>.';
                                }
                        } else {
-                               // This means that we are not using saltedpasswords
-                               $this->setErrorLevel('error');
-                               $problems[] = 'Backend requirements for SaltedPasswords are not met, therefore the
-authentication will not work even if it was explicitly enabled for backend
-usage:<br />
+                               // This means that rsaauth is enabled but not used
+                               $this->setErrorLevel('warning');
+                               $problems[] = 'The "rsaauth" extension is installed, but TYPO3 is not configured to use it during login.
+                                       Use the Install Tool to set the Login Security Level for the backend to "rsa"
+                                       ($TYPO3_CONF_VARS[\'BE\'][\'loginSecurityLevel\'])';
+                       }
+               } else {
+                       // This means that we don't use any encryption method
+                       $this->setErrorLevel('warning');
+                       $problems[] = 'SaltedPasswords is used without any transfer encryption, this means your passwords are sent in plain text.
+Please install rsaauth to secure your passwords submits.<br />
 <ul>
-       <li>Install the "rsaauth" extension and use the Install Tool to set the
-               Login Security Level for the backend to "rsa"
-               ($TYPO3_CONF_VARS[\'BE\'][\'loginSecurityLevel\'])</li>
+<li>Install the "rsaauth" extension and use the Install Tool to set the
+       Login Security Level for the backend to "rsa"
+       ($TYPO3_CONF_VARS[\'BE\'][\'loginSecurityLevel\'])</li>
 
-       <li>If you have the option to use SSL, you can also configure your
-               backend for SSL usage:<br />
-               Use the Install Tool to set the Security-Level for the backend
-               to "normal" ($TYPO3_CONF_VARS[\'BE\'][\'loginSecurityLevel\']) and
-               the SSL-locking option to a value greater than "0"
-               (see description - $TYPO3_CONF_VARS[\'BE\'][\'lockSSL\'])</li>
+<li>If you have the option to use SSL, you can also configure your
+       backend for SSL usage:<br />
+       Use the Install Tool to set the Security-Level for the backend
+       to "normal" ($TYPO3_CONF_VARS[\'BE\'][\'loginSecurityLevel\']) and
+       the SSL-locking option to a value greater than "0"
+       (see description - $TYPO3_CONF_VARS[\'BE\'][\'lockSSL\'])</li>
 </ul>
 <br />
 It is also possible to use "lockSSL" and "rsa" Login Security Level at the same
 time.';
-                       }
-                       // Only saltedpasswords as authsservice
-                       if ($extConf['onlyAuthService']) {
-                               // Warn user that the combination with "forceSalted" may lock him out from Backend
-                               if ($extConf['forceSalted']) {
-                                       $this->setErrorLevel('warning');
-                                       $problems[] = 'SaltedPasswords has been configured to be the only authentication service for
+               }
+               // Only saltedpasswords as authsservice
+               if ($extConf['onlyAuthService']) {
+                       // Warn user that the combination with "forceSalted" may lock him out from Backend
+                       if ($extConf['forceSalted']) {
+                               $this->setErrorLevel('warning');
+                               $problems[] = 'SaltedPasswords has been configured to be the only authentication service for
 the backend. Additionally, usage of salted passwords is enforced (forceSalted).
 The result is that there is no chance to login with users not having a salted
 password hash.<br />
 <strong><i>WARNING:</i></strong> This may lock you out of the backend!';
-                               } else {
-                                       // Inform the user that things like openid won't work anymore
-                                       $this->setErrorLevel('info');
-                                       $problems[] = 'SaltedPasswords has been configured to be the only authentication service for
+                       } else {
+                               // Inform the user that things like openid won't work anymore
+                               $this->setErrorLevel('info');
+                               $problems[] = 'SaltedPasswords has been configured to be the only authentication service for
 the backend. This means that other services like "ipauth", "openid", etc. will
 be ignored (except "rsauth", which is implicitely used).';
-                               }
                        }
-                       // forceSalted is set
-                       if ($extConf['forceSalted'] && !$extConf['onlyAuthService']) {
-                               $this->setErrorLevel('info');
-                               $problems[] = 'SaltedPasswords has been configured to enforce salted passwords (forceSalted).
+               }
+               // forceSalted is set
+               if ($extConf['forceSalted'] && !$extConf['onlyAuthService']) {
+                       $this->setErrorLevel('info');
+                       $problems[] = 'SaltedPasswords has been configured to enforce salted passwords (forceSalted).
 <br />
 This means that only passwords in the format of this extension will succeed for
 login.<br />
 <strong><i>IMPORTANT:</i></strong> This has the effect that passwords that are set from
 the Install Tool will not work!';
-                       }
-                       // updatePasswd wont work with "forceSalted"
-                       if ($extConf['updatePasswd'] && $extConf['forceSalted']) {
-                               $this->setErrorLevel('error');
-                               $problems[] = 'SaltedPasswords is configured wrong and will not work as expected:<br />
+               }
+               // updatePasswd wont work with "forceSalted"
+               if ($extConf['updatePasswd'] && $extConf['forceSalted']) {
+                       $this->setErrorLevel('error');
+                       $problems[] = 'SaltedPasswords is configured wrong and will not work as expected:<br />
 It is not possible to set "updatePasswd" and "forceSalted" at the same time.
 Please disable either one of them.';
-                       }
-                       // Check if the configured hash-method is available on system
-                       if (!($instance = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE') || !$instance->isAvailable())) {
-                               $this->setErrorLevel('error');
-                               $problems[] = 'The selected method for hashing your salted passwords is not available on this
-system! Please check your configuration.';
-                       }
-               } else {
-                       // Not enabled warning
+               }
+               // Check if the configured hash-method is available on system
+               if (!($instance = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE') || !$instance->isAvailable())) {
                        $this->setErrorLevel('error');
-                       $problems[] = 'SaltedPasswords has been disabled for backend users.';
+                       $problems[] = 'The selected method for hashing your salted passwords is not available on this
+system! Please check your configuration.';
                }
                $this->problems = $problems;
                return $this->renderFlashMessage();
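Review bot: The hash-method availability check near the end of the hunk never fires: in `if (!($instance = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE') || !$instance->isAvailable()))` the `||` binds before `=`, so $instance receives a boolean, isAvailable() is only reached when getSaltingInstance() returned nothing (and then runs on an undefined variable), and an unavailable hashing method is reported as fine. The line was merely re-indented by this commit, but it is the check the install tool relies on to surface a broken configuration. Split it into `$instance = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL, 'BE');` followed by `if (!$instance || !$instance->isAvailable()) {`. The new message text `Please install rsaauth to secure your passwords submits.` reads oddly; `to secure your password submissions` is clearer. The enclosing method begins and ends outside the hunk.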
index 88def29..0cf80aa 100644 (file)
@@ -128,8 +128,8 @@ class SaltedPasswordsUtility {
                // Login Security Level Recognition
                $extConf = self::returnExtConf($mode);
                $securityLevel = $GLOBALS['TYPO3_CONF_VARS'][$mode]['loginSecurityLevel'];
-               if ($mode == 'BE' && $extConf['enabled']) {
-                       return $securityLevel == 'normal' && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] > 0 || $securityLevel == 'rsa';
+               if ($mode == 'BE') {
+                       return TRUE;
                } elseif ($mode == 'FE' && $extConf['enabled']) {
                        return \TYPO3\CMS\Core\Utility\GeneralUtility::inList('normal,rsa', $securityLevel);
                }
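Review bot: The new `if ($mode == 'BE') { return TRUE; }` drops the previous lockSSL/rsa transport check for the backend without saying where that guarantee now lives; `$securityLevel` is still computed two lines above but is no longer read for BE. A short comment would keep the check from being reintroduced or the early return from being read as an oversight: `// BE: saltedpasswords is a required extension as of 6.2; the install tool (configureBackendLoginSecurity) normalises loginSecurityLevel to "normal" or "rsa", so no transport check is needed here`. As the comparison is against a literal, `$mode === 'BE'` is the strict form. The enclosing method starts and ends outside the hunk.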
index 23cbb1b..446f956 100644 (file)
@@ -39,13 +39,6 @@ Defines hashing method to use for TYPO3 frontend.
 
 ::
 
-   # Enable BE (boolean)
-   BE.enabled = 1
-
-Enables usage of salted user password records for the TYPO3 backend
-
-::
-
    # Hashing method for the backend (list)
    BE.saltedPWHashingMethod = tx_saltedpasswords_salts_phpass (Portable PHP password hashing)
 
index 4b4fd95..08ea547 100644 (file)
@@ -10,9 +10,6 @@ FE.enabled = 1
 # cat=Basic/enable; type=user[EXT:saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php:TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->buildHashMethodSelectorFE]; label=Hashing method for the frontend: Defines salted hashing method to use. Choose "Portable PHP password hashing" to stay compatible with other CMS (e.g. Drupal, Wordpress). Choose "MD5 salted hashing" to reuse TYPO3 passwords for OS level authentication (other servers could use TYPO3 passwords). Choose "Blowfish salted hashing" for advanced security to reuse passwords on OS level (Blowfish might not be supported on your system TODO).
 FE.saltedPWHashingMethod = tx_saltedpasswords_salts_phpass
 
-# cat=Basic/enable; type=boolean; label=Enable BE: Enable SaltedPasswords in the backend
-BE.enabled = 1
-
 # cat=Basic/enable; type=user[EXT:saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php:TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->buildHashMethodSelectorBE]; label=Hashing method for the backend: Defines salted hashing method to use. Choose "Portable PHP password hashing" to stay compatible with other CMS (e.g. Drupal, Wordpress). Choose "MD5 salted hashing" to reuse TYPO3 passwords for OS level authentication (other servers could use TYPO3 passwords). Choose "Blowfish salted hashing" for advanced security to reuse passwords on OS level (Blowfish might not be supported on your system TODO).
 BE.saltedPWHashingMethod = tx_saltedpasswords_salts_phpass