Merge pull request #21 from paragonie/ga

Migrate off Travis CI

.github/workflows/ci.yml

@@ -0,0 +1,105 @@
+name: CI
+
+on: [push]
+
+jobs:
+  old:
+    name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: ['ubuntu-16.04']
+        php-versions: ['7.0']
+        phpunit-versions: ['7.5.20']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: mbstring, intl
+          ini-values: post_max_size=256M, max_execution_time=180
+          tools: psalm, phpunit:${{ matrix.phpunit-versions }}
+
+      - name: Fix permissions
+        run: sudo chmod -R 0777 .
+
+      - name: Install dependencies
+        run: composer self-update --1; composer install
+
+      - name: PHPUnit tests
+        uses: php-actions/phpunit@v2
+        with:
+          memory_limit: 256M
+
+  moderate:
+    name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: ['ubuntu-latest']
+        php-versions: ['7.1', '7.2', '7.3']
+        phpunit-versions: ['latest']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: mbstring, intl, sodium
+          ini-values: post_max_size=256M, max_execution_time=180
+          tools: psalm, phpunit:${{ matrix.phpunit-versions }}
+
+      - name: Fix permissions
+        run: sudo chmod -R 0777 .
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: PHPUnit tests
+        uses: php-actions/phpunit@v2
+        timeout-minutes: 30
+        with:
+          memory_limit: 256M
+
+  modern:
+    name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system: ['ubuntu-latest']
+        php-versions: ['7.4', '8.0']
+        phpunit-versions: ['latest']
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: mbstring, intl, sodium
+          ini-values: post_max_size=256M, max_execution_time=180
+          tools: psalm, phpunit:${{ matrix.phpunit-versions }}
+
+      - name: Fix permissions
+        run: sudo chmod -R 0777 .
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: PHPUnit tests
+        uses: php-actions/phpunit@v2
+        timeout-minutes: 30
+        with:
+          memory_limit: 256M
+
+      - name: Install Psalm
+        run: composer require --dev vimeo/psalm:^4
+
+      - name: Static Analysis
+        run: vendor/bin/psalm

README.md

@@ -1,5 +1,7 @@
 # Password Lock
 
+[![Build Status](https://github.com/paragonie/password_lock/actions/workflows/ci.yml/badge.svg)](https://github.com/paragonie/password_lock/actions)
+
 **MIT Licensed** - feel free to use to enhance the security of any of your PHP projects
 
 Wraps Bcrypt-SHA384 in Authenticated Encryption. Published by [Paragon Initiative Enterprises](https://paragonie.com). Check out our other [open source projects](https://paragonie.com/projects) too.

composer.json

@@ -28,12 +28,12 @@
         ]
     },
     "require": {
-        "php": "^7",
+        "php": "^7|^8",
         "defuse/php-encryption": "^2",
         "paragonie/constant_time_encoding": "^2"
     },
     "require-dev": {
-        "phpunit/phpunit": "^6",
-        "vimeo/psalm": "^0|^1"
+        "phpunit/phpunit": "^6|^7|^8|^9",
+        "vimeo/psalm": "^1|^2|^3|^4"
     }
 }

phpunit.xml.dist

@@ -9,16 +9,10 @@
      processIsolation="false"
      stopOnError="false"
      stopOnFailure="false"
-     syntaxCheck="true"
 >
     <testsuites>
         <testsuite name="HPKP Builder Test Suite">
             <directory suffix="Test.php">./tests</directory>
         </testsuite>
     </testsuites>
-    <filter>
-        <whitelist processUncoveredFilesFromWhitelist="true">
-            <directory suffix=".php">./src</directory>
-        </whitelist>
-    </filter>
 </phpunit>

psalm.xml

@@ -3,8 +3,12 @@
        useDocblockTypes="true">
     <projectFiles>
         <directory name="src" />
+        <ignoreFiles>
+            <directory name="vendor" />
+        </ignoreFiles>
     </projectFiles>
     <issueHandlers>
+        <DocblockTypeContradiction errorLevel="info" />
         <RedundantConditionGivenDocblockType errorLevel="suppress" />
     </issueHandlers>
 </psalm>

src/PasswordLock.php

@@ -2,11 +2,17 @@
 declare(strict_types=1);
 namespace ParagonIE\PasswordLock;
 
-use \Defuse\Crypto\Crypto;
-use \Defuse\Crypto\Key;
-use \ParagonIE\ConstantTime\Base64;
-use \ParagonIE\ConstantTime\Binary;
+use Defuse\Crypto\Crypto;
+use Defuse\Crypto\Exception\EnvironmentIsBrokenException;
+use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;
+use Defuse\Crypto\Key;
+use ParagonIE\ConstantTime\Base64;
+use ParagonIE\ConstantTime\Binary;
 
+/**
+ * Class PasswordLock
+ * @package ParagonIE\PasswordLock
+ */
 class PasswordLock
 {
     /**
@@ -16,8 +22,9 @@ class PasswordLock
      * @param string $password
      * @param Key $aesKey
      * @return string
-     * @throws \Exception
-     * @throws \InvalidArgumentException
+     *
+     * @throws EnvironmentIsBrokenException
+     * @psalm-suppress InvalidArgument
      */
     public static function hashAndEncrypt(string $password, Key $aesKey): string
     {
@@ -29,7 +36,7 @@ public static function hashAndEncrypt(string $password, Key $aesKey): string
             PASSWORD_DEFAULT
         );
         if (!\is_string($hash)) {
-            throw new \Exception("Unknown hashing error.");
+            throw new EnvironmentIsBrokenException("Unknown hashing error.");
         }
         return Crypto::encrypt($hash, $aesKey);
     }
@@ -41,20 +48,22 @@ public static function hashAndEncrypt(string $password, Key $aesKey): string
      * @param string $ciphertext
      * @param string $aesKey - must be exactly 16 bytes
      * @return bool
-     * @throws \Exception
+     *
      * @throws \InvalidArgumentException
+     * @throws EnvironmentIsBrokenException
+     * @throws WrongKeyOrModifiedCiphertextException
      */
     public static function decryptAndVerifyLegacy(string $password, string $ciphertext, string $aesKey): bool
     {
         if (Binary::safeStrlen($aesKey) !== 16) {
-            throw new \Exception("Encryption keys must be 16 bytes long");
+            throw new \InvalidArgumentException("Encryption keys must be 16 bytes long");
         }
         $hash = Crypto::legacyDecrypt(
             $ciphertext,
             $aesKey
         );
         if (!\is_string($hash)) {
-            throw new \Exception("Unknown hashing error.");
+            throw new EnvironmentIsBrokenException("Unknown hashing error.");
         }
         return \password_verify(
             Base64::encode(
@@ -72,8 +81,9 @@ public static function decryptAndVerifyLegacy(string $password, string $cipherte
      * @param string $ciphertext
      * @param Key $aesKey
      * @return bool
-     * @throws \Exception
-     * @throws \InvalidArgumentException
+     *
+     * @throws EnvironmentIsBrokenException
+     * @throws WrongKeyOrModifiedCiphertextException
      */
     public static function decryptAndVerify(string $password, string $ciphertext, Key $aesKey): bool
     {
@@ -82,7 +92,7 @@ public static function decryptAndVerify(string $password, string $ciphertext, Ke
             $aesKey
         );
         if (!\is_string($hash)) {
-            throw new \Exception("Unknown hashing error.");
+            throw new EnvironmentIsBrokenException("Unknown hashing error.");
         }
         return \password_verify(
             Base64::encode(
@@ -99,6 +109,9 @@ public static function decryptAndVerify(string $password, string $ciphertext, Ke
      * @param  Key $oldKey
      * @param Key $newKey
      * @return string
+     *
+     * @throws EnvironmentIsBrokenException
+     * @throws WrongKeyOrModifiedCiphertextException
      */
     public static function rotateKey(string $ciphertext, Key $oldKey, Key $newKey): string
     {

tests/PasswordLockTest.php

@@ -1,9 +1,10 @@
 <?php
 declare(strict_types=1);
 
-use \ParagonIE\PasswordLock\PasswordLock;
-use \Defuse\Crypto\Key;
+use ParagonIE\PasswordLock\PasswordLock;
+use Defuse\Crypto\Key;
 use PHPUnit\Framework\TestCase;
+use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;
 
 /**
  * @backupGlobals disabled
@@ -25,16 +26,19 @@ public function testHash()
             PasswordLock::decryptAndVerify('YELLOW SUBMARINF', $password, $key)
         );
     }
-
-    /**
-     * @expectedException \Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException
-     */
+
     public function testBitflip()
     {
-        $key = Key::createNewRandomKey();
-        $password = PasswordLock::hashAndEncrypt('YELLOW SUBMARINE', $key);
-        $password[0] = (\ord($password[0]) === 0 ? 255 : 0);
-
-        PasswordLock::decryptAndVerify('YELLOW SUBMARINE', $password, $key);
+        $failed = false;
+        try {
+            $key = Key::createNewRandomKey();
+            $password = PasswordLock::hashAndEncrypt('YELLOW SUBMARINE', $key);
+            $password[0] = (\ord($password[0]) === 0 ? 255 : 0);
+
+            PasswordLock::decryptAndVerify('YELLOW SUBMARINE', $password, $key);
+        } catch (WrongKeyOrModifiedCiphertextException $ex) {
+            $failed = true;
+        }
+        $this->assertTrue($failed, 'Bitflips should break the decryption');
     }
 }