refactor #56 Deprecate the blacklist validator (sstok)

This PR was merged into the main branch.
labels: deprecation

Discussion
----------

| Q             | A
| ------------- | ---
| Branch?       | main
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | yes
| Fixed tickets | 
| License       | MIT

The PasswordCommonList validator contains a big list of commonly used passwords, many that are known to be insecure.
As updating the list of forbidden passwords is not something done regularly this is recommended over manually updating.

Alternatively the Symfony NotCompromisedPassword validator can be used for a more regularly updated list.

**Note:** The PasswordCommonList is a rather big package (the list is around 20 MB of size), and therefor maintained as a separate package.

Commits
-------

c02d783 Deprecate the blacklist validator

README.md

@@ -48,14 +48,23 @@ Validates the passwords strength-level (weak, medium, strong etc).
 
 Validates the passwords using explicitly configured requirements (letters, caseDiff, numbers, requireSpecialCharacter).
 
-### [Password blacklisting](docs/blacklist.md)
+### [Password blacklisting](docs/blacklist.md) (deprecated)
+
+⚠️ **DEPRECATED**
+
+> This validator is deprecated in favor of the [PasswordCommonList Validator](https://github.com/rollerworks/password-common-list).
+> 
+> The PasswordCommonList validator contains a big list of commonly used passwords, many that are known to be insecure.
+> As updating the list of forbidden passwords is not something done regularly this is recommended over manually updating.
+> 
+> Alternatively the Symfony [NotCompromisedPassword] validator can be used for a more regularly updated list.
 
 There are times you want forbid (blacklist) a password from usage.
 
 Passwords are blacklisted using providers which can either be an array or
 (flat-file) database (which you can update regularly).
 
-With the default installation the following providers can be used.
+With the default installation the following providers can be used:
 
 * Noop: Default provider, does nothing.
 
@@ -65,14 +74,9 @@ With the default installation the following providers can be used.
 
 * Pdo: Provides the blacklist using the PDO extension.
 
-But building your own is also possible.
-__Documentation on this is currently missing,
-see current providers for more information.__
-
 ### PwnedPassword (deprecated)
 
-⚠️ **This validator is deprecated in favor of the Symfony [NotCompromisedPassword](https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html)
-validator.**
+⚠️ **This validator is deprecated in favor of the Symfony [NotCompromisedPassword] validator.**
 
 Validates that the requested password was not found in a trove of compromised passwords found at <https://haveibeenpwned.com/>.
 
@@ -107,6 +111,7 @@ please read the [Contributing Guidelines][3]. If you're submitting
 a pull request, please follow the guidelines in the [Submitting a Patch][4] section.
 
 [1]: https://github.com/rollerworks/PasswordStrengthBundle
+[NotCompromisedPassword]: https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html
 [2]: https://getcomposer.org/doc/00-intro.md
 [3]: https://github.com/rollerworks/contributing
 [4]: https://contributing.readthedocs.org/en/latest/code/patches.html

UPGRADE.md

@@ -0,0 +1,11 @@
+UPGRADE
+=======
+
+## Upgrade from 1.6 to 1.7
+
+* The blacklist validator was deprecated in favor of the [PasswordCommonList Validator](https://github.com/rollerworks/password-common-list).
+
+## Upgrade from 1.3 to 1.4
+
+* The PwnedPassword validator is deprecated in favor of the Symfony [NotCompromisedPassword](https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html) validator
+

docs/blacklist.md

@@ -1,6 +1,15 @@
 Password blacklisting
 =====================
 
+⚠️ **DEPRECATED**
+
+> This validator is deprecated in favor of the [PasswordCommonList Validator](https://github.com/rollerworks/password-common-list).
+>
+> The PasswordCommonList validator contains a big list of commonly used passwords, many that are known to be insecure.
+> As updating the list of forbidden passwords is not something done regularly this is recommended over manually updating.
+>
+> Alternatively the Symfony [NotCompromisedPassword] validator can be used for a more regularly updated list.
+
 Usage of the `Rollerworks\Component\PasswordStrength\Validator\Constraints\Blacklist`
 constraint works different then other strength validators.
 
@@ -192,3 +201,5 @@ To get started you can use the bad/leaked passwords databases provider by
 
 Its recommended to use at least the 500-worst-passwords database.
 Especially when not enforcing strong passwords using the [PasswordStrengthValidator](strength-validation.md).
+
+[NotCompromisedPassword]: https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html

src/Command/BlacklistCommand.php

@@ -14,6 +14,7 @@
 use Psr\Container\ContainerInterface;
 use Rollerworks\Component\PasswordStrength\Blacklist\BlacklistProviderInterface;
 use Rollerworks\Component\PasswordStrength\Blacklist\UpdatableBlacklistProviderInterface;
+use Rollerworks\Component\PasswordStrength\Validator\Constraints\Blacklist;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
@@ -41,6 +42,8 @@ public function __construct(ContainerInterface $providers)
 
     protected function initialize(InputInterface $input, OutputInterface $output)
     {
+        trigger_deprecation('rollerworks/password-strength-validator', '1.7', 'The Blacklist validator is deprecated and will be removed in the next major version. Use the NotInPasswordCommonList from rollerworks/password-common-list package instead, or use the NotCompromisedPassword validator from the symfony/validator package instead.', Blacklist::class);
+
         $this->blacklistProvider = $this->providers->get($input->getOption('provider'));
 
         if (! $this->blacklistProvider instanceof UpdatableBlacklistProviderInterface) {

src/Validator/Constraints/Blacklist.php

@@ -14,9 +14,13 @@
 use Attribute;
 use Symfony\Component\Validator\Constraint;
 
+trigger_deprecation('rollerworks/password-strength-validator', '1.7', 'The Blacklist validator is deprecated and will be removed in the next major version. Use the NotInPasswordCommonList from rollerworks/password-common-list package instead, or use the NotCompromisedPassword validator from the symfony/validator package instead.', Blacklist::class);
+
 /**
  * @Annotation
  * @Target({"PROPERTY", "METHOD", "ANNOTATION"})
+ *
+ * @deprecated since rollerworks/password-strength-validator 1.7 The Blacklist validator is deprecated and will be removed in the next major version. Use the NotInPasswordCommonList from rollerworks/password-common-list package instead, or use the NotCompromisedPassword validator from the symfony/validator package instead.
  */
 #[Attribute(Attribute::TARGET_PROPERTY | Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
 class Blacklist extends Constraint

tests/Blacklist/ArrayProviderTest.php

@@ -16,6 +16,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class ArrayProviderTest extends TestCase
 {

tests/Blacklist/ChainProviderTest.php

@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class ChainProviderTest extends TestCase
 {

tests/Blacklist/LazyChainProviderTest.php

@@ -18,6 +18,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class LazyChainProviderTest extends TestCase
 {

tests/Blacklist/NoopProviderTest.php

@@ -16,6 +16,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class NoopProviderTest extends TestCase
 {

tests/Blacklist/SqliteProviderTest.php

@@ -16,6 +16,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class SqliteProviderTest extends TestCase
 {

tests/Command/BlacklistCommandTest.php

@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistCommandTest extends BlacklistCommandTestCase
 {

tests/Command/BlacklistCommandTestCase.php

@@ -15,6 +15,10 @@
 use Rollerworks\Component\PasswordStrength\Blacklist\SqliteProvider;
 use Rollerworks\Component\PasswordStrength\Tests\BlackListMockProviderTrait;
 
+/**
+ * @internal
+ * @group legacy
+ */
 abstract class BlacklistCommandTestCase extends TestCase
 {
     use BlackListMockProviderTrait;

tests/Command/BlacklistDeleteCommandTest.php

@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistDeleteCommandTest extends BlacklistCommandTestCase
 {

tests/Command/BlacklistListCommandTest.php

@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistListCommandTest extends BlacklistCommandTestCase
 {

tests/Command/BlacklistPurgeCommandTest.php

@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistPurgeCommandTest extends BlacklistCommandTestCase
 {

tests/Command/BlacklistUpdateCommandTest.php

@@ -17,6 +17,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistUpdateCommandTest extends BlacklistCommandTestCase
 {

tests/Validator/BlacklistValidationTest.php

@@ -21,6 +21,7 @@
 
 /**
  * @internal
+ * @group legacy
  */
 final class BlacklistValidationTest extends ConstraintValidatorTestCase
 {