
Commit fa542fe

committed
Add SensitiveParameter annotations to password parameters
1 parent 68928b9 commit fa542fe


6 files changed

+36
-30
lines changed


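--- a/src/Auth/Guard.php
+++ b/src/Auth/Guard.php
@@ -6,6 +6,7 @@
 use LdapRecord\Configuration\DomainConfiguration;
 use LdapRecord\Events\DispatcherInterface;
 use LdapRecord\LdapInterface;
+use SensitiveParameter;
 
 class Guard
 {
@@ -39,7 +40,7 @@ public function __construct(LdapInterface $connection, DomainConfiguration $conf
 * @throws UsernameRequiredException
 * @throws PasswordRequiredException
 */
-public function attempt(string $username, string $password, bool $stayBound = false): bool
+public function attempt(string $username, #[SensitiveParameter] string $password, bool $stayBound = false): bool
 {
 switch (true) {
 case empty($username):
@@ -73,7 +74,7 @@ public function attempt(string $username, string $password, bool $stayBound = fa
 * @throws BindException
 * @throws \LdapRecord\ConnectionException
 */
-public function bind(?string $username = null, ?string $password = null): void
+public function bind(?string $username = null, #[SensitiveParameter] ?string $password = null): void
 {
 $this->fireAuthEvent('binding', $username, $password);
 
@@ -104,7 +105,7 @@ public function bind(?string $username = null, ?string $password = null): void
 *
 * @throws \LdapRecord\ConnectionException
 */
-protected function authenticate(?string $username = null, ?string $password = null): bool
+protected function authenticate(?string $username = null, #[SensitiveParameter] ?string $password = null): bool
 {
 if ($this->configuration->get('use_sasl') ?? false) {
 return $this->connection->saslBind(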
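Review bot: The redaction on `bind()` stops at its own frame: the first statement of its body, `$this->fireAuthEvent('binding', $username, $password)`, hands the plaintext to `fireAuthEvent`, which is not touched by this commit, and presumably from there into an event object, so a throw inside the dispatcher or a listener still produces a trace frame (and an event payload) carrying the password. If `fireAuthEvent` and the auth event constructors take the password as a parameter they need the same `#[SensitiveParameter]`, and listeners should be told not to log it; a docblock line on `bind()` such as `* Note: #[SensitiveParameter] only redacts this frame in backtraces; the password is still passed to auth event listeners.` would make that explicit. The bodies of `attempt()`, `bind()` and `authenticate()` continue outside their hunks.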

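--- a/src/Connection.php
+++ b/src/Connection.php
@@ -11,6 +11,7 @@
 use LdapRecord\Query\Builder;
 use LdapRecord\Query\Cache;
 use Psr\SimpleCache\CacheInterface;
+use SensitiveParameter;
 
 class Connection
 {
@@ -211,7 +212,7 @@ public function setGuardResolver(Closure $callback): void
 * @throws Auth\BindException
 * @throws LdapRecordException
 */
-public function connect(?string $username = null, ?string $password = null): void
+public function connect(?string $username = null, #[SensitiveParameter] ?string $password = null): void
 {
 $attempt = function () use ($username, $password) {
 $this->dispatch(new Events\Connecting($this));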
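Review bot: `#[SensitiveParameter]` is only honoured by PHP 8.2 and later; on an older runtime the attribute is parsed and silently ignored (attributes are not validated until reflected), so `connect()` gains no redaction there and nothing warns about it. If the package's `php` constraint (not visible here) still admits < 8.2, either raise it or record the limitation in the docblock: `* @note $password is redacted from backtraces only on PHP >= 8.2 (#[SensitiveParameter]).` The `$attempt` closure captures `$password` by value; closure-bound variables are not trace arguments, but the value persists in the closure object for as long as it is retained. The body of `connect()` continues outside the hunk.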

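--- a/src/Ldap.php
+++ b/src/Ldap.php
@@ -3,6 +3,7 @@
 namespace LdapRecord;
 
 use LDAP\Connection as RawLdapConnection;
+use SensitiveParameter;
 
 class Ldap implements LdapInterface
 {
@@ -270,7 +271,7 @@ public function parseResult(mixed $result, int &$errorCode = 0, ?string &$dn = n
 /**
 * {@inheritdoc}
 */
-public function bind(?string $dn = null, ?string $password = null, ?array $controls = null): LdapResultResponse
+public function bind(?string $dn = null, #[SensitiveParameter] ?string $password = null, ?array $controls = null): LdapResultResponse
 {
 /** @var \LDAP\Result $result */
 $result = $this->executeFailableOperation(function () use ($dn, $password, $controls) {
@@ -287,7 +288,7 @@ public function bind(?string $dn = null, ?string $password = null, ?array $contr
 /**
 * {@inheritDoc}
 */
-public function saslBind(?string $dn = null, ?string $password = null, array $options = []): bool
+public function saslBind(?string $dn = null, #[SensitiveParameter] ?string $password = null, array $options = []): bool
 {
 return $this->executeFailableOperation(function () use ($dn, $password, $options) {
 $options = array_merge([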
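Review bot: The attribute covers the `bind()` and `saslBind()` frames, but the native LDAP call made inside the `executeFailableOperation` closure (outside the hunk) is its own frame, and whether that frame redacts its password argument depends on the runtime: the core `ldap_bind`/`ldap_sasl_bind` functions received `#[\SensitiveParameter]` in PHP 8.2, but that should be verified against the versions the package supports. The closure's `use ($dn, $password, ...)` capture is not a trace argument, so the native call is the remaining exposure point in this path. A one-line comment above each closure would keep the next maintainer from assuming full coverage: `// The native ldap_bind() frame is outside this attribute's scope; relies on ext/ldap redacting its own argument (PHP >= 8.2).`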

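--- a/src/LdapInterface.php
+++ b/src/LdapInterface.php
@@ -3,6 +3,7 @@
 namespace LdapRecord;
 
 use LDAP\Connection;
+use SensitiveParameter;
 
 /**
 * @see https://ldap.com/ldap-oid-reference-guide
@@ -501,7 +502,7 @@ public function parseResult(mixed $result, int &$errorCode = 0, ?string &$dn = n
 *
 * @throws LdapRecordException
 */
-public function bind(?string $dn = null, ?string $password = null, ?array $controls = null): LdapResultResponse;
+public function bind(?string $dn = null, #[SensitiveParameter] ?string $password = null, ?array $controls = null): LdapResultResponse;
 
 /**
 * Bind to the LDAP directory using SASL.
@@ -516,7 +517,7 @@ public function bind(?string $dn = null, ?string $password = null, ?array $contr
 * @see https://php.net/manual/en/function.ldap-sasl-bind.php
 * @see https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml
 */
-public function saslBind(?string $dn = null, ?string $password = null, array $options = []): bool;
+public function saslBind(?string $dn = null, #[SensitiveParameter] ?string $password = null, array $options = []): bool;
 
 /**
 * Adds an entry to the current connection.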
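Review bot: Parameter attributes on an interface are not inherited by implementations — `#[SensitiveParameter]` is read from the parameter of the function actually on the stack — so annotating `bind()` and `saslBind()` here documents intent but protects nothing on its own; every implementer (this commit updates `Ldap`; any other implementations or test doubles in the project are not visible here) must repeat it. That contract deserves a sentence in each method's docblock, e.g. `* Implementations must also mark $password with #[SensitiveParameter]; the attribute is not inherited from this interface.`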

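--- a/src/Models/Attributes/Password.php
+++ b/src/Models/Attributes/Password.php
@@ -5,6 +5,7 @@
 use InvalidArgumentException;
 use LdapRecord\LdapRecordException;
 use ReflectionMethod;
+use SensitiveParameter;
 
 class Password
 {
@@ -17,127 +18,127 @@ class Password
 /**
 * Make an encoded password for transmission over LDAP.
 */
-public static function encode(string $password): string
+public static function encode(#[SensitiveParameter] string $password): string
 {
 return iconv('UTF-8', 'UTF-16LE', '"'.$password.'"');
 }
 
 /**
 * Make a salted md5 password.
 */
-public static function smd5(string $password, ?string $salt = null): string
+public static function smd5(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{SMD5}'.static::makeHash($password, 'md5', null, $salt ?? random_bytes(4));
 }
 
 /**
 * Make a salted SHA password.
 */
-public static function ssha(string $password, ?string $salt = null): string
+public static function ssha(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{SSHA}'.static::makeHash($password, 'sha1', null, $salt ?? random_bytes(4));
 }
 
 /**
 * Make a salted SSHA256 password.
 */
-public static function ssha256(string $password, ?string $salt = null): string
+public static function ssha256(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{SSHA256}'.static::makeHash($password, 'hash', 'sha256', $salt ?? random_bytes(4));
 }
 
 /**
 * Make a salted SSHA384 password.
 */
-public static function ssha384(string $password, ?string $salt = null): string
+public static function ssha384(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{SSHA384}'.static::makeHash($password, 'hash', 'sha384', $salt ?? random_bytes(4));
 }
 
 /**
 * Make a salted SSHA512 password.
 */
-public static function ssha512(string $password, ?string $salt = null): string
+public static function ssha512(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{SSHA512}'.static::makeHash($password, 'hash', 'sha512', $salt ?? random_bytes(4));
 }
 
 /**
 * Make a non-salted SHA password.
 */
-public static function sha(string $password): string
+public static function sha(#[SensitiveParameter] string $password): string
 {
 return '{SHA}'.static::makeHash($password, 'sha1');
 }
 
 /**
 * Make a non-salted SHA256 password.
 */
-public static function sha256(string $password): string
+public static function sha256(#[SensitiveParameter] string $password): string
 {
 return '{SHA256}'.static::makeHash($password, 'hash', 'sha256');
 }
 
 /**
 * Make a non-salted SHA384 password.
 */
-public static function sha384(string $password): string
+public static function sha384(#[SensitiveParameter] string $password): string
 {
 return '{SHA384}'.static::makeHash($password, 'hash', 'sha384');
 }
 
 /**
 * Make a non-salted SHA512 password.
 */
-public static function sha512(string $password): string
+public static function sha512(#[SensitiveParameter] string $password): string
 {
 return '{SHA512}'.static::makeHash($password, 'hash', 'sha512');
 }
 
 /**
 * Make a non-salted md5 password.
 */
-public static function md5(string $password): string
+public static function md5(#[SensitiveParameter] string $password): string
 {
 return '{MD5}'.static::makeHash($password, 'md5');
 }
 
 /**
 * Make a non-salted NThash password.
 */
-public static function nthash(string $password): string
+public static function nthash(#[SensitiveParameter] string $password): string
 {
 return '{NTHASH}'.strtoupper(hash('md4', iconv('UTF-8', 'UTF-16LE', $password)));
 }
 
 /**
 * Crypt password with an MD5 salt.
 */
-public static function md5Crypt(string $password, ?string $salt = null): string
+public static function md5Crypt(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{CRYPT}'.static::makeCrypt($password, static::CRYPT_SALT_TYPE_MD5, $salt);
 }
 
 /**
 * Crypt password with a SHA256 salt.
 */
-public static function sha256Crypt(string $password, ?string $salt = null): string
+public static function sha256Crypt(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{CRYPT}'.static::makeCrypt($password, static::CRYPT_SALT_TYPE_SHA256, $salt);
 }
 
 /**
 * Crypt a password with a SHA512 salt.
 */
-public static function sha512Crypt(string $password, ?string $salt = null): string
+public static function sha512Crypt(#[SensitiveParameter] string $password, ?string $salt = null): string
 {
 return '{CRYPT}'.static::makeCrypt($password, static::CRYPT_SALT_TYPE_SHA512, $salt);
 }
 
 /**
 * Make a new password hash.
 */
-protected static function makeHash(string $password, string $method, ?string $algo = null, ?string $salt = null): string
+protected static function makeHash(#[SensitiveParameter] string $password, string $method, ?string $algo = null, ?string $salt = null): string
 {
 $params = $algo ? [$algo, $password.$salt] : [$password.$salt];
 
@@ -147,7 +148,7 @@ protected static function makeHash(string $password, string $method, ?string $al
 /**
 * Make a hashed password.
 */
-protected static function makeCrypt(string $password, int $type, ?string $salt = null): string
+protected static function makeCrypt(#[SensitiveParameter] string $password, int $type, ?string $salt = null): string
 {
 return crypt($password, $salt ?? static::makeCryptSalt($type));
 }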
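Review bot: `makeHash()` builds `$params` as `$password.$salt` on the last code line of its hunk, and whatever consumes that array in the rest of the method (outside the hunk) runs as its own frame — `hash()`, `md5()`, `sha1()` and `call_user_func_array()` do not redact their arguments, so a throw beneath the annotated frame (for example the `ValueError` `hash()` raises for an unknown `$algo`) still prints the plaintext plus salt one frame down; `nthash()`'s direct `hash('md4', iconv(...))` call has the same gap. `makeCrypt()` is better placed because core `crypt()` carries the attribute on its own `$string` parameter from 8.2, but that should be confirmed for the supported runtimes. Worth a class-level comment saying that redaction covers the LdapRecord frames only, not the native hashing frame beneath them, and that exception traces from these helpers must still be treated as sensitive.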

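--- a/src/Models/Concerns/HasPassword.php
+++ b/src/Models/Concerns/HasPassword.php
@@ -5,6 +5,7 @@
 use LdapRecord\ConnectionException;
 use LdapRecord\LdapRecordException;
 use LdapRecord\Models\Attributes\Password;
+use SensitiveParameter;
 
 /** @mixin \LdapRecord\Models\Model */
 trait HasPassword
@@ -14,7 +15,7 @@ trait HasPassword
 *
 * @throws ConnectionException
 */
-public function setPasswordAttribute(array|string $password): void
+public function setPasswordAttribute(#[SensitiveParameter] array|string $password): void
 {
 $this->assertSecureConnection();
 
@@ -49,7 +50,7 @@ public function setPasswordAttribute(array|string $password): void
 *
 * @throws ConnectionException
 */
-public function setUnicodepwdAttribute(array|string $password): void
+public function setUnicodepwdAttribute(#[SensitiveParameter] array|string $password): void
 {
 $this->setPasswordAttribute($password);
 }
@@ -97,7 +98,7 @@ public function getPasswordHashMethod(): string
 /**
 * Set the changed password.
 */
-protected function setChangedPassword(string $oldPassword, string $newPassword, string $attribute): void
+protected function setChangedPassword(#[SensitiveParameter] string $oldPassword, #[SensitiveParameter] string $newPassword, string $attribute): void
 {
 // Create batch modification for removing the old password.
 $this->addModification(
@@ -121,7 +122,7 @@ protected function setChangedPassword(string $oldPassword, string $newPassword,
 /**
 * Set the password on the model.
 */
-protected function setPassword(string $password, string $attribute): void
+protected function setPassword(#[SensitiveParameter] string $password, string $attribute): void
 {
 if (! $this->exists) {
 $this->setRawAttribute($attribute, $password);
@@ -143,7 +144,7 @@ protected function setPassword(string $password, string $attribute): void
 *
 * @throws LdapRecordException
 */
-protected function getHashedPassword(string $method, string $password, ?string $salt = null): string
+protected function getHashedPassword(string $method, #[SensitiveParameter] string $password, ?string $salt = null): string
 {
 if (! method_exists(Password::class, $method)) {
 throw new LdapRecordException("Password hashing method [{$method}] does not exist.");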
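Review bot: `setPassword()` writes the plaintext into the model with `$this->setRawAttribute($attribute, $password)` when `$this->exists` is false, so the value outlives the annotated frame in whatever attribute bag `setRawAttribute` fills (presumably the model's attributes), and `#[SensitiveParameter]` does nothing for it: any dump, serialization or exception context that includes the model will show it. That is presumably deliberate for a create, since the directory needs the raw value on insert, but it should be stated on `setPassword()`: `* The raw password stays in the attribute bag until the model is created; do not log or serialize the model in between.` Separately, `getHashedPassword()`'s `method_exists(Password::class, $method)` guard accepts any `Password` method name, including non-hashing ones such as `encode`; an explicit allow-list would be stricter, though that is pre-existing and outside this change. The bodies of `setPasswordAttribute()`, `setPassword()` and `getHashedPassword()` continue outside their hunks.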
