From 5df8ce645c9d63e5ef7b4518fcb3d8314e47a461 Mon Sep 17 00:00:00 2001 From: Guy Sartorelli Date: Tue, 19 Sep 2023 14:05:53 +1200 Subject: [PATCH] ENH Deprecate old password encryptors --- src/Security/PasswordEncryptor_LegacyPHPHash.php | 13 +++++++++++++ .../PasswordEncryptor_MySQLOldPassword.php | 12 ++++++++++++ src/Security/PasswordEncryptor_MySQLPassword.php | 12 ++++++++++++ src/Security/PasswordEncryptor_None.php | 14 +++++++++++++- tests/php/Security/PasswordEncryptorTest.php | 3 ++- 5 files changed, 52 insertions(+), 2 deletions(-) diff --git a/src/Security/PasswordEncryptor_LegacyPHPHash.php b/src/Security/PasswordEncryptor_LegacyPHPHash.php index 66df864f978..d8657ff2a52 100644 --- a/src/Security/PasswordEncryptor_LegacyPHPHash.php +++ b/src/Security/PasswordEncryptor_LegacyPHPHash.php @@ -2,15 +2,28 @@ namespace SilverStripe\Security; +use SilverStripe\Dev\Deprecation; + /** * Legacy implementation for SilverStripe 2.1 - 2.3, * which had a design flaw in password hashing that caused * the hashes to differ between architectures due to * floating point precision problems in base_convert(). * See http://open.silverstripe.org/ticket/3004 + * + * @deprecated 5.2.0 Use SilverStripe\Security\PasswordEncryptor_PHPHash instead. */ class PasswordEncryptor_LegacyPHPHash extends PasswordEncryptor_PHPHash { + public function __construct() + { + Deprecation::notice( + '5.2.0', + 'Use SilverStripe\Security\PasswordEncryptor_PHPHash instead.', + Deprecation::SCOPE_CLASS + ); + } + public function encrypt($password, $salt = null, $member = null) { $password = parent::encrypt($password, $salt, $member); diff --git a/src/Security/PasswordEncryptor_MySQLOldPassword.php b/src/Security/PasswordEncryptor_MySQLOldPassword.php index d5de3d7cc36..2190313a900 100644 --- a/src/Security/PasswordEncryptor_MySQLOldPassword.php +++ b/src/Security/PasswordEncryptor_MySQLOldPassword.php 
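Review bot: The new zero-argument `__construct()` in PasswordEncryptor_LegacyPHPHash replaces the constructor it inherits from PasswordEncryptor_PHPHash without calling it. The test config in this patch registers the class as `[PasswordEncryptor_LegacyPHPHash::class => 'sha1']`, which suggests the algorithm name arrives as a constructor argument. The parent class is not shown here, but if its constructor validates and stores the algorithm, that argument is now silently dropped, and a legacy member configured with a non-default algorithm would be verified with the wrong hash function. Accepting and forwarding the argument keeps the old behaviour: `public function __construct($algorithm)` with `parent::__construct($algorithm);` ahead of the `Deprecation::notice(...)` call. The class body continues past the end of the hunk.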
@@ -2,13 +2,25 @@ namespace SilverStripe\Security; +use SilverStripe\Dev\Deprecation; use SilverStripe\ORM\DB; /** * Uses MySQL's OLD_PASSWORD encyrption. Requires an active DB connection. + * + * @deprecated 5.2.0 Use another subclass of SilverStripe\Security\PasswordEncryptor instead. */ class PasswordEncryptor_MySQLOldPassword extends PasswordEncryptor { + public function __construct() + { + Deprecation::notice( + '5.2.0', + 'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.', + Deprecation::SCOPE_CLASS + ); + } + public function encrypt($password, $salt = null, $member = null) { return DB::prepared_query("SELECT OLD_PASSWORD(?)", [$password])->value(); diff --git a/src/Security/PasswordEncryptor_MySQLPassword.php b/src/Security/PasswordEncryptor_MySQLPassword.php index 3e65f695b1b..f5b9fb506b2 100644 --- a/src/Security/PasswordEncryptor_MySQLPassword.php +++ b/src/Security/PasswordEncryptor_MySQLPassword.php @@ -2,13 +2,25 @@ namespace SilverStripe\Security; +use SilverStripe\Dev\Deprecation; use SilverStripe\ORM\DB; /** * Uses MySQL's PASSWORD encryption. Requires an active DB connection. + * + * @deprecated 5.2.0 Use another subclass of SilverStripe\Security\PasswordEncryptor instead. */ class PasswordEncryptor_MySQLPassword extends PasswordEncryptor { + public function __construct() + { + Deprecation::notice( + '5.2.0', + 'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.', + Deprecation::SCOPE_CLASS + ); + } + public function encrypt($password, $salt = null, $member = null) { return DB::prepared_query("SELECT PASSWORD(?)", [$password])->value(); diff --git a/src/Security/PasswordEncryptor_None.php b/src/Security/PasswordEncryptor_None.php index 7d794ae17ef..d860545c27b 100644 --- a/src/Security/PasswordEncryptor_None.php +++ b/src/Security/PasswordEncryptor_None.php 
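Review bot: The deprecation text `'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.'` in PasswordEncryptor_MySQLOldPassword names no replacement, and "another subclass" literally includes the other encryptors this patch deprecates. The same text is repeated in the PasswordEncryptor_MySQLPassword and PasswordEncryptor_None hunks. Naming the intended target would make the notice actionable, for example `'Use SilverStripe\Security\PasswordEncryptor_Blowfish instead.'` if that is the project's recommended encryptor (the test file in this patch imports that class). The two MySQL docblocks could also state the reason: the visible `encrypt()` bodies pass only `$password` to `OLD_PASSWORD()` / `PASSWORD()`, so `$salt` is ignored and the stored hashes are unsalted. Both class bodies continue outside their hunks.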
@@ -2,13 +2,25 @@ namespace SilverStripe\Security; +use SilverStripe\Dev\Deprecation; + /** * Cleartext passwords (used in SilverStripe 2.1). - * Also used when Security::$encryptPasswords is set to FALSE. * Not recommended. + * + * @deprecated 5.2.0 Use another subclass of SilverStripe\Security\PasswordEncryptor instead. */ class PasswordEncryptor_None extends PasswordEncryptor { + public function __construct() + { + Deprecation::notice( + '5.2.0', + 'Use another subclass of SilverStripe\Security\PasswordEncryptor instead.', + Deprecation::SCOPE_CLASS + ); + } + public function encrypt($password, $salt = null, $member = null) { return $password; diff --git a/tests/php/Security/PasswordEncryptorTest.php b/tests/php/Security/PasswordEncryptorTest.php index ccfcac1d39d..95b91d0f0d0 100644 --- a/tests/php/Security/PasswordEncryptorTest.php +++ b/tests/php/Security/PasswordEncryptorTest.php @@ -5,6 +5,7 @@ use SilverStripe\Security\PasswordEncryptor_Blowfish; use SilverStripe\Security\PasswordEncryptor; use SilverStripe\Core\Config\Config; +use SilverStripe\Dev\Deprecation; use SilverStripe\Dev\SapphireTest; use SilverStripe\Security\PasswordEncryptor_LegacyPHPHash; use SilverStripe\Security\PasswordEncryptor_NotFoundException; @@ -155,7 +156,7 @@ public function testEncryptorLegacyPHPHashCheck() 'encryptors', ['test_sha1legacy' => [PasswordEncryptor_LegacyPHPHash::class => 'sha1']] ); - $e = PasswordEncryptor::create_for_algorithm('test_sha1legacy'); + $e = Deprecation::withNoReplacement(fn() => PasswordEncryptor::create_for_algorithm('test_sha1legacy')); // precomputed hashes for 'mypassword' from different architectures $amdHash = 'h1fj0a6m4o6k0sosks88oo08ko4gc4s'; $intelHash = 'h1fj0a6m4o0g04ocg00o4kwoc4wowws';
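Review bot: The docblock on PasswordEncryptor_None still says only "Not recommended.", although `encrypt()` in this hunk returns `$password` unchanged, so every record written through it holds the password in cleartext. Deprecating the class does not alter records that already exist. I would add a docblock line such as `* Passwords saved with this encryptor are stored in cleartext; existing records need to be re-saved with a hashing encryptor.` Whether any re-hashing happens automatically on login is not visible in this patch, so that wording should be checked against the member save path. The class body continues outside the hunk.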
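Review bot: Wrapping `create_for_algorithm('test_sha1legacy')` in `Deprecation::withNoReplacement()` silences the new notice, but nothing in this patch asserts that the notice is raised or that the deprecated encryptors still receive their configured constructor arguments. This test configures `'sha1'`; if that is also the hashing class's built-in default (not shown here), the test would pass even when the configured algorithm never reaches the encryptor. A second case that registers a non-default algorithm and checks that the resulting hash differs from the sha1 one would catch that regression. The test method starts and ends outside the hunk.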