first commit

2024-07-15 12:33:27 +02:00
commit ce50ae282b
22084 changed files with 2623791 additions and 0 deletions
--- a/core/modules/phpass/phpass.info.yml
+++ b/core/modules/phpass/phpass.info.yml
@@ -0,0 +1,10 @@
+name: Password Compatibility
+type: module
+description: 'Provides the password checking algorithm for user accounts created with Drupal prior to version 10.1.0.'
+package: Core
+# version: VERSION
+
+# Information added by Drupal.org packaging script on 2024-07-04
+version: '10.3.1'
+project: 'drupal'
+datestamp: 1720094222
--- a/core/modules/phpass/phpass.module
+++ b/core/modules/phpass/phpass.module
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ * @file
+ * Provides the password checking algorithm used prior to version 10.1.0.
+ */
+
+use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Routing\RouteMatchInterface;
+
+/**
+ * Implements hook_help().
+ */
+function phpass_help($route_name, RouteMatchInterface $route_match) {
+  switch ($route_name) {
+    case 'help.page.phpass':
+      $output = '';
+      $output .= '<h2>' . t('About') . '</h2>';
+      $output .= '<p>' . t('The Password Compatibility module provides the password checking algorithm for user accounts created with Drupal prior to version 10.1.0. For more information, see the <a href=":phpass">online documentation for the Password Compatibility module</a>.', [':phpass' => 'https://www.drupal.org/docs/core-modules-and-themes/core-modules/password-compatibility-module']) . '</p>';
+      $output .= '<p>' . t('Drupal 10.1.0 and later use a different algorithm to compute the hashed password. This provides better security against brute-force attacks. The hashed passwords are different from the ones computed with Drupal versions before 10.1.0.') . '</p>';
+      $output .= '<p>' . t('When the Password Compatibility module is installed, a user can log in with a username and password created before Drupal 10.1.0. The first time these credentials are used, a new hash is computed and saved. From then on, the user will be able to log in with the same username and password whether or not this module is installed.') . '</p>';
+      $output .= '<p>' . t('Passwords created before Drupal 10.1.0 <strong>will not work</strong> unless they are used at least once while this module is installed. Make sure that you can log in before uninstalling this module.') . '</p>';
+      return $output;
+
+  }
+}
+
+/**
+ * Implements hook_form_FORM_ID_alter() for system_modules_uninstall_confirm_form.
+ */
+function phpass_form_system_modules_uninstall_confirm_form_alter(array &$form, FormStateInterface $form_state): void {
+  $modules = \Drupal::keyValueExpirable('modules_uninstall')
+    ->get(\Drupal::currentUser()->id());
+  if (!in_array('phpass', $modules)) {
+    return;
+  }
+  \Drupal::messenger()->addWarning(t('Make sure that you can log in before uninstalling the Password Compatibility module. For more information, see the <a href=":phpass">online documentation for the Password Compatibility module</a>.', [
+    ':phpass' => 'https://www.drupal.org/docs/core-modules-and-themes/core-modules/password-compatibility-module',
+  ]));
+}
--- a/core/modules/phpass/phpass.services.yml
+++ b/core/modules/phpass/phpass.services.yml
@@ -0,0 +1,6 @@
+services:
+  phpass.password:
+    public: false
+    class: Drupal\phpass\Password\PhpassHashedPassword
+    decorates: password
+    arguments: ['@.inner']
--- a/core/modules/phpass/src/Password/PhpassHashedPassword.php
+++ b/core/modules/phpass/src/Password/PhpassHashedPassword.php
@@ -0,0 +1,12 @@
+<?php
+
+namespace Drupal\phpass\Password;
+
+use Drupal\Core\Password\PhpassHashedPasswordBase;
+
+/**
+ * Legacy password hashing framework.
+ *
+ * @see https://www.drupal.org/node/3322420
+ */
+class PhpassHashedPassword extends PhpassHashedPasswordBase {}
--- a/core/modules/phpass/tests/src/Functional/GenericTest.php
+++ b/core/modules/phpass/tests/src/Functional/GenericTest.php
@@ -0,0 +1,14 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\phpass\Functional;
+
+use Drupal\Tests\system\Functional\Module\GenericModuleTestBase;
+
+/**
+ * Generic module test for phpass.
+ *
+ * @group phpass
+ */
+class GenericTest extends GenericModuleTestBase {}
--- a/core/modules/phpass/tests/src/Unit/LegacyPasswordHashingTest.php
+++ b/core/modules/phpass/tests/src/Unit/LegacyPasswordHashingTest.php
@@ -0,0 +1,129 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\phpass\Unit;
+
+use Drupal\phpass\Password\PhpassHashedPassword;
+use Drupal\Tests\UnitTestCase;
+
+/**
+ * Unit tests for password hashing API.
+ *
+ * Legacy tests, deprecated in drupal:10.1.0 and removed from drupal:11.0.0 as
+ * soon as PhpassHashedPassword::__construct() with $corePassword parameter is
+ * enforced to be an instance of Drupal\Core\Password\PhpPassword.
+ *
+ * @see https://www.drupal.org/node/3322420
+ *
+ * @coversDefaultClass \Drupal\phpass\Password\PhpassHashedPassword
+ * @group phpass
+ * @group legacy
+ */
+class LegacyPasswordHashingTest extends UnitTestCase {
+
+  /**
+   * The raw password.
+   *
+   * @var string
+   */
+  protected $password;
+
+  /**
+   * The md5 password.
+   *
+   * @var string
+   */
+  protected $md5HashedPassword;
+
+  /**
+   * The hashed password.
+   *
+   * @var string
+   */
+  protected $hashedPassword;
+
+  /**
+   * The password hasher under test.
+   *
+   * @var \Drupal\Core\Password\PhpassHashedPassword
+   */
+  protected $passwordHasher;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp(): void {
+    parent::setUp();
+    $this->expectDeprecation('Calling Drupal\Core\Password\PhpassHashedPasswordBase::__construct() with numeric $countLog2 as the first parameter is deprecated in drupal:10.1.0 and is removed from drupal:11.0.0. Use PhpassHashedPasswordInterface::__construct() with $corePassword parameter set to an instance of Drupal\Core\Password\PhpPassword instead. See https://www.drupal.org/node/3322420');
+    $this->password = $this->randomMachineName();
+    $this->passwordHasher = new PhpassHashedPassword(1);
+    $this->hashedPassword = $this->passwordHasher->hash($this->password);
+    $this->md5HashedPassword = 'U' . $this->passwordHasher->hash(md5($this->password));
+  }
+
+  /**
+   * Tests a password needs update.
+   *
+   * @covers ::needsRehash
+   */
+  public function testPasswordNeedsUpdate(): void {
+    // The md5 password should be flagged as needing an update.
+    $this->assertTrue($this->passwordHasher->needsRehash($this->md5HashedPassword), 'Upgraded md5 password hash needs a new hash.');
+  }
+
+  /**
+   * Tests password hashing.
+   *
+   * @covers ::hash
+   * @covers ::getCountLog2
+   * @covers ::base64Encode
+   * @covers ::check
+   * @covers ::generateSalt
+   * @covers ::needsRehash
+   */
+  public function testPasswordHashing(): void {
+    $this->assertSame(PhpassHashedPassword::MIN_HASH_COUNT, $this->passwordHasher->getCountLog2($this->hashedPassword), 'Hashed password has the minimum number of log2 iterations.');
+    $this->assertNotEquals($this->hashedPassword, $this->md5HashedPassword, 'Password hashes not the same.');
+    $this->assertTrue($this->passwordHasher->check($this->password, $this->md5HashedPassword), 'Password check succeeds.');
+    $this->assertTrue($this->passwordHasher->check($this->password, $this->hashedPassword), 'Password check succeeds.');
+    // Since the log2 setting hasn't changed and the user has a valid password,
+    // userNeedsNewHash() should return FALSE.
+    $this->assertFalse($this->passwordHasher->needsRehash($this->hashedPassword), 'Does not need a new hash.');
+  }
+
+  /**
+   * Tests password rehashing.
+   *
+   * @covers ::__construct
+   * @covers ::hash
+   * @covers ::getCountLog2
+   * @covers ::check
+   * @covers ::needsRehash
+   */
+  public function testPasswordRehashing(): void {
+    // Increment the log2 iteration to MIN + 1.
+    $password_hasher = new PhpassHashedPassword(PhpassHashedPassword::MIN_HASH_COUNT + 1);
+    $this->assertTrue($password_hasher->needsRehash($this->hashedPassword), 'Needs a new hash after incrementing the log2 count.');
+    // Re-hash the password.
+    $rehashed_password = $password_hasher->hash($this->password);
+    $this->assertSame(PhpassHashedPassword::MIN_HASH_COUNT + 1, $password_hasher->getCountLog2($rehashed_password), 'Re-hashed password has the correct number of log2 iterations.');
+    $this->assertNotEquals($rehashed_password, $this->hashedPassword, 'Password hash changed again.');
+
+    // Now the hash should be OK.
+    $this->assertFalse($password_hasher->needsRehash($rehashed_password), 'Re-hashed password does not need a new hash.');
+    $this->assertTrue($password_hasher->check($this->password, $rehashed_password), 'Password check succeeds with re-hashed password.');
+    $this->assertTrue($this->passwordHasher->check($this->password, $rehashed_password), 'Password check succeeds with re-hashed password with original hasher.');
+  }
+
+  /**
+   * Tests password validation when the hash is NULL.
+   *
+   * @covers ::check
+   */
+  public function testEmptyHash(): void {
+    $this->assertFalse($this->passwordHasher->check($this->password, NULL));
+    $this->assertFalse($this->passwordHasher->check($this->password, ''));
+  }
+
+}
--- a/core/modules/phpass/tests/src/Unit/PasswordVerifyTest.php
+++ b/core/modules/phpass/tests/src/Unit/PasswordVerifyTest.php
@@ -0,0 +1,184 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\phpass\Unit;
+
+use Drupal\phpass\Password\PhpassHashedPassword;
+use Drupal\Core\Password\PasswordInterface;
+use Drupal\Core\Password\PhpPassword;
+use Drupal\Tests\UnitTestCase;
+
+/**
+ * Unit tests for password hashing API.
+ *
+ * @coversDefaultClass \Drupal\phpass\Password\PhpassHashedPassword
+ * @group phpass
+ */
+class PasswordVerifyTest extends UnitTestCase {
+
+  /**
+   * Tests that hash() is forwarded to corePassword instance.
+   *
+   * @covers ::hash
+   */
+  public function testPasswordHash(): void {
+    $samplePassword = $this->randomMachineName();
+    $sampleHash = $this->randomMachineName();
+
+    $corePassword = $this->prophesize(PasswordInterface::class);
+    $corePassword->hash($samplePassword)->willReturn($sampleHash);
+
+    $passwordService = new PhpassHashedPassword($corePassword->reveal());
+    $result = $passwordService->hash($samplePassword);
+
+    $this->assertSame($sampleHash, $result, 'Calls to hash() are forwarded to core password service.');
+  }
+
+  /**
+   * Tests that needsRehash() is forwarded to corePassword instance.
+   *
+   * @covers ::needsRehash
+   */
+  public function testPasswordNeedsRehash(): void {
+    $sampleHash = $this->randomMachineName();
+
+    $corePassword = $this->prophesize(PasswordInterface::class);
+    $corePassword->needsRehash($sampleHash)->willReturn(TRUE);
+
+    $passwordService = new PhpassHashedPassword($corePassword->reveal());
+    $result = $passwordService->needsRehash($sampleHash);
+    $this->assertTrue($result, 'Calls to needsRehash() are forwarded to core password service.');
+  }
+
+  /**
+   * Tests that check() is forwarded to corePassword instance if hash settings are not recognized.
+   *
+   * @covers ::check
+   */
+  public function testPasswordCheckUnknownHash(): void {
+    $samplePassword = $this->randomMachineName();
+    $sampleHash = $this->randomMachineName();
+
+    $corePassword = $this->prophesize(PasswordInterface::class);
+    $corePassword->check($samplePassword, $sampleHash)->willReturn(TRUE);
+
+    $passwordService = new PhpassHashedPassword($corePassword->reveal());
+    $result = $passwordService->check($samplePassword, $sampleHash);
+    $this->assertTrue($result, 'Calls to check() are forwarded to core password service if hash settings are not recognized.');
+  }
+
+  /**
+   * Tests that check() verifies passwords if hash settings are supported.
+   *
+   * @covers ::check
+   * @covers ::crypt
+   * @covers ::getCountLog2
+   * @covers ::enforceLog2Boundaries
+   * @covers ::base64Encode
+   */
+  public function testPasswordCheckSupported(): void {
+    $validPassword = 'valid password';
+
+    // cspell:disable
+    $passwordHash = '$S$5TOxWPdvJRs0P/xZBdrrPlGgzViOS0drHu3jaIjitesfttrp18bk';
+    $passwordLayered = 'U$S$5vNHDQyLqCTvsYBLWBUWXJWhA0m3DTpBh04acFEOGB.bKBclhKgo';
+    // cspell:enable
+
+    $invalidPassword = 'invalid password';
+
+    $corePassword = $this->prophesize(PasswordInterface::class);
+    $corePassword->check()->shouldNotBeCalled();
+
+    $passwordService = new PhpassHashedPassword($corePassword->reveal());
+
+    $result = $passwordService->check($validPassword, $passwordHash);
+    $this->assertTrue($result, 'Accepts valid passwords created prior to 10.1.x');
+    $result = $passwordService->check($invalidPassword, $passwordHash);
+    $this->assertFalse($result, 'Rejects invalid passwords created prior to 10.1.x');
+
+    $result = $passwordService->check($validPassword, $passwordLayered);
+    $this->assertTrue($result, 'Accepts valid passwords migrated from sites running 6.x');
+    $result = $passwordService->check($invalidPassword, $passwordLayered);
+    $this->assertFalse($result, 'Rejects invalid passwords migrated from sites running 6.x');
+  }
+
+  /**
+   * Tests the hash count boundaries are enforced.
+   *
+   * @covers ::enforceLog2Boundaries
+   */
+  public function testWithinBounds(): void {
+    $hasher = new PhpassHashedPasswordLog2BoundariesDouble();
+    $this->assertEquals(PhpassHashedPassword::MIN_HASH_COUNT, $hasher->enforceLog2Boundaries(1), "Min hash count enforced");
+    $this->assertEquals(PhpassHashedPassword::MAX_HASH_COUNT, $hasher->enforceLog2Boundaries(100), "Max hash count enforced");
+  }
+
+  /**
+   * Verifies that passwords longer than 512 bytes are not hashed.
+   *
+   * @covers ::crypt
+   *
+   * @dataProvider providerLongPasswords
+   */
+  public function testLongPassword($password, $allowed): void {
+    // cspell:disable
+    $bogusHash = '$S$5TOxWPdvJRs0P/xZBdrrPlGgzViOS0drHu3jaIjitesfttrp18bk';
+    // cspell:enable
+
+    $passwordService = new PhpassHashedPassword(new PhpPassword());
+
+    if ($allowed) {
+      $hash = $passwordService->hash($password);
+      $this->assertNotFalse($hash);
+      $result = $passwordService->check($password, $hash);
+      $this->assertTrue($result);
+    }
+    else {
+      $result = $passwordService->check($password, $bogusHash);
+      $this->assertFalse($result);
+    }
+  }
+
+  /**
+   * Provides the test matrix for testLongPassword().
+   */
+  public static function providerLongPasswords() {
+    // '512 byte long password is allowed.'
+    $passwords['allowed'] = [str_repeat('x', PasswordInterface::PASSWORD_MAX_LENGTH), TRUE];
+    // 513 byte long password is not allowed.
+    $passwords['too_long'] = [str_repeat('x', PasswordInterface::PASSWORD_MAX_LENGTH + 1), FALSE];
+
+    // Check a string of 3-byte UTF-8 characters, 510 byte long password is
+    // allowed.
+    $len = (int) floor(PasswordInterface::PASSWORD_MAX_LENGTH / 3);
+    $diff = PasswordInterface::PASSWORD_MAX_LENGTH % 3;
+    $passwords['utf8'] = [str_repeat('€', $len), TRUE];
+    // 512 byte long password is allowed.
+    $passwords['ut8_extended'] = [$passwords['utf8'][0] . str_repeat('x', $diff), TRUE];
+
+    // Check a string of 3-byte UTF-8 characters, 513 byte long password is
+    // allowed.
+    $passwords['utf8_too_long'] = [str_repeat('€', $len + 1), FALSE];
+    return $passwords;
+  }
+
+}
+
+/**
+ * Test double for test coverage of enforceLog2Boundaries().
+ */
+class PhpassHashedPasswordLog2BoundariesDouble extends PhpassHashedPassword {
+
+  public function __construct() {
+    // Noop.
+  }
+
+  /**
+   * Exposes this method as public for tests.
+   */
+  public function enforceLog2Boundaries($count_log2) {
+    return parent::enforceLog2Boundaries($count_log2);
+  }
+
+}