Merged
8 changes: 6 additions & 2 deletions docs/simplesamlphp-upgrade-notes-2.3.md
Expand Up @@ -32,8 +32,12 @@ The following properties were marked `deprecated` and will be removed in a next

## BC break

- Plain-text admin-passwords are no longer allowed.
Please use the `bin/pwgen.php` script to generate a secure password hash.
- As of 2.3.1+ Plain-text admin-passwords are allowed again.
No change is needed to auth.adminpassword to upgrade from 2.2 to 2.3.1+.
In 2.3.0 only Plain-text admin-passwords were not allowed.

In either case you might like to use the `bin/pwgen.php` script to
generate a secure password hash for auth.adminpassword.

- The language codes `pt-br` and `zh-tw` have been renamed to `pt_BR` and `zh_TW`.
Please update your configuration to match the new names.
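
Review bot: The added sentence "In either case you might like to use the `bin/pwgen.php` script" reads as optional advice, while the log message added to AdminPassword.php in this same change says that plain-text support "will be removed in the future". The upgrade note should state plainly that a plain-text `auth.adminpassword` is deprecated and scheduled for removal, so operators hash it now rather than at the next upgrade. The line "In 2.3.0 only Plain-text admin-passwords were not allowed" is also ambiguous; "Only 2.3.0 rejected plain-text admin passwords" says what is meant. Since the entry no longer describes a break for 2.3.1+, consider whether it still belongs under "## BC break".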
4 changes: 4 additions & 0 deletions modules/core/src/Auth/Source/AdminPassword.php
Expand Up @@ -6,6 +6,7 @@

use SimpleSAML\Configuration;
use SimpleSAML\Error;
use SimpleSAML\Logger;
use SimpleSAML\Module\core\Auth\UserPassBase;
use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;

Expand Down Expand Up @@ -65,6 +66,9 @@ protected function login(string $username, string $password): array
// Continue to allow admin login when the config contains
// a password that is not hashed
if ($adminPassword === $password) {
Logger::deprecated('Please consider hashing the admin password stored in auth.adminpassword'
. ' in config.php. Using a plain text password in that config setting'
. ' will be removed in the future.');
return ['user' => ['admin']];
}
throw new Error\Error(Error\ErrorCodes::ADMINNOTHASHED);
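
Review bot: The plain-text branch compares the secret with `$adminPassword === $password`, which is not a constant-time comparison; since this path is being kept for now, `hash_equals($adminPassword, $password)` would be the safer form. Separately, `Logger::deprecated(...)` sits inside the `if`, so the warning is written only after a successful plain-text admin login. An operator who never logs in as admin never sees it, and a non-matching password falls through to `ADMINNOTHASHED` without any deprecation hint in the log. Consider emitting the warning as soon as the configured value is found to be unhashed, before the comparison.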
9 changes: 9 additions & 0 deletions src/SimpleSAML/Logger.php
Expand Up @@ -207,6 +207,15 @@ public static function warning(string $string): void
self::log(self::WARNING, $string);
}

/**
* Log a warning about deprecated code.
*
* @param string $string The message to log.
*/
public static function deprecated(string $string): void
{
self::log(self::WARNING, 'DEPRECATION WARNING: ' . $string);
}

/**
* We reserve the notice level for statistics, so do not use this level for other kind of log messages.
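
Review bot: `deprecated()` logs at `self::WARNING` and marks the message only with the string prefix 'DEPRECATION WARNING: ', so deprecations cannot be filtered or counted separately from ordinary warnings except by matching on the text. The docblock should say that the message is emitted at warning level with that prefix, so callers do not add their own. "Log a warning about deprecated code" is also narrower than the first use in this change, which flags a deprecated configuration value; "deprecated code or configuration" would match.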