[!!!][TASK] Drop extension rsaauth

Extension rsaauth that has been marked deprecated in v9 due
to its flaws and is dropped from core v10 with this patch.
People who still think not using https but using the
rsaauth extension approach is a good idea can fetch the
extension from ter using an upgrade wizard or
composer require friendsoftypo3/rsaauth.

Needs a typo3/testing-framework raise since the
acceptance tests still used loginSecurityLevel rsa:
composer require --dev typo3/testing-framework ~5.0.4

Resolves: #87470
Releases: master
Change-Id: Iefdd1c4e4b8725e0968875d4b8cb68103634783c
Reviewed-on: https://review.typo3.org/59470
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Build/tsconfig.json

@@ -80,10 +80,6 @@
                 "../typo3/sysext/recycler/Resources/Public/JavaScript/*",
                 "../typo3/sysext/recycler/Resources/Private/TypeScript/*"
             ],
-            "TYPO3/CMS/Rsaauth/*": [
-                "../typo3/sysext/rsaauth/Resources/Public/JavaScript/*",
-                "../typo3/sysext/rsaauth/Resources/Private/TypeScript/*"
-            ],
             "TYPO3/CMS/RteCkeditor/*": [
                 "../typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/*",
                 "../typo3/sysext/rte_ckeditor/Resources/Private/TypeScript/*"

composer.json

@@ -68,7 +68,7 @@
 		"fiunchinho/phpunit-randomizer": "^4.0",
 		"friendsofphp/php-cs-fixer": "^2.12.2",
 		"typo3/cms-styleguide": "~10.0.2",
-		"typo3/testing-framework": "~5.0.3"
+		"typo3/testing-framework": "~5.0.4"
 	},
 	"suggest": {
 		"ext-gd": "GDlib/Freetype is required for building images with text (GIFBUILDER) and can also be used to scale images",
@@ -142,7 +142,6 @@
 		"typo3/cms-recycler": "self.version",
 		"typo3/cms-redirects": "self.version",
 		"typo3/cms-reports": "self.version",
-		"typo3/cms-rsaauth": "self.version",
 		"typo3/cms-rte-ckeditor": "self.version",
 		"typo3/cms-scheduler": "self.version",
 		"typo3/cms-seo": "self.version",
@@ -183,7 +182,6 @@
 			"TYPO3\\CMS\\Recycler\\": "typo3/sysext/recycler/Classes/",
 			"TYPO3\\CMS\\Redirects\\": "typo3/sysext/redirects/Classes/",
 			"TYPO3\\CMS\\Reports\\": "typo3/sysext/reports/Classes/",
-			"TYPO3\\CMS\\Rsaauth\\": "typo3/sysext/rsaauth/Classes/",
 			"TYPO3\\CMS\\RteCKEditor\\": "typo3/sysext/rte_ckeditor/Classes/",
 			"TYPO3\\CMS\\Scheduler\\": "typo3/sysext/scheduler/Classes/",
 			"TYPO3\\CMS\\Seo\\": "typo3/sysext/seo/Classes/",
@@ -227,7 +225,6 @@
 			"TYPO3\\CMS\\Redirects\\Tests\\": "typo3/sysext/redirects/Tests/",
 			"TYPO3\\CMS\\Recordlist\\Tests\\": "typo3/sysext/recordlist/Tests/",
 			"TYPO3\\CMS\\Reports\\Tests\\": "typo3/sysext/reports/Tests/",
-			"TYPO3\\CMS\\Rsaauth\\Tests\\": "typo3/sysext/rsaauth/Tests/",
 			"TYPO3\\CMS\\Scheduler\\Tests\\": "typo3/sysext/scheduler/Tests/",
 			"TYPO3\\CMS\\Seo\\Tests\\": "typo3/sysext/seo/Tests/",
 			"TYPO3\\CMS\\Setup\\Tests\\": "typo3/sysext/setup/Tests/",

typo3/sysext/backend/Classes/Form/NodeFactory.php

@@ -74,8 +74,6 @@ class NodeFactory
         'inputDateTime' => Element\InputDateTimeElement::class,
         'inputLink' => Element\InputLinkElement::class,
         'hidden' => Element\InputHiddenElement::class,
-        // rsaInput is defined with a fallback so extensions can use it even if ext:rsaauth is not loaded
-        'rsaInput' => Element\InputTextElement::class,
         'imageManipulation' => Element\ImageManipulationElement::class,
         'none' => Element\NoneElement::class,
         'radio' => Element\RadioElement::class,

typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml

@@ -307,7 +307,7 @@ BE:
             description: 'Set the name for the cookie used for the back-end user session'
         loginSecurityLevel:
             type: text
-            description: 'Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text, "rsa" uses RSA password encryption (only if the rsaauth extension is installed).'
+            description: 'Keywords that determines the security level of login to the backend. "normal" means the password from the login form is sent in clear-text. The client/server communication should be secured with HTTPS.'
         showRefreshLoginPopup:
             type: bool
             description: 'If set, the Ajax relogin will show a real popup window for relogin after the count down. Some auth services need this as they add custom validation to the login form. If it''s not set, the Ajax relogin will show an inline relogin window.'
@@ -421,7 +421,7 @@ FE:
             description: 'If activated, Frontend Users are locked to (a part of) their public IP (<code>$_SERVER[''REMOTE_ADDR'']</code>) for their session. Enhances security but may throw off users that may change IP during their session (in which case you can lower it to 2 or 3). The integer indicates how many parts of the IP address to include in the check for session (next to the user agent)..'
         loginSecurityLevel:
             type: text
-            description: 'See description for <a href="#BE-loginSecurityLevel">[BE][loginSecurityLevel]</a>. Default state for frontend is "normal". Alternative authentication services can implement higher levels if preferred. For example, "rsa" level uses RSA password encryption (only if the rsaauth extension is installed).'
+            description: 'See description for <a href="#BE-loginSecurityLevel">[BE][loginSecurityLevel]</a>. Default state for frontend is "normal". The client/server communication should be secured with HTTPS.'
         lifetime:
             type: int
             description: 'If >0 and the option permalogin is >=0, the cookie of FE users will have a lifetime of the number of seconds this value indicates. Otherwise it will be a session cookie (deleted when browser is shut down). Setting this value to 604800 will result in automatic login of FE users during a whole week, 86400 will keep the FE users logged in for a day.'

typo3/sysext/core/Documentation/Changelog/master/Breaking-87193-DeprecatedFunctionalityRemoved.rst

@@ -1351,6 +1351,7 @@ The following features have been removed:
 * Frontend, Backend and standalone install tool users who did not log in for multiple core versions and still use a :php:`M$`
   prefixed password can not log in anymore. Auto converting those user passwords during first login has been dropped, those
   users need their password being manually recovered or reset.
+* Extension :php:`rsaauth` has been dropped from core
 
 
 The following database tables have been removed:

typo3/sysext/core/Tests/Acceptance/Support/Extension/BackendCoreEnvironment.php

@@ -39,7 +39,6 @@ class BackendCoreEnvironment extends BackendEnvironment
             'filelist',
             'extensionmanager',
             'setup',
-            'rsaauth',
             'backend',
             'about',
             'belog',

typo3/sysext/core/composer.json

@@ -51,7 +51,7 @@
 		"fiunchinho/phpunit-randomizer": "^4.0",
 		"friendsofphp/php-cs-fixer": "^2.12.2",
 		"typo3/cms-styleguide": "~10.0.2",
-		"typo3/testing-framework": "~5.0.3"
+		"typo3/testing-framework": "~5.0.4"
 	},
 	"suggest": {
 		"ext-fileinfo": "Used for proper file type detection in the file abstraction layer",

typo3/sysext/extensionmanager/Tests/Unit/Utility/ListUtilityTest.php

@@ -49,7 +49,6 @@ protected function setUp()
                     'lang' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
                     'news' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
                     'saltedpasswords' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
-                    'rsaauth' => $this->getMockBuilder(Package::class)->disableOriginalConstructor()->getMock(),
                 ]));
         $this->inject($this->subject, 'packageManager', $packageManagerMock);
     }
@@ -65,42 +64,36 @@ public function getAvailableAndInstalledExtensionsDataProvider(): array
                     'lang' => [],
                     'news' => [],
                     'saltedpasswords' => [],
-                    'rsaauth' => []
                 ],
                 [
                     'lang' => ['installed' => true],
                     'news' => ['installed' => true],
                     'saltedpasswords' => ['installed' => true],
-                    'rsaauth' => ['installed' => true]
                 ]
             ],
             'different extension lists' => [
                 [
                     'lang' => [],
                     'news' => [],
                     'saltedpasswords' => [],
-                    'rsaauth' => []
                 ],
                 [
                     'lang' => ['installed' => true],
                     'news' => ['installed' => true],
                     'saltedpasswords' => ['installed' => true],
-                    'rsaauth' => ['installed' => true]
                 ]
             ],
             'different extension lists - set2' => [
                 [
                     'lang' => [],
                     'news' => [],
                     'saltedpasswords' => [],
-                    'rsaauth' => [],
                     'em' => []
                 ],
                 [
                     'lang' => ['installed' => true],
                     'news' => ['installed' => true],
                     'saltedpasswords' => ['installed' => true],
-                    'rsaauth' => ['installed' => true],
                     'em' => []
                 ]
             ],
@@ -110,15 +103,13 @@ public function getAvailableAndInstalledExtensionsDataProvider(): array
                     'fluid' => [],
                     'news' => [],
                     'saltedpasswords' => [],
-                    'rsaauth' => [],
                     'em' => []
                 ],
                 [
                     'lang' => ['installed' => true],
                     'fluid' => [],
                     'news' => ['installed' => true],
                     'saltedpasswords' => ['installed' => true],
-                    'rsaauth' => ['installed' => true],
                     'em' => []
                 ]
             ]
@@ -147,7 +138,6 @@ public function enrichExtensionsWithEmConfInformationDataProvider(): array
                     'lang' => ['property1' => 'oldvalue'],
                     'news' => [],
                     'saltedpasswords' => [],
-                    'rsaauth' => []
                 ],
                 [
                     'property1' => 'property value1'
@@ -156,7 +146,6 @@ public function enrichExtensionsWithEmConfInformationDataProvider(): array
                     'lang' => ['property1' => 'oldvalue'],
                     'news' => ['property1' => 'property value1'],
                     'saltedpasswords' => ['property1' => 'property value1'],
-                    'rsaauth' => ['property1' => 'property value1']
                 ]
             ]
         ];

typo3/sysext/install/Classes/Service/ClearTableService.php

@@ -57,10 +57,6 @@ class ClearTableService
             'name' => 'tx_extensionmanager_domain_model_extension',
             'description' => 'List of TER extensions',
         ],
-        [
-            'name' => 'tx_rsaauth_keys',
-            'description' => 'Login process key storage'
-        ],
     ];
 
     /**

typo3/sysext/install/Classes/Updates/RsaauthExtractionUpdate.php

@@ -0,0 +1,119 @@
+<?php
+namespace TYPO3\CMS\Install\Updates;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
+
+/**
+ * Installs and downloads EXT:rsaauth if requested
+ * @internal This class is only meant to be used within EXT:install and is not part of the TYPO3 Core API.
+ */
+class RsaauthExtractionUpdate extends AbstractDownloadExtensionUpdate
+{
+    /**
+     * @var \TYPO3\CMS\Install\Updates\ExtensionModel
+     */
+    protected $extension;
+
+    /**
+     * @var \TYPO3\CMS\Install\Updates\Confirmation
+     */
+    protected $confirmation;
+
+    public function __construct()
+    {
+        $this->extension = new ExtensionModel(
+          'rsaauth',
+            'Deprecated rsaauth extension',
+            '10.0.0',
+            'friendsoftypo3/rsaauth',
+            'Contains a service to authenticate TYPO3 BE and FE users using private/public key encryption of passwords.'
+        );
+
+        $this->confirmation = new Confirmation(
+            'Are you sure?',
+            'Do not install this extension. Use HTTPS instead. ' . $this->extension->getDescription(),
+            false
+        );
+    }
+
+    /**
+     * Return a confirmation message instance
+     *
+     * @return \TYPO3\CMS\Install\Updates\Confirmation
+     */
+    public function getConfirmation(): Confirmation
+    {
+        return $this->confirmation;
+    }
+
+    /**
+     * Return the identifier for this wizard
+     * This should be the same string as used in the ext_localconf class registration
+     *
+     * @return string
+     */
+    public function getIdentifier(): string
+    {
+        return 'rsaauthExtension';
+    }
+
+    /**
+     * Return the speaking name of this wizard
+     *
+     * @return string
+     */
+    public function getTitle(): string
+    {
+        return 'Install extension "rsaauth" from TER if the site is still not secured using HTTPS';
+    }
+
+    /**
+     * Return the description for this wizard
+     *
+     * @return string
+     */
+    public function getDescription(): string
+    {
+        return 'The extension "rsaauth" adds a public/private key based encryption for Backend and Frontend'
+               . ' login passwords. The approach is limited and has various flaws. The extension is fully'
+               . ' obsolete if the instance uses HTTPS.';
+    }
+
+    /**
+     * Is an update necessary?
+     * Is used to determine whether a wizard needs to be run.
+     *
+     * @return bool
+     */
+    public function updateNecessary(): bool
+    {
+        return !ExtensionManagementUtility::isLoaded('rsaauth');
+    }
+
+    /**
+     * Returns an array of class names of Prerequisite classes
+     * This way a wizard can define dependencies like "database up-to-date" or
+     * "reference index updated"
+     *
+     * @return string[]
+     */
+    public function getPrerequisites(): array
+    {
+        return [
+            DatabaseUpdatedPrerequisite::class
+        ];
+    }
+}

typo3/sysext/install/ext_localconf.php

@@ -38,6 +38,8 @@
     = \TYPO3\CMS\Install\Updates\Argon2iPasswordHashes::class;
 
 // v9->v10 wizards below this line
+$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ext/install']['update']['rsaauthExtension']
+    = \TYPO3\CMS\Install\Updates\RsaauthExtractionUpdate::class;
 
 $iconRegistry = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Core\Imaging\IconRegistry::class);
 $icons = [