feature #31140 [Security] Add NativePasswordEncoder (nicolas-grekas)

Robin Chalas · Robin Chalas · commit 89ec31141f1e · 2019-04-18T15:59:39.000+02:00
This PR was merged into the 4.3-dev branch. Discussion ---------- [Security] Add NativePasswordEncoder | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - This PR adds a new `NativePasswordEncoder` that defaults to the best available hashing algo to `password_hash()`. Best is determined by "us" or "php", the goal being that this will change in the future as new algos are published. This provides a native encoder that we should recommend using by default. Commits ------- 28f7961 [Security] Add NativePasswordEncoder
diff --git a/UPGRADE-4.3.md b/UPGRADE-4.3.md
@@ -174,7 +174,7 @@ Security
 SecurityBundle
 --------------
 
- * Configuring encoders using `argon2i` as algorithm has been deprecated, use `sodium` instead.
+ * Configuring encoders using `argon2i` as algorithm has been deprecated, use `auto` instead.
 
 TwigBridge
 ----------
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -4,11 +4,12 @@ CHANGELOG
 4.3.0
 -----
 
+ * Added new encoder types: `auto` (recommended), `native` and `sodium`
  * The normalization of the cookie names configured in the `logout.delete_cookies`
    option is deprecated and will be disabled in Symfony 5.0. This affects to cookies
    with dashes in their names. For example, starting from Symfony 5.0, the `my-cookie`
    name will delete `my-cookie` (with a dash) instead of `my_cookie` (with an underscore).
- * Deprecated configuring encoders using `argon2i` as algorithm, use `sodium` instead
+ * Deprecated configuring encoders using `argon2i` as algorithm, use `auto` instead
 
 4.2.0
 -----
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -394,9 +394,10 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
             ->children()
                 ->arrayNode('encoders')
                     ->example([
-                        'App\Entity\User1' => 'bcrypt',
+                        'App\Entity\User1' => 'auto',
                         'App\Entity\User2' => [
-                            'algorithm' => 'bcrypt',
+                            'algorithm' => 'auto',
+                            'time_cost' => 8,
                             'cost' => 13,
                         ],
                     ])
@@ -416,11 +417,14 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
                             ->integerNode('cost')
                                 ->min(4)
                                 ->max(31)
-                                ->defaultValue(13)
+                                ->defaultNull()
                             ->end()
                             ->scalarNode('memory_cost')->defaultNull()->end()
                             ->scalarNode('time_cost')->defaultNull()->end()
-                            ->scalarNode('threads')->defaultNull()->end()
+                            ->scalarNode('threads')
+                                ->defaultNull()
+                                ->setDeprecated('The "%path%.%node%" configuration key has no effect since Symfony 4.3 and will be removed in 5.0.')
+                            ->end()
                             ->scalarNode('id')->end()
                         ->end()
                     ->end()
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -30,6 +30,7 @@
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
@@ -559,20 +560,20 @@ private function createEncoder($config, ContainerBuilder $container)
         if ('bcrypt' === $config['algorithm']) {
             return [
                 'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
-                'arguments' => [$config['cost']],
+                'arguments' => [$config['cost'] ?? 13],
             ];
         }
 
         // Argon2i encoder
         if ('argon2i' === $config['algorithm']) {
-            @trigger_error('Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "sodium" instead.', E_USER_DEPRECATED);
+            @trigger_error('Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "auto" instead.', E_USER_DEPRECATED);
 
             if (!Argon2iPasswordEncoder::isSupported()) {
                 if (\extension_loaded('sodium') && !\defined('SODIUM_CRYPTO_PWHASH_SALTBYTES')) {
-                    throw new InvalidConfigurationException('The installed libsodium version does not have support for Argon2i. Use Bcrypt instead.');
+                    throw new InvalidConfigurationException('The installed libsodium version does not have support for Argon2i. Use "auto" instead.');
                 }
 
-                throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use BCrypt instead.');
+                throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use "auto" instead.');
             }
 
             return [
@@ -585,14 +586,28 @@ private function createEncoder($config, ContainerBuilder $container)
             ];
         }
 
+        if ('native' === $config['algorithm']) {
+            return [
+                'class' => NativePasswordEncoder::class,
+                'arguments' => [
+                    $config['time_cost'],
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    $config['cost'],
+                ],
+            ];
+        }
+
         if ('sodium' === $config['algorithm']) {
             if (!SodiumPasswordEncoder::isSupported()) {
-                throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use BCrypt instead.');
+                throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
             }
 
             return [
                 'class' => SodiumPasswordEncoder::class,
-                'arguments' => [],
+                'arguments' => [
+                    $config['time_cost'],
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                ],
             ];
         }
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -283,7 +283,7 @@ public function testEncoders()
                 'hash_algorithm' => 'sha512',
                 'key_length' => 40,
                 'ignore_case' => false,
-                'cost' => 13,
+                'cost' => null,
                 'memory_cost' => null,
                 'time_cost' => null,
                 'threads' => null,
@@ -295,7 +295,7 @@ public function testEncoders()
                 'ignore_case' => false,
                 'encode_as_base64' => true,
                 'iterations' => 5000,
-                'cost' => 13,
+                'cost' => null,
                 'memory_cost' => null,
                 'time_cost' => null,
                 'threads' => null,
@@ -309,6 +309,22 @@ public function testEncoders()
                 'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
                 'arguments' => [15],
             ],
+            'JMS\FooBundle\Entity\User7' => [
+                'class' => 'Symfony\Component\Security\Core\Encoder\NativePasswordEncoder',
+                'arguments' => [8, 102400, 15],
+            ],
+            'JMS\FooBundle\Entity\User8' => [
+                'algorithm' => 'auto',
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'encode_as_base64' => true,
+                'iterations' => 5000,
+                'cost' => null,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
+            ],
         ]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
@@ -332,7 +348,7 @@ public function testEncodersWithLibsodium()
                 'hash_algorithm' => 'sha512',
                 'key_length' => 40,
                 'ignore_case' => false,
-                'cost' => 13,
+                'cost' => null,
                 'memory_cost' => null,
                 'time_cost' => null,
                 'threads' => null,
@@ -344,7 +360,7 @@ public function testEncodersWithLibsodium()
                 'ignore_case' => false,
                 'encode_as_base64' => true,
                 'iterations' => 5000,
-                'cost' => 13,
+                'cost' => null,
                 'memory_cost' => null,
                 'time_cost' => null,
                 'threads' => null,
@@ -360,15 +376,27 @@ public function testEncodersWithLibsodium()
             ],
             'JMS\FooBundle\Entity\User7' => [
                 'class' => 'Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder',
-                'arguments' => [],
+                'arguments' => [8, 128 * 1024 * 1024],
+            ],
+            'JMS\FooBundle\Entity\User8' => [
+                'algorithm' => 'auto',
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'encode_as_base64' => true,
+                'iterations' => 5000,
+                'cost' => null,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
             ],
         ]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
     /**
      * @group legacy
      *
-     * @expectedDeprecation Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "sodium" instead.
+     * @expectedDeprecation Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "auto" instead.
      */
     public function testEncodersWithArgon2i()
     {
@@ -390,7 +418,7 @@ public function testEncodersWithArgon2i()
                 'hash_algorithm' => 'sha512',
                 'key_length' => 40,
                 'ignore_case' => false,
-                'cost' => 13,
+                'cost' => null,
                 'memory_cost' => null,
                 'time_cost' => null,
                 'threads' => null,
@@ -402,7 +430,7 @@ public function testEncodersWithArgon2i()
                 'ignore_case' => false,
                 'encode_as_base64' => true,
                 'iterations' => 5000,
-                'cost' => 13,
+                'cost' => null,
                 'memory_cost' => null,
                 'time_cost' => null,
                 'threads' => null,
@@ -420,6 +448,18 @@ public function testEncodersWithArgon2i()
                 'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
                 'arguments' => [256, 1, 2],
             ],
+            'JMS\FooBundle\Entity\User8' => [
+                'algorithm' => 'auto',
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'encode_as_base64' => true,
+                'iterations' => 5000,
+                'cost' => null,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
+            ],
         ]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -25,6 +25,15 @@
             'algorithm' => 'bcrypt',
             'cost' => 15,
         ],
+        'JMS\FooBundle\Entity\User7' => [
+            'algorithm' => 'native',
+            'time_cost' => 8,
+            'memory_cost' => 100,
+            'cost' => 15,
+        ],
+        'JMS\FooBundle\Entity\User8' => [
+            'algorithm' => 'auto',
+        ],
     ],
     'providers' => [
         'default' => [
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/sodium_encoder.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/sodium_encoder.php
@@ -6,6 +6,8 @@
     'encoders' => [
         'JMS\FooBundle\Entity\User7' => [
             'algorithm' => 'sodium',
+            'time_cost' => 8,
+            'memory_cost' => 128 * 1024,
         ],
     ],
 ]);
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
@@ -18,6 +18,10 @@
 
         <encoder class="JMS\FooBundle\Entity\User6" algorithm="bcrypt" cost="15" />
 
+        <encoder class="JMS\FooBundle\Entity\User7" algorithm="native" time-cost="8" memory-cost="100" cost="15" />
+
+        <encoder class="JMS\FooBundle\Entity\User8" algorithm="auto" />
+
         <provider name="default">
             <memory>
                 <user name="foo" password="foo" roles="ROLE_USER" />
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/sodium_encoder.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/sodium_encoder.xml
@@ -10,7 +10,7 @@
     </imports>
 
     <sec:config>
-        <sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="sodium" />
+        <sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="sodium" time-cost="8" memory-cost="131072" />
     </sec:config>
 
 </container>
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml
@@ -18,6 +18,13 @@ security:
         JMS\FooBundle\Entity\User6:
             algorithm: bcrypt
             cost: 15
+        JMS\FooBundle\Entity\User7:
+            algorithm: native
+            time_cost: 8
+            memory_cost: 100
+            cost: 15
+        JMS\FooBundle\Entity\User8:
+            algorithm: auto
 
     providers:
         default:
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/sodium_encoder.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/sodium_encoder.yml
@@ -5,3 +5,5 @@ security:
     encoders:
         JMS\FooBundle\Entity\User7:
             algorithm: sodium
+            time_cost: 8
+            memory_cost: 131072
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -4,6 +4,8 @@ CHANGELOG
 4.3.0
 -----
 
+ * Added methods `__serialize` and `__unserialize` to the `TokenInterface`
+ * Added `SodiumPasswordEncoder` and `NativePasswordEncoder`
  * The `Role` and `SwitchUserRole` classes are deprecated and will be removed in 5.0. Use strings for roles
    instead.
  * The `getReachableRoles()` method of the `RoleHierarchyInterface` is deprecated and will be removed in 5.0.
@@ -19,8 +21,7 @@ CHANGELOG
  * Dispatch `AuthenticationFailureEvent` on `security.authentication.failure`
  * Dispatch `InteractiveLoginEvent` on `security.interactive_login`
  * Dispatch `SwitchUserEvent` on `security.switch_user`
- * deprecated `Argon2iPasswordEncoder`, use `SodiumPasswordEncoder` instead
- * Added methods `__serialize` and `__unserialize` to the `TokenInterface`
+ * Deprecated `Argon2iPasswordEncoder`, use `SodiumPasswordEncoder`
 
 4.2.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -84,6 +84,10 @@ private function createEncoder(array $config)
 
     private function getEncoderConfigFromAlgorithm($config)
     {
+        if ('auto' === $config['algorithm']) {
+            $config['algorithm'] = SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native';
+        }
+
         switch ($config['algorithm']) {
             case 'plaintext':
                 return [
@@ -108,10 +112,23 @@ private function getEncoderConfigFromAlgorithm($config)
                     'arguments' => [$config['cost']],
                 ];
 
+            case 'native':
+                return [
+                    'class' => NativePasswordEncoder::class,
+                    'arguments' => [
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        $config['cost'] ?? null,
+                    ],
+                ];
+
             case 'sodium':
                 return [
                     'class' => SodiumPasswordEncoder::class,
-                    'arguments' => [],
+                    'arguments' => [
+                        $config['time_cost'] ?? null,
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                    ],
                 ];
 
             /* @deprecated since Symfony 4.3 */
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
