bug #41022 [PasswordHasher] Improved BC layer (derrabus)

derrabus · derrabus · commit 87f177afcb99 · 2021-05-04T19:56:31.000+02:00
This PR was merged into the 5.3-dev branch.

Discussion
----------

[PasswordHasher] Improved BC layer

| Q             | A
| ------------- | ---
| Branch?       | 5.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #41020, Fix #41024
| License       | MIT
| Doc PR        | N/A

Commits
-------

0caad4f72d [PasswordHasher] Improved BC layer
diff --git a/Encoder/EncoderFactory.php b/Encoder/EncoderFactory.php
@@ -13,6 +13,8 @@
 
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherAwareInterface;
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
+use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
+use Symfony\Component\PasswordHasher\PasswordHasherInterface;
 use Symfony\Component\Security\Core\Exception\LogicException;
 
 trigger_deprecation('symfony/security-core', '5.3', 'The "%s" class is deprecated, use "%s" instead.', EncoderFactory::class, PasswordHasherFactory::class);
@@ -60,7 +62,13 @@ public function getEncoder($user)
         }
 
         if (!$this->encoders[$encoderKey] instanceof PasswordEncoderInterface) {
-            $this->encoders[$encoderKey] = $this->createEncoder($this->encoders[$encoderKey]);
+            if ($this->encoders[$encoderKey] instanceof LegacyPasswordHasherInterface) {
+                $this->encoders[$encoderKey] = new LegacyPasswordHasherEncoder($this->encoders[$encoderKey]);
+            } elseif ($this->encoders[$encoderKey] instanceof PasswordHasherInterface) {
+                $this->encoders[$encoderKey] = new PasswordHasherEncoder($this->encoders[$encoderKey]);
+            } else {
+                $this->encoders[$encoderKey] = $this->createEncoder($this->encoders[$encoderKey]);
+            }
         }
 
         return $this->encoders[$encoderKey];
diff --git a/Encoder/LegacyPasswordHasherEncoder.php b/Encoder/LegacyPasswordHasherEncoder.php
@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+use Symfony\Component\PasswordHasher\Exception\InvalidPasswordException;
+use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
+/**
+ * Forward compatibility for new new PasswordHasher component.
+ *
+ * @author Alexander M. Turek <me@derrabus.de>
+ *
+ * @internal To be removed in Symfony 6
+ */
+final class LegacyPasswordHasherEncoder implements PasswordEncoderInterface
+{
+    private $passwordHasher;
+
+    public function __construct(LegacyPasswordHasherInterface $passwordHasher)
+    {
+        $this->passwordHasher = $passwordHasher;
+    }
+
+    public function encodePassword(string $raw, ?string $salt): string
+    {
+        try {
+            return $this->passwordHasher->hash($raw, $salt);
+        } catch (InvalidPasswordException $e) {
+            throw new BadCredentialsException($e->getMessage(), $e->getCode(), $e);
+        }
+    }
+
+    public function isPasswordValid(string $encoded, string $raw, ?string $salt): bool
+    {
+        return $this->passwordHasher->verify($encoded, $raw, $salt);
+    }
+
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->passwordHasher->needsRehash($encoded);
+    }
+}
diff --git a/Encoder/PasswordHasherAdapter.php b/Encoder/PasswordHasherAdapter.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
+
+/**
+ * Forward compatibility for new new PasswordHasher component.
+ *
+ * @author Alexander M. Turek <me@derrabus.de>
+ *
+ * @internal To be removed in Symfony 6
+ */
+final class PasswordHasherAdapter implements LegacyPasswordHasherInterface
+{
+    private $passwordEncoder;
+
+    public function __construct(PasswordEncoderInterface $passwordEncoder)
+    {
+        $this->passwordEncoder = $passwordEncoder;
+    }
+
+    public function hash(string $plainPassword, ?string $salt = null): string
+    {
+        return $this->passwordEncoder->encodePassword($plainPassword, $salt);
+    }
+
+    public function verify(string $hashedPassword, string $plainPassword, ?string $salt = null): bool
+    {
+        return $this->passwordEncoder->isPasswordValid($hashedPassword, $plainPassword, $salt);
+    }
+
+    public function needsRehash(string $hashedPassword): bool
+    {
+        return $this->passwordEncoder->needsRehash($hashedPassword);
+    }
+}
diff --git a/Encoder/PasswordHasherEncoder.php b/Encoder/PasswordHasherEncoder.php
@@ -0,0 +1,60 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+use Symfony\Component\PasswordHasher\Exception\InvalidPasswordException;
+use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
+/**
+ * Forward compatibility for new new PasswordHasher component.
+ *
+ * @author Alexander M. Turek <me@derrabus.de>
+ *
+ * @internal To be removed in Symfony 6
+ */
+final class PasswordHasherEncoder implements PasswordEncoderInterface, SelfSaltingEncoderInterface
+{
+    private $passwordHasher;
+
+    public function __construct(PasswordHasherInterface $passwordHasher)
+    {
+        $this->passwordHasher = $passwordHasher;
+    }
+
+    public function encodePassword(string $raw, ?string $salt): string
+    {
+        if (null !== $salt) {
+            throw new \InvalidArgumentException('This password hasher does not support passing a salt.');
+        }
+
+        try {
+            return $this->passwordHasher->hash($raw);
+        } catch (InvalidPasswordException $e) {
+            throw new BadCredentialsException($e->getMessage(), $e->getCode(), $e);
+        }
+    }
+
+    public function isPasswordValid(string $encoded, string $raw, ?string $salt): bool
+    {
+        if (null !== $salt) {
+            throw new \InvalidArgumentException('This password hasher does not support passing a salt.');
+        }
+
+        return $this->passwordHasher->verify($encoded, $raw);
+    }
+
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->passwordHasher->needsRehash($encoded);
+    }
+}
diff --git a/Tests/Encoder/EncoderFactoryTest.php b/Tests/Encoder/EncoderFactoryTest.php
@@ -12,17 +12,20 @@
 namespace Symfony\Component\Security\Core\Tests\Encoder;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\PasswordHasher\Hasher\MessageDigestPasswordHasher;
+use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherAwareInterface;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
+use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
 use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
 use Symfony\Component\Security\Core\Encoder\EncoderFactory;
 use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\SelfSaltingEncoderInterface;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
-use Symfony\Component\PasswordHasher\Hasher\PasswordHasherAwareInterface;
-use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
-use Symfony\Component\PasswordHasher\Hasher\MessageDigestPasswordHasher;
 
 /**
  * @group legacy
@@ -193,6 +196,28 @@ public function testHasherAwareCompat()
         $expectedEncoder = new MessageDigestPasswordHasher('sha1');
         $this->assertEquals($expectedEncoder->hash('foo', ''), $encoder->hash('foo', ''));
     }
+
+    public function testLegacyPasswordHasher()
+    {
+        $factory = new EncoderFactory([
+            SomeUser::class => new PlaintextPasswordHasher(),
+        ]);
+
+        $encoder = $factory->getEncoder(new SomeUser());
+        self::assertNotInstanceOf(SelfSaltingEncoderInterface::class, $encoder);
+        self::assertSame('foo{bar}', $encoder->encodePassword('foo', 'bar'));
+    }
+
+    public function testPasswordHasher()
+    {
+        $factory = new EncoderFactory([
+            SomeUser::class => new NativePasswordHasher(),
+        ]);
+
+        $encoder = $factory->getEncoder(new SomeUser());
+        self::assertInstanceOf(SelfSaltingEncoderInterface::class, $encoder);
+        self::assertTrue($encoder->isPasswordValid($encoder->encodePassword('foo', null), 'foo', null));
+    }
 }
 
 class SomeUser implements UserInterface
@@ -236,7 +261,6 @@ public function getEncoderName(): ?string
     }
 }
 
-
 class HasherAwareUser extends SomeUser implements PasswordHasherAwareInterface
 {
     public $hasherName = 'encoder_name';
