From 765f14c80e2ea579d1331e3d13a359b4d9d7fd9e Mon Sep 17 00:00:00 2001
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Wed, 17 Apr 2019 21:13:54 +0200
Subject: [PATCH] [Security] add MigratingPasswordEncoder

---
 src/Symfony/Component/Security/CHANGELOG.md   |  1 +
 .../Security/Core/Encoder/EncoderFactory.php  | 12 ++-
 .../Core/Encoder/MigratingPasswordEncoder.php | 71 ++++++++++++++++++
 .../Encoder/MigratingPasswordEncoderTest.php  | 73 +++++++++++++++++++
 4 files changed, 156 insertions(+), 1 deletion(-)
 create mode 100644 src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php
 create mode 100644 src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php

diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
index 78fba3fa99..982d753af5 100644
--- a/src/Symfony/Component/Security/CHANGELOG.md
+++ b/src/Symfony/Component/Security/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 -----
 
  * Added method `needsRehash()` to `PasswordEncoderInterface` and `UserPasswordEncoderInterface`
+ * Added `MigratingPasswordEncoder`
 
 4.3.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
index 150190dc4c..ad58fd0b7f 100644
--- a/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
+++ b/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php
@@ -85,7 +85,17 @@ class EncoderFactory implements EncoderFactoryInterface
     private function getEncoderConfigFromAlgorithm($config)
     {
         if ('auto' === $config['algorithm']) {
-            $config['algorithm'] = SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native';
+            $encoderChain = [];
+            // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
+            foreach ([SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
+                $config['algorithm'] = $algo;
+                $encoderChain[] = $this->createEncoder($config);
+            }
+
+            return [
+                'class' => MigratingPasswordEncoder::class,
+                'arguments' => $encoderChain,
+            ];
         }
 
         switch ($config['algorithm']) {
diff --git a/src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php
new file mode 100644
index 0000000000..77e6726808
--- /dev/null
+++ b/src/Symfony/Component/Security/Core/Encoder/MigratingPasswordEncoder.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+/**
+ * Hashes passwords using the best available encoder.
+ * Validates them using a chain of encoders.
+ *
+ * /!\ Don't put a PlaintextPasswordEncoder in the list as that'd mean a leaked hash
+ * could be used to authenticate successfully without knowing the cleartext password.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class MigratingPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
+{
+    private $bestEncoder;
+    private $extraEncoders;
+
+    public function __construct(PasswordEncoderInterface $bestEncoder, PasswordEncoderInterface ...$extraEncoders)
+    {
+        $this->bestEncoder = $bestEncoder;
+        $this->extraEncoders = $extraEncoders;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encodePassword($raw, $salt)
+    {
+        return $this->bestEncoder->encodePassword($raw, $salt);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isPasswordValid($encoded, $raw, $salt)
+    {
+        if ($this->bestEncoder->isPasswordValid($encoded, $raw, $salt)) {
+            return true;
+        }
+
+        if (!$this->bestEncoder->needsRehash($encoded)) {
+            return false;
+        }
+
+        foreach ($this->extraEncoders as $encoder) {
+            if ($encoder->isPasswordValid($encoded, $raw, $salt)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->bestEncoder->needsRehash($encoded);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php
new file mode 100644
index 0000000000..245d6c182d
--- /dev/null
+++ b/src/Symfony/Component/Security/Core/Tests/Encoder/MigratingPasswordEncoderTest.php
@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Encoder;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;
+
+class MigratingPasswordEncoderTest extends TestCase
+{
+    public function testValidation()
+    {
+        $bestEncoder = new NativePasswordEncoder(4, 12000, 4);
+
+        $extraEncoder = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock();
+        $extraEncoder->expects($this->never())->method('encodePassword');
+        $extraEncoder->expects($this->never())->method('isPasswordValid');
+        $extraEncoder->expects($this->never())->method('needsRehash');
+
+        $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder);
+
+        $this->assertTrue($encoder->needsRehash('foo'));
+
+        $hash = $encoder->encodePassword('foo', 'salt');
+        $this->assertFalse($encoder->needsRehash($hash));
+
+        $this->assertTrue($encoder->isPasswordValid($hash, 'foo', 'salt'));
+        $this->assertFalse($encoder->isPasswordValid($hash, 'bar', 'salt'));
+    }
+
+    public function testFallback()
+    {
+        $bestEncoder = new NativePasswordEncoder(4, 12000, 4);
+
+        $extraEncoder1 = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock();
+        $extraEncoder1->expects($this->any())
+            ->method('isPasswordValid')
+            ->with('abc', 'foo', 'salt')
+            ->willReturn(true);
+
+        $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder1);
+
+        $this->assertTrue($encoder->isPasswordValid('abc', 'foo', 'salt'));
+
+        $extraEncoder2 = $this->getMockBuilder(TestPasswordEncoderInterface::class)->getMock();
+        $extraEncoder2->expects($this->any())
+            ->method('isPasswordValid')
+            ->willReturn(false);
+
+        $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder2);
+
+        $this->assertFalse($encoder->isPasswordValid('abc', 'foo', 'salt'));
+
+        $encoder = new MigratingPasswordEncoder($bestEncoder, $extraEncoder2, $extraEncoder1);
+
+        $this->assertTrue($encoder->isPasswordValid('abc', 'foo', 'salt'));
+    }
+}
+
+interface TestPasswordEncoderInterface extends PasswordEncoderInterface
+{
+    public function needsRehash(string $encoded): bool;
+}