Support security encoder and argon2 & co. (see #536)

Toflar · leofeyer · commit a9726fa7121f · 2019-06-27T16:26:54.000+02:00
Description ----------- In Symfony 4.3, a new security encoder named `auto` was introduced. It will choose the best password hashing algorithm based on what Symfony and/or the PHP community decides. Currently this would mean as of PHP 7.2 if you did compile your PHP using libsodium, you'll have argon2 available. I wanted to make sure my setup benefits from the strongest algorithms available so I've implemented the `auto` configuration by default and it will fall back to the current `bcrypt` configuration in case you are not yet on Symfony 4.3. Of course `auto` may still take `bcrypt` in case your system does not support libsodium. While implementing I noticed that we still use the password hashing API directly instead of relying on the Symfony components. This means you can configure a different algorithm in the security configuration but it will never work 😄 So I fixed this by replacing all our direct password hashing API calls with the underlying Symfony security components. BTW: I had to remove the usage of `password_needs_rehash()` to completely rely on the Symfony encoder configured. This means right now you cannot automatically upgrade which is why currently the `SodiumPasswordEncoder` will also verify bcrypt passwords. Symfony will address this in 4.4 so we can (symfony/symfony#31843) completely rely on what Symfony is doing very soon. As of now, there are only `bcrypt` and `argon2` anyway and those will be handled properly. Commits ------- c2c97083 Make sure the password widgets use the configured security encoder and support argon2 and others 12883f1b Replaced direct usage of password_* methods f7872ee9 Fixed class usage 55aa55d9 Fixed UserPasswordCommand tests 62b6531e Fix the coding style
diff --git a/README.md b/README.md
@@ -36,8 +36,8 @@ Install Contao and all its dependencies by executing the following command:
 
 ```
 composer require \
-    contao/core-bundle:4.7.* \
-    contao/installation-bundle:^4.7 \
+    contao/core-bundle:4.8.* \
+    contao/installation-bundle:^4.8 \
     php-http/guzzle6-adapter:^1.1
 ```
 
@@ -80,7 +80,7 @@ security:
 
     encoders:
         Contao\User:
-            algorithm: bcrypt
+            algorithm: auto
 
     firewalls:
         dev:
diff --git a/src/Command/UserPasswordCommand.php b/src/Command/UserPasswordCommand.php
@@ -12,6 +12,7 @@
 
 namespace Contao\CoreBundle\Command;
 
+use Contao\BackendUser;
 use Contao\Config;
 use Contao\CoreBundle\Framework\ContaoFramework;
 use Doctrine\DBAL\Connection;
@@ -26,6 +27,7 @@
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Question\Question;
 use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 
 /**
  * Changes the password of a Contao back end user.
@@ -42,10 +44,16 @@ class UserPasswordCommand extends Command
      */
     private $connection;
 
-    public function __construct(ContaoFramework $framework, Connection $connection)
+    /**
+     * @var EncoderFactoryInterface
+     */
+    private $encoderFactory;
+
+    public function __construct(ContaoFramework $framework, Connection $connection, EncoderFactoryInterface $encoderFactory)
     {
         $this->framework = $framework;
         $this->connection = $connection;
+        $this->encoderFactory = $encoderFactory;
 
         parent::__construct();
     }
@@ -150,6 +158,8 @@ private function validateAndHashPassword(string $password): string
             );
         }
 
-        return password_hash($password, PASSWORD_DEFAULT);
+        $encoder = $this->encoderFactory->getEncoder(BackendUser::class);
+
+        return $encoder->encodePassword($password, null);
     }
 }
diff --git a/src/DependencyInjection/Compiler/MakeServicesPublicPass.php b/src/DependencyInjection/Compiler/MakeServicesPublicPass.php
@@ -47,6 +47,7 @@ public function process(ContainerBuilder $container): void
         static $aliases = [
             'database_connection',
             'swiftmailer.mailer',
+            'security.encoder_factory',
         ];
 
         foreach ($aliases as $alias) {
diff --git a/src/Resources/config/commands.yml b/src/Resources/config/commands.yml
@@ -52,6 +52,7 @@ services:
         arguments:
             - '@contao.framework'
             - '@database_connection'
+            - '@security.encoder_factory'
 
     contao.command.version:
         class: Contao\CoreBundle\Command\VersionCommand
diff --git a/src/Resources/contao/config/default.php b/src/Resources/contao/config/default.php
@@ -53,7 +53,6 @@
 // Encryption
 $GLOBALS['TL_CONFIG']['encryptionMode']   = 'cfb';
 $GLOBALS['TL_CONFIG']['encryptionCipher'] = 'rijndael-256';
-$GLOBALS['TL_CONFIG']['bcryptCost']       = 10;
 
 // File uploads
 $GLOBALS['TL_CONFIG']['uploadTypes']
diff --git a/src/Resources/contao/controllers/BackendPassword.php b/src/Resources/contao/controllers/BackendPassword.php
@@ -81,8 +81,10 @@ public function run()
 			// Save the data
 			else
 			{
+				$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(BackendUser::class);
+
 				// Make sure the password has been changed
-				if (password_verify($pw, $this->User->password))
+				if ($encoder->isPasswordValid($this->User->password, $pw, null))
 				{
 					Message::addError($GLOBALS['TL_LANG']['MSC']['pw_change']);
 				}
@@ -112,7 +114,7 @@ public function run()
 
 					$objUser = UserModel::findByPk($this->User->id);
 					$objUser->pwChange = '';
-					$objUser->password = password_hash($pw, PASSWORD_DEFAULT);
+					$objUser->password = $encoder->encodePassword($pw, null);
 					$objUser->save();
 
 					Message::addConfirmation($GLOBALS['TL_LANG']['MSC']['pw_changed']);
diff --git a/src/Resources/contao/forms/FormPassword.php b/src/Resources/contao/forms/FormPassword.php
@@ -138,8 +138,9 @@ protected function validator($varInput)
 		if (!$this->hasErrors())
 		{
 			$this->blnSubmitInput = true;
+			$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(FrontendUser::class);
 
-			return password_hash($varInput, PASSWORD_DEFAULT);
+			return $encoder->encodePassword($varInput, null);
 		}
 
 		return '';
diff --git a/src/Resources/contao/library/Contao/Encryption.php b/src/Resources/contao/library/Contao/Encryption.php
@@ -168,7 +168,9 @@ protected static function initialize()
 	 */
 	public static function hash($strPassword)
 	{
-		return password_hash($strPassword, PASSWORD_DEFAULT);
+		$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(User::class);
+
+		return $encoder->encodePassword($strPassword, null);
 	}
 
 	/**
@@ -212,7 +214,9 @@ public static function test($strHash)
 	 */
 	public static function verify($strPassword, $strHash)
 	{
-		return password_verify($strPassword, $strHash);
+		$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(User::class);
+
+		return $encoder->isPasswordValid($strHash, $strPassword, null);
 	}
 
 	/**
diff --git a/src/Resources/contao/library/Contao/User.php b/src/Resources/contao/library/Contao/User.php
@@ -495,20 +495,6 @@ public static function loadUserByUsername($username)
 			}
 		}
 
-		// Check if a passwords needs rehashing (see contao/core#8820)
-		if ($isLogin)
-		{
-			$blnAuthenticated = password_verify($request->request->get('password'), $user->password);
-			$blnNeedsRehash = password_needs_rehash($user->password, PASSWORD_DEFAULT);
-
-			// Re-hash the password if the algorithm has changed
-			if ($blnAuthenticated && $blnNeedsRehash)
-			{
-				$user->password = password_hash($request->request->get('password'), PASSWORD_DEFAULT);
-				$user->save();
-			}
-		}
-
 		$user->setUserFromDb();
 
 		return $user;
diff --git a/src/Resources/contao/modules/ModuleChangePassword.php b/src/Resources/contao/modules/ModuleChangePassword.php
@@ -143,11 +143,16 @@ protected function compile()
 				$objWidget->validate();
 
 				// Validate the old password
-				if ($strKey == 'oldPassword' && !password_verify($objWidget->value, $objMember->password))
+				if ($strKey == 'oldPassword')
 				{
-					$objWidget->value = '';
-					$objWidget->addError($GLOBALS['TL_LANG']['MSC']['oldPasswordWrong']);
-					sleep(2); // Wait 2 seconds while brute forcing :)
+					$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(FrontendUser::class);
+
+					if (!$encoder->isPasswordValid($objMember->password, $objWidget->value, null))
+					{
+						$objWidget->value = '';
+						$objWidget->addError($GLOBALS['TL_LANG']['MSC']['oldPasswordWrong']);
+						sleep(2); // Wait 2 seconds while brute forcing :)
+					}
 				}
 
 				if ($objWidget->hasErrors())
diff --git a/src/Resources/contao/modules/ModuleCloseAccount.php b/src/Resources/contao/modules/ModuleCloseAccount.php
@@ -80,8 +80,10 @@ protected function compile()
 		{
 			$objWidget->validate();
 
+			$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(FrontendUser::class);
+
 			// Validate the password
-			if (!$objWidget->hasErrors() && !password_verify($objWidget->value, $this->User->password))
+			if (!$objWidget->hasErrors() && !$encoder->isPasswordValid($this->User->password, $objWidget->value, null))
 			{
 				$objWidget->value = '';
 				$objWidget->addError($GLOBALS['TL_LANG']['ERR']['invalidPass']);
diff --git a/src/Resources/contao/modules/ModuleRegistration.php b/src/Resources/contao/modules/ModuleRegistration.php
@@ -218,10 +218,12 @@ protected function compile()
 			if (Input::post('FORM_SUBMIT') == $strFormId)
 			{
 				$objWidget->validate();
+
 				$varValue = $objWidget->value;
+				$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(FrontendUser::class);
 
 				// Check whether the password matches the username
-				if ($objWidget instanceof FormPassword && password_verify(Input::post('username'), $varValue))
+				if ($objWidget instanceof FormPassword && $encoder->isPasswordValid($varValue, Input::post('username'), null))
 				{
 					$objWidget->addError($GLOBALS['TL_LANG']['ERR']['passwordName']);
 				}
diff --git a/src/Resources/contao/widgets/Password.php b/src/Resources/contao/widgets/Password.php
@@ -135,7 +135,9 @@ protected function validator($varInput)
 			$this->blnSubmitInput = true;
 			Message::addConfirmation($GLOBALS['TL_LANG']['MSC']['pw_changed']);
 
-			return password_hash($varInput, PASSWORD_DEFAULT);
+			$encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(BackendUser::class);
+
+			return $encoder->encodePassword($varInput, null);
 		}
 
 		return '';
diff --git a/tests/Command/UserPasswordCommandTest.php b/tests/Command/UserPasswordCommandTest.php
diff --git a/tests/DependencyInjection/Compiler/MakeServicesPublicPassTest.php b/tests/DependencyInjection/Compiler/MakeServicesPublicPassTest.php
diff --git a/tests/Functional/app/config/security.yml b/tests/Functional/app/config/security.yml

Original file line number	Diff line number	Diff line change
`@@ -81,8 +81,10 @@ public function run()`
`81`	`81`	`// Save the data`
`82`	`82`	`else`
`83`	`83`	`{`
	`84`	`+ $encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(BackendUser::class);`
	`85`	`+`
`84`	`86`	`// Make sure the password has been changed`
`85`		`- if (password_verify($pw, $this->User->password))`
	`87`	`+ if ($encoder->isPasswordValid($this->User->password, $pw, null))`
`86`	`88`	`{`
`87`	`89`	`Message::addError($GLOBALS['TL_LANG']['MSC']['pw_change']);`
`88`	`90`	`}`
`@@ -112,7 +114,7 @@ public function run()`
`112`	`114`
`113`	`115`	`$objUser = UserModel::findByPk($this->User->id);`
`114`	`116`	`$objUser->pwChange = '';`
`115`		`- $objUser->password = password_hash($pw, PASSWORD_DEFAULT);`
	`117`	`+ $objUser->password = $encoder->encodePassword($pw, null);`
`116`	`118`	`$objUser->save();`
`117`	`119`
`118`	`120`	`Message::addConfirmation($GLOBALS['TL_LANG']['MSC']['pw_changed']);`
Original file line number	Diff line number	Diff line change
`@@ -138,8 +138,9 @@ protected function validator($varInput)`
`138`	`138`	`if (!$this->hasErrors())`
`139`	`139`	`{`
`140`	`140`	`$this->blnSubmitInput = true;`
	`141`	`+ $encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(FrontendUser::class);`
`141`	`142`
`142`		`- return password_hash($varInput, PASSWORD_DEFAULT);`
	`143`	`+ return $encoder->encodePassword($varInput, null);`
`143`	`144`	`}`
`144`	`145`
`145`	`146`	`return '';`
Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,9 @@ protected static function initialize()`
`168`	`168`	`*/`
`169`	`169`	`public static function hash($strPassword)`
`170`	`170`	`{`
`171`		`- return password_hash($strPassword, PASSWORD_DEFAULT);`
	`171`	`+ $encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(User::class);`
	`172`	`+`
	`173`	`+ return $encoder->encodePassword($strPassword, null);`
`172`	`174`	`}`
`173`	`175`
`174`	`176`	`/**`
`@@ -212,7 +214,9 @@ public static function test($strHash)`
`212`	`214`	`*/`
`213`	`215`	`public static function verify($strPassword, $strHash)`
`214`	`216`	`{`
`215`		`- return password_verify($strPassword, $strHash);`
	`217`	`+ $encoder = System::getContainer()->get('security.encoder_factory')->getEncoder(User::class);`
	`218`	`+`
	`219`	`+ return $encoder->isPasswordValid($strHash, $strPassword, null);`
`216`	`220`	`}`
`217`	`221`
`218`	`222`	`/**`