symfony
diff --git a/‎composer.json
Lines changed: 1 addition & 0 deletions b/‎composer.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Tests/Functional/Bundle/TestBundle/TestBundle.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/Tests/Functional/Bundle/TestBundle/TestBundle.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/composer.json
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
Lines changed: 3 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
Lines changed: 71 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
Lines changed: 71 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 127 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 127 additions & 3 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/console.php
Lines changed: 11 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/console.php
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd
Lines changed: 25 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd
Lines changed: 25 additions & 0 deletions
@@ -86,6 +86,7 @@
         "symfony/security-csrf": "self.version",
         "symfony/security-guard": "self.version",
         "symfony/security-http": "self.version",
+        "symfony/security-password": "self.version",
         "symfony/semaphore": "self.version",
         "symfony/sendgrid-mailer": "self.version",
         "symfony/serializer": "self.version",
 
@@ -37,6 +37,6 @@ public function build(ContainerBuilder $container)
         $extension->setCustomConfig(new CustomConfig());
 
         $container->addCompilerPass(new AnnotationReaderPass(), PassConfig::TYPE_AFTER_REMOVING);
-        $container->addCompilerPass(new CheckTypeDeclarationsPass(true), PassConfig::TYPE_AFTER_REMOVING, -100);
+        $container->addCompilerPass(new CheckTypeDeclarationsPass(false), PassConfig::TYPE_AFTER_REMOVING, -100);
     }
 }
@@ -50,7 +50,7 @@
         "symfony/messenger": "^5.2",
         "symfony/mime": "^4.4|^5.0",
         "symfony/process": "^4.4|^5.0",
-        "symfony/security-bundle": "^5.1",
+        "symfony/security-bundle": "^5.3",
         "symfony/security-csrf": "^4.4|^5.0",
         "symfony/security-http": "^4.4|^5.0",
         "symfony/serializer": "^5.2",
 
@@ -23,13 +23,16 @@
 use Symfony\Component\Console\Style\SymfonyStyle;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Encoder\SelfSaltingEncoderInterface;
+use Symfony\Component\Security\Password\Command\UserPasswordHashCommand;
 
 /**
  * Encode a user's password.
  *
  * @author Sarah Khalil <[email protected]>
  *
  * @final
+ *
+ * @deprecated since Symfony 5.3, use {@link UserPasswordHashCommand} instead
  */
 class UserPasswordEncoderCommand extends Command
 {
 
@@ -65,6 +65,25 @@ public function getConfigTreeBuilder()
                     return $v;
                 })
             ->end()
+            ->beforeNormalization()
+                ->ifTrue(function ($v) {
+                    if (($v['encoders'] ?? false)) {
+                        trigger_deprecation('symfony/security-bundle', '5.3', 'The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
+
+                        return true;
+                    }
+
+                    if ($v['password_hashers'] ?? false) {
+                        return true;
+                    }
+                })
+                ->then(function ($v) {
+                    $v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
+                    $v['encoders'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
+
+                    return $v;
+                })
+            ->end()
             ->children()
                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
                 ->enumNode('session_fixation_strategy')
@@ -94,6 +113,7 @@ public function getConfigTreeBuilder()
         ;
 
         $this->addEncodersSection($rootNode);
+        $this->addPasswordHashersSection($rootNode);
         $this->addProvidersSection($rootNode);
         $this->addFirewallsSection($rootNode, $this->factories);
         $this->addAccessControlSection($rootNode);
@@ -401,6 +421,57 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
         ;
     }
 
+    private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
+    {
+        $rootNode
+            ->fixXmlConfig('password_hasher')
+            ->children()
+                ->arrayNode('password_hashers')
+                    ->example([
+                        'App\Entity\User1' => 'auto',
+                        'App\Entity\User2' => [
+                            'algorithm' => 'auto',
+                            'time_cost' => 8,
+                            'cost' => 13,
+                        ],
+                    ])
+                    ->requiresAtLeastOneElement()
+                    ->useAttributeAsKey('class')
+                    ->prototype('array')
+                        ->canBeUnset()
+                        ->performNoDeepMerging()
+                        ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
+                        ->children()
+                            ->scalarNode('algorithm')
+                                ->cannotBeEmpty()
+                                ->validate()
+                                    ->ifTrue(function ($v) { return !\is_string($v); })
+                                    ->thenInvalid('You must provide a string value.')
+                                ->end()
+                            ->end()
+                            ->arrayNode('migrate_from')
+                                ->prototype('scalar')->end()
+                                ->beforeNormalization()->castToArray()->end()
+                            ->end()
+                            ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
+                            ->scalarNode('key_length')->defaultValue(40)->end()
+                            ->booleanNode('ignore_case')->defaultFalse()->end()
+                            ->booleanNode('encode_as_base64')->defaultTrue()->end()
+                            ->scalarNode('iterations')->defaultValue(5000)->end()
+                            ->integerNode('cost')
+                                ->min(4)
+                                ->max(31)
+                                ->defaultNull()
+                            ->end()
+                            ->scalarNode('memory_cost')->defaultNull()->end()
+                            ->scalarNode('time_cost')->defaultNull()->end()
+                            ->scalarNode('id')->end()
+                        ->end()
+                    ->end()
+                ->end()
+        ->end();
+    }
+
     private function getAccessDecisionStrategies()
     {
         $strategies = [
 
@@ -38,6 +38,10 @@
 use Symfony\Component\Security\Core\User\ChainUserProvider;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Password\Hasher\NativePasswordHasher;
+use Symfony\Component\Security\Password\Hasher\Pbkdf2PasswordHasher;
+use Symfony\Component\Security\Password\Hasher\PlaintextPasswordHasher;
+use Symfony\Component\Security\Password\Hasher\SodiumPasswordHasher;
 use Twig\Extension\AbstractExtension;
 
 /**
@@ -166,13 +170,22 @@ public function load(array $configs, ContainerBuilder $container)
         $container->getDefinition('security.authentication.guard_handler')
             ->replaceArgument(2, $this->statelessFirewallKeys);
 
+        // @deprecated since Symfony 5.3
         if ($config['encoders']) {
             $this->createEncoders($config['encoders'], $container);
         }
 
+        if ($config['password_hashers']) {
+            $this->createHashers($config['password_hashers'], $container);
+        }
+
         if (class_exists(Application::class)) {
             $loader->load('console.php');
+
+            // @deprecated since Symfony 5.3
             $container->getDefinition('security.command.user_password_encoder')->replaceArgument(1, array_keys($config['encoders']));
+
+            $container->getDefinition('security.command.user_password_hash')->replaceArgument(1, array_keys($config['password_hashers']));
         }
 
         $container->registerForAutoconfiguration(VoterInterface::class)
@@ -717,6 +730,117 @@ private function createEncoder(array $config)
         if ('native' === $config['algorithm']) {
             return [
                 'class' => NativePasswordEncoder::class,
+                'arguments' => [
+                        $config['time_cost'],
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        $config['cost'],
+                    ] + (isset($config['native_algorithm']) ? [3 => $config['native_algorithm']] : []),
+            ];
+        }
+
+        if ('sodium' === $config['algorithm']) {
+            if (!SodiumPasswordEncoder::isSupported()) {
+                throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
+            }
+
+            return [
+                'class' => SodiumPasswordEncoder::class,
+                'arguments' => [
+                    $config['time_cost'],
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                ],
+            ];
+        }
+
+        // run-time configured encoder
+        return $config;
+    }
+
+    private function createHashers(array $hashers, ContainerBuilder $container)
+    {
+        $hasherMap = [];
+        foreach ($hashers as $class => $hasher) {
+            $hasherMap[$class] = $this->createHasher($hasher);
+        }
+
+        $container
+            ->getDefinition('security.hasher_factory.generic')
+            ->setArguments([$hasherMap])
+        ;
+    }
+
+    private function createHasher(array $config)
+    {
+        // a custom hasher service
+        if (isset($config['id'])) {
+            return new Reference($config['id']);
+        }
+
+        if ($config['migrate_from'] ?? false) {
+            return $config;
+        }
+
+        // plaintext hasher
+        if ('plaintext' === $config['algorithm']) {
+            $arguments = [$config['ignore_case']];
+
+            return [
+                'class' => PlaintextPasswordHasher::class,
+                'arguments' => $arguments,
+            ];
+        }
+
+        // pbkdf2 hasher
+        if ('pbkdf2' === $config['algorithm']) {
+            return [
+                'class' => Pbkdf2PasswordHasher::class,
+                'arguments' => [
+                    $config['hash_algorithm'],
+                    $config['encode_as_base64'],
+                    $config['iterations'],
+                    $config['key_length'],
+                ],
+            ];
+        }
+
+        // bcrypt hasher
+        if ('bcrypt' === $config['algorithm']) {
+            $config['algorithm'] = 'native';
+            $config['native_algorithm'] = \PASSWORD_BCRYPT;
+
+            return $this->createHasher($config);
+        }
+
+        // Argon2i hasher
+        if ('argon2i' === $config['algorithm']) {
+            if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                $config['algorithm'] = 'sodium';
+            } elseif (\defined('PASSWORD_ARGON2I')) {
+                $config['algorithm'] = 'native';
+                $config['native_algorithm'] = \PASSWORD_ARGON2I;
+            } else {
+                throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Either use "%s" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' : 'auto'));
+            }
+
+            return $this->createHasher($config);
+        }
+
+        if ('argon2id' === $config['algorithm']) {
+            if (($hasSodium = SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                $config['algorithm'] = 'sodium';
+            } elseif (\defined('PASSWORD_ARGON2ID')) {
+                $config['algorithm'] = 'native';
+                $config['native_algorithm'] = \PASSWORD_ARGON2ID;
+            } else {
+                throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? 'argon2i", "auto' : 'auto'));
+            }
+
+            return $this->createHasher($config);
+        }
+
+        if ('native' === $config['algorithm']) {
+            return [
+                'class' => NativePasswordHasher::class,
                 'arguments' => [
                     $config['time_cost'],
                     (($config['memory_cost'] ?? 0) << 10) ?: null,
@@ -726,20 +850,20 @@ private function createEncoder(array $config)
         }
 
         if ('sodium' === $config['algorithm']) {
-            if (!SodiumPasswordEncoder::isSupported()) {
+            if (!SodiumPasswordHasher::isSupported()) {
                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
             }
 
             return [
-                'class' => SodiumPasswordEncoder::class,
+                'class' => SodiumPasswordHasher::class,
                 'arguments' => [
                     $config['time_cost'],
                     (($config['memory_cost'] ?? 0) << 10) ?: null,
                 ],
             ];
         }
 
-        // run-time configured encoder
+        // run-time configured hasher
         return $config;
     }
 
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Symfony\Bundle\SecurityBundle\Command\UserPasswordEncoderCommand;
+use Symfony\Component\Security\Password\Command\UserPasswordHashCommand;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
@@ -21,5 +22,15 @@
                 abstract_arg('encoders user classes'),
             ])
             ->tag('console.command', ['command' => 'security:encode-password'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use "security.command.user_password_hash" instead.')
+    ;
+
+    $container->services()
+        ->set('security.command.user_password_hash', UserPasswordHashCommand::class)
+        ->args([
+            service('security.hasher_factory'),
+            abstract_arg('hashers user classes'),
+        ])
+        ->tag('console.command', ['command' => 'security:hash-password'])
     ;
 };
@@ -34,7 +34,7 @@
                 abstract_arg('User Provider'),
                 abstract_arg('Provider-shared Key'),
                 abstract_arg('User Checker'),
-                service('security.password_encoder'),
+                service('security.password_hasher'),
             ])
 
         ->set('security.authentication.listener.guard', GuardAuthenticationListener::class)
 
@@ -11,6 +11,8 @@
             <xsd:element name="access-decision-manager" type="access_decision_manager" minOccurs="0" maxOccurs="1" />
             <xsd:element name="encoders" type="encoders" minOccurs="0" maxOccurs="1" />
             <xsd:element name="encoder" type="encoder" minOccurs="0" maxOccurs="unbounded" />
+            <xsd:element name="password_hashers" type="password_hashers" minOccurs="0" maxOccurs="1" />
+            <xsd:element name="password_hasher" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="providers" type="providers" minOccurs="0" maxOccurs="1" />
             <xsd:element name="provider" type="provider" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="firewalls" type="firewalls" minOccurs="0" maxOccurs="1" />
@@ -31,6 +33,12 @@
         </xsd:sequence>
     </xsd:complexType>
 
+    <xsd:complexType name="password_hashers">
+        <xsd:sequence>
+            <xsd:element name="password_hasher" type="password_hasher" minOccurs="1" maxOccurs="unbounded" />
+        </xsd:sequence>
+    </xsd:complexType>
+
     <xsd:complexType name="providers">
         <xsd:sequence>
             <xsd:element name="provider" type="provider" minOccurs="1" maxOccurs="unbounded" />
@@ -84,6 +92,23 @@
         <xsd:attribute name="id" type="xsd:string" />
     </xsd:complexType>
 
+    <xsd:complexType name="password_hasher">
+        <xsd:sequence>
+            <xsd:element name="migrate-from" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+        </xsd:sequence>
+        <xsd:attribute name="class" type="xsd:string" use="required" />
+        <xsd:attribute name="algorithm" type="xsd:string" />
+        <xsd:attribute name="hash-algorithm" type="xsd:string" />
+        <xsd:attribute name="key-length" type="xsd:string" />
+        <xsd:attribute name="ignore-case" type="xsd:boolean" />
+        <xsd:attribute name="encode-as-base64" type="xsd:boolean" />
+        <xsd:attribute name="iterations" type="xsd:string" />
+        <xsd:attribute name="cost" type="xsd:integer" />
+        <xsd:attribute name="memory-cost" type="xsd:string" />
+        <xsd:attribute name="time-cost" type="xsd:string" />
+        <xsd:attribute name="id" type="xsd:string" />
+    </xsd:complexType>
+
     <xsd:complexType name="provider">
         <xsd:choice minOccurs="0" maxOccurs="1">
             <xsd:element name="chain" type="chain" />
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,6 @@ public function build(ContainerBuilder $container)`
`37`	`37`	`$extension->setCustomConfig(new CustomConfig());`
`38`	`38`
`39`	`39`	`$container->addCompilerPass(new AnnotationReaderPass(), PassConfig::TYPE_AFTER_REMOVING);`
`40`		`- $container->addCompilerPass(new CheckTypeDeclarationsPass(true), PassConfig::TYPE_AFTER_REMOVING, -100);`
	`40`	`+ $container->addCompilerPass(new CheckTypeDeclarationsPass(false), PassConfig::TYPE_AFTER_REMOVING, -100);`
`41`	`41`	`}`
`42`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,13 +23,16 @@`
`23`	`23`	`use Symfony\Component\Console\Style\SymfonyStyle;`
`24`	`24`	`use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;`
`25`	`25`	`use Symfony\Component\Security\Core\Encoder\SelfSaltingEncoderInterface;`
	`26`	`+use Symfony\Component\Security\Password\Command\UserPasswordHashCommand;`
`26`	`27`
`27`	`28`	`/**`
`28`	`29`	`* Encode a user's password.`
`29`	`30`	`*`
`30`	`31`	`* @author Sarah Khalil <[email protected]>`
`31`	`32`	`*`
`32`	`33`	`* @final`
	`34`	`+ *`
	`35`	`+ * @deprecated since Symfony 5.3, use {@link UserPasswordHashCommand} instead`
`33`	`36`	`*/`
`34`	`37`	`class UserPasswordEncoderCommand extends Command`
`35`	`38`	`{`