[Security] add password rehashing capabilities

nicolas-grekas · nicolas-grekas · commit ff7152217109 · 2019-04-17T23:17:11.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -558,6 +558,8 @@ private function createEncoder($config, ContainerBuilder $container)
 
         // bcrypt encoder
         if ('bcrypt' === $config['algorithm']) {
+            @trigger_error('Configuring an encoder with "bcrypt" as algorithm is deprecated since Symfony 4.4, use "auto" instead.', E_USER_DEPRECATED);
+
             return [
                 'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
                 'arguments' => [$config['cost'] ?? 13],
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -1,6 +1,14 @@
 CHANGELOG
 =========
 
+4.4.0
+-----
+
+ * Added `ChainPasswordEncoder`
+ * Added method `PasswordEncoderInterface::needsRehash()`
+ * Added method `UserProviderInterface::upgradePassword()`
+ * Deprecated `BCryptPasswordEncoder`, use `NativePasswordEncoder` instead
+
 4.3.0
 -----
 
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -30,13 +30,15 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
 {
     private $encoderFactory;
     private $userProvider;
+    private $canUpgradePassword;
 
     public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, string $providerKey, EncoderFactoryInterface $encoderFactory, bool $hideUserNotFoundExceptions = true)
     {
         parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions);
 
         $this->encoderFactory = $encoderFactory;
         $this->userProvider = $userProvider;
+        $this->canUpgradePassword = method_exists($userProvider, 'upgradePassword');
     }
 
     /**
@@ -54,9 +56,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            $encoder = $this->encoderFactory->getEncoder($user);
+
+            if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
+
+            if ($this->canUpgradePassword && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {
+                $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));
+            }
         }
     }
 
diff --git a/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
@@ -11,11 +11,15 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+@trigger_error(sprintf('The "%s" class is deprecated since Symfony 4.4, use "%s" instead.', BCryptPasswordEncoder::class, NativePasswordEncoder::class), E_USER_DEPRECATED);
+
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 
 /**
  * @author Elnur Abdurrakhimov <elnur@elnur.pro>
  * @author Terje Bråten <terje@braten.be>
+ *
+ * @deprecated since Symfony 4.4, use NativePasswordEncoder instead
  */
 class BCryptPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
 {
diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
 {
     const MAX_PASSWORD_LENGTH = 4096;
 
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return false;
+    }
+
     /**
      * Demerges a merge password and salt string.
      *
diff --git a/src/Symfony/Component/Security/Core/Encoder/ChainPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/ChainPasswordEncoder.php
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+/**
+ * Hashes passwords using the best available encoder.
+ * Validates them using a chain of encoders.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class ChainPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
+{
+    private $bestEncoder;
+    private $extraEncoders;
+
+    public function __construct(PasswordEncoderInterface $bestEncoder, PasswordEncoderInterface ...$extraEncoders)
+    {
+        $this->bestEncoder = $bestEncoder;
+        $this->extraEncoder = $extraEncoder;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encodePassword($raw, $salt)
+    {
+        return $this->bestEncoder->encodePassword($raw, $salt);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isPasswordValid($encoded, $raw, $salt)
+    {
+        if ($this->bestEncoder->isPasswordValid($encoded, $raw, $salt)) {
+            return true;
+        }
+
+        foreach ($this->extraEncoders as $encoder) {
+            if ($encoder->isPasswordValid($encoded, $raw, $salt)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->bestEncoder->needsRehash($encoded);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -85,7 +85,16 @@ private function createEncoder(array $config)
     private function getEncoderConfigFromAlgorithm($config)
     {
         if ('auto' === $config['algorithm']) {
-            $config['algorithm'] = SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native';
+            $encoderChain = [];
+            foreach ([SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm'], 'plaintext'] as $algo) {
+                $config['algorithm'] = $algo;
+                $encoderChain[] = $this->createEncoder($config);
+            }
+
+            return [
+                'class' => ChainPasswordEncoder::class,
+                'arguments' => $encoderChain,
+            ];
         }
 
         switch ($config['algorithm']) {
@@ -106,6 +115,7 @@ private function getEncoderConfigFromAlgorithm($config)
                     ],
                 ];
 
+            /* @deprecated since Symfony 4.4 */
             case 'bcrypt':
                 return [
                     'class' => BCryptPasswordEncoder::class,
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -89,4 +89,12 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return password_needs_rehash($encoded, $this->algo, $this->options);
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php
@@ -17,6 +17,8 @@
  * PasswordEncoderInterface is the interface for all encoders.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @method bool needsRehash(string $encoded)
  */
 interface PasswordEncoderInterface
 {
diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -94,4 +94,20 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        if (\function_exists('sodium_crypto_pwhash_str_needs_rehash')) {
+            return \sodium_crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit);
+        }
+
+        if (\extension_loaded('libsodium')) {
+            return \Sodium\crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit);
+        }
+
+        throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/User/UserProviderInterface.php b/src/Symfony/Component/Security/Core/User/UserProviderInterface.php
@@ -30,6 +30,8 @@
  * @see UserInterface
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @method bool upgradePassword(UserInterface $user, string $newEncodedPassword)
  */
 interface UserProviderInterface
 {

Original file line number	Diff line number	Diff line change
`@@ -30,13 +30,15 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider`
`30`	`30`	`{`
`31`	`31`	`private $encoderFactory;`
`32`	`32`	`private $userProvider;`
	`33`	`+ private $canUpgradePassword;`
`33`	`34`
`34`	`35`	`public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, string $providerKey, EncoderFactoryInterface $encoderFactory, bool $hideUserNotFoundExceptions = true)`
`35`	`36`	`{`
`36`	`37`	`parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions);`
`37`	`38`
`38`	`39`	`$this->encoderFactory = $encoderFactory;`
`39`	`40`	`$this->userProvider = $userProvider;`
	`41`	`+ $this->canUpgradePassword = method_exists($userProvider, 'upgradePassword');`
`40`	`42`	`}`
`41`	`43`
`42`	`44`	`/**`
`@@ -54,9 +56,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`54`	`56`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`55`	`57`	`}`
`56`	`58`
`57`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`59`	`+ $encoder = $this->encoderFactory->getEncoder($user);`
	`60`	`+`
	`61`	`+ if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`58`	`62`	`throw new BadCredentialsException('The presented password is invalid.');`
`59`	`63`	`}`
	`64`	`+`
	`65`	`+ if ($this->canUpgradePassword && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {`
	`66`	`+ $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));`
	`67`	`+ }`
`60`	`68`	`}`
`61`	`69`	`}`
`62`	`70`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface`
`20`	`20`	`{`
`21`	`21`	`const MAX_PASSWORD_LENGTH = 4096;`
`22`	`22`
	`23`	`+ /**`
	`24`	`+ * {@inheritdoc}`
	`25`	`+ */`
	`26`	`+ public function needsRehash(string $encoded): bool`
	`27`	`+ {`
	`28`	`+ return false;`
	`29`	`+ }`
	`30`	`+`
`23`	`31`	`/**`
`24`	`32`	`* Demerges a merge password and salt string.`
`25`	`33`	`*`
Original file line number	Diff line number	Diff line change
`@@ -89,4 +89,12 @@ public function isPasswordValid($encoded, $raw, $salt)`
`89`	`89`
`90`	`90`	`return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);`
`91`	`91`	`}`
	`92`	`+`
	`93`	`+ /**`
	`94`	`+ * {@inheritdoc}`
	`95`	`+ */`
	`96`	`+ public function needsRehash(string $encoded): bool`
	`97`	`+ {`
	`98`	`+ return password_needs_rehash($encoded, $this->algo, $this->options);`
	`99`	`+ }`
`92`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`	`* PasswordEncoderInterface is the interface for all encoders.`
`18`	`18`	`*`
`19`	`19`	`* @author Fabien Potencier <[email protected]>`
	`20`	`+ *`
	`21`	`+ * @method bool needsRehash(string $encoded)`
`20`	`22`	`*/`
`21`	`23`	`interface PasswordEncoderInterface`
`22`	`24`	`{`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,8 @@`
`30`	`30`	`* @see UserInterface`
`31`	`31`	`*`
`32`	`32`	`* @author Fabien Potencier <[email protected]>`
	`33`	`+ *`
	`34`	`+ * @method bool upgradePassword(UserInterface $user, string $newEncodedPassword)`
`33`	`35`	`*/`
`34`	`36`	`interface UserProviderInterface`
`35`	`37`	`{`