From 765f14c80e2ea579d1331e3d13a359b4d9d7fd9e Mon Sep 17 00:00:00 2001 From: Nicolas Grekas Date: Wed, 17 Apr 2019 21:13:54 +0200 Subject: [PATCH] [Security] add MigratingPasswordEncoder --- src/Symfony/Component/Security/CHANGELOG.md | 1 + .../Security/Core/Encoder/EncoderFactory.php | 12 ++- .../Core/Encoder/MigratingPasswordEncoder.php | 71 ++++++++++++++++++ .../Encoder/MigratingPasswordEncoderTest.php | 73 +++++++++++++++++++ 4 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php create mode 100644 src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md index 78fba3fa9972d..982d753af5091 100644 --- a/src/Symfony/Component/Security/CHANGELOG.md +++ b/src/Symfony/Component/Security/CHANGELOG.md @@ -5,6 +5,7 @@ CHANGELOG ----- * Added method `needsRehash()` to `PasswordEncoderInterface` and `UserPasswordEncoderInterface` + * Added `MigratingPasswordEncoder` 4.3.0 ----- diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php index 150190dc4c161..ad58fd0b7f9cc 100644 --- a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php +++ b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php @@ -85,7 +85,17 @@ private function createEncoder(array $config) private function getEncoderConfigFromAlgorithm($config) { if ('auto' === $config['algorithm']) { - $config['algorithm'] = SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native'; + $encoderChain = []; + // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly + foreach ([SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) { + $config['algorithm'] = $algo; + $encoderChain[] = $this->createEncoder($config); + } + + return [ + 'class' => MigratingPasswordEncoder::class, + 'arguments' => $encoderChain, + ]; } switch ($config['algorithm']) { diff --git a/src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php new file mode 100644 index 0000000000000..77e6726808f9b --- /dev/null +++ b/src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php @@ -0,0 +1,71 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Core\Encoder; + +/** + * Hashes passwords using the best available encoder. + * Validates them using a chain of encoders. + * + * /!\ Don't put a PlaintextPasswordEncoder in the list as that'd mean a leaked hash + * could be used to authenticate successfully without knowing the cleartext password. + * + * @author Nicolas Grekas + */ +final class MigratingPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface +{ + private $bestEncoder; + private $extraEncoders; + + public function __construct(PasswordEncoderInterface $bestEncoder, PasswordEncoderInterface ...$extraEncoders) + { + $this->bestEncoder = $bestEncoder; + $this->extraEncoders = $extraEncoders; + } + + /** + * {@inheritdoc} + */ + public function encodePassword($raw, $salt) + { + return $this->bestEncoder->encodePassword($raw, $salt); + } + + /** + * {@inheritdoc} + */ + public function isPasswordValid($encoded, $raw, $salt) + { + if ($this->bestEncoder->isPasswordValid($encoded, $raw, $salt)) { + return true; + } + + if (!$this->bestEncoder->needsRehash($encoded)) { + return false; + } + + foreach ($this->extraEncoders as $encoder) { + if ($encoder->isPasswordValid($encoded, $raw, $salt)) { + return true; + } + } + + return false; + } + + /** + * {@inheritdoc} + */ + public function needsRehash(string $encoded): bool + { + return $this->bestEncoder->needsRehash($encoded); + } +} diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php new file mode 100644 index 0000000000000..245d6c182d0fa --- /dev/null +++ b/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php @@ -0,0 +1,73 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Core\Tests\Encoder; + +use PHPUnit\Framework\TestCase; +use Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder; +use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder; +use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface; + +class MigratingPasswordEncoderTest extends TestCase +{ + public function testValidation() + { + $bestEncoder = new NativePasswordEncoder(4, 12000, 4); + + $extraEncoder = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock(); + $extraEncoder->expects($this->never())->method('encodePassword'); + $extraEncoder->expects($this->never())->method('isPasswordValid'); + $extraEncoder->expects($this->never())->method('needsRehash'); + + $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder); + + $this->assertTrue($encoder->needsRehash('foo')); + + $hash = $encoder->encodePassword('foo', 'salt'); + $this->assertFalse($encoder->needsRehash($hash)); + + $this->assertTrue($encoder->isPasswordValid($hash, 'foo', 'salt')); + $this->assertFalse($encoder->isPasswordValid($hash, 'bar', 'salt')); + } + + public function testFallback() + { + $bestEncoder = new NativePasswordEncoder(4, 12000, 4); + + $extraEncoder1 = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock(); + $extraEncoder1->expects($this->any()) + ->method('isPasswordValid') + ->with('abc', 'foo', 'salt') + ->willReturn(true); + + $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder1); + + $this->assertTrue($encoder->isPasswordValid('abc', 'foo', 'salt')); + + $extraEncoder2 = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock(); + $extraEncoder2->expects($this->any()) + ->method('isPasswordValid') + ->willReturn(false); + + $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder2); + + $this->assertFalse($encoder->isPasswordValid('abc', 'foo', 'salt')); + + $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder2, $extraEncoder1); + + $this->assertTrue($encoder->isPasswordValid('abc', 'foo', 'salt')); + } +} + +interface TestPasswordEncoderInterface extends PasswordEncoderInterface +{ + public function needsRehash(string $encoded): bool; +} pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy