ENH Deprecate old password encryptors (#10948)

Guy Sartorelli 2023-09-19 18:22:08 +12:00 committed by GitHub
parent 9ccba6bc73
commit b3b1d07616
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 52 additions and 2 deletions


@ -2,15 +2,28 @@
namespace SilverStripe\Security; namespace SilverStripe\Security;
use SilverStripe\Dev\Deprecation;
/** /**
* Legacy implementation for SilverStripe 2.1 - 2.3, * Legacy implementation for SilverStripe 2.1 - 2.3,
* which had a design flaw in password hashing that caused * which had a design flaw in password hashing that caused
* the hashes to differ between architectures due to * the hashes to differ between architectures due to
* floating point precision problems in base_convert(). * floating point precision problems in base_convert().
* See http://open.silverstripe.org/ticket/3004 * See http://open.silverstripe.org/ticket/3004
*
* @deprecated 5.2.0 Use SilverStripe\Security\PasswordEncryptor_PHPHash instead.
*/ */
class PasswordEncryptor_LegacyPHPHash extends PasswordEncryptor_PHPHash class PasswordEncryptor_LegacyPHPHash extends PasswordEncryptor_PHPHash
{ {
public function __construct()
{
Deprecation::notice(
'5.2.0',
'Use SilverStripe\Security\PasswordEncryptor_PHPHash instead.',
Deprecation::SCOPE_CLASS
);
}
public function encrypt($password, $salt = null, $member = null) public function encrypt($password, $salt = null, $member = null)
{ {
$password = parent::encrypt($password, $salt, $member); $password = parent::encrypt($password, $salt, $member);
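Review bot: The new `__construct()` takes no arguments and never calls `parent::__construct()`, so whatever the PasswordEncryptor_PHPHash constructor does with its argument is skipped for this subclass. The test hunk in this commit registers the class as `PasswordEncryptor_LegacyPHPHash::class => 'sha1'`, which suggests the parent constructor receives and checks the algorithm name; if so, a site configured with any other algorithm would presumably fall back to the parent's default, and stored legacy hashes would stop verifying. Consider `public function __construct($algorithm)` with `parent::__construct($algorithm);` after the `Deprecation::notice()` call. The existing test only exercises `'sha1'`, so it would likely not catch this. The class body continues outside the hunk.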


@ -2,13 +2,25 @@
namespace SilverStripe\Security; namespace SilverStripe\Security;
use SilverStripe\Dev\Deprecation;
use SilverStripe\ORM\DB; use SilverStripe\ORM\DB;
/** /**
* Uses MySQL's OLD_PASSWORD encyrption. Requires an active DB connection. * Uses MySQL's OLD_PASSWORD encyrption. Requires an active DB connection.
*
* @deprecated 5.2.0 Use another subclass of SilverStripe\Security\PasswordEncryptor instead.
*/ */
class PasswordEncryptor_MySQLOldPassword extends PasswordEncryptor class PasswordEncryptor_MySQLOldPassword extends PasswordEncryptor
{ {
public function __construct()
{
Deprecation::notice(
'5.2.0',
'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.',
Deprecation::SCOPE_CLASS
);
}
public function encrypt($password, $salt = null, $member = null) public function encrypt($password, $salt = null, $member = null)
{ {
return DB::prepared_query("SELECT OLD_PASSWORD(?)", [$password])->value(); return DB::prepared_query("SELECT OLD_PASSWORD(?)", [$password])->value();
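Review bot: The deprecation text `Use another subclass of SilverStripe\Security\PasswordEncryptor instead.` names no replacement, so an operator who sees it gets no indication of which encryptor is considered safe; the same wording is used in PasswordEncryptor_MySQLPassword and PasswordEncryptor_None in the following sections. Because `encrypt()` here passes only `$password` to `OLD_PASSWORD(?)`, the class docblock could also state the reason for the deprecation, e.g. `Hashes are unsalted ($salt is ignored).` Naming a concrete target in the message would help; PasswordEncryptor_Blowfish is imported in the test file, if that is the recommended one. The constructor notice does not by itself move stored hashes to a stronger scheme, so the upgrade notes should probably say how existing members get re-hashed.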


@ -2,13 +2,25 @@
namespace SilverStripe\Security; namespace SilverStripe\Security;
use SilverStripe\Dev\Deprecation;
use SilverStripe\ORM\DB; use SilverStripe\ORM\DB;
/** /**
* Uses MySQL's PASSWORD encryption. Requires an active DB connection. * Uses MySQL's PASSWORD encryption. Requires an active DB connection.
*
* @deprecated 5.2.0 Use another subclass of SilverStripe\Security\PasswordEncryptor instead.
*/ */
class PasswordEncryptor_MySQLPassword extends PasswordEncryptor class PasswordEncryptor_MySQLPassword extends PasswordEncryptor
{ {
public function __construct()
{
Deprecation::notice(
'5.2.0',
'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.',
Deprecation::SCOPE_CLASS
);
}
public function encrypt($password, $salt = null, $member = null) public function encrypt($password, $salt = null, $member = null)
{ {
return DB::prepared_query("SELECT PASSWORD(?)", [$password])->value(); return DB::prepared_query("SELECT PASSWORD(?)", [$password])->value();


@ -2,13 +2,25 @@
namespace SilverStripe\Security; namespace SilverStripe\Security;
use SilverStripe\Dev\Deprecation;
/** /**
* Cleartext passwords (used in SilverStripe 2.1). * Cleartext passwords (used in SilverStripe 2.1).
* Also used when Security::$encryptPasswords is set to FALSE.
* Not recommended. * Not recommended.
*
* @deprecated 5.2.0 Use another subclass of SilverStripe\Security\PasswordEncryptor instead.
*/ */
class PasswordEncryptor_None extends PasswordEncryptor class PasswordEncryptor_None extends PasswordEncryptor
{ {
public function __construct()
{
Deprecation::notice(
'5.2.0',
'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.',
Deprecation::SCOPE_CLASS
);
}
public function encrypt($password, $salt = null, $member = null) public function encrypt($password, $salt = null, $member = null)
{ {
return $password; return $password;


@ -5,6 +5,7 @@ namespace SilverStripe\Security\Tests;
use SilverStripe\Security\PasswordEncryptor_Blowfish; use SilverStripe\Security\PasswordEncryptor_Blowfish;
use SilverStripe\Security\PasswordEncryptor; use SilverStripe\Security\PasswordEncryptor;
use SilverStripe\Core\Config\Config; use SilverStripe\Core\Config\Config;
use SilverStripe\Dev\Deprecation;
use SilverStripe\Dev\SapphireTest; use SilverStripe\Dev\SapphireTest;
use SilverStripe\Security\PasswordEncryptor_LegacyPHPHash; use SilverStripe\Security\PasswordEncryptor_LegacyPHPHash;
use SilverStripe\Security\PasswordEncryptor_NotFoundException; use SilverStripe\Security\PasswordEncryptor_NotFoundException;
@ -155,7 +156,7 @@ class PasswordEncryptorTest extends SapphireTest
'encryptors', 'encryptors',
['test_sha1legacy' => [PasswordEncryptor_LegacyPHPHash::class => 'sha1']] ['test_sha1legacy' => [PasswordEncryptor_LegacyPHPHash::class => 'sha1']]
); );
$e = PasswordEncryptor::create_for_algorithm('test_sha1legacy'); $e = Deprecation::withNoReplacement(fn() => PasswordEncryptor::create_for_algorithm('test_sha1legacy'));
// precomputed hashes for 'mypassword' from different architectures // precomputed hashes for 'mypassword' from different architectures
$amdHash = 'h1fj0a6m4o6k0sosks88oo08ko4gc4s'; $amdHash = 'h1fj0a6m4o6k0sosks88oo08ko4gc4s';
$intelHash = 'h1fj0a6m4o0g04ocg00o4kwoc4wowws'; $intelHash = 'h1fj0a6m4o0g04ocg00o4kwoc4wowws';