[Security] add password rehashing capabilities

nicolas-grekas · nicolas-grekas · commit 846ad0e4de50 · 2019-05-09T16:13:07.000+02:00
diff --git a/src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php b/src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php
@@ -25,7 +25,7 @@
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class EntityUserProvider implements UserProviderInterface
+class EntityUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $registry;
     private $managerName;
@@ -107,6 +107,22 @@ public function supportsClass($class)
         return $class === $this->getClass() || is_subclass_of($class, $this->getClass());
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        $class = $this->getClass();
+        if (!$user instanceof $class) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        $repository = $this->getRepository();
+        if ($repository instanceof PasswordUpgraderInterface) {
+            $repository->upgradePassword($user, $newEncodedPassword);
+        }
+    }
+
     private function getObjectManager()
     {
         return $this->registry->getManager($this->managerName);
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -1,6 +1,14 @@
 CHANGELOG
 =========
 
+4.4.0
+-----
+
+ * Added `ChainPasswordEncoder`
+ * Added method `PasswordEncoderInterface::needsRehash()`
+ * Added and implemented `PasswordUpgraderInterface`
+ * Deprecated `BCryptPasswordEncoder`, use `NativePasswordEncoder` instead
+
 4.3.0
 -----
 
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -54,9 +55,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            $encoder = $this->encoderFactory->getEncoder($user);
+
+            if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
+
+            if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {
+                $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));
+            }
         }
     }
 
diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
 {
     const MAX_PASSWORD_LENGTH = 4096;
 
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return false;
+    }
+
     /**
      * Demerges a merge password and salt string.
      *
diff --git a/src/Symfony/Component/Security/Core/Encoder/ChainPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/ChainPasswordEncoder.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+/**
+ * Hashes passwords using the best available encoder.
+ * Validates them using a chain of encoders.
+ *
+ * /!\ Don't put a PlaintextPasswordEncoder in the list as that'd mean a leaked hash
+ * could be used to authenticate successfully without knowing the cleartext password.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class ChainPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
+{
+    private $bestEncoder;
+    private $extraEncoders;
+
+    public function __construct(PasswordEncoderInterface $bestEncoder, PasswordEncoderInterface ...$extraEncoders)
+    {
+        $this->bestEncoder = $bestEncoder;
+        $this->extraEncoders = $extraEncoders;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encodePassword($raw, $salt)
+    {
+        return $this->bestEncoder->encodePassword($raw, $salt);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isPasswordValid($encoded, $raw, $salt)
+    {
+        if ($this->bestEncoder->isPasswordValid($encoded, $raw, $salt)) {
+            return true;
+        }
+
+        foreach ($this->extraEncoders as $encoder) {
+            if ($encoder->isPasswordValid($encoded, $raw, $salt)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->bestEncoder->needsRehash($encoded);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -85,7 +85,17 @@ private function createEncoder(array $config)
     private function getEncoderConfigFromAlgorithm($config)
     {
         if ('auto' === $config['algorithm']) {
-            $config['algorithm'] = SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native';
+            $encoderChain = [];
+            // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
+            foreach ([SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
+                $config['algorithm'] = $algo;
+                $encoderChain[] = $this->createEncoder($config);
+            }
+
+            return [
+                'class' => ChainPasswordEncoder::class,
+                'arguments' => $encoderChain,
+            ];
         }
 
         switch ($config['algorithm']) {
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -87,4 +87,12 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return password_needs_rehash($encoded, $this->algo, $this->options);
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php b/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php
@@ -17,6 +17,8 @@
  * PasswordEncoderInterface is the interface for all encoders.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @method bool needsRehash(string $encoded)
  */
 interface PasswordEncoderInterface
 {
diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -94,4 +94,20 @@ public function isPasswordValid($encoded, $raw, $salt)
 
         throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        if (\function_exists('sodium_crypto_pwhash_str_needs_rehash')) {
+            return \sodium_crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit);
+        }
+
+        if (\extension_loaded('libsodium')) {
+            return \Sodium\crypto_pwhash_str_needs_rehash($encoded, $this->opsLimit, $this->memLimit);
+        }
+
+        throw new LogicException('Libsodium is not available. You should either install the sodium extension, upgrade to PHP 7.2+ or use a different encoder.');
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/User/ChainUserProvider.php b/src/Symfony/Component/Security/Core/User/ChainUserProvider.php
@@ -22,7 +22,7 @@
  *
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class ChainUserProvider implements UserProviderInterface
+class ChainUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $providers;
 
@@ -104,4 +104,16 @@ public function supportsClass($class)
 
         return false;
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        foreach ($this->providers as $provider) {
+            if ($provider instanceof PasswordUpgraderInterface) {
+                $provider->upgradePassword($user, $newEncodedPassword);
+            }
+        }
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php b/src/Symfony/Component/Security/Core/User/InMemoryUserProvider.php
@@ -22,7 +22,7 @@
  *
  * @author Fabien Potencier <fabien@symfony.com>
  */
-class InMemoryUserProvider implements UserProviderInterface
+class InMemoryUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $users;
 
@@ -90,6 +90,19 @@ public function supportsClass($class)
         return 'Symfony\Component\Security\Core\User\User' === $class;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        if (!$user instanceof User) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        $this->getUser($user->getUsername())->setPassword($newEncodedPassword);
+        $user->setPassword($newEncodedPassword);
+    }
+
     /**
      * Returns the user by given username.
      *
diff --git a/src/Symfony/Component/Security/Core/User/LdapUserProvider.php b/src/Symfony/Component/Security/Core/User/LdapUserProvider.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\Ldap\Entry;
 use Symfony\Component\Ldap\Exception\ConnectionException;
+use Symfony\Component\Ldap\Exception\ExceptionInterface;
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
@@ -24,7 +25,7 @@
  * @author Grégoire Pineau <lyrixx@lyrixx.info>
  * @author Charles Sarrazin <charles@sarraz.in>
  */
-class LdapUserProvider implements UserProviderInterface
+class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     private $ldap;
     private $baseDn;
@@ -34,6 +35,7 @@ class LdapUserProvider implements UserProviderInterface
     private $uidKey;
     private $defaultSearch;
     private $passwordAttribute;
+    private $entry;
 
     public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null)
     {
@@ -89,6 +91,11 @@ public function loadUserByUsername($username)
         } catch (InvalidArgumentException $e) {
         }
 
+        if (null !== $this->entry) {
+            // Keep $entry around when called from upgradePassword()
+            $this->entry = $entry;
+        }
+
         return $this->loadUser($username, $entry);
     }
 
@@ -112,6 +119,35 @@ public function supportsClass($class)
         return 'Symfony\Component\Security\Core\User\User' === $class;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        if (!$user instanceof User) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
+        }
+
+        if (null === $this->passwordAttribute) {
+            return;
+        }
+
+        try {
+            // Tell loadUserByUsername() to keep the $entry around
+            $this->entry = true;
+
+            if ($user->isEqualTo($this->loadUserByUsername($user->getUsername())) && \is_object($this->entry)) {
+                $this->entry->setAttribute($this->passwordAttribute, [$newEncodedPassword]);
+                $this->ldap->getEntryManager()->update($this->entry);
+                $user->setPassword($newEncodedPassword);
+            }
+        } catch (ExceptionInterface $e) {
+            // ignore failed password upgrades
+        } finally {
+            $this->entry = null;
+        }
+    }
+
     /**
      * Loads a user from an LDAP entry.
      *
diff --git a/src/Symfony/Component/Security/Core/User/PasswordUpgraderInterface.php b/src/Symfony/Component/Security/Core/User/PasswordUpgraderInterface.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\User;
+
+/**
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+interface PasswordUpgraderInterface
+{
+    /**
+     * Upgrades the encoded password of a user, typically for using a better hash algorithm.
+     *
+     * This method should persist the new password in the user storage and update the $user object accordingly.
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void;
+}
diff --git a/src/Symfony/Component/Security/Core/User/User.php b/src/Symfony/Component/Security/Core/User/User.php
@@ -157,4 +157,9 @@ public function isEqualTo(UserInterface $user)
 
         return true;
     }
+
+    public function setPassword(string $password)
+    {
+        $this->password = $password;
+    }
 }
diff --git a/src/Symfony/Component/Security/Guard/AuthenticatorInterface.php b/src/Symfony/Component/Security/Guard/AuthenticatorInterface.php
@@ -94,14 +94,15 @@ public function getUser($credentials, UserProviderInterface $userProvider);
      *
      * The *credentials* are the return value from getCredentials()
      *
-     * @param mixed         $credentials
-     * @param UserInterface $user
+     * @param mixed                     $credentials
+     * @param UserInterface             $user
+     * @param PasswordUpgraderInterface $userProvider
      *
      * @return bool
      *
      * @throws AuthenticationException
      */
-    public function checkCredentials($credentials, UserInterface $user);
+    public function checkCredentials($credentials, UserInterface $user/*, PasswordUpgraderInterface $passwordUpgrader = null*/);
 
     /**
      * Create an authenticated token for the given user.
diff --git a/src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php b/src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;`
`17`	`17`	`use Symfony\Component\Security\Core\Exception\BadCredentialsException;`
`18`	`18`	`use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;`
	`19`	`+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;`
`19`	`20`	`use Symfony\Component\Security\Core\User\UserCheckerInterface;`
`20`	`21`	`use Symfony\Component\Security\Core\User\UserInterface;`
`21`	`22`	`use Symfony\Component\Security\Core\User\UserProviderInterface;`
`@@ -54,9 +55,15 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`54`	`55`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`55`	`56`	`}`
`56`	`57`
`57`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`58`	`+ $encoder = $this->encoderFactory->getEncoder($user);`
	`59`	`+`
	`60`	`+ if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`58`	`61`	`throw new BadCredentialsException('The presented password is invalid.');`
`59`	`62`	`}`
	`63`	`+`
	`64`	`+ if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {`
	`65`	`+ $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));`
	`66`	`+ }`
`60`	`67`	`}`
`61`	`68`	`}`
`62`	`69`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface`
`20`	`20`	`{`
`21`	`21`	`const MAX_PASSWORD_LENGTH = 4096;`
`22`	`22`
	`23`	`+ /**`
	`24`	`+ * {@inheritdoc}`
	`25`	`+ */`
	`26`	`+ public function needsRehash(string $encoded): bool`
	`27`	`+ {`
	`28`	`+ return false;`
	`29`	`+ }`
	`30`	`+`
`23`	`31`	`/**`
`24`	`32`	`* Demerges a merge password and salt string.`
`25`	`33`	`*`
Original file line number	Diff line number	Diff line change
`@@ -87,4 +87,12 @@ public function isPasswordValid($encoded, $raw, $salt)`
`87`	`87`
`88`	`88`	`return \strlen($raw) <= self::MAX_PASSWORD_LENGTH && password_verify($raw, $encoded);`
`89`	`89`	`}`
	`90`	`+`
	`91`	`+ /**`
	`92`	`+ * {@inheritdoc}`
	`93`	`+ */`
	`94`	`+ public function needsRehash(string $encoded): bool`
	`95`	`+ {`
	`96`	`+ return password_needs_rehash($encoded, $this->algo, $this->options);`
	`97`	`+ }`
`90`	`98`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`	`* PasswordEncoderInterface is the interface for all encoders.`
`18`	`18`	`*`
`19`	`19`	`* @author Fabien Potencier <fabien@symfony.com>`
	`20`	`+ *`
	`21`	`+ * @method bool needsRehash(string $encoded)`
`20`	`22`	`*/`
`21`	`23`	`interface PasswordEncoderInterface`
`22`	`24`	`{`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@`
`22`	`22`	`*`
`23`	`23`	`* @author Johannes M. Schmitt <schmittjoh@gmail.com>`
`24`	`24`	`*/`
`25`		`-class ChainUserProvider implements UserProviderInterface`
	`25`	`+class ChainUserProvider implements UserProviderInterface, PasswordUpgraderInterface`
`26`	`26`	`{`
`27`	`27`	`private $providers;`
`28`	`28`
`@@ -104,4 +104,16 @@ public function supportsClass($class)`
`104`	`104`
`105`	`105`	`return false;`
`106`	`106`	`}`
	`107`	`+`
	`108`	`+ /**`
	`109`	`+ * {@inheritdoc}`
	`110`	`+ */`
	`111`	`+ public function upgradePassword(UserInterface $user, string $newEncodedPassword): void`
	`112`	`+ {`
	`113`	`+ foreach ($this->providers as $provider) {`
	`114`	`+ if ($provider instanceof PasswordUpgraderInterface) {`
	`115`	`+ $provider->upgradePassword($user, $newEncodedPassword);`
	`116`	`+ }`
	`117`	`+ }`
	`118`	`+ }`
`107`	`119`	`}`