[Security] add support for opportunistic password migrations

nicolas-grekas · nicolas-grekas · commit 2cfc5c7dd6ea · 2019-08-05T10:47:47.000+02:00
diff --git a/src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php b/src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php
@@ -14,6 +14,7 @@
 use Doctrine\Common\Persistence\ManagerRegistry;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
@@ -25,7 +26,7 @@
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class EntityUserProvider implements UserProviderInterface
+class EntityUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $registry;
     private $managerName;
@@ -107,6 +108,22 @@ public function supportsClass($class)
         return $class === $this->getClass() || is_subclass_of($class, $this->getClass());
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        $class = $this->getClass();
+        if (!$user instanceof $class) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        $repository = $this->getRepository();
+        if ($repository instanceof PasswordUpgraderInterface) {
+            $repository->upgradePassword($user, $newEncodedPassword);
+        }
+    }
+
     private function getObjectManager()
     {
         return $this->registry->getManager($this->managerName);
diff --git a/src/Symfony/Bridge/Doctrine/Tests/Security/User/EntityUserProviderTest.php b/src/Symfony/Bridge/Doctrine/Tests/Security/User/EntityUserProviderTest.php
@@ -16,6 +16,7 @@
 use Symfony\Bridge\Doctrine\Security\User\EntityUserProvider;
 use Symfony\Bridge\Doctrine\Test\DoctrineTestHelper;
 use Symfony\Bridge\Doctrine\Tests\Fixtures\User;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 
 class EntityUserProviderTest extends TestCase
 {
@@ -175,6 +176,23 @@ public function testLoadUserByUserNameShouldDeclineInvalidInterface()
         $provider->loadUserByUsername('name');
     }
 
+    public function testPasswordUpgrades()
+    {
+        $user = new User(1, 1, 'user1');
+
+        $repository = $this->getMockBuilder(PasswordUpgraderInterface::class)->getMock();
+        $repository->expects($this->once())
+            ->method('upgradePassword')
+            ->with($user, 'foobar');
+
+        $provider = new EntityUserProvider(
+            $this->getManager($this->getObjectManager($repository)),
+            'Symfony\Bridge\Doctrine\Tests\Fixtures\User'
+        );
+
+        $provider->upgradePassword($user, 'foobar');
+    }
+
     private function getManager($em, $name = null)
     {
         $manager = $this->getMockBuilder('Doctrine\Common\Persistence\ManagerRegistry')->getMock();
diff --git a/src/Symfony/Bridge/Doctrine/composer.json b/src/Symfony/Bridge/Doctrine/composer.json
@@ -33,7 +33,7 @@
         "symfony/property-access": "^3.4|^4.0|^5.0",
         "symfony/property-info": "^3.4|^4.0|^5.0",
         "symfony/proxy-manager-bridge": "^3.4|^4.0|^5.0",
-        "symfony/security-core": "^3.4|^4.0|^5.0",
+        "symfony/security-core": "^4.4|^5.0",
         "symfony/expression-language": "^3.4|^4.0|^5.0",
         "symfony/validator": "^3.4|^4.0|^5.0",
         "symfony/translation": "^3.4|^4.0|^5.0",
@@ -49,7 +49,8 @@
         "phpunit/phpunit": "<4.8.35|<5.4.3,>=5.0",
         "symfony/dependency-injection": "<3.4",
         "symfony/form": "<4.4",
-        "symfony/messenger": "<4.3"
+        "symfony/messenger": "<4.3",
+        "symfony/security-core": "<4.4"
     },
     "suggest": {
         "symfony/form": "",
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.xml
@@ -29,6 +29,7 @@
             <argument /> <!-- User Provider -->
             <argument /> <!-- Provider-shared Key -->
             <argument /> <!-- User Checker -->
+            <argument type="service" id="security.password_encoder" />
         </service>
 
         <service id="security.authentication.listener.guard"
diff --git a/src/Symfony/Component/Ldap/Security/LdapUserProvider.php b/src/Symfony/Component/Ldap/Security/LdapUserProvider.php
@@ -13,10 +13,12 @@
 
 use Symfony\Component\Ldap\Entry;
 use Symfony\Component\Ldap\Exception\ConnectionException;
+use Symfony\Component\Ldap\Exception\ExceptionInterface;
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
@@ -27,7 +29,7 @@
  * @author Charles Sarrazin <charles@sarraz.in>
  * @author Robin Chalas <robin.chalas@gmail.com>
  */
-class LdapUserProvider implements UserProviderInterface
+class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $ldap;
     private $baseDn;
@@ -109,6 +111,30 @@ public function refreshUser(UserInterface $user)
         return new LdapUser($user->getEntry(), $user->getUsername(), $user->getPassword(), $user->getRoles());
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        if (!$user instanceof LdapUser) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        if (null === $this->passwordAttribute) {
+            return;
+        }
+
+        try {
+            if ($user->isEqualTo($this->loadUserByUsername($user->getUsername()))) {
+                $user->getEntry()->setAttribute($this->passwordAttribute, [$newEncodedPassword]);
+                $this->ldap->getEntryManager()->update($user->getEntry());
+                $user->setPassword($newEncodedPassword);
+            }
+        } catch (ExceptionInterface $e) {
+            // ignore failed password upgrades
+        }
+    }
+
     /**
      * {@inheritdoc}
      */
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -7,6 +7,9 @@ CHANGELOG
  * Deprecated class `LdapUserProvider`, use `Symfony\Component\Ldap\Security\LdapUserProvider` instead
  * Added method `needsRehash()` to `PasswordEncoderInterface` and `UserPasswordEncoderInterface`
  * Added `MigratingPasswordEncoder`
+ * Added and implemented `PasswordUpgraderInterface`, for opportunistic password migrations
+ * Added `Guard\PasswordAuthenticatedInterface`, an optional interface
+   for "guard" authenticators that deal with user passwords
 
 4.3.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -54,9 +55,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            $encoder = $this->encoderFactory->getEncoder($user);
+
+            if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
+
+            if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {
+                $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));
+            }
         }
     }
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php
@@ -15,6 +15,10 @@
 use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
 use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\Tests\Encoder\TestPasswordEncoderInterface;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
+use Symfony\Component\Security\Core\User\User;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
 
 class DaoAuthenticationProviderTest extends TestCase
 {
@@ -247,6 +251,44 @@ public function testCheckAuthentication()
         $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
     }
 
+    public function testPasswordUpgrades()
+    {
+        $user = new User('user', 'pwd');
+
+        $encoder = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock();
+        $encoder->expects($this->once())
+                ->method('isPasswordValid')
+                ->willReturn(true)
+        ;
+        $encoder->expects($this->once())
+                ->method('encodePassword')
+                ->willReturn('foobar')
+        ;
+        $encoder->expects($this->once())
+                ->method('needsRehash')
+                ->willReturn(true)
+        ;
+
+        $provider = $this->getProvider(null, null, $encoder);
+
+        $userProvider = ((array) $provider)[sprintf("\0%s\0userProvider", DaoAuthenticationProvider::class)];
+        $userProvider->expects($this->once())
+            ->method('upgradePassword')
+            ->with($user, 'foobar')
+        ;
+
+        $method = new \ReflectionMethod($provider, 'checkAuthentication');
+        $method->setAccessible(true);
+
+        $token = $this->getSupportedToken();
+        $token->expects($this->once())
+              ->method('getCredentials')
+              ->willReturn('foo')
+        ;
+
+        $method->invoke($provider, $user, $token);
+    }
+
     protected function getSupportedToken()
     {
         $mock = $this->getMockBuilder('Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken')->setMethods(['getCredentials', 'getUser', 'getProviderKey'])->disableOriginalConstructor()->getMock();
@@ -261,7 +303,7 @@ protected function getSupportedToken()
 
     protected function getProvider($user = null, $userChecker = null, $passwordEncoder = null)
     {
-        $userProvider = $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserProviderInterface')->getMock();
+        $userProvider = $this->getMockBuilder([UserProviderInterface::class, PasswordUpgraderInterface::class])->getMock();
         if (null !== $user) {
             $userProvider->expects($this->once())
                          ->method('loadUserByUsername')
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php
@@ -14,7 +14,6 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
-use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;
 
 class MigratingPasswordEncoderTest extends TestCase
 {
@@ -66,8 +65,3 @@ public function testFallback()
         $this->assertTrue($encoder->isPasswordValid('abc', 'foo', 'salt'));
     }
 }
-
-interface TestPasswordEncoderInterface extends PasswordEncoderInterface
-{
-    public function needsRehash(string $encoded): bool;
-}
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/TestPasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Tests/Encoder/TestPasswordEncoderInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Encoder;
+
+use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;
+
+interface TestPasswordEncoderInterface extends PasswordEncoderInterface
+{
+    public function needsRehash(string $encoded): bool;
+}
diff --git a/src/Symfony/Component/Security/Core/Tests/User/ChainUserProviderTest.php b/src/Symfony/Component/Security/Core/Tests/User/ChainUserProviderTest.php
@@ -15,6 +15,8 @@
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\ChainUserProvider;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
+use Symfony\Component\Security\Core\User\User;
 
 class ChainUserProviderTest extends TestCase
 {
@@ -188,6 +190,28 @@ public function testAcceptsTraversable()
         $this->assertSame($account, $provider->refreshUser($this->getAccount()));
     }
 
+    public function testPasswordUpgrades()
+    {
+        $user = new User('user', 'pwd');
+
+        $provider1 = $this->getMockBuilder(PasswordUpgraderInterface::class)->getMock();
+        $provider1
+            ->expects($this->once())
+            ->method('upgradePassword')
+            ->willThrowException(new UnsupportedUserException('unsupported'))
+        ;
+
+        $provider2 = $this->getMockBuilder(PasswordUpgraderInterface::class)->getMock();
+        $provider2
+            ->expects($this->once())
+            ->method('upgradePassword')
+            ->with($user, 'foobar')
+        ;
+
+        $provider = new ChainUserProvider([$provider1, $provider2]);
+        $provider->upgradePassword($user, 'foobar');
+    }
+
     protected function getAccount()
     {
         return $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
diff --git a/src/Symfony/Component/Security/Core/User/ChainUserProvider.php b/src/Symfony/Component/Security/Core/User/ChainUserProvider.php
@@ -22,7 +22,7 @@
  *
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class ChainUserProvider implements UserProviderInterface
+class ChainUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $providers;
 
@@ -104,4 +104,20 @@ public function supportsClass($class)
 
         return false;
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        foreach ($this->providers as $provider) {
+            if ($provider instanceof PasswordUpgraderInterface) {
+                try {
+                    $provider->upgradePassword($user, $newEncodedPassword);
+                } catch (UnsupportedUserException $e) {
+                    // ignore: password upgrades are opportunistic
+                }
+            }
+        }
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/User/PasswordUpgraderInterface.php b/src/Symfony/Component/Security/Core/User/PasswordUpgraderInterface.php
@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\User;
+
+/**
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+interface PasswordUpgraderInterface
+{
+    /**
+     * Upgrades the encoded password of a user, typically for using a better hash algorithm.
+     *
+     * This method should persist the new password in the user storage and update the $user object accordingly.
+     * Because you don't want your users not being able to log in, this method should be opportunistic:
+     * it's fine if it does nothing or if it fails without throwing any exception.
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void;
+}
diff --git a/src/Symfony/Component/Security/Guard/PasswordAuthenticatedInterface.php b/src/Symfony/Component/Security/Guard/PasswordAuthenticatedInterface.php
diff --git a/src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php b/src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;`
`17`	`17`	`use Symfony\Component\Security\Core\Exception\BadCredentialsException;`
`18`	`18`	`use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;`
	`19`	`+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;`
`19`	`20`	`use Symfony\Component\Security\Core\User\UserCheckerInterface;`
`20`	`21`	`use Symfony\Component\Security\Core\User\UserInterface;`
`21`	`22`	`use Symfony\Component\Security\Core\User\UserProviderInterface;`
`@@ -54,9 +55,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`54`	`55`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`55`	`56`	`}`
`56`	`57`
`57`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`58`	`+ $encoder = $this->encoderFactory->getEncoder($user);`
	`59`	`+`
	`60`	`+ if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`58`	`61`	`throw new BadCredentialsException('The presented password is invalid.');`
`59`	`62`	`}`
	`63`	`+`
	`64`	`+ if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {`
	`65`	`+ $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));`
	`66`	`+ }`
`60`	`67`	`}`
`61`	`68`	`}`
`62`	`69`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,6 @@`
`14`	`14`	`use PHPUnit\Framework\TestCase;`
`15`	`15`	`use Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder;`
`16`	`16`	`use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;`
`17`		`-use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;`
`18`	`17`
`19`	`18`	`class MigratingPasswordEncoderTest extends TestCase`
`20`	`19`	`{`
`@@ -66,8 +65,3 @@ public function testFallback()`
`66`	`65`	`$this->assertTrue($encoder->isPasswordValid('abc', 'foo', 'salt'));`
`67`	`66`	`}`
`68`	`67`	`}`
`69`		`-`
`70`		`-interface TestPasswordEncoderInterface extends PasswordEncoderInterface`
`71`		`-{`
`72`		`- public function needsRehash(string $encoded): bool;`
`73`		`-}`