Fix #87: security helper converted into component and improved

apps/advanced/common/models/User.php

@@ -3,7 +3,7 @@
 
 use yii\base\NotSupportedException;
 use yii\db\ActiveRecord;
-use yii\helpers\Security;
+use Yii;
 use yii\web\IdentityInterface;
 
 /**
@@ -147,7 +147,7 @@ public function validateAuthKey($authKey)
      */
     public function validatePassword($password)
     {
-        return Security::validatePassword($password, $this->password_hash);
+        return Yii::$app->getSecurity()->validatePassword($password, $this->password_hash);
     }
 
     /**
@@ -157,23 +157,23 @@ public function validatePassword($password)
      */
     public function setPassword($password)
     {
-        $this->password_hash = Security::generatePasswordHash($password);
+        $this->password_hash = Yii::$app->getSecurity()->generatePasswordHash($password);
     }
 
     /**
      * Generates "remember me" authentication key
      */
     public function generateAuthKey()
     {
-        $this->auth_key = Security::generateRandomKey();
+        $this->auth_key = Yii::$app->getSecurity()->generateRandomKey();
     }
 
     /**
      * Generates new password reset token
      */
     public function generatePasswordResetToken()
     {
-        $this->password_reset_token = Security::generateRandomKey() . '_' . time();
+        $this->password_reset_token = Yii::$app->getSecurity()->generateRandomKey() . '_' . time();
     }
 
     /**

apps/advanced/common/tests/templates/fixtures/user.php

@@ -1,21 +1,19 @@
 <?php
 
-use yii\helpers\Security;
-
 return [
     'username' => 'userName',
     'auth_key' => function ($fixture, $faker, $index) {
-        $fixture['auth_key'] = Security::generateRandomKey();
+        $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomKey();
 
         return $fixture;
     },
     'password_hash' => function ($fixture, $faker, $index) {
-        $fixture['password_hash'] = Security::generatePasswordHash('password_' . $index);
+        $fixture['password_hash'] = Yii::$app->getSecurity()->generatePasswordHash('password_' . $index);
 
         return $fixture;
     },
     'password_reset_token' => function ($fixture, $faker, $index) {
-        $fixture['password_reset_token'] = Security::generateRandomKey() . '_' . time();
+        $fixture['password_reset_token'] = Yii::$app->getSecurity()->generateRandomKey() . '_' . time();
 
         return $fixture;
     },

docs/guide-es/intro-upgrade-from-v1.md

@@ -350,7 +350,6 @@ Yii 2.0 introduce muchos helpers estáticos comúnmente utilizados, incluyendo:
 * [[yii\helpers\StringHelper]]
 * [[yii\helpers\FileHelper]]
 * [[yii\helpers\Json]]
-* [[yii\helpers\Security]]
 
 Por favor, consulta la sección [Información General de Helpers](helper-overview.md) para más detalles.
 

docs/guide-fr/intro-upgrade-from-v1.md

@@ -348,7 +348,6 @@ Yii 2.0 introduit de nombreuses assistants couramment utilisés, sous la forme d
 * [[yii\helpers\StringHelper]]
 * [[yii\helpers\FileHelper]]
 * [[yii\helpers\Json]]
-* [[yii\helpers\Security]]
 
 Merci de lire la partie [Assistants](helper-overview.md) pour plus de détails.
 

docs/guide-pt-BR/intro-upgrade-from-v1.md

@@ -398,7 +398,6 @@ O Yii 2.0 introduz muitas classes de helper estáticas comumente usadas, incluin
 * [[yii\helpers\StringHelper]]
 * [[yii\helpers\FileHelper]]
 * [[yii\helpers\Json]]
-* [[yii\helpers\Security]]
 
 Por favor consulte a seção [Visão Geral](helper-overview.md) dos helpers para mais detalhes.
 

docs/guide-ru/intro-upgrade-from-v1.md

@@ -344,7 +344,6 @@ public function behaviors()
 * [[yii\helpers\StringHelper]]
 * [[yii\helpers\FileHelper]]
 * [[yii\helpers\Json]]
-* [[yii\helpers\Security]]
 
 Более детальная информация представлена в разделе [Хелперы](helper-overview.md).
 

docs/guide-zh-CN/intro-upgrade-from-v1.md

@@ -317,7 +317,6 @@ Yii 2.0 很多常用的静态助手类，包括：
 * [[yii\helpers\StringHelper]]
 * [[yii\helpers\FileHelper]]
 * [[yii\helpers\Json]]
-* [[yii\helpers\Security]]
 
 请参考 [助手一览](helper-overview.md) 章节来了解更多。
 

docs/guide/intro-upgrade-from-v1.md

@@ -349,7 +349,6 @@ Yii 2.0 introduces many commonly used static helper classes, including.
 * [[yii\helpers\StringHelper]]
 * [[yii\helpers\FileHelper]]
 * [[yii\helpers\Json]]
-* [[yii\helpers\Security]]
 
 Please refer to the [Helper Overview](helper-overview.md) section for more details.
 

docs/guide/security-authentication.md

@@ -65,14 +65,14 @@ class User extends ActiveRecord implements IdentityInterface
 ```
 
 Two of the outlined methods are simple: `findIdentity` is provided with an  ID value and returns a model instance associated with that ID. The `getId` method returns the ID itself.
-Two of the other methods--`getAuthKey` and `validateAuthKey`--are used to provide extra security to the "remember me" cookie. The `getAuthKey` method should return a string that is unique for each user. You can create reliably create a unique string using `Security::generateRandomKey()`. It's a good idea to also save this as part of the user's record:
+Two of the other methods--`getAuthKey` and `validateAuthKey`--are used to provide extra security to the "remember me" cookie. The `getAuthKey` method should return a string that is unique for each user. You can create reliably create a unique string using `Yii::$app->getSecurity()->generateRandomKey()`. It's a good idea to also save this as part of the user's record:
 
 ```php
 public function beforeSave($insert)
 {
     if (parent::beforeSave($insert)) {
         if ($this->isNewRecord) {
-            $this->auth_key = Security::generateRandomKey();
+            $this->auth_key = Yii::$app->getSecurity()->generateRandomKey();
         }
         return true;
     }

docs/guide/security-passwords.md

@@ -17,7 +17,7 @@ When a user provides a password for the first time (e.g., upon registration), th
 
 
 ```php
-$hash = \yii\helpers\Security::generatePasswordHash($password);
+$hash = Yii::$app->getSecurity()->generatePasswordHash($password);
 ```
 
 The hash can then be associated with the corresponding model attribute, so it can be stored in the database for later use.
@@ -26,8 +26,7 @@ When a user attempts to log in, the submitted password must be verified against
 
 
 ```php
-use yii\helpers\Security;
-if (Security::validatePassword($password, $hash)) {
+if (Yii::$app->getSecurity()->validatePassword($password, $hash)) {
     // all good, logging user in
 } else {
     // wrong password
@@ -43,7 +42,7 @@ Yii security helper makes generating pseudorandom data simple:
 
 
 ```php
-$key = \yii\helpers\Security::generateRandomKey();
+$key = Yii::$app->getSecurity()->generateRandomKey();
 ```
 
 Note that you need to have the `openssl` extension installed in order to generate cryptographically secure random data.
@@ -57,15 +56,15 @@ For example, we need to store some information in our database but we need to ma
 
 ```php
 // $data and $secretKey are obtained from the form
-$encryptedData = \yii\helpers\Security::encrypt($data, $secretKey);
+$encryptedData = Yii::$app->getSecurity()->encrypt($data, $secretKey);
 // store $encryptedData to database
 ```
 
 Subsequently when user wants to read the data:
 
 ```php
 // $secretKey is obtained from user input, $encryptedData is from the database
-$data = \yii\helpers\Security::decrypt($encryptedData, $secretKey);
+$data = Yii::$app->getSecurity()->decrypt($encryptedData, $secretKey);
 ```
 
 Confirming data integrity
@@ -78,14 +77,14 @@ Prefix the data with a hash generated from the secret key and data
 
 ```php
 // $secretKey our application or user secret, $genuineData obtained from a reliable source 
-$data = \yii\helpers\Security::hashData($genuineData, $secretKey);
+$data = Yii::$app->getSecurity()->hashData($genuineData, $secretKey);
 ```
 
 Checks if the data integrity has been compromised
 
 ```php
 // $secretKey our application or user secret, $data obtained from an unreliable source 
-$data = \yii\helpers\Security::validateData($data, $secretKey);
+$data = Yii::$app->getSecurity()->validateData($data, $secretKey);
 ```
 
 

extensions/faker/README.md

@@ -69,18 +69,16 @@ After you set all needed fields in callback, you need to return $fixture array b
 Another example of valid template:
 
 ```php
-use yii\helpers\Security;
-
 return [
     'name' => 'firstName',
     'phone' => 'phoneNumber',
     'city' => 'city',
     'password' => function ($fixture, $faker, $index) {
-        $fixture['password'] = Security::generatePasswordHash('password_' . $index);
+        $fixture['password'] = Yii::$app->getSecurity()->generatePasswordHash('password_' . $index);
         return $fixture;
     },
     'auth_key' => function ($fixture, $faker, $index) {
-        $fixture['auth_key'] = Security::generateRandomKey();
+        $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomKey();
         return $fixture;
     },
 ];

framework/CHANGELOG.md

@@ -65,6 +65,7 @@ Yii Framework 2 Change Log
 - Bug: URL encoding for the route parameter added to `\yii\web\UrlManager` (klimov-paul)
 - Bug: Fixed the bug that requesting protected or private action methods would cause 500 error instead of 404 (qiangxue)
 - Bug: Fixed Object of class Imagick could not be converted to string in CaptchaAction (eXprojects, cebe)
+- Enh #87: Helper `yii\helpers\Security` converted into application component, cryptographic strength improved (klimov-paul)
 - Enh #422: Added Support for BIT(M) data type default values in Schema (cebe)
 - Enh #1452: Added `Module::getInstance()` to allow accessing the module instance from anywhere within the module (qiangxue)
 - Enh #2264: `CookieCollection::has()` will return false for expired or removed cookies (qiangxue)

framework/UPGRADE.md

@@ -72,3 +72,21 @@ Upgrade from Yii 2.0 Beta
 
 * `mail` component was renamed to `mailer`, `yii\log\EmailTarget::$mail` was renamed to `yii\log\EmailTarget::$mailer`.
   Please update all references in the code and config files.
+
+* Static helper `yii\helpers\Security` has been converted into an application component. You should change all usage of
+  its methods to a new syntax, for example: instead of `yii\helpers\Security::hashData()` use `Yii::$app->getSecurity()->hashData()`.
+  Default encryption and hash parameters has been upgraded. If you need to decrypt/validate data that was encrypted/hashed
+  before, use the following configuration of the 'security' component:
+  ```
+  return [
+      'components' => [
+          'security' => [
+              'cryptBlockSize' => 16,
+              'cryptKeySize' => 24,
+              'derivationIterations' => 1000,
+          ],
+          // ...
+      ],
+      // ...
+  ];
+  ```

framework/base/Application.php

@@ -30,6 +30,7 @@
  * read-only.
  * @property string $runtimePath The directory that stores runtime files. Defaults to the "runtime"
  * subdirectory under [[basePath]].
+ * @property \yii\base\Security $security The security application component.
  * @property string $timeZone The time zone used by this application.
  * @property string $uniqueId The unique ID of the module. This property is read-only.
  * @property \yii\web\UrlManager $urlManager The URL manager for this application. This property is read-only.
@@ -591,6 +592,15 @@ public function getAssetManager()
         return $this->get('assetManager');
     }
 
+    /**
+     * Returns the security component.
+     * @return \yii\base\Security security component
+     */
+    public function getSecurity()
+    {
+        return $this->get('security');
+    }
+
     /**
      * Returns the core application components.
      * @see set
@@ -605,6 +615,7 @@ public function coreComponents()
             'mailer' => ['class' => 'yii\swiftmailer\Mailer'],
             'urlManager' => ['class' => 'yii\web\UrlManager'],
             'assetManager' => ['class' => 'yii\web\AssetManager'],
+            'security' => ['class' => 'yii\base\Security'],
         ];
     }