[TASK] Extract request processing from RsaEncryptionEncoder

* Deprecate now unused methods * Update JavaScript to properly use JSON objects Change-Id: Ibb76c140eb0bdbbc3f1d155e3d6f273c26d90a42 Resolves: #84407 Releases: master Reviewed-on: https://review.typo3.org/56307 Tested-by: TYPO3com <no-reply@typo3.com> Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Benni Mack <benni@typo3.org> Tested-by: Benni Mack <benni@typo3.org>
TYPO3 · Mar 20, 2018 · 35f04e6 · 35f04e6
1 parent 94f3faa
commit 35f04e6
Show file tree

Hide file tree

Showing 9 changed files with 164 additions and 21 deletions.
diff --git a/...Changelog/master/Deprecation-84407-AJAXRequestMethodsInRsaEncryptionEncoder.rst b/...Changelog/master/Deprecation-84407-AJAXRequestMethodsInRsaEncryptionEncoder.rst
@@ -0,0 +1,42 @@
+.. include:: ../../Includes.txt
+
+==================================================================
+Deprecation: #84407 - AJAX request methods in RsaEncryptionEncoder
+==================================================================
+
+See :issue:`84407`
+
+Description
+===========
+
+All methods related to AJAX requests in :php:`\TYPO3\CMS\Rsaauth\RsaEncryptionEncoder` have been
+deprecated:
+
+* :php:`getRsaPublicKey()`
+* :php:`getRsaPublicKeyAjaxHandler()`
+
+The ``rsa_publickey`` AJAX route has been adapted to use the
+:php:`\TYPO3\CMS\Rsaauth\Controller\RsaPublicKeyGenerationController` which was already used for
+RSA key retrieval via eID in the frontend.
+
+
+Impact
+======
+
+Calling one of the above methods on an instance of :php:`RsaEncryptionEncoder` will throw a
+deprecation warning in v9 and a PHP fatal in v10.
+
+
+Affected Installations
+======================
+
+All extensions that call the deprecated methods are affected.
+
+
+Migration
+=========
+
+Extensions should not use the deprecated methods but directly request a key pair via the RSA
+backend API.
+
+.. index:: Backend, Frontend, PHP-API, FullyScanned
diff --git a/...r/Deprecation-84407-RSAPublicKeyGenerationWithoutContentTypeApplicationJson.rst b/...r/Deprecation-84407-RSAPublicKeyGenerationWithoutContentTypeApplicationJson.rst
@@ -0,0 +1,48 @@
+.. include:: ../../Includes.txt
+
+========================================================================================
+Deprecation: #84407 - RSA public key generation without "Content-Type: application/json"
+========================================================================================
+
+See :issue:`84407`
+
+Description
+===========
+
+The default response of the :php:`RsaPublicKeyGenerationController` eID script was broken since it
+claimed to return a JSON response but in fact returned a simple string containing a concatenation of
+public key modulus and exponent.
+
+The eID script now returns a proper JSON response if requested with the
+`Content-Type: application/json` HTTP header:
+
+.. code-block:: javascript
+
+    {
+        "publicKeyModulus": "ABC...",
+        "exponent": "10..."
+    }
+
+
+Impact
+======
+
+Extensions performing custom AJAX requests against the :php:`RsaPublicKeyGenerationController`
+eID script without the `Content-Type: application/json` HTTP header will trigger a deprecation
+warning in v9 and an error response in v10.
+
+
+Affected Installations
+======================
+
+Sites which do not use the default RSA encryption JavaScript to handle form value encryption.
+
+
+Migration
+=========
+
+The default RSA encryption JavaScript has been migrated, custom implementations must add the
+`Content-Type: application/json` HTTP header to AJAX requests and parse the JSON response
+accordingly.
+
+.. index:: Backend, Frontend, JavaScript, PHP-API, FullyScanned, ext:rsaauth
diff --git a/typo3/sysext/install/Configuration/ExtensionScanner/Php/MethodCallMatcher.php b/typo3/sysext/install/Configuration/ExtensionScanner/Php/MethodCallMatcher.php
@@ -2011,4 +2011,18 @@
             'Deprecation-84338-ProtectedMethodsAndPropertiesInTableController.rst',
         ],
     ],
+    'TYPO3\CMS\Rsaauth\RsaEncryptionEncoder->getRsaPublicKey' => [
+        'numberOfMandatoryArguments' => 0,
+        'maximumNumberOfArguments' => 0,
+        'restFiles' => [
+            'Deprecation-84407-AJAXRequestMethodsInRsaEncryptionEncoder.rst',
+        ],
+    ],
+    'TYPO3\CMS\Rsaauth\RsaEncryptionEncoder->getRsaPublicKeyAjaxHandler' => [
+        'numberOfMandatoryArguments' => 0,
+        'maximumNumberOfArguments' => 0,
+        'restFiles' => [
+            'Deprecation-84407-AJAXRequestMethodsInRsaEncryptionEncoder.rst',
+        ],
+    ],
 ];
diff --git a/typo3/sysext/rsaauth/Classes/Controller/RsaPublicKeyGenerationController.php b/typo3/sysext/rsaauth/Classes/Controller/RsaPublicKeyGenerationController.php
@@ -34,6 +34,7 @@ public function processRequest(ServerRequestInterface $request): ResponseInterfa
     {
         /** @var \TYPO3\CMS\Rsaauth\Backend\AbstractBackend $backend */
         $backend = BackendFactory::getBackend();
+
         if ($backend === null) {
             // add a HTTP 500 error code, if an error occurred
             return new JsonResponse(null, 500);
@@ -43,10 +44,25 @@ public function processRequest(ServerRequestInterface $request): ResponseInterfa
         $storage = StorageFactory::getStorage();
         $storage->put($keyPair->getPrivateKey());
         session_commit();
-        $content = $keyPair->getPublicKeyModulus() . ':' . sprintf('%x', $keyPair->getExponent()) . ':';
 
-        $response = new Response('php://temp', 200, ['Content-Type' => 'application/json; charset=utf-8']);
-        $response->getBody()->write($content);
+        switch ($request->getHeaderLine('content-type')) {
+            case 'application/json':
+                $data = [
+                    'publicKeyModulus' => $keyPair->getPublicKeyModulus(),
+                    'exponent' => sprintf('%x', $keyPair->getExponent()),
+                ];
+                $response = new JsonResponse($data);
+                break;
+
+            default:
+                trigger_error('Requesting RSA public keys without "Content-Type: application/json" will be removed in v10. Add this header to your AJAX request.', E_USER_DEPRECATED);
+
+                $content = $keyPair->getPublicKeyModulus() . ':' . sprintf('%x', $keyPair->getExponent()) . ':';
+                $response = new Response('php://temp', 200, ['Content-Type' => 'application/json; charset=utf-8']);
+                $response->getBody()->write($content);
+                break;
+        }
+
         return $response;
     }
 }
diff --git a/typo3/sysext/rsaauth/Classes/RsaEncryptionEncoder.php b/typo3/sysext/rsaauth/Classes/RsaEncryptionEncoder.php
@@ -89,9 +89,13 @@ public function isAvailable()
      * Gets RSA Public Key.
      *
      * @return Keypair|null
+     *
+     * @deprecated since TYPO3 v9. Will be removed in v10.
      */
     public function getRsaPublicKey()
     {
+        trigger_error('Method getRsaPublicKey() will be removed in v10.', E_USER_DEPRECATED);
+
         $keyPair = null;
         $backend = Backend\BackendFactory::getBackend();
         if ($backend !== null) {
@@ -108,9 +112,13 @@ public function getRsaPublicKey()
      * Ajax handler to return a RSA public key.
      *
      * @return ResponseInterface
+     *
+     * @deprecated since TYPO3 v9. Will be removed in v10.
      */
     public function getRsaPublicKeyAjaxHandler(): ResponseInterface
     {
+        trigger_error('Method getRsaPublicKeyAjaxHandler() will be removed in v10.', E_USER_DEPRECATED);
+
         $keyPair = $this->getRsaPublicKey();
         if ($keyPair !== null) {
             return new HtmlResponse(

diff --git a/typo3/sysext/rsaauth/Configuration/Backend/AjaxRoutes.php b/typo3/sysext/rsaauth/Configuration/Backend/AjaxRoutes.php
@@ -7,7 +7,7 @@
     // Get RSA public key
     'rsa_publickey' => [
         'path' => '/rsa/publickey',
-        'target' => \TYPO3\CMS\Rsaauth\RsaEncryptionEncoder::class . '::getRsaPublicKeyAjaxHandler',
+        'target' => \TYPO3\CMS\Rsaauth\Controller\RsaPublicKeyGenerationController::class . '::processRequest',
         'access' => 'public',
         'parameters' => [
             'skipSessionUpdate' => 1

diff --git a/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryption.js b/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryption.js
@@ -46,7 +46,15 @@
           TYPO3RsaEncryptionPublicKeyUrl, // defined in PHP
           rsaEncryption,
           function(response) {
-            rsaEncryption.handlePublicKeyResponse(response, rsaEncryption);
+            var keyData = null;
+
+            try {
+              keyData = JSON.parse(response.responseText);
+            } catch (e) {
+              // Nothing to do here, error will be handled by callback
+            }
+
+            rsaEncryption.handlePublicKeyResponse(keyData, rsaEncryption);
           }
         );
 
@@ -91,18 +99,19 @@
       };
 
       rsaEncryption.xhr.open('GET', url, true);
+      rsaEncryption.xhr.setRequestHeader('Content-Type', 'application/json');
       rsaEncryption.xhr.send('');
     };
 
-    this.handlePublicKeyResponse = function(response, rsaEncryption) {
-      var publicKey = response.responseText.split(':');
-      if (!publicKey[0] || !publicKey[1]) {
+    this.handlePublicKeyResponse = function(keyData, rsaEncryption) {
+      if (!keyData) {
         alert('No public key could be generated. Please inform your TYPO3 administrator to check the OpenSSL settings.');
         return false;
       }
 
       var rsa = new RSAKey();
-      rsa.setPublic(publicKey[0], publicKey[1]);
+      rsa.setPublic(keyData.publicKeyModulus, keyData.exponent);
+
       for (var i = rsaEncryption.fields.length; i--;) {
         var field = rsaEncryption.fields[i];
         var encryptedValue = rsa.encrypt(field.value);

diff --git a/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionModule.js b/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionModule.js
@@ -75,7 +75,9 @@ define(['jquery', './RsaLibrary'], function($) {
 
         $.ajax({
           url: TYPO3.settings.ajaxUrls['rsa_publickey'],
-          success: RsaEncryption.handlePublicKeyResponse
+          contentType: 'application/json',
+          success: RsaEncryption.handlePublicKeyResponse,
+          error: RsaEncryption.handlePublicKeyError,
         });
 
         return false;
@@ -87,19 +89,14 @@ define(['jquery', './RsaLibrary'], function($) {
     },
 
     /**
-     * Parses the Json response and triggers submission of the form
+     * Triggers submission of the form
      *
-     * @param {Object} response Ajax response object
+     * @param {Object} key data object
      */
-    handlePublicKeyResponse: function(response) {
-      var publicKey = response.split(':');
-      if (!publicKey[0] || !publicKey[1]) {
-        alert('No public key could be generated. Please inform your TYPO3 administrator to check the OpenSSL settings.');
-        return;
-      }
-
+    handlePublicKeyResponse: function(keyData) {
       var rsa = new RSAKey();
-      rsa.setPublic(publicKey[0], publicKey[1]);
+      rsa.setPublic(keyData.publicKeyModulus, keyData.exponent);
+
       RsaEncryption.$currentForm.find(':input[data-rsa-encryption]').each(function() {
         var $this = $(this);
         var encryptedValue = rsa.encrypt($this.val());
@@ -144,6 +141,15 @@ define(['jquery', './RsaLibrary'], function($) {
         // Submit the form
         RsaEncryption.$currentForm.trigger('submit');
       }
+    },
+
+    /**
+     * Handles errors on public key retrieval
+     *
+     * @param {Object} response Ajax response object
+     */
+    handlePublicKeyError: function() {
+      alert('No public key could be generated. Please inform your TYPO3 administrator to check the OpenSSL settings.');
     }
   };
 

diff --git a/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionWithLib.min.js b/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionWithLib.min.js