feature #19843 [Security] Allow run-time configuration of hash algo (nicolas-grekas)

fabpot · fabpot · commit 5129c4cf7e29 · 2016-09-13T17:06:01.000-07:00
This PR was merged into the 3.2-dev branch. Discussion ---------- [Security] Allow run-time configuration of hash algo | Q | A | ------------- | --- | Branch? | master | New feature? | yes | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - Required if we want run-time config with env vars. See #19681 Commits ------- 7903a46 [Security] Allow run-time configuration of hash algo
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -493,15 +493,8 @@ private function createEncoder($config, ContainerBuilder $container)
             );
         }
 
-        // message digest encoder
-        return array(
-            'class' => 'Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder',
-            'arguments' => array(
-                $config['algorithm'],
-                $config['encode_as_base64'],
-                $config['iterations'],
-            ),
-        );
+        // run-time configured encoder
+        return $config;
     }
 
     // Parses user providers and returns an array of their ids
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -191,12 +191,22 @@ public function testEncoders()
                 'arguments' => array(false),
             ),
             'JMS\FooBundle\Entity\User2' => array(
-                'class' => 'Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder',
-                'arguments' => array('sha1', false, 5),
+                'algorithm' => 'sha1',
+                'encode_as_base64' => false,
+                'iterations' => 5,
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'cost' => 13,
             ),
             'JMS\FooBundle\Entity\User3' => array(
-                'class' => 'Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder',
-                'arguments' => array('md5', true, 5000),
+                'algorithm' => 'md5',
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'encode_as_base64' => true,
+                'iterations' => 5000,
+                'cost' => 13,
             ),
             'JMS\FooBundle\Entity\User4' => new Reference('security.encoder.foo'),
             'JMS\FooBundle\Entity\User5' => array(
diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json
@@ -17,7 +17,7 @@
     ],
     "require": {
         "php": ">=5.5.9",
-        "symfony/security": "~3.1,>=3.1.2",
+        "symfony/security": "~3.2",
         "symfony/http-kernel": "~3.1",
         "symfony/polyfill-php70": "~1.0"
     },
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -69,6 +69,9 @@ public function getEncoder($user)
      */
     private function createEncoder(array $config)
     {
+        if (isset($config['algorithm'])) {
+            $config = $this->getEncoderConfigFromAlgorithm($config);
+        }
         if (!isset($config['class'])) {
             throw new \InvalidArgumentException(sprintf('"class" must be set in %s.', json_encode($config)));
         }
@@ -80,4 +83,41 @@ private function createEncoder(array $config)
 
         return $reflection->newInstanceArgs($config['arguments']);
     }
+
+    private function getEncoderConfigFromAlgorithm($config)
+    {
+        switch ($config['algorithm']) {
+            case 'plaintext':
+                return array(
+                    'class' => PlaintextPasswordEncoder::class,
+                    'arguments' => array($config['ignore_case']),
+                );
+
+            case 'pbkdf2':
+                return array(
+                    'class' => Pbkdf2PasswordEncoder::class,
+                    'arguments' => array(
+                        $config['hash_algorithm'],
+                        $config['encode_as_base64'],
+                        $config['iterations'],
+                        $config['key_length'],
+                    ),
+                );
+
+            case 'bcrypt':
+                return array(
+                    'class' => BCryptPasswordEncoder::class,
+                    'arguments' => array($config['cost']),
+                );
+        }
+
+        return array(
+            'class' => MessageDigestPasswordEncoder::class,
+            'arguments' => array(
+                $config['algorithm'],
+                $config['encode_as_base64'],
+                $config['iterations'],
+            ),
+        );
+    }
 }
