[TASK] Drop salted passwords configuration options 25/57725/9
authorChristian Kuhn <lolli@schwarzbu.ch>
Sun, 29 Jul 2018 21:26:23 +0000 (23:26 +0200)
committerAndreas Fernandez <a.fernandez@scripting-base.de>
Tue, 31 Jul 2018 11:54:21 +0000 (13:54 +0200)
In order to prepare the saltedpasswords extension to be implemented
as a library into the core directly, a series of configuration
options is dropped from the extension:

* FE.forceSalted & BE.forceSalted (default 0)
  Setting this to 1 disabled upgrading non-salted user password
  to salted passwords and denied login. The option is dropped, but
  only passwords that have been upgraded from simple md5 or plaintext
  in v8 are allowed to login and will get their password upgraded.

* FE.updatePasswd & BE.updatePasswd (default 1)
  Setting this to 0 disabled upgrading one salted password to
  another. This is dropped: Passwords will now always be upgraded
  to the currently configured hash algorithm if the currently used
  algorithm does no match the configured one.

* FE.onlyAuthService & BE.onlyAuthService (default 0)
  Setting this to 1 allowed stopping the authentication chain if
  the salted passwords did not verify a password. This setting is
  pretty useless since it can be expected that any sane authentication
  provider kicks in before the native salted passwords authentication.
  We found not a single usage of that flag in TER.

* checkConfigurationFE & checkConfigurationFE2
  & checkConfigurationBE & checkConfigurationBE2
  These configuration user function have been responsible to check
  various combinations of valid and invalid salted passwords
  combinations. This is obsolete with removing the other options and the
  deprecated rsaauth extension. An install tool preset for sane options
  and according warnings will be set up to establish better usability
  from an administrator point of view as soon as this patch is done.

The only option left is the main "saltedPWHashingMethod". This will
be transferred to an install tool preset including best option selection
during installation in a next step.

Resolves: #85683
Releases: master
Change-Id: I7e8150ba9bc8b36f59d08ca5cadeb547e1301f67
Reviewed-on: https://review.typo3.org/57725
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
12 files changed:
typo3/sysext/core/Classes/Configuration/ExtensionConfiguration.php
typo3/sysext/core/Documentation/Changelog/master/Important-85683-DoppedSaltedpasswordOptions.rst [new file with mode: 0644]
typo3/sysext/core/Tests/Unit/Configuration/ExtensionConfigurationTest.php
typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
typo3/sysext/saltedpasswords/Documentation/Configuration/Index.rst
typo3/sysext/saltedpasswords/Resources/Private/Language/locallang.xlf
typo3/sysext/saltedpasswords/Resources/Private/Language/locallang_em.xlf
typo3/sysext/saltedpasswords/Tests/Unit/Salt/SaltFactoryTest.php
typo3/sysext/saltedpasswords/ext_conf_template.txt

index c79e2db..207fc4b 100644 (file)
@@ -100,8 +100,8 @@ class ExtensionConfiguration
      * ->get('myExtension');
      *
      * // Get a nested config value if the path is a "TypoScript" a-like sub-path
-     * // in ext_conf_template.txt "FE.forceSalted = defaultValue"
-     * ->get('myExtension', 'FE/forceSalted')
+     * // in ext_conf_template.txt "topLevelKey.subLevelKey = defaultValue"
+     * ->get('myExtension', 'topLevelKey/subLevelKey')
      *
      * Notes:
      * - If a configuration or configuration path of an extension is not found, the
@@ -310,8 +310,7 @@ class ExtensionConfiguration
     /**
      * The old EXT/extConf layer had '.' (dots) at the end of all nested array keys. This is created here
      * to keep EXT/extConf format compatible with old not yet adapted extensions.
-     * Most prominent usage is ext:saltedpasswords which uses sub keys like FE.forceSalted and BE.forceSalted,
-     * but extensions may rely on ending dots if using legacy unserialize() on their extensions, too.
+     * But extensions may rely on ending dots if using legacy unserialize() on their extensions, too.
      *
      * A EXTENSIONS array like:
      * TYPO3_CONF_VARS['EXTENSIONS']['someExtension'] => [
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Important-85683-DoppedSaltedpasswordOptions.rst b/typo3/sysext/core/Documentation/Changelog/master/Important-85683-DoppedSaltedpasswordOptions.rst
new file mode 100644 (file)
index 0000000..08abfc8
--- /dev/null
@@ -0,0 +1,40 @@
+.. include:: ../../Includes.txt
+
+====================================================
+Important: #85026 - Dropped salted passwords options
+====================================================
+
+See :issue:`85683`
+
+Description
+===========
+
+Some extension configuration of the salted passwords extension have been dropped:
+
+- FE.forceSalted and BE.forceSalted
+  By explicitly setting forceSalted to 1 (default 0) in the saltedpasswords extension configuration, it was possible to
+  deny login of users who had not stored their password as salted password yet. This option has been removed.
+  User who have been upgraded to salted passwords using the "Convert user passwords to salted hashes" from
+  core version 8 are still able to login and will get their passwords updated to the configured salted password
+  mechanism upon first successful login. This upgrade will be dropped in core version 10. Other non salted passwords
+  mechanisms (simple md5 or plaintext) will however lead to a failed login. Administrators who did not yet upgrade
+  their user base to salted passwords must perform the "Convert user passwords to salted hashes" in core
+  version 7 or version 8 before upgrading to v9.
+
+- FE.updatePasswd and BE.updatePasswd
+  By explicitly setting updatePasswd to 0 (default 1) in the saltedpasswords extension configuration, it was possible
+  to not update a given hashed password to the currently configured has algorithm, but still allow login. This has
+  been dropped: A user submitting a valid password using an old salted passwords algorithm that is no longer configured
+  as current salted passwords algorithm will always get his password updated and stored using the currently
+  configured password salt.
+
+- FE.onlyAuthService and BE.onlyAuthService
+  By explicitly setting onlyAuthService to 1 (default 0), it was possible to deny any further authentication service
+  to successfully validate a user. This setting is mostly useless since any different authentication service is usually
+  configured to kick in before the native TYPO3 internal authentication service. It does not make sense to have this toggle
+  and a search in open extensions revealed no usage. On upgrading to v9, if you are running additional authentication services,
+  please verify those have a higher priority than the default :php:`SaltedPasswordService`, actions are only needed if
+  additionally onlyAuthService has been set to 1 in salted passwords configuration, which is probably never the case.
+
+
+.. index:: Backend, Database, Frontend, ext:saltedpasswords
index 2c6b6e4..6086426 100644 (file)
@@ -122,18 +122,18 @@ class ExtensionConfigurationTest extends UnitTestCase
         $configurationManagerProphecy = $this->prophesize(ConfigurationManager::class);
         GeneralUtility::addInstance(ConfigurationManager::class, $configurationManagerProphecy->reveal());
         $nestedInput = [
-            'FE' => [
-                'forceSalted' => true,
+            'TopLevelKey' => [
+                'subLevelKey' => true,
             ]
         ];
         $expectedLegacyExtConf = [
-            'FE.' => [
-                'forceSalted' => true,
+            'TopLevelKey.' => [
+                'subLevelKey' => true,
             ]
         ];
         $configurationManagerProphecy->setLocalConfigurationValueByPath(Argument::cetera())->shouldBeCalled();
-        $configurationManagerProphecy->setLocalConfigurationValueByPath('EXT/extConf', ['saltedPasswords' => serialize($expectedLegacyExtConf)])->shouldBeCalled();
-        (new ExtensionConfiguration())->set('saltedPasswords', '', $nestedInput);
+        $configurationManagerProphecy->setLocalConfigurationValueByPath('EXT/extConf', ['someExtension' => serialize($expectedLegacyExtConf)])->shouldBeCalled();
+        (new ExtensionConfiguration())->set('someExtension', '', $nestedInput);
     }
 
     /**
index e5d1036..ca0d8ab 100644 (file)
@@ -19,13 +19,10 @@ use Psr\Http\Message\ServerRequestInterface;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
 use TYPO3\CMS\Core\Localization\LanguageService;
-use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Reports\RequestAwareStatusProviderInterface;
 use TYPO3\CMS\Reports\Status as ReportStatus;
 use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;
-use TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility;
-use TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility;
 
 /**
  * Performs several checks about the system's health
@@ -50,7 +47,6 @@ class SecurityStatus implements RequestAwareStatusProviderInterface
             'adminUserAccount' => $this->getAdminAccountStatus(),
             'fileDenyPattern' => $this->getFileDenyPatternStatus(),
             'htaccessUpload' => $this->getHtaccessUploadStatus(),
-            'saltedpasswords' => $this->getSaltedPasswordsStatus(),
         ];
 
         if ($request !== null) {
@@ -247,58 +243,6 @@ class SecurityStatus implements RequestAwareStatusProviderInterface
     }
 
     /**
-     * Checks whether salted Passwords are configured or not.
-     *
-     * @return ReportStatus An object representing the security of the saltedpassswords extension
-     */
-    protected function getSaltedPasswordsStatus(): ReportStatus
-    {
-        $value = $this->getLanguageService()->getLL('status_ok');
-        $severity = ReportStatus::OK;
-        /** @var ExtensionManagerConfigurationUtility $configCheck */
-        $configCheck = GeneralUtility::makeInstance(ExtensionManagerConfigurationUtility::class);
-        $message = '<p>' . $this->getLanguageService()->getLL('status_saltedPasswords_infoText') . '</p>';
-        $messageDetail = '';
-        $resultCheck = $configCheck->checkConfigurationBackend([]);
-
-        switch ($resultCheck['errorType']) {
-            case FlashMessage::INFO:
-                $messageDetail .= $resultCheck['html'];
-                break;
-            case FlashMessage::WARNING:
-                $severity = ReportStatus::WARNING;
-                $messageDetail .= $resultCheck['html'];
-                break;
-            case FlashMessage::ERROR:
-                $value = $this->getLanguageService()->getLL('status_insecure');
-                $severity = ReportStatus::ERROR;
-                $messageDetail .= $resultCheck['html'];
-                break;
-            default:
-        }
-
-        $unsecureUserCount = SaltedPasswordsUtility::getNumberOfBackendUsersWithInsecurePassword();
-
-        if ($unsecureUserCount > 0) {
-            $value = $this->getLanguageService()->getLL('status_insecure');
-            $severity = ReportStatus::ERROR;
-            $messageDetail .= '<div class="panel panel-warning">' .
-                '<div class="panel-body">' .
-                    $this->getLanguageService()->getLL('status_saltedPasswords_notAllPasswordsHashed') .
-                '</div>' .
-            '</div>';
-        }
-
-        $message .= $messageDetail;
-
-        if (empty($messageDetail)) {
-            $message = '';
-        }
-
-        return GeneralUtility::makeInstance(ReportStatus::class, $this->getLanguageService()->getLL('status_saltedPasswords'), $value, $message, $severity);
-    }
-
-    /**
      * @return LanguageService
      */
     protected function getLanguageService(): LanguageService
index 3caeea0..21d4a02 100644 (file)
@@ -18,6 +18,7 @@ use TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\TimeTracker\TimeTracker;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Saltedpasswords\Salt\SaltFactory;
 
 /**
  * Class implements salted-password hashes authentication service.
@@ -89,7 +90,7 @@ class SaltedPasswordService extends AbstractAuthenticationService
         $validPasswd = false;
         $password = $loginData['uident_text'];
         // Determine method used for given salted hashed password
-        $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($user['password']);
+        $this->objInstanceSaltedPW = SaltFactory::getSaltingInstance($user['password']);
         // Existing record is in format of Salted Hash password
         if (is_object($this->objInstanceSaltedPW)) {
             $validPasswd = $this->objInstanceSaltedPW->checkPassword($password, $user['password']);
@@ -103,41 +104,32 @@ class SaltedPasswordService extends AbstractAuthenticationService
             // Test for wrong salted hashing method (only if current method is not related to default method)
             if ($validPasswd && get_class($this->objInstanceSaltedPW) !== $defaultHashingClassName && !is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName)) {
                 // Instantiate default method class
-                $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null);
+                $this->objInstanceSaltedPW = SaltFactory::getSaltingInstance(null);
                 $this->updatePassword((int)$user['uid'], ['password' => $this->objInstanceSaltedPW->getHashedPassword($password)]);
             }
             if ($validPasswd && !$skip && $this->objInstanceSaltedPW->isHashUpdateNeeded($user['password'])) {
                 $this->updatePassword((int)$user['uid'], ['password' => $this->objInstanceSaltedPW->getHashedPassword($password)]);
             }
-        } elseif (!(int)$this->extConf['forceSalted']) {
+        } else {
             // Stored password is in deprecated salted hashing method
             $hashingMethod = substr($user['password'], 0, 2);
-            if ($hashingMethod === 'C$' || $hashingMethod === 'M$') {
+            if ($hashingMethod === 'M$') {
                 // Instantiate default method class
-                $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(substr($user['password'], 1));
-                // md5
-                if ($hashingMethod === 'M$') {
-                    $validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));
-                } else {
-                    $validPasswd = $this->objInstanceSaltedPW->checkPassword($password, substr($user['password'], 1));
-                }
-                // Skip further authentication methods
-                if (!$validPasswd) {
-                    $this->authenticationFailed = true;
-                }
-            } elseif (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
-                $validPasswd = hash_equals(md5($password), (string)$user['password']);
+                $this->objInstanceSaltedPW = SaltFactory::getSaltingInstance(substr($user['password'], 1));
+                // md5 passwords that have been upgraded to salted passwords using old scheduler task
+                // @todo: The entire 'else' should be dropped in v10, admins had to upgrade users to salted passwords with v8 latest since the
+                // @todo: scheduler task has been dropped with v9, users should have had logged in in v9 era, this fallback is obsolete with v10.
+                $validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));
+
                 // Skip further authentication methods
                 if (!$validPasswd) {
                     $this->authenticationFailed = true;
                 }
-            } else {
-                $validPasswd = (string)$password !== '' && hash_equals((string)$user['password'], (string)$password);
             }
-            // Should we store the new format value in DB?
-            if ($validPasswd && (int)$this->extConf['updatePasswd']) {
+            // Upgrade to a sane salt mechanism if password was correct
+            if ($validPasswd) {
                 // Instantiate default method class
-                $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null);
+                $this->objInstanceSaltedPW = SaltFactory::getSaltingInstance(null);
                 $this->updatePassword((int)$user['uid'], ['password' => $this->objInstanceSaltedPW->getHashedPassword($password)]);
             }
         }
@@ -166,7 +158,7 @@ class SaltedPasswordService extends AbstractAuthenticationService
                 // Failed login attempt (wrong password)
                 $errorMessage = 'Login-attempt from ###IP### (%s), username \'%s\', password not accepted!';
                 // No delegation to further services
-                if ((int)$this->extConf['onlyAuthService'] || $this->authenticationFailed) {
+                if ($this->authenticationFailed) {
                     $this->writeLogMessage(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $this->login['uname']);
                     $OK = 0;
                 } else {
index 685c373..aea31ae 100644 (file)
@@ -15,8 +15,6 @@ namespace TYPO3\CMS\Saltedpasswords\Utility;
  */
 
 use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
-use TYPO3\CMS\Core\Messaging\FlashMessage;
-use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
@@ -25,123 +23,11 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
 class ExtensionManagerConfigurationUtility
 {
     /**
-     * @var int
-     */
-    protected $errorType = FlashMessage::OK;
-
-    /**
-     * @var string
-     */
-    protected $header;
-
-    /**
-     * @var string
-     */
-    protected $preText;
-
-    /**
-     * @var array
-     */
-    protected $problems = [];
-
-    /**
      * @var array
      */
     protected $extConf = [];
 
     /**
-     * Set the error level if no higher level
-     * is set already
-     *
-     * @param string $level One out of error, ok, warning, info
-     */
-    protected function setErrorLevel($level)
-    {
-        $lang = $this->getLanguageService();
-        switch ($level) {
-            case 'error':
-                $this->errorType = FlashMessage::ERROR;
-                $this->header = $lang->getLL('ext.saltedpasswords.configuration.header.errorsFound');
-                $this->preText = $lang->getLL('ext.saltedpasswords.configuration.message.errorsFound') . '<br />';
-                break;
-            case 'warning':
-                if ($this->errorType < FlashMessage::ERROR) {
-                    $this->errorType = FlashMessage::WARNING;
-                    $this->header = $lang->getLL('ext.saltedpasswords.configuration.header.warningsFound');
-                    $this->preText = $lang->getLL('ext.saltedpasswords.configuration.message.warningsFound') . '<br />';
-                }
-                break;
-            case 'info':
-                if ($this->errorType < FlashMessage::WARNING) {
-                    $this->errorType = FlashMessage::INFO;
-                    $this->header = $lang->getLL('ext.saltedpasswords.configuration.header.additionalInformation');
-                    $this->preText = '<br />';
-                }
-                break;
-            case 'ok':
-                // @todo Remove INFO condition as it has lower importance
-                if ($this->errorType < FlashMessage::WARNING && $this->errorType != FlashMessage::INFO) {
-                    $this->errorType = FlashMessage::OK;
-                    $this->header = $lang->getLL('ext.saltedpasswords.configuration.header.noErrorsFound');
-                    $this->preText = $lang->getLL('ext.saltedpasswords.configuration.message.noErrorsFound') . '<br />';
-                }
-                break;
-            default:
-        }
-    }
-
-    /**
-     * Renders the messages if problems have been found.
-     *
-     * @return array an array with errorType and html code
-     */
-    protected function renderMessage()
-    {
-        $message = '';
-        // If there are problems, render them into an unordered list
-        if (!empty($this->problems)) {
-            $message = '<ul><li>###PROBLEMS###</li></ul>';
-            $message = str_replace('###PROBLEMS###', implode('<br />&nbsp;</li><li>', $this->problems), $message);
-            if ($this->errorType > FlashMessage::OK) {
-                $message .= '<br />' .
-                $this->getLanguageService()->getLL('ext.saltedpasswords.configuration.message.securityWarning');
-            }
-        }
-        if (empty($message)) {
-            $this->setErrorLevel('ok');
-        }
-        $message = $this->preText . $message;
-
-        $class = 'default';
-        switch ($this->errorType) {
-            case FlashMessage::NOTICE:
-                $class = 'notice';
-                break;
-            case FlashMessage::INFO:
-                $class = 'info';
-                break;
-            case FlashMessage::OK:
-                $class = 'success';
-                break;
-            case FlashMessage::WARNING:
-                $class = 'warning';
-                break;
-            case FlashMessage::ERROR:
-                $class = 'danger';
-                break;
-            default:
-        }
-        $html = '<div class="panel panel-' . $class . '">' .
-                    '<div class="panel-heading">' . $this->header . '</div>' .
-                    '<div class="panel-body">' . $message . '</div>' .
-                '</div>';
-        return [
-            'errorType' => $this->errorType,
-            'html' => $html
-        ];
-    }
-
-    /**
      * Initializes this object.
      */
     private function init()
@@ -154,188 +40,6 @@ class ExtensionManagerConfigurationUtility
     }
 
     /**
-     * Checks the backend configuration and shows a message if necessary.
-     * The method returns an array or the HTML code depends on
-     * $params['propertyName'] is set or not.
-     *
-     * @param array $params Field information to be rendered
-     * @return array|string array with errorType and HTML or only the HTML as string
-     */
-    public function checkConfigurationBackend(array $params)
-    {
-        $this->init();
-        $extConf = $this->extConf['BE'];
-        // The backend is called over SSL
-        $isBackendCalledOverSsl = (bool)$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'];
-        $rsaAuthLoaded = ExtensionManagementUtility::isLoaded('rsaauth');
-        // SSL configured?
-        $lang = $this->getLanguageService();
-        if ($isBackendCalledOverSsl) {
-            $this->setErrorLevel('ok');
-            $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.backendSsl');
-        } elseif ($rsaAuthLoaded) {
-            $loginSecurityLevel = trim($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']) ?: 'normal';
-            if ($loginSecurityLevel === 'rsa') {
-                if ($this->isRsaAuthBackendAvailable()) {
-                    $this->setErrorLevel('ok');
-                    $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.backendRsa');
-                } else {
-                    // This means that login would fail because rsaauth is not working properly
-                    $this->setErrorLevel('error');
-                    $problems[] = '<strong>' .
-                        $lang->getLL('ext.saltedpasswords.configuration.message.openSslMissing') .
-                        '<a href="http://php.net/manual/en/openssl.installation.php" target="_blank">PHP.net</a></strong>.';
-                }
-            } else {
-                // This means that rsaauth is enabled but not used
-                $this->setErrorLevel('warning');
-                $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.backendSecurityLevelNotRsa');
-            }
-        } else {
-            $this->setErrorLevel('ok');
-        }
-        // Only saltedpasswords as authsservice
-        if ($extConf['onlyAuthService']) {
-            // Warn user that the combination with "forceSalted" may lock him
-            // out from Backend
-            if ($extConf['forceSalted']) {
-                $this->setErrorLevel('warning');
-                $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.warningForceSalted') . '<br />
-                                       <strong><i>' . $lang->getLL('ext.saltedpasswords.configuration.label.warning') . '</i></strong> ' .
-                    $lang->getLL('ext.saltedpasswords.configuration.message.warningForceSaltedNoteForBackend');
-            } else {
-                // Inform the user that things like openid won't work anymore
-                $this->setErrorLevel('info');
-                $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.infoOnlyBackendAuthService');
-            }
-        }
-        // forceSalted is set
-        if ($extConf['forceSalted'] && !$extConf['onlyAuthService']) {
-            $this->setErrorLevel('info');
-            $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.infoForceSalted') .
-                ' <br /> ' . $lang->getLL('ext.saltedpasswords.configuration.message.infoForceSaltedNote');
-        }
-        // updatePasswd wont work with "forceSalted"
-        if ($extConf['updatePasswd'] && $extConf['forceSalted']) {
-            $this->setErrorLevel('error');
-            $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.errorForceSaltedAndUpdatePassword') .
-                '<br /> ' .
-                $lang->getLL('ext.saltedpasswords.configuration.message.errorForceSaltedAndUpdatePasswordReason');
-        }
-        // Check if the configured hash-method is available on system
-        $instance = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null, 'BE');
-        if ($instance === null || !$instance->isAvailable()) {
-            $this->setErrorLevel('error');
-            $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.errorHashMethodNotAvailable');
-        }
-        $this->problems = $problems;
-        $result = $this->renderMessage();
-        if (!empty($params['propertyName'])) {
-            return $result['html'];
-        }
-        return $result;
-    }
-
-    /**
-     * Checks if rsaauth is able to obtain a backend
-     *
-     * @return bool
-     */
-    protected function isRsaAuthBackendAvailable()
-    {
-        // Try to instantiate an RSAauth backend. If this does not work,
-        // it means that OpenSSL is not usable
-        /** @var \TYPO3\CMS\Rsaauth\Backend\BackendFactory $rsaauthBackendFactory */
-        $rsaauthBackendFactory = GeneralUtility::makeInstance(\TYPO3\CMS\Rsaauth\Backend\BackendFactory::class);
-        $backend = $rsaauthBackendFactory->getBackend();
-        return $backend !== null;
-    }
-
-    /**
-     * Checks the frontend configuration and shows a message if necessary.
-     * The method returns an array or the HTML code depends on
-     * $params['propertyName'] is set or not.
-     *
-     * @param array $params Field information to be rendered
-     * @return array|string array with errorType and HTML or only the HTML as string
-     */
-    public function checkConfigurationFrontend(array $params)
-    {
-        $this->init();
-        $extConf = $this->extConf['FE'];
-        $problems = [];
-        $lang = $this->getLanguageService();
-        $loginSecurityLevel = trim($GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel']) ?: 'normal';
-        if ($loginSecurityLevel !== 'normal' && $loginSecurityLevel !== 'rsa') {
-            $this->setErrorLevel('info');
-            $problems[] = '<strong>' . $lang->getLL('ext.saltedpasswords.configuration.label.important') .
-                '</strong><br /> ' .
-                $lang->getLL('ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferent') .
-                '<br />
-                <ul>
-                    <li>' .
-                $lang->getLL('ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferentFirstItem') .
-                '</li>
-
-                    <li>' .
-                $lang->getLL('ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferentSecondItem') .
-                '</li>
-                </ul>
-                <br />
-                ' . $lang->getLL('ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferentNote');
-        } elseif ($loginSecurityLevel === 'rsa') {
-            if (ExtensionManagementUtility::isLoaded('rsaauth')) {
-                if ($this->isRsaAuthBackendAvailable()) {
-                    $this->setErrorLevel('ok');
-                    $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.okFeRsaauthLoaded');
-                } else {
-                    // This means that login would fail because rsaauth is not working properly
-                    $this->setErrorLevel('error');
-                    $problems[] = '<strong>' . $lang->getLL('ext.saltedpasswords.configuration.message.openSslMissing') .
-                        ' <a href="http://php.net/manual/en/openssl.installation.php" target="_blank">PHP.net</a></strong>.';
-                }
-            } else {
-                // Rsaauth is not installed but configured to be used
-                $this->setErrorLevel('warning');
-                $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.warningRsaauthNotInstalledButConfigured');
-            }
-        }
-        // Only saltedpasswords as authsservice
-        if ($extConf['onlyAuthService']) {
-            // Warn user that the combination with "forceSalted" may lock
-            // him out from frontend
-            if ($extConf['forceSalted']) {
-                $this->setErrorLevel('warning');
-                $problems[] = nl2br($lang->getLL('ext.saltedpasswords.configuration.message.infoForceSalted')) .
-                    '<strong><i>' . $lang->getLL('ext.saltedpasswords.configuration.label.important') .
-                    '</i></strong> ' . $lang->getLL('ext.saltedpasswords.configuration.message.warningForceSaltedNoteForFrontend');
-            } else {
-                // Inform the user that things like openid won't work anymore
-                $this->setErrorLevel('info');
-                $problems[] = $lang->getLL('ext.saltedpasswords.configuration.message.infoOnlyFrontendAuthService');
-            }
-        }
-        // forceSalted is set
-        if ($extConf['forceSalted'] && !$extConf['onlyAuthService']) {
-            $this->setErrorLevel('warning');
-            $problems[] = nl2br($lang->getLL('ext.saltedpasswords.configuration.message.infoForceSalted')) .
-                '<strong><i>' . $lang->getLL('ext.saltedpasswords.configuration.label.important') .
-                '</i></strong> ' . $lang->getLL('ext.saltedpasswords.configuration.message.warningForceSaltedNote2');
-        }
-        // updatePasswd wont work with "forceSalted"
-        if ($extConf['updatePasswd'] && $extConf['forceSalted']) {
-            $this->setErrorLevel('error');
-            $problems[] = nl2br($lang->getLL('ext.saltedpasswords.configuration.message.errorForceSaltedAndUpdatePassword'));
-        }
-        $this->problems = $problems;
-        $result = $this->renderMessage();
-        if (!empty($params['propertyName'])) {
-            return $result['html'];
-        }
-        return $result;
-    }
-
-    /**
      * Renders a selector element that allows to select the hash method to be used.
      *
      * @param array $params Field information to be rendered
index b58e432..d6a4228 100644 (file)
@@ -91,9 +91,6 @@ class SaltedPasswordsUtility
     public static function returnExtConfDefaults()
     {
         return [
-            'onlyAuthService' => '0',
-            'forceSalted' => '0',
-            'updatePasswd' => '1',
             'saltedPWHashingMethod' => \TYPO3\CMS\Saltedpasswords\Salt\PhpassSalt::class,
         ];
     }
index bd83be3..d21fce7 100644 (file)
@@ -36,64 +36,3 @@ Defines hashing method to use for TYPO3 frontend.
    BE.saltedPWHashingMethod = tx_saltedpasswords_salts_phpass (Portable PHP password hashing)
 
 Defines hashing method to use for TYPO3 backend.
-
-
-.. _advanced-frontend-configuration:
-
-Advanced frontend configuration
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   # Force salted passwords (boolean)
-   FE.forceSalted = 0
-
-Enforces usage of salted user password hashes only. Any other type of
-stored password will result in a failed authentication.
-
-::
-
-   # Exclusive FE usage (boolean)
-   FE.onlyAuthService = 0
-
-If authentication fails, no further authentication service will be tried
-
-::
-
-   # Update FE user passwords (boolean)
-   FE.updatePasswd = 1
-
-Uses existing FE user passwords but automatically convert them to the
-salted hash format during authentication (will not work if forceSalted
-is enabled).
-
-
-.. _advanced-backend-configuration:
-
-Advanced backend configuration
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   # Force salted passwords (boolean)
-   BE.forceSalted = 0
-
-Enforces usage of salted user password hashes only. Any other type of
-stored password will result in a failed authentication.
-
-::
-
-   # Exclusive BE usage (boolean)
-   BE.onlyAuthService = 0
-
-If authentication fails, no further authentication service will be tried.
-
-::
-
-   # Update BE user passwords (boolean)
-   BE.updatePasswd = 1
-
-Uses existing BE user passwords but automatically convert them to the
-salted hash format during authentication (will not work if forceSalted
-is enabled).
-
index 608993f..6fdfda8 100644 (file)
                        <trans-unit id="ext.saltedpasswords.title.argon2isalt">
                                <source>Argon2i password hashing (PHP native)</source>
                        </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.header.noErrorsFound">
-                               <source>No errors were found</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.noErrorsFound">
-                               <source>SaltedPasswords has been configured correctly and works as expected.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.header.errorsFound">
-                               <source>Errors found in your configuration</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.errorsFound">
-                               <source>SaltedPasswords will not work until these problems have been resolved</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.header.warningsFound">
-                               <source>Warnings about your configuration</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.warningsFound">
-                               <source>SaltedPasswords might behave different than expected</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.header.additionalInformation">
-                               <source>Additional information</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.securityWarning">
-                               <source>Note, that a wrong configuration might have impact on the security of your TYPO3 installation and the usability of the backend.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.backendSsl">
-                               <source>The backend is configured to use SaltedPasswords over SSL.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.backendRsa">
-                               <source>The backend is configured to use SaltedPasswords with RSA authentication.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.openSslMissing">
-                               <source>Using the extension "rsaauth" is not possible, as no encryption backend is available. Please install and configure the PHP extension "openssl". See </source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.backendSecurityLevelNotRsa">
-                               <source>The "rsaauth" extension is installed, but TYPO3 is not configured to use it during login. Use the Install Tool to set the Login Security Level for the backend to "rsa" ($TYPO3_CONF_VARS['BE']['loginSecurityLevel'])</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.warningForceSalted">
-                               <source>SaltedPasswords has been configured to be the only authentication service for the backend. Additionally, usage of salted passwords is enforced (forceSalted). The result is that there is no chance to login with users not having a salted password hash.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.label.warning">
-                               <source>WARNING</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.warningForceSaltedNoteForBackend">
-                               <source>This may lock you out of the backend!</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoOnlyBackendAuthService">
-                               <source>SaltedPasswords has been configured to be the only authentication service for the backend. This means that other services like "ipauth", "openid", etc. will be ignored (except "rsauth", which is implicitely used).</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoForceSalted" xml:space="preserve">
-                               <source>SaltedPasswords has been configured to enforce salted passwords (forceSalted).
-This means that only passwords in the format of this extension will succeed for login.
-</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.errorForceSaltedAndUpdatePassword" xml:space="preserve">
-                               <source>SaltedPasswords is configured wrong and will not work as expected:
-It is not possible to set "updatePasswd" and "forceSalted" at the same time. Please disable either one of them.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.errorHashMethodNotAvailable">
-                               <source>The selected method for hashing your salted passwords is not available on this system! Please check your configuration.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.label.important">
-                               <source>IMPORTANT</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferent">
-                               <source>Frontend requirements for SaltedPasswords are not met, therefore the authentication will not work</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferentFirstItem">
-                               <source>Install the "rsaauth" extension and use the Install Tool to set the Login Security Level for the frontend to "rsa" ($TYPO3_CONF_VARS['FE']['loginSecurityLevel'])</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferentSecondItem">
-                               <source>Alternatively, use the Install Tool to set the Login Security Level for the frontend to "normal" ($TYPO3_CONF_VARS['FE']['loginSecurityLevel'])</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoLoginSecurityLevelDifferentNote">
-                               <source>Make sure that the Login Security Level is not set to "" or "challenged"!</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.okFeRsaauthLoaded">
-                               <source>The frontend is configured to use SaltedPasswords with RSA authentication.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.warningRsaauthNotInstalledButConfigured">
-                               <source>The "rsaauth" extension is not installed, but TYPO3 CMS is configured to use it. Either install the extension or adapt the configuration by setting [FE][loginSecurityLevel] to "normal" in the Install Tool.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.warningForceSaltedNoteForFrontend">
-                               <source>Because of this, it is not possible to login with users not having a salted password hash (e.g. existing frontend users).</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.infoOnlyFrontendAuthService">
-                               <source>SaltedPasswords has been configured to be the only authentication service for frontend logins. This means that other services like "ipauth", "openid", etc. will be ignored.</source>
-                       </trans-unit>
-                       <trans-unit id="ext.saltedpasswords.configuration.message.warningForceSaltedNote2">
-                               <source>This has the effect that passwords that were set before SaltedPasswords was used will not work (in fact, they need to be redefined).</source>
-                       </trans-unit>
                </body>
        </file>
 </xliff>
index d82d312..1977ab1 100644 (file)
@@ -3,42 +3,12 @@
        <file t3:id="1415814983" source-language="en" datatype="plaintext" original="messages" date="2011-10-17T20:22:32Z" product-name="saltedpasswords">
                <header/>
                <body>
-                       <trans-unit id="saltedpasswords.config.checkConfigurationFE">
-                               <source>Frontend configuration check</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.checkConfigurationBE">
-                               <source>Backend configuration check</source>
-                       </trans-unit>
                        <trans-unit id="saltedpasswords.config.FE.saltedPWHashingMethod">
                                <source>Hashing method for the frontend: Defines salted hashing method to use. Choose "Portable PHP password hashing" to stay compatible with other CMS (e.g. Drupal, Wordpress). Choose "MD5 salted hashing" to reuse TYPO3 passwords for OS level authentication (other servers could use TYPO3 passwords). Choose "Blowfish salted hashing" for advanced security to reuse passwords on OS level (Blowfish might not be supported on your system TODO).</source>
                        </trans-unit>
                        <trans-unit id="saltedpasswords.config.BE.saltedPWHashingMethod">
                                <source>Hashing method for the backend: Defines salted hashing method to use. Choose "Portable PHP password hashing" to stay compatible with other CMS (e.g. Drupal, Wordpress). Choose "MD5 salted hashing" to reuse TYPO3 passwords for OS level authentication (other servers could use TYPO3 passwords). Choose "Blowfish salted hashing" for advanced security to reuse passwords on OS level (Blowfish might not be supported on your system TODO).</source>
                        </trans-unit>
-                       <trans-unit id="saltedpasswords.config.checkConfigurationFE2">
-                               <source>Frontend configuration check</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.FE.forceSalted">
-                               <source>Force salted passwords: Enforce usage of SaltedPasswords. Old MD5 hashed passwords will stop working.</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.FE.onlyAuthService">
-                               <source>Exclusive FE usage: If authentication fails, no further authentication service will be tried.</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.FE.updatePasswd">
-                               <source>Update FE user passwords: Keep existing FE user passwords but automatically convert them to the salted hash format during authentication (will not work if forceSalted is used).</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.checkConfigurationBE2">
-                               <source>Backend configuration check</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.BE.forceSalted">
-                               <source>Force salted passwords: Enforce usage of SaltedPasswords. Old MD5 hashed passwords will stop working.</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.BE.onlyAuthService">
-                               <source>Exclusive BE usage: If authentication fails, no further authentication service will be tried.</source>
-                       </trans-unit>
-                       <trans-unit id="saltedpasswords.config.BE.updatePasswd">
-                               <source>Update BE user passwords: Keep existing BE user passwords but automatically convert them to the salted hash format during authentication (will not work if forceSalted is used).</source>
-                       </trans-unit>
                </body>
        </file>
 </xliff>
index 5df1205..029bb8d 100644 (file)
@@ -37,15 +37,9 @@ class SaltFactoryTest extends UnitTestCase
         $GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['saltedpasswords'] = [
             'BE' => [
                 'saltedPWHashingMethod' => \TYPO3\CMS\Saltedpasswords\Salt\Pbkdf2Salt::class,
-                'forceSalted' => 0,
-                'onlyAuthService' => 0,
-                'updatePasswd' => 1,
             ],
             'FE' => [
                 'saltedPWHashingMethod' => \TYPO3\CMS\Saltedpasswords\Salt\Pbkdf2Salt::class,
-                'forceSalted' => 0,
-                'onlyAuthService' => 0,
-                'updatePasswd' => 1,
             ],
         ];
         $this->objectInstance = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance();
index 91abe3e..e909f2e 100644 (file)
@@ -1,35 +1,5 @@
-# cat=Basic/enable; type=user[TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->checkConfigurationFrontend]; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.checkConfigurationFE
-checkConfigurationFE=0
-
-# cat=Basic/enable; type=user[TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->checkConfigurationBackend]; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.checkConfigurationBE
-checkConfigurationBE=0
-
 # cat=Basic/enable; type=user[TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->buildHashMethodSelectorFE]; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.FE.saltedPWHashingMethod
 FE.saltedPWHashingMethod = TYPO3\CMS\Saltedpasswords\Salt\Pbkdf2Salt
 
 # cat=Basic/enable; type=user[TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->buildHashMethodSelectorBE]; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.BE.saltedPWHashingMethod
 BE.saltedPWHashingMethod = TYPO3\CMS\Saltedpasswords\Salt\Pbkdf2Salt
-
-# cat=Frontend; type=user[TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->checkConfigurationFrontend]; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.checkConfigurationFE2
-checkConfigurationFE2=0
-
-# cat=Frontend; type=boolean; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.FE.forceSalted
-FE.forceSalted = 0
-
-# cat=Frontend; type=boolean; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.FE.onlyAuthService
-FE.onlyAuthService = 0
-
-# cat=Frontend; type=boolean; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.FE.updatePasswd
-FE.updatePasswd = 1
-
-# cat=Backend; type=user[TYPO3\CMS\Saltedpasswords\Utility\ExtensionManagerConfigurationUtility->checkConfigurationBackend]; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.checkConfigurationBE2
-checkConfigurationBE2=0
-
-# cat=Backend; type=boolean; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.BE.forceSalted
-BE.forceSalted = 0
-
-# cat=Backend; type=boolean; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.BE.onlyAuthService
-BE.onlyAuthService = 0
-
-# cat=Backend; type=boolean; label=LLL:EXT:saltedpasswords/Resources/Private/Language/locallang_em.xlf:saltedpasswords.config.BE.updatePasswd
-BE.updatePasswd = 1