Compare commits

...

4 Commits

Author SHA1 Message Date
Guy Sartorelli
8737806cd8
Merge 94dc070f5ad2df4cc69309960d08ceabd3e39ff8 into 730b891e106e8abb999910be303547edd3d2dd77 2024-09-25 22:21:30 +00:00
Guy Sartorelli
94dc070f5a
ENH Use symfony/validation logic 2024-09-26 10:21:02 +12:00
Guy Sartorelli
730b891e10
Merge branch '5' into 6
# Conflicts:
#	src/Security/Member.php
#	src/Security/PasswordValidator.php
#	tests/php/Forms/ConfirmedPasswordFieldTest.php
2024-09-26 09:23:56 +12:00
Guy Sartorelli
e34463875a
DEP Deprecate API that will be removed or renamed (#11401) 2024-09-25 16:11:39 +12:00
28 changed files with 543 additions and 430 deletions

View File

@ -28,7 +28,8 @@ SilverStripe\Dev\Backtrace:
- ['SilverStripe\Security\PasswordEncryptor_Blowfish', 'encryptA']
- ['SilverStripe\Security\PasswordEncryptor_Blowfish', 'encryptX']
- ['SilverStripe\Security\PasswordEncryptor_Blowfish', 'encryptY']
- ['SilverStripe\Security\PasswordValidator', 'validate']
- ['SilverStripe\Security\Validation\RulesPasswordValidator', 'validate']
- ['SilverStripe\Security\Validation\EntropyPasswordValidator', 'validate']
- ['SilverStripe\Security\RememberLoginHash', 'setToken']
- ['SilverStripe\Security\Security', 'encrypt_password']
- ['*', 'checkPassword']

View File

@ -2,12 +2,5 @@
Name: corepasswords
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Security\PasswordValidator:
properties:
MinLength: 8
HistoricCount: 6
# In the case someone uses `new PasswordValidator` instead of Injector, provide some safe defaults through config.
SilverStripe\Security\PasswordValidator:
min_length: 8
historic_count: 6
SilverStripe\Security\Validation\PasswordValidator:
class: 'SilverStripe\Security\Validation\EntropyPasswordValidator'

View File

@ -48,7 +48,7 @@
"symfony/mailer": "^7.0",
"symfony/mime": "^7.0",
"symfony/translation": "^7.0",
"symfony/validator": "^7.0",
"symfony/validator": "^7.1",
"symfony/yaml": "^7.0",
"ext-ctype": "*",
"ext-dom": "*",

View File

@ -4,14 +4,13 @@ namespace SilverStripe\Control\Email;
use Exception;
use RuntimeException;
use Egulias\EmailValidator\EmailValidator;
use Egulias\EmailValidator\Validation\RFCValidation;
use SilverStripe\Control\Director;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Environment;
use SilverStripe\Core\Extensible;
use SilverStripe\Core\Injector\Injectable;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Core\Validation\ConstraintValidator;
use SilverStripe\ORM\FieldType\DBField;
use SilverStripe\Model\ArrayData;
use SilverStripe\View\Requirements;
@ -22,6 +21,8 @@ use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Mime\Address;
use Symfony\Component\Mime\Email as SymfonyEmail;
use Symfony\Component\Mime\Part\AbstractPart;
use Symfony\Component\Validator\Constraints\Email as EmailConstraint;
use Symfony\Component\Validator\Constraints\NotBlank;
class Email extends SymfonyEmail
{
@ -63,16 +64,17 @@ class Email extends SymfonyEmail
private bool $dataHasBeenSet = false;
/**
* Checks for RFC822-valid email format.
*
* @copyright Cal Henderson <cal@iamcal.com>
* This code is licensed under a Creative Commons Attribution-ShareAlike 2.5 License
* http://creativecommons.org/licenses/by-sa/2.5/
* Checks for RFC valid email format.
*/
public static function is_valid_address(string $address): bool
{
$validator = new EmailValidator();
return $validator->isValid($address, new RFCValidation());
return ConstraintValidator::validate(
$address,
[
new EmailConstraint(mode: EmailConstraint::VALIDATION_MODE_STRICT),
new NotBlank()
]
)->isValid();
}
public static function getSendAllEmailsTo(): array
@ -117,7 +119,7 @@ class Email extends SymfonyEmail
$addresses = [];
if (is_array($config)) {
foreach ($config as $key => $val) {
if (filter_var($key, FILTER_VALIDATE_EMAIL)) {
if (static::is_valid_address($key)) {
$addresses[] = new Address($key, $val);
} else {
$addresses[] = new Address($val);

View File

@ -7,6 +7,8 @@ use BadMethodCallException;
use InvalidArgumentException;
use SilverStripe\Core\ClassInfo;
use SilverStripe\Core\ArrayLib;
use Symfony\Component\Validator\Constraints\Ip;
use Symfony\Component\Validator\Constraints\IpValidator;
/**
* Represents a HTTP-request, including a URL that is tokenised for parsing, and a request method
@ -810,7 +812,8 @@ class HTTPRequest implements ArrayAccess
*/
public function setIP($ip)
{
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
// We can't use ConstraintValidator here because it relies on injector and the kernel may not have booted yet.
if (!IpValidator::checkIp($ip, Ip::ALL)) {
throw new InvalidArgumentException("Invalid ip $ip");
}
$this->ip = $ip;

View File

@ -3,7 +3,10 @@
namespace SilverStripe\Control\Middleware;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Validation\ConstraintValidator;
use Symfony\Component\HttpFoundation\IpUtils;
use Symfony\Component\Validator\Constraints\Ip;
use Symfony\Component\Validator\Constraints\NotBlank;
/**
* This middleware will rewrite headers that provide IP and host details from an upstream proxy.
@ -220,14 +223,14 @@ class TrustedProxyMiddleware implements HTTPMiddleware
// Prioritise filters
$filters = [
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
FILTER_FLAG_NO_PRIV_RANGE,
null
Ip::ALL_ONLY_PUBLIC,
Ip::ALL_NO_PRIVATE,
Ip::ALL
];
foreach ($filters as $filter) {
// Find best IP
foreach ($ips as $ip) {
if (filter_var($ip, FILTER_VALIDATE_IP, $filter ?? 0)) {
if (ConstraintValidator::validate($ip, [new Ip(version: $filter), new NotBlank()])->isValid()) {
return $ip;
}
}

View File

@ -2,9 +2,12 @@
namespace SilverStripe\Core;
use SilverStripe\Core\Validation\ConstraintValidator;
use SimpleXMLElement;
use SilverStripe\ORM\DB;
use SilverStripe\View\Parsers\URLSegmentFilter;
use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\Url;
/**
* Library of conversion functions, implemented as static methods.
@ -226,16 +229,14 @@ class Convert
/**
* Create a link if the string is a valid URL
*
* @param string $string The string to linkify
* @return string A link to the URL if string is a URL
*/
public static function linkIfMatch($string)
{
if (preg_match('/^[a-z+]+\:\/\/[a-zA-Z0-9$-_.+?&=!*\'()%]+$/', $string ?? '')) {
public static function linkIfMatch(
string $string,
array $protocols = ['file', 'ftp', 'http', 'https', 'imap', 'nntp']
): string {
if (ConstraintValidator::validate($string, [new Url(protocols: $protocols), new NotBlank()])->isValid()) {
return "<a style=\"white-space: nowrap\" href=\"$string\">$string</a>";
}
return $string;
}

View File

@ -10,6 +10,8 @@ use SilverStripe\Security\Authenticator;
use SilverStripe\Security\Security;
use SilverStripe\View\HTML;
use Closure;
use SilverStripe\Core\Validation\ConstraintValidator;
use Symfony\Component\Validator\Constraints\PasswordStrength;
/**
* Two masked input fields, checks for matching passwords.
@ -25,34 +27,33 @@ class ConfirmedPasswordField extends FormField
/**
* Minimum character length of the password.
*
* @var int
*/
public $minLength = null;
public int $minLength = 0;
/**
* Maximum character length of the password.
*
* @var int
* 0 means no maximum length.
*/
public $maxLength = null;
public int $maxLength = 0;
/**
* Enforces at least one digit and one alphanumeric
* character (in addition to {$minLength} and {$maxLength}
*
* @var boolean
* Enforces password strength validation based on entropy.
* See setMinPasswordStrength()
*/
public $requireStrongPassword = false;
public bool $requireStrongPassword = false;
/**
* Allow empty fields when entering the password for the first time
* If this is set to true then a random password may be generated if the field is empty
* depending on the value of $ConfirmedPasswordField::generateRandomPasswordOnEmtpy
*
* @var boolean
*/
public $canBeEmpty = false;
public bool $canBeEmpty = false;
/**
* Minimum password strength if requireStrongPassword is true
* See https://symfony.com/doc/current/reference/constraints/PasswordStrength.html#minscore
*/
private int $minPasswordStrength = PasswordStrength::STRENGTH_STRONG;
/**
* Callback used to generate a random password if $this->canBeEmpty is true and the field is left blank
@ -72,79 +73,54 @@ class ConfirmedPasswordField extends FormField
*
* Caution: The form field does not include any JavaScript or CSS when used outside of the CMS context,
* since the required frontend dependencies are included through CMS bundling.
*
* @param boolean $showOnClick
*/
protected $showOnClick = false;
protected bool $showOnClick = false;
/**
* Check if the existing password should be entered first
*
* @var bool
*/
protected $requireExistingPassword = false;
protected bool $requireExistingPassword = false;
/**
* A place to temporarily store the confirm password value
*
* @var string
*/
protected $confirmValue;
protected ?string $confirmValue = null;
/**
* Store value of "Current Password" field
*
* @var string
*/
protected $currentPasswordValue;
protected ?string $currentPasswordValue = null;
/**
* Title for the link that triggers the visibility of password fields.
*
* @var string
*/
public $showOnClickTitle;
public string $showOnClickTitle = '';
/**
* Child fields (_Password, _ConfirmPassword)
*
* @var FieldList
*/
public $children;
public FieldList $children;
protected $schemaDataType = FormField::SCHEMA_DATA_TYPE_STRUCTURAL;
/**
* @var PasswordField
*/
protected $passwordField = null;
protected ?PasswordField $passwordField;
protected ?PasswordField $confirmPasswordfield;
protected ?HiddenField $hiddenField = null;
/**
* @var PasswordField
*/
protected $confirmPasswordfield = null;
/**
* @var HiddenField
*/
protected $hiddenField = null;
/**
* @param string $name
* @param string $title
* @param mixed $value
* @param Form $form Ignored for ConfirmedPasswordField.
* @param boolean $showOnClick
* @param string $titleConfirmField Alternate title (not localizeable)
*/
public function __construct(
$name,
$title = null,
$value = "",
$form = null,
$showOnClick = false,
$titleConfirmField = null
string $name,
?string $title = null,
mixed $value = "",
?Form $form = null,
bool $showOnClick = false,
?string $titleConfirmField = null
) {
// Set field title
@ -528,14 +504,18 @@ class ConfirmedPasswordField extends FormField
}
if ($this->getRequireStrongPassword()) {
if (!preg_match('/^(([a-zA-Z]+\d+)|(\d+[a-zA-Z]+))[a-zA-Z0-9]*$/', $value ?? '')) {
$strongEnough = ConstraintValidator::validate(
$value,
new PasswordStrength(minScore: $this->getMinPasswordStrength())
)->isValid();
if (!$strongEnough) {
$validator->validationError(
$name,
_t(
'SilverStripe\\Forms\\Form.VALIDATIONSTRONGPASSWORD',
'Passwords must have at least one digit and one alphanumeric character'
__CLASS__ . '.VALIDATIONSTRONGPASSWORD',
'The password strength is too low. Please use a stronger password.'
),
"validation"
'validation'
);
return $this->extendValidationResult(false, $validator);
@ -637,24 +617,21 @@ class ConfirmedPasswordField extends FormField
/**
* Check if existing password is required
*
* @return bool
* If true, an extra form field will be added to enter the existing password
*/
public function getRequireExistingPassword()
public function getRequireExistingPassword(): bool
{
return $this->requireExistingPassword;
}
/**
* Set if the existing password should be required
*
* @param bool $show Flag to show or hide this field
* @return $this
* If true, an extra form field will be added to enter the existing password
*/
public function setRequireExistingPassword($show)
public function setRequireExistingPassword(bool $show): static
{
// Don't modify if already added / removed
if ((bool)$show === $this->requireExistingPassword) {
if ($show === $this->requireExistingPassword) {
return $this;
}
$this->requireExistingPassword = $show;
@ -670,79 +647,91 @@ class ConfirmedPasswordField extends FormField
}
/**
* @return PasswordField
* Get the FormField that represents the main password field
*/
public function getPasswordField()
public function getPasswordField(): PasswordField
{
return $this->passwordField;
}
/**
* @return PasswordField
* Get the FormField that represents the "confirm" password field
*/
public function getConfirmPasswordField()
public function getConfirmPasswordField(): PasswordField
{
return $this->confirmPasswordfield;
}
/**
* Set the minimum length required for passwords
*
* @param int $minLength
* @return $this
*/
public function setMinLength($minLength)
public function setMinLength(int $minLength): static
{
$this->minLength = (int) $minLength;
$this->minLength = $minLength;
return $this;
}
/**
* @return int
* Get the minimum length required for passwords
*/
public function getMinLength()
public function getMinLength(): int
{
return $this->minLength;
}
/**
* Set the maximum length required for passwords
*
* @param int $maxLength
* @return $this
* Set the maximum length required for passwords.
* 0 means no max length.
*/
public function setMaxLength($maxLength)
public function setMaxLength(int $maxLength): static
{
$this->maxLength = (int) $maxLength;
$this->maxLength = $maxLength;
return $this;
}
/**
* @return int
* Get the maximum length required for passwords.
* 0 means no max length.
*/
public function getMaxLength()
public function getMaxLength(): int
{
return $this->maxLength;
}
/**
* @param bool $requireStrongPassword
* @return $this
* Set whether password strength validation is enforced.
* See setMinPasswordStrength()
*/
public function setRequireStrongPassword($requireStrongPassword)
public function setRequireStrongPassword($requireStrongPassword): static
{
$this->requireStrongPassword = (bool) $requireStrongPassword;
return $this;
}
/**
* @return bool
* Get whether password strength validation is enforced.
* See setMinPasswordStrength()
*/
public function getRequireStrongPassword()
public function getRequireStrongPassword(): bool
{
return $this->requireStrongPassword;
}
/**
* Set minimum password strength. Only applies if requireStrongPassword is true
* See https://symfony.com/doc/current/reference/constraints/PasswordStrength.html#minscore
*/
public function setMinPasswordStrength(int $strength): static
{
$this->minPasswordStrength = $strength;
return $this;
}
public function getMinPasswordStrength(): int
{
return $this->minPasswordStrength;
}
/**
* Appends a warning to the right title, or removes that appended warning.
*/

View File

@ -2,52 +2,40 @@
namespace SilverStripe\Forms;
use SilverStripe\Core\Validation\ConstraintValidator;
use Symfony\Component\Validator\Constraints\Email as EmailConstraint;
/**
* Text input field with validation for correct email format according to RFC 2822.
* Text input field with validation for correct email format according to the relevant RFC.
*/
class EmailField extends TextField
{
protected $inputType = 'email';
/**
* {@inheritdoc}
*/
public function Type()
{
return 'email text';
}
/**
* Validates for RFC 2822 compliant email addresses.
*
* @see http://www.regular-expressions.info/email.html
* @see http://www.ietf.org/rfc/rfc2822.txt
* Validates for RFC compliant email addresses.
*
* @param Validator $validator
*
* @return string
*/
public function validate($validator)
{
$result = true;
$this->value = trim($this->value ?? '');
$pattern = '^[a-z0-9!#$%&\'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&\'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$';
$message = _t('SilverStripe\\Forms\\EmailField.VALIDATION', 'Please enter an email address');
$result = ConstraintValidator::validate(
$this->value,
new EmailConstraint(message: $message, mode: EmailConstraint::VALIDATION_MODE_STRICT),
$this->getName()
);
$validator->getResult()->combineAnd($result);
$isValid = $result->isValid();
// Escape delimiter characters.
$safePattern = str_replace('/', '\\/', $pattern ?? '');
if ($this->value && !preg_match('/' . $safePattern . '/i', $this->value ?? '')) {
$validator->validationError(
$this->name,
_t('SilverStripe\\Forms\\EmailField.VALIDATION', 'Please enter an email address'),
'validation'
);
$result = false;
}
return $this->extendValidationResult($result, $validator);
return $this->extendValidationResult($isValid, $validator);
}
public function getSchemaValidation()

View File

@ -7,10 +7,24 @@ use Symfony\Component\Validator\Constraints\Url;
/**
* Text input field with validation for a url
* Url must include a scheme, either http:// or https://
* Url must include a protocol (aka scheme) such as https:// or http://
*/
class UrlField extends TextField
{
/**
* The default set of protocols allowed for valid URLs
*/
private static array $default_protocols = ['https', 'http'];
/**
* The default value for whether a relative protocol (// on its own) is allowed
*/
private static bool $default_allow_relative_protocol = false;
private array $protocols = [];
private ?bool $allowRelativeProtocol = null;
public function Type()
{
return 'text url';
@ -18,15 +32,64 @@ class UrlField extends TextField
public function validate($validator)
{
$result = true;
if ($this->value && !ConstraintValidator::validate($this->value, new Url())->isValid()) {
$validator->validationError(
$this->name,
_t(__CLASS__ . '.INVALID', 'Please enter a valid URL'),
'validation'
);
$result = false;
$allowedProtocols = $this->getAllowedProtocols();
$message = _t(
__CLASS__ . '.INVALID_WITH_PROTOCOL',
'Please enter a valid URL including a protocol, e.g {protocol}://example.com',
['protocol' => $allowedProtocols[0]]
);
$result = ConstraintValidator::validate(
$this->value,
new Url(
message: $message,
protocols: $allowedProtocols,
relativeProtocol: $this->getAllowRelativeProtocol()
),
$this->getName()
);
$validator->getResult()->combineAnd($result);
$isValid = $result->isValid();
return $this->extendValidationResult($isValid, $validator);
}
/**
* Set which protocols valid URLs are allowed to have
*/
public function setAllowedProtocols(array $protocols): static
{
// Ensure the array isn't associative so we can use 0 index in validate().
$this->protocols = array_keys($protocols);
return $this;
}
/**
* Get which protocols valid URLs are allowed to have
*/
public function getAllowedProtocols(): array
{
if (empty($this->protocols)) {
return static::config()->get('default_protocols');
}
return $this->extendValidationResult($result, $validator);
return $this->protocols;
}
/**
* Set whether a relative protocol (// on its own) is allowed
*/
public function setAllowRelativeProtocol(?bool $allow): static
{
$this->allowRelativeProtocol = $allow;
return $this;
}
/**
* Get whether a relative protocol (// on its own) is allowed
*/
public function getAllowRelativeProtocol(): bool
{
if ($this->allowRelativeProtocol === null) {
return static::config()->get('default_allow_relative_protocol');
}
return $this->allowRelativeProtocol;
}
}

View File

@ -44,6 +44,8 @@ use SilverStripe\Forms\FormField;
use SilverStripe\Forms\SearchableDropdownField;
use SilverStripe\Forms\SearchableMultiDropdownField;
use SilverStripe\ORM\FieldType\DBForeignKey;
use SilverStripe\Security\Validation\PasswordValidator;
use SilverStripe\Security\Validation\RulesPasswordValidator;
/**
* The member class which represents the users of the system
@ -378,10 +380,8 @@ class Member extends DataObject
/**
* Set a {@link PasswordValidator} object to use to validate member's passwords.
*
* @param PasswordValidator $validator
*/
public static function set_password_validator(PasswordValidator $validator = null)
public static function set_password_validator(?PasswordValidator $validator = null)
{
// Override existing config
Config::modify()->remove(Injector::class, PasswordValidator::class);
@ -394,10 +394,8 @@ class Member extends DataObject
/**
* Returns the default {@link PasswordValidator}
*
* @return PasswordValidator|null
*/
public static function password_validator()
public static function password_validator(): ?PasswordValidator
{
if (Injector::inst()->has(PasswordValidator::class)) {
return Injector::inst()->get(PasswordValidator::class);
@ -1763,11 +1761,16 @@ class Member extends DataObject
{
$password = '';
$validator = Member::password_validator();
if ($length && $validator && $length < $validator->getMinLength()) {
throw new InvalidArgumentException('length argument is less than password validator minLength');
if ($validator instanceof RulesPasswordValidator) {
$validatorMinLength = $validator->getMinLength();
if ($length && $length < $validatorMinLength) {
throw new InvalidArgumentException('length argument is less than password validator minLength');
}
} else {
// Make sure the password is long enough to beat even very strict entropy tests
$validatorMinLength = 128;
}
$validatorMinLength = $validator ? $validator->getMinLength() : 0;
$len = $length ?: max($validatorMinLength, 20);
$len = max($length, $validatorMinLength, 20);
// The default PasswordValidator checks the password includes the following four character sets
$charsets = [
'abcdefghijklmnopqrstuvwyxz',

View File

@ -0,0 +1,33 @@
<?php
namespace SilverStripe\Security\Validation;
use SilverStripe\Core\Extensible;
use SilverStripe\Core\Validation\ConstraintValidator;
use SilverStripe\Core\Validation\ValidationResult;
use SilverStripe\Security\Member;
use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\PasswordStrength;
/**
* Validates passwords based on entropy.
*/
class EntropyPasswordValidator extends PasswordValidator
{
use Extensible;
/**
* The strength of a valid password.
* See https://symfony.com/doc/current/reference/constraints/PasswordStrength.html#minscore
*/
private static int $password_strength = PasswordStrength::STRENGTH_STRONG;
public function validate(string $password, Member $member): ValidationResult
{
$minScore = static::config()->get('password_strength');
$result = ConstraintValidator::validate($password, [new PasswordStrength(minScore: $minScore), new NotBlank()]);
$result->combineAnd(parent::validate($password, $member));
$this->extend('updateValidatePassword', $password, $member, $result, $this);
return $result;
}
}

View File

@ -0,0 +1,72 @@
<?php
namespace SilverStripe\Security\Validation;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Injector\Injectable;
use SilverStripe\ORM\DataObject;
use SilverStripe\Core\Validation\ValidationResult;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberPassword;
/**
* Abstract validator with functionality for checking for reusing old passwords.
*/
abstract class PasswordValidator
{
use Injectable;
use Configurable;
/**
* Default number of previous passwords to check for a reusing old passwords.
*/
private static int $historic_count = 6;
protected ?int $historicalPasswordCount = null;
public function validate(string $password, Member $member): ValidationResult
{
$result = ValidationResult::create();
$historicCount = $this->getHistoricCount();
if ($historicCount) {
$idColumn = DataObject::getSchema()->sqlColumnForField(MemberPassword::class, 'MemberID');
$previousPasswords = MemberPassword::get()
->where([$idColumn => $member->ID])
->sort(['Created' => 'DESC', 'ID' => 'DESC'])
->limit($historicCount);
foreach ($previousPasswords as $previousPassword) {
if ($previousPassword->checkPassword($password)) {
$error = _t(
PasswordValidator::class . '.PREVPASSWORD',
'You\'ve already used that password in the past, please choose a new password'
);
$result->addError($error, 'bad', 'PREVIOUS_PASSWORD');
break;
}
}
}
return $result;
}
/**
* Get the number of previous passwords to check for a reusing old passwords.
*/
public function getHistoricCount(): int
{
if ($this->historicalPasswordCount !== null) {
return $this->historicalPasswordCount;
}
return $this->config()->get('historic_count') ?? 0;
}
/**
* Set the number of previous passwords to check for a reusing old passwords.
*/
public function setHistoricCount(int $count): static
{
$this->historicalPasswordCount = $count;
return $this;
}
}

View File

@ -1,36 +1,32 @@
<?php
namespace SilverStripe\Security;
namespace SilverStripe\Security\Validation;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Extensible;
use SilverStripe\Core\Injector\Injectable;
use SilverStripe\Core\Validation\ValidationResult;
use SilverStripe\Security\Member;
/**
* This class represents a validator for member passwords.
* Validates passwords based on a set of regex rules about what the password must contain.
*
* <code>
* $pwdVal = new PasswordValidator();
* $pwdValidator->setMinLength(7);
* $pwdValidator->checkHistoricalPasswords(6);
* $pwdValidator->setHistoricCount(6);
* $pwdValidator->setMinTestScore(3);
* $pwdValidator->setTestNames(array("lowercase", "uppercase", "digits", "punctuation"));
*
* Member::set_password_validator($pwdValidator);
* </code>
*/
class PasswordValidator
class RulesPasswordValidator extends PasswordValidator
{
use Injectable;
use Configurable;
use Extensible;
/**
* @config
* @var array
* Regex to test the password against. See min_test_score.
*/
private static $character_strength_tests = [
private static array $character_strength_tests = [
'lowercase' => '/[a-z]/',
'uppercase' => '/[A-Z]/',
'digits' => '/[0-9]/',
@ -38,80 +34,62 @@ class PasswordValidator
];
/**
* @config
* @var int
* Default minimum number of characters for a valid password.
*/
private static $min_length = null;
private static int $min_length = 8;
/**
* @config
* @var int
* Default minimum test score for a valid password.
* The test score is the number of character_strength_tests that the password matches.
*/
private static $min_test_score = null;
private static int $min_test_score = 0;
/**
* @config
* @var int
*/
private static $historic_count = null;
protected ?int $minLength = null;
/**
* @var int
*/
protected $minLength = null;
/**
* @var int
*/
protected $minScore = null;
protected ?int $minScore = null;
/**
* @var string[]
*/
protected $testNames = null;
protected ?array $testNames = null;
/**
* @var int
* Get the minimum number of characters for a valid password.
*/
protected $historicalPasswordCount = null;
/**
* @return int
*/
public function getMinLength()
public function getMinLength(): int
{
if ($this->minLength !== null) {
return $this->minLength;
}
return $this->config()->get('min_length');
return $this->config()->get('min_length') ?? 0;
}
/**
* @param int $minLength
* @return $this
* Set the minimum number of characters for a valid password.
*/
public function setMinLength($minLength)
public function setMinLength(int $minLength): static
{
$this->minLength = $minLength;
return $this;
}
/**
* @return integer
* Get the minimum test score for a valid password.
* The test score is the number of character_strength_tests that the password matches.
*/
public function getMinTestScore()
public function getMinTestScore(): int
{
if ($this->minScore !== null) {
return $this->minScore;
}
return $this->config()->get('min_test_score');
return $this->config()->get('min_test_score') ?? 0;
}
/**
* @param int $minScore
* @return $this
* Set the minimum test score for a valid password.
* The test score is the number of character_strength_tests that the password matches.
*/
public function setMinTestScore($minScore)
public function setMinTestScore(int $minScore): static
{
$this->minScore = $minScore;
return $this;
@ -122,7 +100,7 @@ class PasswordValidator
*
* @return string[]
*/
public function getTestNames()
public function getTestNames(): array
{
if ($this->testNames !== null) {
return $this->testNames;
@ -134,51 +112,22 @@ class PasswordValidator
* Set list of tests to use for this validator
*
* @param string[] $testNames
* @return $this
*/
public function setTestNames($testNames)
public function setTestNames(array $testNames): static
{
$this->testNames = $testNames;
return $this;
}
/**
* @return int
*/
public function getHistoricCount()
{
if ($this->historicalPasswordCount !== null) {
return $this->historicalPasswordCount;
}
return $this->config()->get('historic_count');
}
/**
* @param int $count
* @return $this
*/
public function setHistoricCount($count)
{
$this->historicalPasswordCount = $count;
return $this;
}
/**
* Gets all possible tests
*
* @return array
*/
public function getTests()
public function getTests(): array
{
return $this->config()->get('character_strength_tests');
}
/**
* @param string $password
* @param Member $member
* @return ValidationResult
*/
public function validate($password, $member)
public function validate(string $password, Member $member): ValidationResult
{
$valid = ValidationResult::create();
@ -222,23 +171,7 @@ class PasswordValidator
}
}
$historicCount = $this->getHistoricCount();
if ($historicCount) {
$previousPasswords = MemberPassword::get()
->where(['"MemberPassword"."MemberID"' => $member->ID])
->sort('"Created" DESC, "ID" DESC')
->limit($historicCount);
foreach ($previousPasswords as $previousPassword) {
if ($previousPassword->checkPassword($password)) {
$error = _t(
__CLASS__ . '.PREVPASSWORD',
'You\'ve already used that password in the past, please choose a new password'
);
$valid->addError($error, 'bad', 'PREVIOUS_PASSWORD');
break;
}
}
}
$valid->combineAnd(parent::validate($password, $member));
$this->extend('updateValidatePassword', $password, $member, $valid, $this);

View File

@ -11,7 +11,6 @@ use SilverStripe\Forms\Form;
use SilverStripe\Forms\ReadonlyField;
use SilverStripe\Forms\RequiredFields;
use SilverStripe\Security\Member;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\View\SSViewer;
use Closure;
use PHPUnit\Framework\Attributes\DataProvider;
@ -24,9 +23,7 @@ class ConfirmedPasswordFieldTest extends SapphireTest
{
parent::setUp();
PasswordValidator::singleton()
->setMinLength(0)
->setTestNames([]);
Member::set_password_validator(null);
}
public function testSetValue()
@ -214,10 +211,10 @@ class ConfirmedPasswordFieldTest extends SapphireTest
return [
'valid: within min and max' => [3, 8, true],
'invalid: lower than min with max' => [8, 12, false, 'Passwords must be 8 to 12 characters long'],
'valid: greater than min' => [3, null, true],
'invalid: lower than min' => [8, null, false, 'Passwords must be at least 8 characters long'],
'valid: less than max' => [null, 8, true],
'invalid: greater than max' => [null, 4, false, 'Passwords must be at most 4 characters long'],
'valid: greater than min' => [3, 0, true],
'invalid: lower than min' => [8, 0, false, 'Passwords must be at least 8 characters long'],
'valid: less than max' => [0, 8, true],
'invalid: greater than max' => [0, 4, false, 'Passwords must be at most 4 characters long'],
];
}
@ -236,7 +233,7 @@ class ConfirmedPasswordFieldTest extends SapphireTest
$this->assertFalse($result, 'Validate method should return its result');
$this->assertFalse($validator->getResult()->isValid());
$this->assertStringContainsString(
'Passwords must have at least one digit and one alphanumeric character',
'The password strength is too low. Please use a stronger password.',
json_encode($validator->getResult()->__serialize())
);
}

View File

@ -4,9 +4,7 @@ namespace SilverStripe\Forms\Tests;
use SilverStripe\Dev\FunctionalTest;
use SilverStripe\Forms\EmailField;
use Exception;
use PHPUnit\Framework\AssertionFailedError;
use SilverStripe\Forms\Tests\EmailFieldTest\TestValidator;
use SilverStripe\Forms\FieldsValidator;
class EmailFieldTest extends FunctionalTest
{
@ -40,21 +38,14 @@ class EmailFieldTest extends FunctionalTest
$field = new EmailField("MyEmail");
$field->setValue($email);
$val = new TestValidator();
try {
$field->validate($val);
// If we expect failure and processing gets here without an exception, the test failed
$this->assertTrue($expectSuccess, $checkText . " (/$email/ passed validation, but not expected to)");
} catch (Exception $e) {
if ($e instanceof AssertionFailedError) {
// re-throw assertion failure
throw $e;
} elseif ($expectSuccess) {
$this->fail(
$checkText . ": " . $e->getMessage() . " (/$email/ did not pass validation, but was expected to)"
);
}
if ($expectSuccess) {
$message = $checkText . " (/$email/ did not pass validation, but was expected to)";
} else {
$message = $checkText . " (/$email/ passed validation, but not expected to)";
}
$result = $field->validate(new FieldsValidator());
$this->assertSame($expectSuccess, $result, $message);
}
/**

View File

@ -1,27 +0,0 @@
<?php
namespace SilverStripe\Forms\Tests\EmailFieldTest;
use Exception;
use SilverStripe\Forms\Validator;
use SilverStripe\Core\Validation\ValidationResult;
class TestValidator extends Validator
{
public function validationError(
$fieldName,
$message,
$messageType = ValidationResult::TYPE_ERROR,
$cast = ValidationResult::CAST_TEXT
) {
throw new Exception($message);
}
public function javascript()
{
}
public function php($data)
{
}
}

View File

@ -18,7 +18,6 @@ use SilverStripe\Security\MemberAuthenticator\CMSMemberAuthenticator;
use SilverStripe\Security\MemberAuthenticator\CMSMemberLoginForm;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
use SilverStripe\Security\MemberAuthenticator\MemberLoginForm;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Security;
class MemberAuthenticatorTest extends SapphireTest
@ -43,10 +42,8 @@ class MemberAuthenticatorTest extends SapphireTest
}
DefaultAdminService::setDefaultAdmin('admin', 'password');
// Enforce dummy validation (this can otherwise be influenced by recipe config)
PasswordValidator::singleton()
->setMinLength(0)
->setTestNames([]);
// Enforce no password validation
Member::set_password_validator(null);
}
protected function tearDown(): void

View File

@ -6,7 +6,6 @@ use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Group;
use SilverStripe\Security\MemberCsvBulkLoader;
use SilverStripe\Security\Member;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Security;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
@ -18,10 +17,7 @@ class MemberCsvBulkLoaderTest extends SapphireTest
protected function setUp(): void
{
parent::setUp();
PasswordValidator::singleton()
->setMinLength(0)
->setTestNames([]);
Member::set_password_validator(null);
}
public function testNewImport()

View File

@ -28,7 +28,6 @@ use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
use SilverStripe\Security\MemberAuthenticator\SessionAuthenticationHandler;
use SilverStripe\Security\MemberPassword;
use SilverStripe\Security\PasswordEncryptor_Blowfish;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Permission;
use SilverStripe\Security\RememberLoginHash;
use SilverStripe\Security\Security;
@ -36,6 +35,8 @@ use SilverStripe\Security\Tests\MemberTest\FieldsExtension;
use SilverStripe\SessionManager\Models\LoginSession;
use ReflectionMethod;
use PHPUnit\Framework\Attributes\DataProvider;
use SilverStripe\Security\Validation\EntropyPasswordValidator;
use SilverStripe\Security\Validation\RulesPasswordValidator;
class MemberTest extends FunctionalTest
{
@ -74,10 +75,6 @@ class MemberTest extends FunctionalTest
Member::config()->set('unique_identifier_field', 'Email');
PasswordValidator::singleton()
->setMinLength(0)
->setTestNames([]);
i18n::set_locale('en_US');
}
@ -1767,11 +1764,23 @@ class MemberTest extends FunctionalTest
$this->assertNotNull(Member::get()->find('Email', 'trimmed@test.com'));
}
public function testChangePasswordToBlankIsValidated()
public static function provideChangePasswordToBlankIsValidated(): array
{
Member::set_password_validator(new PasswordValidator());
// override setup() function which setMinLength(0)
PasswordValidator::singleton()->setMinLength(8);
return [
[
'validatorClass' => RulesPasswordValidator::class,
],
[
'validatorClass' => EntropyPasswordValidator::class,
],
];
}
#[DataProvider('provideChangePasswordToBlankIsValidated')]
public function testChangePasswordToBlankIsValidated(string $validatorClass): void
{
$validator = new $validatorClass();
Member::set_password_validator($validator);
// 'test' member has a password defined in yml
$member = $this->objFromFixture(Member::class, 'test');
$result = $member->changePassword('');
@ -1893,34 +1902,57 @@ class MemberTest extends FunctionalTest
];
}
public function testGenerateRandomPassword()
public static function provideGenerateRandomPassword(): array
{
return [
[
'validatorClass' => RulesPasswordValidator::class,
],
[
'validatorClass' => EntropyPasswordValidator::class,
],
];
}
#[DataProvider('provideGenerateRandomPassword')]
public function testGenerateRandomPassword(string $validatorClass): void
{
$member = new Member();
// no password validator
Member::set_password_validator(null);
// password length is same as length argument
// password length is min 128 chars long
$password = $member->generateRandomPassword(5);
$this->assertSame(5, strlen($password));
// default to 20 if not length argument
$password = $member->generateRandomPassword();
$this->assertSame(20, strlen($password));
$this->assertSame(128, strlen($password));
// password length can be longer
$password = $member->generateRandomPassword(130);
$this->assertSame(130, strlen($password));
// password validator
$validator = new PasswordValidator();
$validator = new $validatorClass();
Member::set_password_validator($validator);
// Password length of 20 even if validator minLength is less than 20
$validator->setMinLength(10);
if ($validator instanceof RulesPasswordValidator) {
// Password length of 20 even if validator minLength is less than 20
$validator->setMinLength(10);
$minLengthInMember = 20;
} else {
$minLengthInMember = 128;
}
$password = $member->generateRandomPassword();
$this->assertSame(20, strlen($password));
// Password length of 25 if passing length argument, and validator minlength is less than length argument
$password = $member->generateRandomPassword(25);
$this->assertSame(25, strlen($password));
// Password length is validator minLength if validator minLength is greater than 20 and no length argument
$validator->setMinLength(30);
$password = $member->generateRandomPassword();
$this->assertSame(30, strlen($password));
// Exception throw if length argument is less than validator minLength
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('length argument is less than password validator minLength');
$password = $member->generateRandomPassword(15);
$this->assertSame($minLengthInMember, strlen($password));
// Password length of 256 if passing length argument, and validator minlength is less than length argument
$password = $member->generateRandomPassword(256);
$this->assertSame(256, strlen($password));
if ($validator instanceof RulesPasswordValidator) {
// Password length is validator minLength if validator minLength is greater than 20 and no length argument
$validator->setMinLength(30);
$password = $member->generateRandomPassword();
$this->assertSame(30, strlen($password));
// Exception throw if length argument is less than validator minLength
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('length argument is less than password validator minLength');
$password = $member->generateRandomPassword(15);
} else {
// No exception for entropy validator
$password = $member->generateRandomPassword(15);
}
}
}

View File

@ -3,9 +3,9 @@
namespace SilverStripe\Security\Tests\MemberTest;
use SilverStripe\Dev\TestOnly;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Validation\RulesPasswordValidator;
class TestPasswordValidator extends PasswordValidator implements TestOnly
class TestPasswordValidator extends RulesPasswordValidator implements TestOnly
{
public function __construct()
{

View File

@ -4,11 +4,12 @@ namespace SilverStripe\Security\Tests\MemberTest;
use SilverStripe\Dev\TestOnly;
use SilverStripe\Core\Validation\ValidationResult;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Member;
use SilverStripe\Security\Validation\PasswordValidator;
class VerySpecificPasswordValidator extends PasswordValidator implements TestOnly
{
public function validate($password, $member)
public function validate(string $password, Member $member): ValidationResult
{
$result = ValidationResult::create();
if (strlen($password ?? '') !== 17) {

View File

@ -22,7 +22,6 @@ use SilverStripe\Core\Validation\ValidationResult;
use SilverStripe\Security\LoginAttempt;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Security;
use SilverStripe\Security\SecurityToken;
@ -60,11 +59,6 @@ class SecurityTest extends FunctionalTest
Member::config()->set('unique_identifier_field', 'Email');
PasswordValidator::config()
->remove('min_length')
->remove('historic_count')
->remove('min_test_score');
Member::set_password_validator(null);
parent::setUp();

View File

@ -0,0 +1,42 @@
<?php
namespace SilverStripe\Security\Tests\Validation;
use PHPUnit\Framework\Attributes\DataProvider;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Security\Member;
use SilverStripe\Security\Validation\EntropyPasswordValidator;
/**
* EntropyPasswordValidator uses a third-party for its validation so we don't need rigorous testing here.
* Just test that stupid simple passwords don't pass, and complex ones do.
*/
class EntropyPasswordValidatorTest extends SapphireTest
{
protected $usesDatabase = false;
public static function provideValidate(): array
{
return [
[
'password' => '',
'expected' => false,
],
[
'password' => 'password123',
'expected' => false,
],
[
'password' => 'This is a really long and complex PASSWORD',
'expected' => true,
],
];
}
#[DataProvider('provideValidate')]
public function testValidate(string $password, bool $expected): void
{
$validator = new EntropyPasswordValidator();
$this->assertSame($expected, $validator->validate($password, new Member())->isValid());
}
}

View File

@ -0,0 +1,40 @@
<?php
namespace SilverStripe\Security\Tests\Validation;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Security\Member;
use SilverStripe\Security\Tests\Validation\RulesPasswordValidatorTest\DummyPasswordValidator;
class PasswordValidatorTest extends SapphireTest
{
/**
* {@inheritDoc}
* @var bool
*/
protected $usesDatabase = true;
public function testValidate()
{
$validator = new DummyPasswordValidator;
$validator->setHistoricCount(3);
Member::set_password_validator($validator);
$member = new Member;
$member->FirstName = 'Repeat';
$member->Surname = 'Password-Man';
$member->Password = 'honk';
$member->write();
// Create a set of used passwords
$member->changePassword('foobar');
$member->changePassword('foobaz');
$member->changePassword('barbaz');
$this->assertFalse($member->changePassword('barbaz')->isValid());
$this->assertFalse($member->changePassword('foobaz')->isValid());
$this->assertFalse($member->changePassword('foobar')->isValid());
$this->assertTrue($member->changePassword('honk')->isValid());
$this->assertTrue($member->changePassword('newpassword')->isValid());
}
}

View File

@ -0,0 +1,11 @@
<?php
namespace SilverStripe\Security\Tests\Validation\RulesPasswordValidatorTest;
use SilverStripe\Dev\TestOnly;
use SilverStripe\Security\Validation\PasswordValidator;
class DummyPasswordValidator extends PasswordValidator implements TestOnly
{
// no-op, just need a concrete class instead of an abstract one.
}

View File

@ -1,24 +1,20 @@
<?php
namespace SilverStripe\Security\Tests;
namespace SilverStripe\Security\Tests\Validation;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Security\Member;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Validation\RulesPasswordValidator;
class PasswordValidatorTest extends SapphireTest
class RulesPasswordValidatorTest extends SapphireTest
{
/**
* {@inheritDoc}
* @var bool
*/
protected $usesDatabase = true;
protected $usesDatabase = false;
protected function setUp(): void
{
parent::setUp();
PasswordValidator::config()
RulesPasswordValidator::config()
->remove('min_length')
->remove('historic_count')
->set('min_test_score', 0);
@ -26,7 +22,7 @@ class PasswordValidatorTest extends SapphireTest
public function testValidate()
{
$v = new PasswordValidator();
$v = new RulesPasswordValidator();
$r = $v->validate('', new Member());
$this->assertTrue($r->isValid(), 'Empty password is valid by default');
@ -36,7 +32,7 @@ class PasswordValidatorTest extends SapphireTest
public function testValidateMinLength()
{
$v = new PasswordValidator();
$v = new RulesPasswordValidator();
$v->setMinLength(4);
$r = $v->validate('123', new Member());
@ -50,7 +46,7 @@ class PasswordValidatorTest extends SapphireTest
public function testValidateMinScore()
{
// Set both score and set of tests
$v = new PasswordValidator();
$v = new RulesPasswordValidator();
$v->setMinTestScore(3);
$v->setTestNames(["lowercase", "uppercase", "digits", "punctuation"]);
@ -61,7 +57,7 @@ class PasswordValidatorTest extends SapphireTest
$this->assertTrue($r->isValid(), 'Passing enough tests');
// Ensure min score without tests works (uses default tests)
$v = new PasswordValidator();
$v = new RulesPasswordValidator();
$v->setMinTestScore(3);
$r = $v->validate('aA', new Member());
@ -75,31 +71,4 @@ class PasswordValidatorTest extends SapphireTest
$r = $v->validate('aA1!', new Member());
$this->assertTrue($r->isValid(), 'Passing enough tests');
}
/**
* Test that a certain number of historical passwords are checked if specified
*/
public function testHistoricalPasswordCount()
{
$validator = new PasswordValidator;
$validator->setHistoricCount(3);
Member::set_password_validator($validator);
$member = new Member;
$member->FirstName = 'Repeat';
$member->Surname = 'Password-Man';
$member->Password = 'honk';
$member->write();
// Create a set of used passwords
$member->changePassword('foobar');
$member->changePassword('foobaz');
$member->changePassword('barbaz');
$this->assertFalse($member->changePassword('barbaz')->isValid());
$this->assertFalse($member->changePassword('foobaz')->isValid());
$this->assertFalse($member->changePassword('foobar')->isValid());
$this->assertTrue($member->changePassword('honk')->isValid());
$this->assertTrue($member->changePassword('newpassword')->isValid());
}
}

View File

@ -3,23 +3,11 @@
namespace SilverStripe\Security\Tests;
use SilverStripe\Control\Controller;
use SilverStripe\Control\NullHTTPRequest;
use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\ORM\FieldType\DBDatetime;
use SilverStripe\Core\Validation\ValidationResult;
use SilverStripe\Security\Authenticator;
use SilverStripe\Security\DefaultAdminService;
use SilverStripe\Security\IdentityStore;
use SilverStripe\Security\LoginAttempt;
use SilverStripe\Security\Member;
use SilverStripe\Security\MemberAuthenticator\CMSMemberAuthenticator;
use SilverStripe\Security\MemberAuthenticator\CMSMemberLoginForm;
use SilverStripe\Security\MemberAuthenticator\MemberAuthenticator;
use SilverStripe\Security\MemberAuthenticator\MemberLoginForm;
use SilverStripe\Security\PasswordValidator;
use SilverStripe\Security\Security;
use SilverStripe\Versioned\Versioned;
class VersionedMemberAuthenticatorTest extends SapphireTest
@ -42,10 +30,8 @@ class VersionedMemberAuthenticatorTest extends SapphireTest
return;
}
// Enforce dummy validation (this can otherwise be influenced by recipe config)
PasswordValidator::singleton()
->setMinLength(0)
->setTestNames([]);
// Remove password validation
Member::set_password_validator(null);
}
protected function tearDown(): void