[Security] add password rehashing capabilities

nicolas-grekas · nicolas-grekas · commit 41bc2c0a6d15 · 2019-05-21T17:28:38.000+02:00
diff --git a/src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php b/src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php
@@ -14,6 +14,7 @@
 use Doctrine\Common\Persistence\ManagerRegistry;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
@@ -25,7 +26,7 @@
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class EntityUserProvider implements UserProviderInterface
+class EntityUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $registry;
     private $managerName;
@@ -107,6 +108,22 @@ public function supportsClass($class)
         return $class === $this->getClass() || is_subclass_of($class, $this->getClass());
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        $class = $this->getClass();
+        if (!$user instanceof $class) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        $repository = $this->getRepository();
+        if ($repository instanceof PasswordUpgraderInterface) {
+            $repository->upgradePassword($user, $newEncodedPassword);
+        }
+    }
+
     private function getObjectManager()
     {
         return $this->registry->getManager($this->managerName);
diff --git a/src/Symfony/Bridge/Doctrine/composer.json b/src/Symfony/Bridge/Doctrine/composer.json
@@ -32,7 +32,7 @@
         "symfony/property-access": "~3.4|~4.0",
         "symfony/property-info": "~3.4|~4.0",
         "symfony/proxy-manager-bridge": "~3.4|~4.0",
-        "symfony/security": "~3.4|~4.0",
+        "symfony/security": "^4.4",
         "symfony/expression-language": "~3.4|~4.0",
         "symfony/validator": "~3.4|~4.0",
         "symfony/translation": "~3.4|~4.0",
@@ -48,7 +48,8 @@
         "phpunit/phpunit": "<4.8.35|<5.4.3,>=5.0",
         "symfony/dependency-injection": "<3.4",
         "symfony/form": "<4.3",
-        "symfony/messenger": "<4.2"
+        "symfony/messenger": "<4.2",
+        "symfony/security-core": "<4.4"
     },
     "suggest": {
         "symfony/form": "",
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -1,6 +1,13 @@
 CHANGELOG
 =========
 
+4.4.0
+-----
+
+ * Added `ChainPasswordEncoder`
+ * Added methods `PasswordEncoderInterface::needsRehash()` and `UserPasswordEncoderInterface::needsRehash()`
+ * Added and implemented `PasswordUpgraderInterface`
+
 4.3.0
 -----
 
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -54,9 +55,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            $encoder = $this->encoderFactory->getEncoder($user);
+
+            if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
+
+            if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {
+                $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));
+            }
         }
     }
 
diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
 {
     const MAX_PASSWORD_LENGTH = 4096;
 
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return false;
+    }
+
     /**
      * Demerges a merge password and salt string.
      *
diff --git a/src/Symfony/Component/Security/Core/Encoder/ChainPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/ChainPasswordEncoder.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+/**
+ * Hashes passwords using the best available encoder.
+ * Validates them using a chain of encoders.
+ *
+ * /!\ Don't put a PlaintextPasswordEncoder in the list as that'd mean a leaked hash
+ * could be used to authenticate successfully without knowing the cleartext password.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class ChainPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
+{
+    private $bestEncoder;
+    private $extraEncoders;
+
+    public function __construct(PasswordEncoderInterface $bestEncoder, PasswordEncoderInterface ...$extraEncoders)
+    {
+        $this->bestEncoder = $bestEncoder;
+        $this->extraEncoders = $extraEncoders;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encodePassword($raw, $salt)
+    {
+        return $this->bestEncoder->encodePassword($raw, $salt);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isPasswordValid($encoded, $raw, $salt)
+    {
+        if ($this->bestEncoder->isPasswordValid($encoded, $raw, $salt)) {
+            return true;
+        }
+
+        if (!$this->bestEncoder->needsRehash($encoded)) {
+            return false;
+        }
+
+        foreach ($this->extraEncoders as $encoder) {
+            if ($encoder->isPasswordValid($encoded, $raw, $salt)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->bestEncoder->needsRehash($encoded);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -85,7 +85,19 @@ private function createEncoder(array $config)
     private function getEncoderConfigFromAlgorithm($config)
     {
         if ('auto' === $config['algorithm']) {
-            $config['algorithm'] = SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native';
+            $encoderChain = [];
+            // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
+            foreach (['sodium', 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
+                if ('sodium' !== $algo || SodiumPasswordEncoder::isSupported()) {
+                    $config['algorithm'] = $algo;
+                    $encoderChain[] = $this->createEncoder($config);
+                }
+            }
+
+            return [
+                'class' => ChainPasswordEncoder::class,
+                'arguments' => $encoderChain,
+            ];
         }
 
         switch ($config['algorithm']) {
diff --git a/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
@@ -65,6 +65,6 @@ public function encodePassword($raw, $salt)
      */
     public function isPasswordValid($encoded, $raw, $salt)
     {
-        return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
+        return '$' !== substr($encoded, 0, 1) && !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -87,4 +87,12 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return password_needs_rehash($encoded, $this->algo, $this->options);
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php
@@ -17,6 +17,8 @@
  * PasswordEncoderInterface is the interface for all encoders.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @method bool needsRehash(string $encoded)
  */
 interface PasswordEncoderInterface
 {
diff --git a/src/Symfony/Component/Security/Core/Encoder/Pbkdf2PasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/Pbkdf2PasswordEncoder.php
@@ -72,6 +72,6 @@ public function encodePassword($raw, $salt)
      */
     public function isPasswordValid($encoded, $raw, $salt)
     {
-        return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
+        return '$' !== substr($encoded, 0, 1) && !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -94,4 +94,20 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        if (\function_exists('sodium_crypto_pwhash_str_needs_rehash')) {
+            return \sodium_crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit);
+        }
+
+        if (\extension_loaded('libsodium')) {
+            return \Sodium\crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit);
+        }
+
+        throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php
@@ -46,4 +46,14 @@ public function isPasswordValid(UserInterface $user, $raw)
 
         return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(UserInterface $user, string $encoded): bool
+    {
+        $encoder = $this->encoderFactory->getEncoder($user);
+
+        return method_exists($encoder, 'needsRehash') && $encoder->needsRehash($encoded);
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoderInterface.php
@@ -17,6 +17,8 @@
  * UserPasswordEncoderInterface is the interface for the password encoder service.
  *
  * @author Ariel Ferrandini <arielferrandini@gmail.com>
+ *
+ * @method bool needsRehash(UserInterface $user, string $encoded)
  */
 interface UserPasswordEncoderInterface
 {
diff --git a/src/Symfony/Component/Security/Core/User/ChainUserProvider.php b/src/Symfony/Component/Security/Core/User/ChainUserProvider.php
@@ -22,7 +22,7 @@
  *
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class ChainUserProvider implements UserProviderInterface
+class ChainUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $providers;
 
@@ -104,4 +104,16 @@ public function supportsClass($class)
 
         return false;
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        foreach ($this->providers as $provider) {
+            if ($provider instanceof PasswordUpgraderInterface) {
+                $provider->upgradePassword($user, $newEncodedPassword);
+            }
+        }
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php b/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php
@@ -22,7 +22,7 @@
  *
  * @author Fabien Potencier <fabien@symfony.com>
  */
-class InMemoryUserProvider implements UserProviderInterface
+class InMemoryUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $users;
 
@@ -90,6 +90,19 @@ public function supportsClass($class)
         return 'Symfony\Component\Security\Core\User\User' === $class;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        if (!$user instanceof User) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        $this->getUser($user->getUsername())->setPassword($newEncodedPassword);
+        $user->setPassword($newEncodedPassword);
+    }
+
     /**
      * Returns the user by given username.
      *
diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
diff --git a/src/Symfony/Component/Security/Core/User/PasswordUpgraderInterface.php b/src/Symfony/Component/Security/Core/User/PasswordUpgraderInterface.php
diff --git a/src/Symfony/Component/Security/Core/User/User.php b/src/Symfony/Component/Security/Core/User/User.php
diff --git a/src/Symfony/Component/Security/Guard/AuthenticatorInterface.php b/src/Symfony/Component/Security/Guard/AuthenticatorInterface.php
diff --git a/src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php b/src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;`
`17`	`17`	`use Symfony\Component\Security\Core\Exception\BadCredentialsException;`
`18`	`18`	`use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;`
	`19`	`+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;`
`19`	`20`	`use Symfony\Component\Security\Core\User\UserCheckerInterface;`
`20`	`21`	`use Symfony\Component\Security\Core\User\UserInterface;`
`21`	`22`	`use Symfony\Component\Security\Core\User\UserProviderInterface;`
`@@ -54,9 +55,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`54`	`55`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`55`	`56`	`}`
`56`	`57`
`57`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`58`	`+ $encoder = $this->encoderFactory->getEncoder($user);`
	`59`	`+`
	`60`	`+ if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`58`	`61`	`throw new BadCredentialsException('The presented password is invalid.');`
`59`	`62`	`}`
	`63`	`+`
	`64`	`+ if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {`
	`65`	`+ $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));`
	`66`	`+ }`
`60`	`67`	`}`
`61`	`68`	`}`
`62`	`69`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface`
`20`	`20`	`{`
`21`	`21`	`const MAX_PASSWORD_LENGTH = 4096;`
`22`	`22`
	`23`	`+ /**`
	`24`	`+ * {@inheritdoc}`
	`25`	`+ */`
	`26`	`+ public function needsRehash(string $encoded): bool`
	`27`	`+ {`
	`28`	`+ return false;`
	`29`	`+ }`
	`30`	`+`
`23`	`31`	`/**`
`24`	`32`	`* Demerges a merge password and salt string.`
`25`	`33`	`*`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,6 @@ public function encodePassword($raw, $salt)`
`65`	`65`	`*/`
`66`	`66`	`public function isPasswordValid($encoded, $raw, $salt)`
`67`	`67`	`{`
`68`		`- return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));`
	`68`	`+ return '$' !== substr($encoded, 0, 1) && !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));`
`69`	`69`	`}`
`70`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -87,4 +87,12 @@ public function isPasswordValid($encoded, $raw, $salt)`
`87`	`87`
`88`	`88`	`return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);`
`89`	`89`	`}`
	`90`	`+`
	`91`	`+ /**`
	`92`	`+ * {@inheritdoc}`
	`93`	`+ */`
	`94`	`+ public function needsRehash(string $encoded): bool`
	`95`	`+ {`
	`96`	`+ return password_needs_rehash($encoded, $this->algo, $this->options);`
	`97`	`+ }`
`90`	`98`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`	`* PasswordEncoderInterface is the interface for all encoders.`
`18`	`18`	`*`
`19`	`19`	`* @author Fabien Potencier <[email protected]>`
	`20`	`+ *`
	`21`	`+ * @method bool needsRehash(string $encoded)`
`20`	`22`	`*/`
`21`	`23`	`interface PasswordEncoderInterface`
`22`	`24`	`{`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,6 @@ public function encodePassword($raw, $salt)`
`72`	`72`	`*/`
`73`	`73`	`public function isPasswordValid($encoded, $raw, $salt)`
`74`	`74`	`{`
`75`		`- return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));`
	`75`	`+ return '$' !== substr($encoded, 0, 1) && !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));`
`76`	`76`	`}`
`77`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,4 +46,14 @@ public function isPasswordValid(UserInterface $user, $raw)`
`46`	`46`
`47`	`47`	`return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());`
`48`	`48`	`}`
	`49`	`+`
	`50`	`+ /**`
	`51`	`+ * {@inheritdoc}`
	`52`	`+ */`
	`53`	`+ public function needsRehash(UserInterface $user, string $encoded): bool`
	`54`	`+ {`
	`55`	`+ $encoder = $this->encoderFactory->getEncoder($user);`
	`56`	`+`
	`57`	`+ return method_exists($encoder, 'needsRehash') && $encoder->needsRehash($encoded);`
	`58`	`+ }`
`49`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@`
`22`	`22`	`*`
`23`	`23`	`* @author Johannes M. Schmitt <[email protected]>`
`24`	`24`	`*/`
`25`		`-class ChainUserProvider implements UserProviderInterface`
	`25`	`+class ChainUserProvider implements UserProviderInterface, PasswordUpgraderInterface`
`26`	`26`	`{`
`27`	`27`	`private $providers;`
`28`	`28`
`@@ -104,4 +104,16 @@ public function supportsClass($class)`
`104`	`104`
`105`	`105`	`return false;`
`106`	`106`	`}`
	`107`	`+`
	`108`	`+ /**`
	`109`	`+ * {@inheritdoc}`
	`110`	`+ */`
	`111`	`+ public function upgradePassword(UserInterface $user, string $newEncodedPassword): void`
	`112`	`+ {`
	`113`	`+ foreach ($this->providers as $provider) {`
	`114`	`+ if ($provider instanceof PasswordUpgraderInterface) {`
	`115`	`+ $provider->upgradePassword($user, $newEncodedPassword);`
	`116`	`+ }`
	`117`	`+ }`
	`118`	`+ }`
`107`	`119`	`}`