Deprecate the blacklist validator

rollerworks · Oct 9, 2021 · c02d783 · c02d783
1 parent 9899022
commit c02d783
Show file tree

Hide file tree

Showing 17 changed files with 57 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -48,14 +48,23 @@ Validates the passwords strength-level (weak, medium, strong etc).
 
 Validates the passwords using explicitly configured requirements (letters, caseDiff, numbers, requireSpecialCharacter).
 
-### [Password blacklisting](docs/blacklist.md)
+### [Password blacklisting](docs/blacklist.md) (deprecated)
+
+⚠️ **DEPRECATED**
+
+> This validator is deprecated in favor of the [PasswordCommonList Validator](https://github.com/rollerworks/password-common-list).
+> 
+> The PasswordCommonList validator contains a big list of commonly used passwords, many that are known to be insecure.
+> As updating the list of forbidden passwords is not something done regularly this is recommended over manually updating.
+> 
+> Alternatively the Symfony [NotCompromisedPassword] validator can be used for a more regularly updated list.
 
 There are times you want forbid (blacklist) a password from usage.
 
 Passwords are blacklisted using providers which can either be an array or
 (flat-file) database (which you can update regularly).
 
-With the default installation the following providers can be used.
+With the default installation the following providers can be used:
 
 * Noop: Default provider, does nothing.
 
@@ -65,14 +74,9 @@ With the default installation the following providers can be used.
 
 * Pdo: Provides the blacklist using the PDO extension.
 
-But building your own is also possible.
-__Documentation on this is currently missing,
-see current providers for more information.__
-
 ### PwnedPassword (deprecated)
 
-⚠️ **This validator is deprecated in favor of the Symfony [NotCompromisedPassword](https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html)
-validator.**
+⚠️ **This validator is deprecated in favor of the Symfony [NotCompromisedPassword] validator.**
 
 Validates that the requested password was not found in a trove of compromised passwords found at <https://haveibeenpwned.com/>.
 
@@ -107,6 +111,7 @@ please read the [Contributing Guidelines][3]. If you're submitting
 a pull request, please follow the guidelines in the [Submitting a Patch][4] section.
 
 [1]: https://github.com/rollerworks/PasswordStrengthBundle
+[NotCompromisedPassword]: https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html
 [2]: https://getcomposer.org/doc/00-intro.md
 [3]: https://github.com/rollerworks/contributing
 [4]: https://contributing.readthedocs.org/en/latest/code/patches.html
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -0,0 +1,11 @@
+UPGRADE
+=======
+
+## Upgrade from 1.6 to 1.7
+
+* The blacklist validator was deprecated in favor of the [PasswordCommonList Validator](https://github.com/rollerworks/password-common-list).
+
+## Upgrade from 1.3 to 1.4
+
+* The PwnedPassword validator is deprecated in favor of the Symfony [NotCompromisedPassword](https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html) validator
+
diff --git a/docs/blacklist.md b/docs/blacklist.md
@@ -1,6 +1,15 @@
 Password blacklisting
 =====================
 
+⚠️ **DEPRECATED**
+
+> This validator is deprecated in favor of the [PasswordCommonList Validator](https://github.com/rollerworks/password-common-list).
+>
+> The PasswordCommonList validator contains a big list of commonly used passwords, many that are known to be insecure.
+> As updating the list of forbidden passwords is not something done regularly this is recommended over manually updating.
+>
+> Alternatively the Symfony [NotCompromisedPassword] validator can be used for a more regularly updated list.
+
 Usage of the `Rollerworks\Component\PasswordStrength\Validator\Constraints\Blacklist`
 constraint works different then other strength validators.
 
@@ -192,3 +201,5 @@ To get started you can use the bad/leaked passwords databases provider by
 
 Its recommended to use at least the 500-worst-passwords database.
 Especially when not enforcing strong passwords using the [PasswordStrengthValidator](strength-validation.md).
+
+[NotCompromisedPassword]: https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html
diff --git a/src/Command/BlacklistCommand.php b/src/Command/BlacklistCommand.php
@@ -14,6 +14,7 @@
 use Psr\Container\ContainerInterface;
 use Rollerworks\Component\PasswordStrength\Blacklist\BlacklistProviderInterface;
 use Rollerworks\Component\PasswordStrength\Blacklist\UpdatableBlacklistProviderInterface;
+use Rollerworks\Component\PasswordStrength\Validator\Constraints\Blacklist;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
@@ -41,6 +42,8 @@ public function __construct(ContainerInterface $providers)
 
     protected function initialize(InputInterface $input, OutputInterface $output)
     {
+        trigger_deprecation('rollerworks/password-strength-validator', '1.7', 'The Blacklist validator is deprecated and will be removed in the next major version. Use the NotInPasswordCommonList from rollerworks/password-common-list package instead, or use the NotCompromisedPassword validator from the symfony/validator package instead.', Blacklist::class);
+
         $this->blacklistProvider = $this->providers->get($input->getOption('provider'));
 
         if (! $this->blacklistProvider instanceof UpdatableBlacklistProviderInterface) {

diff --git a/src/Validator/Constraints/Blacklist.php b/src/Validator/Constraints/Blacklist.php
@@ -14,9 +14,13 @@
 use Attribute;
 use Symfony\Component\Validator\Constraint;
 
+trigger_deprecation('rollerworks/password-strength-validator', '1.7', 'The Blacklist validator is deprecated and will be removed in the next major version. Use the NotInPasswordCommonList from rollerworks/password-common-list package instead, or use the NotCompromisedPassword validator from the symfony/validator package instead.', Blacklist::class);
+
 /**
  * @Annotation
  * @Target({"PROPERTY", "METHOD", "ANNOTATION"})
+ *
+ * @deprecated since rollerworks/password-strength-validator 1.7 The Blacklist validator is deprecated and will be removed in the next major version. Use the NotInPasswordCommonList from rollerworks/password-common-list package instead, or use the NotCompromisedPassword validator from the symfony/validator package instead.
  */
 #[Attribute(Attribute::TARGET_PROPERTY | Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
 class Blacklist extends Constraint

diff --git a/tests/Blacklist/ArrayProviderTest.php b/tests/Blacklist/ArrayProviderTest.php
@@ -16,6 +16,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class ArrayProviderTest extends TestCase
 {

diff --git a/tests/Blacklist/ChainProviderTest.php b/tests/Blacklist/ChainProviderTest.php
@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class ChainProviderTest extends TestCase
 {

diff --git a/tests/Blacklist/LazyChainProviderTest.php b/tests/Blacklist/LazyChainProviderTest.php
@@ -18,6 +18,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class LazyChainProviderTest extends TestCase
 {

diff --git a/tests/Blacklist/NoopProviderTest.php b/tests/Blacklist/NoopProviderTest.php
@@ -16,6 +16,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class NoopProviderTest extends TestCase
 {

diff --git a/tests/Blacklist/SqliteProviderTest.php b/tests/Blacklist/SqliteProviderTest.php
@@ -16,6 +16,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class SqliteProviderTest extends TestCase
 {

diff --git a/tests/Command/BlacklistCommandTest.php b/tests/Command/BlacklistCommandTest.php
@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistCommandTest extends BlacklistCommandTestCase
 {

diff --git a/tests/Command/BlacklistCommandTestCase.php b/tests/Command/BlacklistCommandTestCase.php
@@ -15,6 +15,10 @@
 use Rollerworks\Component\PasswordStrength\Blacklist\SqliteProvider;
 use Rollerworks\Component\PasswordStrength\Tests\BlackListMockProviderTrait;
 
+/**
+ * @internal
+ * @group legacy
+ */
 abstract class BlacklistCommandTestCase extends TestCase
 {
     use BlackListMockProviderTrait;

diff --git a/tests/Command/BlacklistDeleteCommandTest.php b/tests/Command/BlacklistDeleteCommandTest.php
@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistDeleteCommandTest extends BlacklistCommandTestCase
 {

diff --git a/tests/Command/BlacklistListCommandTest.php b/tests/Command/BlacklistListCommandTest.php
@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistListCommandTest extends BlacklistCommandTestCase
 {

diff --git a/tests/Command/BlacklistPurgeCommandTest.php b/tests/Command/BlacklistPurgeCommandTest.php
@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistPurgeCommandTest extends BlacklistCommandTestCase
 {

diff --git a/tests/Command/BlacklistUpdateCommandTest.php b/tests/Command/BlacklistUpdateCommandTest.php
@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistUpdateCommandTest extends BlacklistCommandTestCase
 {

diff --git a/tests/Validator/BlacklistValidationTest.php b/tests/Validator/BlacklistValidationTest.php
@@ -21,6 +21,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistValidationTest extends ConstraintValidatorTestCase
 {
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,7 @@ @@
     /**
      * @internal
+     * @group legacy
      */
     final class ArrayProviderTest extends TestCase
     {
@@ Expand Down @@