Add support for the password-hasher component

Author: stof

DependencyInjection/Compiler/ConfigurePasswordHasherPass.php

@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * This file is part of the FOSUserBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\UserBundle\DependencyInjection\Compiler;
+
+use FOS\UserBundle\Util\PasswordUpdater;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * @internal
+ */
+final class ConfigurePasswordHasherPass implements CompilerPassInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function process(ContainerBuilder $container)
+    {
+        if ($container->has('security.password_hasher_factory')) {
+            return;
+        }
+
+        // If we don't have the new service for password-hasher, use the old implementation based on the EncoderFactoryInterface
+        $def = $container->getDefinition('fos_user.util.password_updater');
+
+        $def->setClass(PasswordUpdater::class);
+        $def->setArgument(0, new Reference('security.encoder_factory'));
+    }
+}

FOSUserBundle.php

@@ -16,6 +16,7 @@
 use Doctrine\Bundle\MongoDBBundle\DependencyInjection\Compiler\DoctrineMongoDBMappingsPass;
 use FOS\UserBundle\DependencyInjection\Compiler\CheckForMailerPass;
 use FOS\UserBundle\DependencyInjection\Compiler\CheckForSessionPass;
+use FOS\UserBundle\DependencyInjection\Compiler\ConfigurePasswordHasherPass;
 use FOS\UserBundle\DependencyInjection\Compiler\InjectRememberMeServicesPass;
 use FOS\UserBundle\DependencyInjection\Compiler\InjectUserCheckerPass;
 use FOS\UserBundle\DependencyInjection\Compiler\ValidationPass;
@@ -33,6 +34,7 @@ class FOSUserBundle extends Bundle
     public function build(ContainerBuilder $container)
     {
         parent::build($container);
+        $container->addCompilerPass(new ConfigurePasswordHasherPass());
         $container->addCompilerPass(new ValidationPass());
         $container->addCompilerPass(new InjectUserCheckerPass());
         $container->addCompilerPass(new InjectRememberMeServicesPass());

Resources/config/util.xml

@@ -18,8 +18,8 @@
 
         <service id="FOS\UserBundle\Util\TokenGeneratorInterface" alias="fos_user.util.token_generator" public="false" />
 
-        <service id="fos_user.util.password_updater" class="FOS\UserBundle\Util\PasswordUpdater" public="false">
-            <argument type="service" id="security.encoder_factory" />
+        <service id="fos_user.util.password_updater" class="FOS\UserBundle\Util\HashingPasswordUpdater" public="false">
+            <argument type="service" id="security.password_hasher_factory" />
         </service>
 
         <service id="FOS\UserBundle\Util\PasswordUpdaterInterface" alias="fos_user.util.password_updater" public="false" />

Tests/Util/HashingPasswordUpdaterTest.php

@@ -0,0 +1,106 @@
+<?php
+
+/*
+ * This file is part of the FOSUserBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\UserBundle\Tests\Util;
+
+use FOS\UserBundle\Tests\TestUser;
+use FOS\UserBundle\Util\HashingPasswordUpdater;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
+use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
+use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+
+class HashingPasswordUpdaterTest extends TestCase
+{
+    /**
+     * @var HashingPasswordUpdater
+     */
+    private $updater;
+    private $passwordHasherFactory;
+
+    protected function setUp(): void
+    {
+        if (!interface_exists(PasswordHasherFactoryInterface::class)) {
+            self::markTestSkipped('This test requires having the password-hasher component.');
+        }
+
+        $this->passwordHasherFactory = $this->getMockBuilder(PasswordHasherFactoryInterface::class)->getMock();
+
+        $this->updater = new HashingPasswordUpdater($this->passwordHasherFactory);
+    }
+
+    public function testUpdatePassword()
+    {
+        $hasher = $this->getMockBuilder(PasswordHasherInterface::class)->getMock();
+        $user = new TestUser();
+        $user->setPlainPassword('password');
+
+        $this->passwordHasherFactory->expects($this->once())
+            ->method('getPasswordHasher')
+            ->with($user)
+            ->will($this->returnValue($hasher));
+
+        $hasher->expects($this->once())
+            ->method('hash')
+            ->with('password', $this->identicalTo(null))
+            ->will($this->returnValue('hashedPassword'));
+
+        $this->updater->hashPassword($user);
+        $this->assertSame('hashedPassword', $user->getPassword(), '->updatePassword() sets hashed password');
+        $this->assertNull($user->getSalt());
+        $this->assertNull($user->getPlainPassword(), '->updatePassword() erases credentials');
+    }
+
+    public function testUpdatePasswordWithLegacyHasher()
+    {
+        $hasher = $this->getMockBuilder(LegacyPasswordHasherInterface::class)->getMock();
+        $user = new TestUser();
+        $user->setPlainPassword('password');
+        $user->setSalt('old_salt');
+
+        $this->passwordHasherFactory->expects($this->once())
+            ->method('getPasswordHasher')
+            ->with($user)
+            ->will($this->returnValue($hasher));
+
+        $hasher->expects($this->once())
+            ->method('hash')
+            ->with('password', $this->isType('string'))
+            ->will($this->returnValue('hashedPassword'));
+
+        $this->updater->hashPassword($user);
+        $this->assertSame('hashedPassword', $user->getPassword(), '->updatePassword() sets hashed password');
+        $this->assertNotNull($user->getSalt());
+        $this->assertNull($user->getPlainPassword(), '->updatePassword() erases credentials');
+    }
+
+    public function testDoesNotUpdateWithEmptyPlainPassword()
+    {
+        $user = new TestUser();
+        $user->setPassword('hash');
+
+        $user->setPlainPassword('');
+
+        $this->updater->hashPassword($user);
+        $this->assertSame('hash', $user->getPassword());
+    }
+
+    public function testDoesNotUpdateWithoutPlainPassword()
+    {
+        $user = new TestUser();
+        $user->setPassword('hash');
+
+        $user->setPlainPassword(null);
+
+        $this->updater->hashPassword($user);
+        $this->assertSame('hash', $user->getPassword());
+    }
+}

Tests/Util/PasswordUpdaterTest.php

@@ -81,7 +81,7 @@ public function testUpdatePasswordWithBCrypt()
         $this->assertNull($user->getPlainPassword(), '->updatePassword() erases credentials');
     }
 
-    public function testDoesNotUpdateWithoutPlainPassword()
+    public function testDoesNotUpdateWithEmptyPlainPassword()
     {
         $user = new TestUser();
         $user->setPassword('hash');
@@ -92,6 +92,17 @@ public function testDoesNotUpdateWithoutPlainPassword()
         $this->assertSame('hash', $user->getPassword());
     }
 
+    public function testDoesNotUpdateWithoutPlainPassword()
+    {
+        $user = new TestUser();
+        $user->setPassword('hash');
+
+        $user->setPlainPassword(null);
+
+        $this->updater->hashPassword($user);
+        $this->assertSame('hash', $user->getPassword());
+    }
+
     private function getMockPasswordEncoder()
     {
         return $this->getMockBuilder('Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface')->getMock();

Util/HashingPasswordUpdater.php

@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the FOSUserBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\UserBundle\Util;
+
+use FOS\UserBundle\Model\UserInterface;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
+use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
+
+/**
+ * Class updating the hashed password in the user when there is a new password.
+ *
+ * @author Christophe Coevoet <stof@notk.org>
+ */
+class HashingPasswordUpdater implements PasswordUpdaterInterface
+{
+    private $passwordHasherFactory;
+
+    public function __construct(PasswordHasherFactoryInterface $passwordHasherFactory)
+    {
+        $this->passwordHasherFactory = $passwordHasherFactory;
+    }
+
+    public function hashPassword(UserInterface $user)
+    {
+        $plainPassword = $user->getPlainPassword();
+
+        if (null === $plainPassword || '' === $plainPassword) {
+            return;
+        }
+
+        $hasher = $this->passwordHasherFactory->getPasswordHasher($user);
+
+        if (!$hasher instanceof LegacyPasswordHasherInterface) {
+            $user->setSalt(null);
+        } else {
+            $salt = rtrim(str_replace('+', '.', base64_encode(random_bytes(32))), '=');
+            $user->setSalt($salt);
+        }
+
+        $hashedPassword = $hasher->hash($plainPassword, $user->getSalt());
+        $user->setPassword($hashedPassword);
+        $user->eraseCredentials();
+    }
+}

Util/PasswordUpdater.php

@@ -34,7 +34,7 @@ public function hashPassword(UserInterface $user)
     {
         $plainPassword = $user->getPlainPassword();
 
-        if (0 === strlen($plainPassword)) {
+        if (null === $plainPassword || '' === $plainPassword) {
             return;
         }