Allow rehashing passwords when possible and needed

nicolas-grekas · weaverryan · commit d81a55b51f8f · 2019-08-18T13:08:29.000-04:00
diff --git a/.travis.yml b/.travis.yml
@@ -12,6 +12,7 @@ env:
     global:
         - PHPUNIT_FLAGS="-v"
         - SYMFONY_PHPUNIT_DIR="$HOME/symfony-bridge/.phpunit"
+        - SYMFONY_REQUIRE='>=3.4'
 
 matrix:
     fast_finish: true
@@ -23,6 +24,8 @@ matrix:
           env: MAKER_TEST_VERSION=dev
 
 before_install:
+    - find ~/.phpenv -name xdebug.ini -delete
+    - composer global require --no-progress --no-scripts --no-plugins symfony/flex dev-master
     - composer update
 
 install:
diff --git a/appveyor.yml b/appveyor.yml
@@ -49,6 +49,7 @@ install:
     - IF %PHP%==0 echo @php %%~dp0composer.phar %%* > composer.bat
     - appveyor-retry appveyor DownloadFile https://getcomposer.org/composer.phar
     - cd C:\projects\maker-bundle
+    - composer global require --no-progress --no-scripts --no-plugins symfony/flex dev-master
     - IF %dependencies%==highest appveyor-retry composer update --no-progress --no-suggest --ansi
     - vendor/bin/simple-phpunit install
 
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
@@ -10,8 +10,6 @@
     <php>
         <ini name="error_reporting" value="-1" />
         <env name="TEST_DATABASE_DSN" value="mysql://root:@127.0.0.1:3306/test_maker" />
-        <!-- See #237 -->
-        <env name="SYMFONY_DEPRECATIONS_HELPER" value="weak_vendors" />
     </php>
 
     <testsuites>
diff --git a/src/Doctrine/EntityClassGenerator.php b/src/Doctrine/EntityClassGenerator.php
@@ -26,7 +26,7 @@ public function __construct(Generator $generator)
         $this->generator = $generator;
     }
 
-    public function generateEntityClass(ClassNameDetails $entityClassDetails, bool $apiResource): string
+    public function generateEntityClass(ClassNameDetails $entityClassDetails, bool $apiResource, bool $withPasswordUpgrade = false): string
     {
         $repoClassDetails = $this->generator->createClassNameDetails(
             $entityClassDetails->getRelativeName(),
@@ -51,6 +51,7 @@ public function generateEntityClass(ClassNameDetails $entityClassDetails, bool $
                 'entity_full_class_name' => $entityClassDetails->getFullName(),
                 'entity_class_name' => $entityClassDetails->getShortName(),
                 'entity_alias' => $entityAlias,
+                'with_password_upgrade' => $withPasswordUpgrade,
             ]
         );
 
diff --git a/src/Doctrine/EntityRegenerator.php b/src/Doctrine/EntityRegenerator.php
@@ -234,6 +234,7 @@ private function generateRepository(ClassMetadata $metadata)
                 'entity_full_class_name' => $metadata->name,
                 'entity_class_name' => $entityClassName,
                 'entity_alias' => strtolower($entityClassName[0]),
+                'with_password_upgrade' => false,
             ]
         );
 
diff --git a/src/Maker/MakeUser.php b/src/Maker/MakeUser.php
@@ -33,6 +33,7 @@
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Yaml\Yaml;
 
 /**
@@ -107,7 +108,6 @@ class_exists(DoctrineBundle::class)
         $userWillHavePassword = $io->confirm('Does this app need to hash/check user passwords?');
         $input->setOption('with-password', $userWillHavePassword);
 
-        $useArgon2Encoder = false;
         if ($userWillHavePassword && !class_exists(NativePasswordEncoder::class) && Argon2iPasswordEncoder::isSupported()) {
             $io->writeln('The newer <comment>Argon2i</comment> password hasher requires PHP 7.2, libsodium or paragonie/sodium_compat. Your system DOES support this algorithm.');
             $io->writeln('You should use <comment>Argon2i</comment> unless your production system will not support it.');
@@ -138,7 +138,8 @@ public function generate(InputInterface $input, ConsoleStyle $io, Generator $gen
             $entityClassGenerator = new EntityClassGenerator($generator);
             $classPath = $entityClassGenerator->generateEntityClass(
                 $userClassNameDetails,
-                false // api resource
+                false, // api resource
+                $userClassConfiguration->hasPassword() && interface_exists(PasswordUpgraderInterface::class) // security user
             );
         } else {
             $classPath = $generator->generateClass($userClassNameDetails->getFullName(), 'Class.tpl.php');
diff --git a/src/Resources/skeleton/authenticator/LoginFormAuthenticator.tpl.php b/src/Resources/skeleton/authenticator/LoginFormAuthenticator.tpl.php
@@ -17,9 +17,10 @@
 use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
+<?= ($password_authenticated = $user_needs_encoder && interface_exists('Symfony\Component\Security\Guard\PasswordAuthenticatedInterface')) ? "use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;\n" : '' ?>
 use Symfony\Component\Security\Http\Util\TargetPathTrait;
 
-class <?= $class_name; ?> extends AbstractFormLoginAuthenticator
+class <?= $class_name; ?> extends AbstractFormLoginAuthenticator<?= $password_authenticated ? " implements PasswordAuthenticatedInterface\n" : "\n" ?>
 {
     use TargetPathTrait;
 
@@ -85,6 +86,16 @@ public function checkCredentials($credentials, UserInterface $user)
         throw new \Exception('TODO: check the credentials inside '.__FILE__);\n" ?>
     }
 
+<?php if ($password_authenticated): ?>
+    /**
+     * Used to upgrade (rehash) the user's password automatically over time.
+     */
+    public function getPassword($credentials): ?string
+    {
+        return $credentials['password'];
+    }
+
+<?php endif ?>
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
     {
         if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) {
diff --git a/src/Resources/skeleton/doctrine/Repository.tpl.php b/src/Resources/skeleton/doctrine/Repository.tpl.php
@@ -5,20 +5,39 @@
 use <?= $entity_full_class_name; ?>;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Common\Persistence\ManagerRegistry;
+<?= $with_password_upgrade ? "use Symfony\Component\Security\Core\Exception\UnsupportedUserException;\n" : '' ?>
+<?= $with_password_upgrade ? "use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;\n" : '' ?>
+<?= $with_password_upgrade ? "use Symfony\Component\Security\Core\User\UserInterface;\n" : '' ?>
 
 /**
  * @method <?= $entity_class_name; ?>|null find($id, $lockMode = null, $lockVersion = null)
  * @method <?= $entity_class_name; ?>|null findOneBy(array $criteria, array $orderBy = null)
  * @method <?= $entity_class_name; ?>[]    findAll()
  * @method <?= $entity_class_name; ?>[]    findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
  */
-class <?= $class_name; ?> extends ServiceEntityRepository
+class <?= $class_name; ?> extends ServiceEntityRepository<?= $with_password_upgrade ? " implements PasswordUpgraderInterface\n" : "\n" ?>
 {
     public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, <?= $entity_class_name; ?>::class);
     }
 
+<?php if ($with_password_upgrade): ?>
+    /**
+     * Used to upgrade (rehash) the user's password automatically over time.
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        if (!$user instanceof User) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        $user->setPassword($newEncodedPassword);
+        $this->_em->persist($user);
+        $this->_em->flush();
+    }
+
+<?php endif ?>
     // /**
     //  * @return <?= $entity_class_name ?>[] Returns an array of <?= $entity_class_name ?> objects
     //  */
diff --git a/src/Resources/skeleton/security/UserProvider.tpl.php b/src/Resources/skeleton/security/UserProvider.tpl.php
@@ -4,10 +4,11 @@
 
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+<?= ($password_upgrader = interface_exists('Symfony\Component\Security\Core\User\PasswordUpgraderInterface')) ? "use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;\n" : '' ?>
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
-class <?= $class_name ?> implements UserProviderInterface
+class <?= $class_name ?> implements UserProviderInterface<?= $password_upgrader ? ", PasswordUpgraderInterface\n" : "\n" ?>
 {
     /**
      * Symfony calls this method if you use features like switch_user
@@ -60,4 +61,16 @@ public function supportsClass($class)
     {
         return <?= $user_short_name ?>::class === $class;
     }
+<?php if ($password_upgrader): ?>
+
+    /**
+     * Upgrades the encoded password of a user, typically for using a better hash algorithm.
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        // TODO: when encoded passwords are in use, this method should:
+        // 1. persist the new password in the user storage
+        // 2. update the $user object with $user->setPassword($newEncodedPassword);
+    }
+<?php endif ?>
 }
diff --git a/src/Test/MakerTestCase.php b/src/Test/MakerTestCase.php
@@ -36,7 +36,12 @@ protected function executeMakerCommand(MakerTestDetails $testDetails)
             if ('.php' === substr($file, -4)) {
                 $csProcess = $testEnv->runPhpCSFixer($file);
 
-                $this->assertTrue($csProcess->isSuccessful(), sprintf('File "%s" has a php-cs problem: %s', $file, $csProcess->getOutput()));
+                $this->assertTrue($csProcess->isSuccessful(), sprintf(
+                    "File '%s' has a php-cs problem: %s\n\n%s",
+                    $file,
+                    $csProcess->getErrorOutput(),
+                    file_get_contents($testEnv->getPath().'/'.$file)
+                ));
             }
 
             if ('.twig' === substr($file, -5)) {

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ public function __construct(Generator $generator)`
`26`	`26`	`$this->generator = $generator;`
`27`	`27`	`}`
`28`	`28`
`29`		`- public function generateEntityClass(ClassNameDetails $entityClassDetails, bool $apiResource): string`
	`29`	`+ public function generateEntityClass(ClassNameDetails $entityClassDetails, bool $apiResource, bool $withPasswordUpgrade = false): string`
`30`	`30`	`{`
`31`	`31`	`$repoClassDetails = $this->generator->createClassNameDetails(`
`32`	`32`	`$entityClassDetails->getRelativeName(),`
`@@ -51,6 +51,7 @@ public function generateEntityClass(ClassNameDetails $entityClassDetails, bool $`
`51`	`51`	`'entity_full_class_name' => $entityClassDetails->getFullName(),`
`52`	`52`	`'entity_class_name' => $entityClassDetails->getShortName(),`
`53`	`53`	`'entity_alias' => $entityAlias,`
	`54`	`+ 'with_password_upgrade' => $withPasswordUpgrade,`
`54`	`55`	`]`
`55`	`56`	`);`
`56`	`57`
Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,7 @@ private function generateRepository(ClassMetadata $metadata)`
`234`	`234`	`'entity_full_class_name' => $metadata->name,`
`235`	`235`	`'entity_class_name' => $entityClassName,`
`236`	`236`	`'entity_alias' => strtolower($entityClassName[0]),`
	`237`	`+ 'with_password_upgrade' => false,`
`237`	`238`	`]`
`238`	`239`	`);`
`239`	`240`