Skip to content

Commit dfa4a53

Browse files
eddielauSergey Nosov
eddielau
authored and
Sergey Nosov
committed
MAGETWO-47050: Magento 2: encryption keys generated in the admin interface are very weak
- changed key generation algorithm
1 parent 630d4e2 commit dfa4a53

File tree

2 files changed

+31
-5
lines changed

2 files changed

+31
-5
lines changed

app/code/Magento/EncryptionKey/Model/ResourceModel/Key/Change.php

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,12 +44,20 @@ class Change extends \Magento\Framework\Model\ResourceModel\Db\AbstractDb
4444
*/
4545
protected $writer;
4646

47+
/**
48+
* Random
49+
*
50+
* @var \Magento\Framework\Math\Random
51+
*/
52+
protected $random;
53+
4754
/**
4855
* @param \Magento\Framework\Model\ResourceModel\Db\Context $context
4956
* @param \Magento\Framework\Filesystem $filesystem
5057
* @param \Magento\Config\Model\Config\Structure $structure
5158
* @param \Magento\Framework\Encryption\EncryptorInterface $encryptor
5259
* @param \Magento\Framework\App\DeploymentConfig\Writer $writer
60+
* @param \Magento\Framework\Math\Random $random
5361
* @param string $connectionName
5462
*/
5563
public function __construct(
@@ -58,13 +66,15 @@ public function __construct(
5866
\Magento\Config\Model\Config\Structure $structure,
5967
\Magento\Framework\Encryption\EncryptorInterface $encryptor,
6068
\Magento\Framework\App\DeploymentConfig\Writer $writer,
69+
\Magento\Framework\Math\Random $random,
6170
$connectionName = null
6271
) {
6372
$this->encryptor = clone $encryptor;
6473
parent::__construct($context, $connectionName);
6574
$this->directory = $filesystem->getDirectoryWrite(DirectoryList::CONFIG);
6675
$this->structure = $structure;
6776
$this->writer = $writer;
77+
$this->random = $random;
6878
}
6979

7080
/**
@@ -92,7 +102,7 @@ public function changeEncryptionKey($key = null)
92102
}
93103

94104
if (null === $key) {
95-
$key = md5(time());
105+
$key = md5($this->random->getRandomString(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE));
96106
}
97107
$this->encryptor->setNewKey($key);
98108

app/code/Magento/EncryptionKey/Test/Unit/Model/ResourceModel/Key/ChangeTest.php

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,8 @@ class ChangeTest extends \PHPUnit_Framework_TestCase
2929
protected $tansactionMock;
3030
/** @var |\PHPUnit_Framework_MockObject_MockObject */
3131
protected $objRelationMock;
32+
/** @var \Magento\Framework\Math\Random|\PHPUnit_Framework_MockObject_MockObject */
33+
protected $randomMock;
3234
/** @var \Magento\EncryptionKey\Model\ResourceModel\Key\Change */
3335
protected $model;
3436

@@ -72,6 +74,7 @@ public function setUp()
7274
->disableOriginalConstructor()
7375
->setMethods([])
7476
->getMock();
77+
$this->randomMock = $this->getMock('Magento\Framework\Math\Random', [], [], '', false);
7578

7679
$helper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
7780

@@ -85,20 +88,20 @@ public function setUp()
8588
'adapterInterface' => $this->adapterMock,
8689
'resource' => $this->resourceMock,
8790
'transactionManager' => $this->tansactionMock,
88-
'relationProcessor' => $this->objRelationMock
91+
'relationProcessor' => $this->objRelationMock,
92+
'random' => $this->randomMock
8993
]
9094
);
9195
}
9296

93-
public function testChangeEncryptionKey()
97+
private function setUpChangeEncryptionKey()
9498
{
9599
$paths = ['path1', 'path2'];
96100
$table = ['item1', 'item2'];
97101
$values = [
98102
'key1' => 'value1',
99103
'key2' => 'value2'
100104
];
101-
$key = 'key';
102105

103106
$this->writerMock->expects($this->once())->method('checkIfWritable')->willReturn(true);
104107
$this->resourceMock->expects($this->atLeastOnce())->method('getConnection')->willReturn($this->adapterMock);
@@ -112,10 +115,23 @@ public function testChangeEncryptionKey()
112115
$this->selectMock->expects($this->any())->method('update')->willReturnSelf();
113116
$this->writerMock->expects($this->once())->method('saveConfig');
114117
$this->adapterMock->expects($this->once())->method('getTransactionLevel')->willReturn(1);
118+
}
115119

120+
public function testChangeEncryptionKey()
121+
{
122+
$this->setUpChangeEncryptionKey();
123+
$this->randomMock->expects($this->never())->method('getRandomString');
124+
$key = 'key';
116125
$this->assertEquals($key, $this->model->changeEncryptionKey($key));
117126
}
118127

128+
public function testChangeEncryptionKeyAutogenerate()
129+
{
130+
$this->setUpChangeEncryptionKey();
131+
$this->randomMock->expects($this->once())->method('getRandomString')->willReturn('abc');
132+
$this->assertEquals(md5('abc'), $this->model->changeEncryptionKey());
133+
}
134+
119135
public function testChangeEncryptionKeyThrowsException()
120136
{
121137
$key = 'key';
@@ -127,6 +143,6 @@ public function testChangeEncryptionKeyThrowsException()
127143
return;
128144
}
129145

130-
$this->fail('An excpected exception was not signaled.');
146+
$this->fail('An expected exception was not signaled.');
131147
}
132148
}

0 commit comments

Comments
 (0)