Commit 87fe3344 authored by Christian Kuhn's avatar Christian Kuhn Committed by Anja Leichsenring

[!!!][TASK] Drop extension rsaauth

Extension rsaauth has been marked deprecated in v9 due
to its flaws and is dropped from core v10 with this patch.
People who still think not using https but using the
rsaauth extension approach is a good idea can fetch the
extension from ter using an upgrade wizard or
composer require friendsoftypo3/rsaauth.

Needs a typo3/testing-framework raise since the
acceptance tests still used loginSecurityLevel rsa:
composer require --dev typo3/testing-framework ~5.0.4

Resolves: #87470
Releases: master
Change-Id: Iefdd1c4e4b8725e0968875d4b8cb68103634783c
Reviewed-on: https://review.typo3.org/59470


Reviewed-by: Andreas Fernandez's avatarAndreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez's avatarAndreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: default avatarTYPO3com <noreply@typo3.com>
Reviewed-by: Anja Leichsenring's avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring's avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
parent e3bea939
......@@ -80,10 +80,6 @@
"../typo3/sysext/recycler/Resources/Public/JavaScript/*",
"../typo3/sysext/recycler/Resources/Private/TypeScript/*"
],
"TYPO3/CMS/Rsaauth/*": [
"../typo3/sysext/rsaauth/Resources/Public/JavaScript/*",
"../typo3/sysext/rsaauth/Resources/Private/TypeScript/*"
],
"TYPO3/CMS/RteCkeditor/*": [
"../typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/*",
"../typo3/sysext/rte_ckeditor/Resources/Private/TypeScript/*"
......
......@@ -68,7 +68,7 @@
"fiunchinho/phpunit-randomizer": "^4.0",
"friendsofphp/php-cs-fixer": "^2.12.2",
"typo3/cms-styleguide": "~10.0.2",
"typo3/testing-framework": "~5.0.3"
"typo3/testing-framework": "~5.0.4"
},
"suggest": {
"ext-gd": "GDlib/Freetype is required for building images with text (GIFBUILDER) and can also be used to scale images",
......@@ -142,7 +142,6 @@
"typo3/cms-recycler": "self.version",
"typo3/cms-redirects": "self.version",
"typo3/cms-reports": "self.version",
"typo3/cms-rsaauth": "self.version",
"typo3/cms-rte-ckeditor": "self.version",
"typo3/cms-scheduler": "self.version",
"typo3/cms-seo": "self.version",
......@@ -183,7 +182,6 @@
"TYPO3\\CMS\\Recycler\\": "typo3/sysext/recycler/Classes/",
"TYPO3\\CMS\\Redirects\\": "typo3/sysext/redirects/Classes/",
"TYPO3\\CMS\\Reports\\": "typo3/sysext/reports/Classes/",
"TYPO3\\CMS\\Rsaauth\\": "typo3/sysext/rsaauth/Classes/",
"TYPO3\\CMS\\RteCKEditor\\": "typo3/sysext/rte_ckeditor/Classes/",
"TYPO3\\CMS\\Scheduler\\": "typo3/sysext/scheduler/Classes/",
"TYPO3\\CMS\\Seo\\": "typo3/sysext/seo/Classes/",
......@@ -227,7 +225,6 @@
"TYPO3\\CMS\\Redirects\\Tests\\": "typo3/sysext/redirects/Tests/",
"TYPO3\\CMS\\Recordlist\\Tests\\": "typo3/sysext/recordlist/Tests/",
"TYPO3\\CMS\\Reports\\Tests\\": "typo3/sysext/reports/Tests/",
"TYPO3\\CMS\\Rsaauth\\Tests\\": "typo3/sysext/rsaauth/Tests/",
"TYPO3\\CMS\\Scheduler\\Tests\\": "typo3/sysext/scheduler/Tests/",
"TYPO3\\CMS\\Seo\\Tests\\": "typo3/sysext/seo/Tests/",
"TYPO3\\CMS\\Setup\\Tests\\": "typo3/sysext/setup/Tests/",
......
......@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "6189051a464f1004eb6a4d1d5637fdf3",
"content-hash": "db9fd312d43898646dee6e003739ad67",
"packages": [
{
"name": "cogpowered/finediff",
......@@ -5015,16 +5015,16 @@
},
{
"name": "typo3/testing-framework",
"version": "5.0.3",
"version": "5.0.4",
"source": {
"type": "git",
"url": "https://github.com/TYPO3/testing-framework.git",
"reference": "9c47cb61fd9c7522c65ca45ff97e3b5a26c6fa22"
"reference": "3b69abce0899ba75cdc36a6fc5b9f05c8d7b09e7"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/TYPO3/testing-framework/zipball/9c47cb61fd9c7522c65ca45ff97e3b5a26c6fa22",
"reference": "9c47cb61fd9c7522c65ca45ff97e3b5a26c6fa22",
"url": "https://api.github.com/repos/TYPO3/testing-framework/zipball/3b69abce0899ba75cdc36a6fc5b9f05c8d7b09e7",
"reference": "3b69abce0899ba75cdc36a6fc5b9f05c8d7b09e7",
"shasum": ""
},
"require": {
......@@ -5071,7 +5071,7 @@
"tests",
"typo3"
],
"time": "2019-01-11T12:54:17+00:00"
"time": "2019-01-17T14:51:59+00:00"
},
{
"name": "webmozart/assert",
......
......@@ -74,8 +74,6 @@ class NodeFactory
'inputDateTime' => Element\InputDateTimeElement::class,
'inputLink' => Element\InputLinkElement::class,
'hidden' => Element\InputHiddenElement::class,
// rsaInput is defined with a fallback so extensions can use it even if ext:rsaauth is not loaded
'rsaInput' => Element\InputTextElement::class,
'imageManipulation' => Element\ImageManipulationElement::class,
'none' => Element\NoneElement::class,
'radio' => Element\RadioElement::class,
......
......@@ -307,7 +307,7 @@ BE:
description: 'Set the name for the cookie used for the back-end user session'
loginSecurityLevel:
type: text
description: 'Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text, "rsa" uses RSA password encryption (only if the rsaauth extension is installed).'
description: 'Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text. The client/server communication should be secured with HTTPS.'
showRefreshLoginPopup:
type: bool
description: 'If set, the Ajax relogin will show a real popup window for relogin after the count down. Some auth services need this as they add custom validation to the login form. If it''s not set, the Ajax relogin will show an inline relogin window.'
......@@ -421,7 +421,7 @@ FE:
description: 'If activated, Frontend Users are locked to (a part of) their public IP (<code>$_SERVER[''REMOTE_ADDR'']</code>) for their session. Enhances security but may throw off users that may change IP during their session (in which case you can lower it to 2 or 3). The integer indicates how many parts of the IP address to include in the check for session (next to the user agent)..'
loginSecurityLevel:
type: text
description: 'See description for <a href="#BE-loginSecurityLevel">[BE][loginSecurityLevel]</a>. Default state for frontend is "normal". Alternative authentication services can implement higher levels if preferred. For example, "rsa" level uses RSA password encryption (only if the rsaauth extension is installed).'
description: 'See description for <a href="#BE-loginSecurityLevel">[BE][loginSecurityLevel]</a>. Default state for frontend is "normal". The client/server communication should be secured with HTTPS.'
lifetime:
type: int
description: 'If >0 and the option permalogin is >=0, the cookie of FE users will have a lifetime of the number of seconds this value indicates. Otherwise it will be a session cookie (deleted when browser is shut down). Setting this value to 604800 will result in automatic login of FE users during a whole week, 86400 will keep the FE users logged in for a day.'
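Review bot: The new [BE][loginSecurityLevel] description no longer mentions that the "rsa" value has gone away, so an administrator of an instance upgraded from v9 that still carries loginSecurityLevel: rsa gets no hint from the configuration reference why the setting does nothing anymore; the same applies to the [FE] description in the second hunk. I would append one sentence to the BE text, `The "rsa" level formerly provided by the rsaauth extension is no longer part of the core.`, and let the FE text keep pointing at the BE entry. How the login code treats a leftover "rsa" value after this change is not visible on this page, so I have not stated that here.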
......
......@@ -1351,6 +1351,7 @@ The following features have been removed:
* Frontend, Backend and standalone install tool users who did not log in for multiple core versions and still use a :php:`M$`
prefixed password can not log in anymore. Auto converting those user passwords during first login has been dropped, those
users need their password being manually recovered or reset.
* Extension :php:`rsaauth` has been dropped from core
The following database tables have been removed:
......
......@@ -39,7 +39,6 @@ class BackendCoreEnvironment extends BackendEnvironment
'filelist',
'extensionmanager',
'setup',
'rsaauth',
'backend',
'about',
'belog',
......
......@@ -51,7 +51,7 @@
"fiunchinho/phpunit-randomizer": "^4.0",
"friendsofphp/php-cs-fixer": "^2.12.2",
"typo3/cms-styleguide": "~10.0.2",
"typo3/testing-framework": "~5.0.3"
"typo3/testing-framework": "~5.0.4"
},
"suggest": {
"ext-fileinfo": "Used for proper file type detection in the file abstraction layer",
......
......@@ -49,7 +49,6 @@ class ListUtilityTest extends UnitTestCase
'lang' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
'news' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
'saltedpasswords' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
'rsaauth' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
]));
$this->inject($this->subject, 'packageManager', $packageManagerMock);
}
......@@ -65,13 +64,11 @@ class ListUtilityTest extends UnitTestCase
'lang' => [],
'news' => [],
'saltedpasswords' => [],
'rsaauth' => []
],
[
'lang' => ['installed' => true],
'news' => ['installed' => true],
'saltedpasswords' => ['installed' => true],
'rsaauth' => ['installed' => true]
]
],
'different extension lists' => [
......@@ -79,13 +76,11 @@ class ListUtilityTest extends UnitTestCase
'lang' => [],
'news' => [],
'saltedpasswords' => [],
'rsaauth' => []
],
[
'lang' => ['installed' => true],
'news' => ['installed' => true],
'saltedpasswords' => ['installed' => true],
'rsaauth' => ['installed' => true]
]
],
'different extension lists - set2' => [
......@@ -93,14 +88,12 @@ class ListUtilityTest extends UnitTestCase
'lang' => [],
'news' => [],
'saltedpasswords' => [],
'rsaauth' => [],
'em' => []
],
[
'lang' => ['installed' => true],
'news' => ['installed' => true],
'saltedpasswords' => ['installed' => true],
'rsaauth' => ['installed' => true],
'em' => []
]
],
......@@ -110,7 +103,6 @@ class ListUtilityTest extends UnitTestCase
'fluid' => [],
'news' => [],
'saltedpasswords' => [],
'rsaauth' => [],
'em' => []
],
[
......@@ -118,7 +110,6 @@ class ListUtilityTest extends UnitTestCase
'fluid' => [],
'news' => ['installed' => true],
'saltedpasswords' => ['installed' => true],
'rsaauth' => ['installed' => true],
'em' => []
]
]
......@@ -147,7 +138,6 @@ class ListUtilityTest extends UnitTestCase
'lang' => ['property1' => 'oldvalue'],
'news' => [],
'saltedpasswords' => [],
'rsaauth' => []
],
[
'property1' => 'property value1'
......@@ -156,7 +146,6 @@ class ListUtilityTest extends UnitTestCase
'lang' => ['property1' => 'oldvalue'],
'news' => ['property1' => 'property value1'],
'saltedpasswords' => ['property1' => 'property value1'],
'rsaauth' => ['property1' => 'property value1']
]
]
];
......
......@@ -57,10 +57,6 @@ class ClearTableService
'name' => 'tx_extensionmanager_domain_model_extension',
'description' => 'List of TER extensions',
],
[
'name' => 'tx_rsaauth_keys',
'description' => 'Login process key storage'
],
];
/**
......
<?php
namespace TYPO3\CMS\Install\Updates;
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
/**
* Installs and downloads EXT:rsaauth if requested
* @internal This class is only meant to be used within EXT:install and is not part of the TYPO3 Core API.
*/
class RsaauthExtractionUpdate extends AbstractDownloadExtensionUpdate
{
/**
* @var \TYPO3\CMS\Install\Updates\ExtensionModel
*/
protected $extension;
/**
* @var \TYPO3\CMS\Install\Updates\Confirmation
*/
protected $confirmation;
public function __construct()
{
$this->extension = new ExtensionModel(
'rsaauth',
'Deprecated rsaauth extension',
'10.0.0',
'friendsoftypo3/rsaauth',
'Contains a service to authenticate TYPO3 BE and FE users using private/public key encryption of passwords.'
);
$this->confirmation = new Confirmation(
'Are you sure?',
'Do not install this extension. Use HTTPS instead. ' . $this->extension->getDescription(),
false
);
}
/**
* Return a confirmation message instance
*
* @return \TYPO3\CMS\Install\Updates\Confirmation
*/
public function getConfirmation(): Confirmation
{
return $this->confirmation;
}
/**
* Return the identifier for this wizard
* This should be the same string as used in the ext_localconf class registration
*
* @return string
*/
public function getIdentifier(): string
{
return 'rsaauthExtension';
}
/**
* Return the speaking name of this wizard
*
* @return string
*/
public function getTitle(): string
{
return 'Install extension "rsaauth" from TER if the site is still not secured using HTTPS';
}
/**
* Return the description for this wizard
*
* @return string
*/
public function getDescription(): string
{
return 'The extension "rsaauth" adds a public/private key based encryption for Backend and Frontend'
. ' login passwords. The approach is limited and has various flaws. The extension is fully'
. ' obsolete if the instance uses HTTPS.';
}
/**
* Is an update necessary?
* Is used to determine whether a wizard needs to be run.
*
* @return bool
*/
public function updateNecessary(): bool
{
return !ExtensionManagementUtility::isLoaded('rsaauth');
}
/**
* Returns an array of class names of Prerequisite classes
* This way a wizard can define dependencies like "database up-to-date" or
* "reference index updated"
*
* @return string[]
*/
public function getPrerequisites(): array
{
return [
DatabaseUpdatedPrerequisite::class
];
}
}
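Review bot: updateNecessary() reports the wizard as necessary whenever rsaauth is not loaded, which is true for practically every instance after this commit, so the install tool will offer to download a deprecated extension with known flaws to sites that never used it and already run on HTTPS, although getTitle() promises the wizard only applies "if the site is still not secured using HTTPS". Keying the check on the configuration that actually selected the rsa level would narrow it to instances that relied on the extension: `$be = $GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel'] ?? '';`, `$fe = $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] ?? '';`, `return ($be === 'rsa' || $fe === 'rsa') && !ExtensionManagementUtility::isLoaded('rsaauth');`. The confirmation defaulting to false with "Do not install this extension. Use HTTPS instead." is the right default and should stay. The class docblock could also state the narrowed intent, e.g. `Offers to fetch EXT:rsaauth from TER for instances whose loginSecurityLevel still selects the removed "rsa" level; installing it is discouraged in favour of HTTPS.`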
......@@ -38,6 +38,8 @@ $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/install']['update']['argon2iPassw
= \TYPO3\CMS\Install\Updates\Argon2iPasswordHashes::class;
// v9->v10 wizards below this line
$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/install']['update']['rsaauthExtension']
= \TYPO3\CMS\Install\Updates\RsaauthExtractionUpdate::class;
$iconRegistry = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Core\Imaging\IconRegistry::class);
$icons = [
......
/.gitattributes export-ignore
/Resources/Private/TypeScript/ export-ignore
/Tests/ export-ignore
<?php
namespace TYPO3\CMS\Rsaauth\Backend;
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
/**
* This class contains an abstract SSL backend for the TYPO3 RSA authentication
* service.
*
* There are two steps:
* - prepare data for encoding
* - decode incoming data
*
* To prepare data for encoding, the createNewKeyPair() method should be called.
* This method returns an instance of \TYPO3\CMS\Rsaauth\Keypair class, which contains
* the private and public keys. Public key is sent to the client to encode data.
* Private key should be stored somewhere (preferably in user's session).
*
* To decode data, the decrypt() method should be called with the private key
* created at the previous step and the data to decode. If the data is decoded
* successfully, the result is a string. Otherwise it is NULL.
*/
abstract class AbstractBackend
{
/**
* Error message for the last operation. Derived classes should always set
* or clear this variable inside the createNewKeyPair() or decypt().
*
* @var string
*/
protected $error = '';
/**
* Creates a new key pair for the encryption or gets the existing key pair (if one already has been generated).
*
* There should only be one key pair per request because the second private key would overwrites the first private
* key. So the submitting the form with the first public key would not work anymore.
*
* @return \TYPO3\CMS\Rsaauth\Keypair|null a key pair or NULL in case of error
*/
abstract public function createNewKeyPair();
/**
* Decripts the data using the private key.
*
* @param string $privateKey The private key (obtained from a call to createNewKeyPair())
* @param string $data Data to decrypt (base64-encoded)
* @return string Decrypted data or NULL in case of an error
*/
abstract public function decrypt($privateKey, $data);
/**
* Checks if this backend is available for calling.
*
* @return bool
*/
abstract public function isAvailable();
/**
* Retrieves an error message.
*
* @return string An error message or empty string if there were no error
*/
public function getLastError()
{
return $this->error;
}
}
<?php
namespace TYPO3\CMS\Rsaauth\Backend;
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
/**
* This class contains a factory for the RSA backends.
*/
class BackendFactory
{
/**
* A list of all available backends. Currently this list cannot be extended.
* This is for security reasons to avoid inserting some dummy backend to
* the list.
*
* @var array
*/
protected static $availableBackends = [
PhpBackend::class,
CommandLineBackend::class
];
/**
* A flag that tells if the factory is initialized. This is to prevent
* continuous creation of backends in case if none of them is available.
*
* @var bool
*/
protected static $initialized = false;
/**
* A selected backend. This member is set in the getBackend() function. It
* will not be an abstract backend as shown below but a real class, which is
* derived from the AbstractBackend.
*
* @var AbstractBackend
*/
protected static $selectedBackend;
/**
* Obtains a backend. This function will return a non-abstract class, which
* is derived from the AbstractBackend. Applications should
* not use any methods that are not declared in the AbstractBackend.
*
* @return AbstractBackend A backend
*/
public static function getBackend()
{
if (!self::$initialized) {
// Backend does not exist yet. Create it.
foreach (self::$availableBackends as $backend) {
$backendObject = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance($backend);
// Check that it is derived from the proper base class
if ($backendObject instanceof AbstractBackend) {
/** @var AbstractBackend $backendObject */
if ($backendObject->isAvailable()) {
// The backend is available, save it and stop the loop
self::$selectedBackend = $backendObject;
self::$initialized = true;
break;
}
// Attempt to force destruction of the object
unset($backendObject);
}
}
}
return self::$selectedBackend;
}
}
<?php
namespace TYPO3\CMS\Rsaauth\Backend;
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
use TYPO3\CMS\Core\Core\Environment;
use TYPO3\CMS\Core\Utility\CommandUtility;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\Utility\StringUtility;
/**
* This class contains an OpenSSL backend for the TYPO3 RSA authentication
* service. It uses shell version of OpenSSL to perform tasks. See class
* \TYPO3\CMS\Rsaauth\Backend\AbstractBackend for the information on using backends.
*/
class CommandLineBackend extends AbstractBackend
{
/**
* @var int
*/
const DEFAULT_EXPONENT = 65537;
/**
* A path to the openssl binary or FALSE if the binary does not exist
*
* @var string|bool
*/
protected $opensslPath;
/**
* Temporary directory. It is best of it is outside of the web site root and
* not publicly readable.
* For now we use Environment::getVarPath() . '/transient' (stored in the variable without the trailing slash).
*
* @var string
*/
protected $temporaryDirectory;
/**
* Creates an instance of this class. It obtains a path to the OpenSSL
* binary.
*/
public function __construct()
{
$this->opensslPath = CommandUtility::getCommand('openssl');
// Get temporary directory from the configuration
$path = trim(GeneralUtility::makeInstance(ExtensionConfiguration::class)->get('rsaauth', 'temporaryDirectory'));
if ($path !== '' && $path[0] === '/' && @is_dir($path) && is_writable($path)) {
$this->