[TASK] Recommend lockSSL option in reports module 98/57298/5
authorJosef Glatz <josefglatz@gmail.com>
Fri, 22 Jun 2018 13:53:33 +0000 (15:53 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Fri, 22 Jun 2018 23:04:03 +0000 (01:04 +0200)
Introduce a new status for $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'].

The new check is only shown if the backend is accessed through
HTTPS.

The information about the usage of ext:rsaauth is removed from
the ext:saltedpasswords status message, because ext:rsaauth is
marked as deprecated.

Resolves: #85343
Releases: master
Change-Id: I3e78a94adec7d113c7fe43d18690ef822a99768d
Reviewed-on: https://review.typo3.org/57298
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/reports/Resources/Private/Language/locallang_reports.xlf
typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
typo3/sysext/saltedpasswords/Resources/Private/Language/locallang.xlf

index 42bbf85..e5d1036 100644 (file)
@@ -55,6 +55,10 @@ class SecurityStatus implements RequestAwareStatusProviderInterface
 
         if ($request !== null) {
             $statuses['encryptedConnectionStatus'] = $this->getEncryptedConnectionStatus($request);
+            $lockSslStatus = $this->getLockSslStatus($request);
+            if ($lockSslStatus) {
+                $statuses['getLockSslStatus'] = $lockSslStatus;
+            }
         }
 
         return $statuses;
@@ -85,6 +89,32 @@ class SecurityStatus implements RequestAwareStatusProviderInterface
     }
 
     /**
+     * @param ServerRequestInterface $request
+     * @return ReportStatus
+     */
+    protected function getLockSslStatus(ServerRequestInterface $request): ?ReportStatus
+    {
+        /** @var \TYPO3\CMS\Core\Http\NormalizedParams $normalizedParams */
+        $normalizedParams = $request->getAttribute('normalizedParams');
+
+        if ($normalizedParams->isHttps()) {
+            $value = $this->getLanguageService()->getLL('status_ok');
+            $message = '';
+            $severity = ReportStatus::OK;
+
+            if (!$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL']) {
+                $value = $this->getLanguageService()->getLL('status_insecure');
+                $message = $this->getLanguageService()->getLL('status_lockSslStatus_insecure');
+                $severity = ReportStatus::WARNING;
+            }
+
+            return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_lockSslStatus'), $value, $message, $severity);
+        }
+
+        return null;
+    }
+
+    /**
      * Checks if the trusted hosts pattern check is disabled.
      *
      * @return ReportStatus An object representing whether the check is disabled
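Review bot: The docblock on the new getLockSslStatus() declares `@return ReportStatus` while the signature returns `?ReportStatus`, and the null case (request not received over HTTPS, so the lockSSL recommendation is not applicable) is undocumented; use `@return ReportStatus|null Null when the request did not arrive over HTTPS, i.e. the check is not applicable`. The method also calls `isHttps()` on whatever `getAttribute('normalizedParams')` returns without checking it; if that attribute can be absent on some requests, this is a fatal error inside the reports module, so a guard such as `if (!$normalizedParams instanceof \TYPO3\CMS\Core\Http\NormalizedParams || !$normalizedParams->isHttps()) { return null; }` at the top would both protect against that and turn the remaining body into straight-line code. In the first hunk of this file the array key `$statuses['getLockSslStatus']` is named after the method rather than the status, unlike the sibling `encryptedConnectionStatus` on the line above it; `$statuses['lockSslStatus']` keeps the keys consistent.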
index d2c0ca7..2b69fe4 100644 (file)
                        <trans-unit id="status_encryptedConnectionStatus_insecure">
                                <source>Your backend access is not secured using HTTPS but relies on HTTP which sends all your data (including login passwords) over an insecure connection. All modern web sites should rely on HTTPS and only sites secured differently, for instance some intranet installations may use HTTP only.</source>
                        </trans-unit>
+                       <trans-unit id="status_lockSslStatus">
+                               <source>Backend only accessible through HTTPS</source>
+                       </trans-unit>
+                       <trans-unit id="status_lockSslStatus_insecure">
+                               <source><![CDATA[It is highly recommended to activate the option (<code>$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL']</code>).]]></source>
+                       </trans-unit>
                        <trans-unit id="status_trustedHostsPattern">
                                <source>Trusted Hosts Pattern</source>
                        </trans-unit>
index 7edb5e6..685c373 100644 (file)
@@ -192,17 +192,7 @@ class ExtensionManagerConfigurationUtility
                 $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.backendSecurityLevelNotRsa');
             }
         } else {
-            // This means that we don't use any encryption method
-            $this->setErrorLevel('warning');
-            $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.rsaInstructionsIntro') . '<br />
-                               <ul>
-                               <li>' . $lang->getLL('ext.saltedpasswords.configuration.message.rsaInstructionsFirstItem') . '</li>
-
-                               <li>' . nl2br($lang->getLL('ext.saltedpasswords.configuration.message.rsaInstructionsSecondItem')) .
-                '</li>
-                               </ul>
-                               <br />
-                               ' . $lang->getLL('ext.saltedpasswords.configuration.message.rsaInstructionsFootnote');
+            $this->setErrorLevel('ok');
         }
         // Only saltedpasswords as authsservice
         if ($extConf['onlyAuthService']) {
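Review bot: The else branch now reports 'ok' where it previously warned that password submits happen without transport encryption, and nothing in this method tells the administrator where that concern is checked now; a comment such as `// Transport security of the login (HTTPS / lockSSL) is reported by the reports module's SecurityStatus, not here` above the added `$this->setErrorLevel('ok');` would preserve that link for the next maintainer. If setErrorLevel() overwrites rather than escalates the level, the added call could also reset a level chosen earlier in the method; the method begins and ends outside the hunk, so this cannot be confirmed from the visible lines.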
index 386a3a6..608993f 100644 (file)
                        <trans-unit id="ext.saltedpasswords.configuration.message.backendSecurityLevelNotRsa">
                                <source>The "rsaauth" extension is installed, but TYPO3 is not configured to use it during login. Use the Install Tool to set the Login Security Level for the backend to "rsa" ($TYPO3_CONF_VARS['BE']['loginSecurityLevel'])</source>
                        </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.rsaInstructionsIntro">
-                               <source>SaltedPasswords is used without any transfer encryption, this means your passwords are sent in plain text. Please install rsaauth to secure your passwords submits.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.rsaInstructionsFirstItem">
-                               <source>Install the "rsaauth" extension and use the Install Tool to set the Login Security Level for the backend to "rsa" ($TYPO3_CONF_VARS['BE']['loginSecurityLevel'])</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.rsaInstructionsSecondItem" xml:space="preserve">
-                               <source>If you have the option to use SSL, you can also configure your backend for SSL usage:
-Use the Install Tool to set the Security-Level for the backend to "normal" ($TYPO3_CONF_VARS['BE']['loginSecurityLevel']) and the SSL-locking option to a value greater than "0" (see description - $TYPO3_CONF_VARS['BE']['lockSSL'])</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.rsaInstructionsFootnote">
-                               <source>It is also possible to use "lockSSL" and "rsa" Login Security Level at the same time.</source>
-                       </trans-unit>
                        <trans-unit id="ext.saltedpasswords.configuration.message.warningForceSalted">
                                <source>SaltedPasswords has been configured to be the only authentication service for the backend. Additionally, usage of salted passwords is enforced (forceSalted). The result is that there is no chance to login with users not having a salted password hash.</source>
                        </trans-unit>