Password Policy

Spomky · Spomky · commit 1b69f77f594c · 2023-05-16T09:39:50.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -98,6 +98,7 @@ public function getConfigTreeBuilder(): TreeBuilder
         $this->addFirewallsSection($rootNode, $this->factories);
         $this->addAccessControlSection($rootNode);
         $this->addRoleHierarchySection($rootNode);
+        $this->addPasswordPolicySection($rootNode);
 
         return $tb;
     }
@@ -461,6 +462,21 @@ private function addPasswordHashersSection(ArrayNodeDefinition $rootNode): void
         ->end();
     }
 
+    private function addPasswordPolicySection(ArrayNodeDefinition $rootNode): void
+    {
+        $rootNode
+            ->fixXmlConfig('password_policy')
+            ->children()
+                ->arrayNode('password_policies')
+                    ->treatNullLike([])
+                    ->treatFalseLike([])
+                    ->treatTrueLike([])
+                    ->prototype('scalar')->end()
+                ->end()
+            ->end()
+        ;
+    }
+
     private function getAccessDecisionStrategies(): array
     {
         return [
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -190,6 +190,13 @@ public function load(array $configs, ContainerBuilder $container)
         $container->getDefinition('security.access_listener')->setArgument(3, false);
         $container->getDefinition('security.authorization_checker')->setArgument(2, false);
         $container->getDefinition('security.authorization_checker')->setArgument(3, false);
+
+        if (!$config['password_policies']) {
+            $container->removeDefinition('security.password_policy_listener');
+        } else {
+            $policyServices = array_map(static fn (string $id) => new Definition($id), $config['password_policies']);
+            $container->getDefinition('security.password_policy_listener')->setArgument(0, $policyServices);
+        }
     }
 
     /**
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -45,6 +45,7 @@
 use Symfony\Component\Security\Http\Controller\SecurityTokenValueResolver;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
+use Symfony\Component\Security\Http\EventListener\PasswordPolicyListener;
 use Symfony\Component\Security\Http\Firewall;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\HttpUtils;
@@ -298,5 +299,11 @@
         ->set('cache.security_is_granted_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('security.password_policy_listener', PasswordPolicyListener::class)
+            ->args([
+                [],
+            ])
+            ->tag('kernel.event_subscriber')
     ;
 };
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/PasswordPolicyTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/PasswordPolicyTest.php
@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Component\HttpFoundation\JsonResponse;
+
+class PasswordPolicyTest extends AbstractWebTestCase
+{
+    public function testLoginFailBecauseThePasswordIsBlacklisted()
+    {
+        // Given
+        $client = $this->createClient(['test_case' => 'PasswordPolicy', 'root_config' => 'config.yml']);
+
+        // When
+        $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "foo"}}');
+        $response = $client->getResponse();
+
+        // Then
+        $this->assertInstanceOf(JsonResponse::class, $response);
+        $this->assertSame(401, $response->getStatusCode());
+        $this->assertSame(['error' => 'The password shall be reset.'], json_decode($response->getContent(), true));
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/BlocklistPasswordPolicy.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/BlocklistPasswordPolicy.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\app\PasswordPolicy;
+
+use Symfony\Component\Security\Http\Authenticator\Passport\Policy\PolicyInterface;
+
+final class BlocklistPasswordPolicy implements PolicyInterface
+{
+    public function verify(#[\SensitiveParameter] string $plaintextPassword): void
+    {
+        if ('foo' === $plaintextPassword) {
+            throw new PasswordResetRequiredException();
+        }
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/PasswordResetRequiredException.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/PasswordResetRequiredException.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\app\PasswordPolicy;
+
+use Symfony\Component\Security\Core\Exception\PolicyException;
+
+final class PasswordResetRequiredException extends PolicyException
+{
+    public function getMessageKey(): string
+    {
+        return 'The password shall be reset.';
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/bundles.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/bundles.php
@@ -0,0 +1,16 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+return [
+    new Symfony\Bundle\SecurityBundle\SecurityBundle(),
+    new Symfony\Bundle\FrameworkBundle\FrameworkBundle(),
+    new Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\TestBundle(),
+];
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/config.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/config.yml
@@ -0,0 +1,30 @@
+imports:
+    - { resource: ./../config/framework.yml }
+
+framework:
+    http_method_override: false
+    serializer: ~
+
+security:
+    password_policies:
+        - 'Symfony\Bundle\SecurityBundle\Tests\Functional\app\PasswordPolicy\BlocklistPasswordPolicy'
+
+    password_hashers:
+        Symfony\Component\Security\Core\User\InMemoryUser: plaintext
+
+    providers:
+        in_memory:
+            memory:
+                users:
+                    dunglas: { password: foo, roles: [ROLE_USER] }
+
+    firewalls:
+        main:
+            pattern: ^/
+            json_login:
+                check_path:    /chk
+                username_path: user.login
+                password_path: user.password
+
+    access_control:
+        - { path: ^/foo, roles: ROLE_USER }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/routing.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordPolicy/routing.yml
@@ -0,0 +1,3 @@
+login_check:
+    path: /chk
+    defaults: { _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\JsonLoginBundle\Controller\TestController::loginCheckAction }
diff --git a/src/Symfony/Component/Security/Core/Exception/PolicyException.php b/src/Symfony/Component/Security/Core/Exception/PolicyException.php
@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Exception;
+
+class PolicyException extends AuthenticationException
+{
+    public function getMessageKey(): string
+    {
+        return 'The password does not fulfill the password policy.';
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Authenticator/Passport/Policy/PolicyInterface.php b/src/Symfony/Component/Security/Http/Authenticator/Passport/Policy/PolicyInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator\Passport\Policy;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+interface PolicyInterface
+{
+    /**
+     * @throws AuthenticationException
+     */
+    public function verify(#[\SensitiveParameter] string $plaintextPassword): void;
+}
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+6.4
+---
+* Add Password Policy to allow verifying the password using a custom security policy (e.g. password not compromised, change required by IT service, etc.)
+
 6.3
 ---
 
diff --git a/src/Symfony/Component/Security/Http/EventListener/PasswordPolicyListener.php b/src/Symfony/Component/Security/Http/EventListener/PasswordPolicyListener.php
@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Authenticator\Passport\Policy\PolicyInterface;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+
+final class PasswordPolicyListener implements EventSubscriberInterface
+{
+    /**
+     * @param PolicyInterface[] $policies
+     */
+    public function __construct(private readonly array $policies)
+    {
+    }
+
+    public function checkPassport(CheckPassportEvent $event): void
+    {
+        $passport = $event->getPassport();
+        if (!$passport->hasBadge(PasswordCredentials::class)) {
+            return;
+        }
+
+        $badge = $passport->getBadge(PasswordCredentials::class);
+        if ($badge->isResolved()) {
+            return;
+        }
+
+        $plaintextPassword = $badge->getPassword();
+        foreach ($this->policies as $policy) {
+            $policy->verify($plaintextPassword);
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            CheckPassportEvent::class => ['checkPassport', 512],
+        ];
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordPolicyListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordPolicyListenerTest.php
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\EventListener;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Exception\PolicyException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\Policy\PolicyInterface;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Http\EventListener\PasswordPolicyListener;
+
+class PasswordPolicyListenerTest extends TestCase
+{
+    /**
+     * @param array<PolicyInterface> $policies
+     *
+     * @dataProvider providePassport
+     */
+    public function testPasswordIsNotAcceptable(Passport $passport, array $policies, string $expectedMessage)
+    {
+        // Given
+        $event = new CheckPassportEvent($this->createMock(AuthenticatorInterface::class), $passport);
+        $listener = new PasswordPolicyListener($policies);
+
+        try {
+            // When
+            $listener->checkPassport($event);
+            $this->fail('Expected exception to be thrown');
+        } catch (PolicyException $e) {
+            // Then
+            $this->assertSame($expectedMessage, $e->getMessageKey());
+        }
+    }
+
+    public static function providePassport(): iterable
+    {
+        yield [
+            new Passport(
+                new UserBadge('test', fn () => new InMemoryUser('test', 'qwerty')),
+                new PasswordCredentials('qwerty')
+            ),
+            [new class() implements PolicyInterface {
+                public function verify(string $plaintextPassword): void
+                {
+                    throw new PolicyException();
+                }
+            }],
+            'The password does not fulfill the password policy.',
+        ];
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+login_check:`
	`2`	`+ path: /chk`
	`3`	`+ defaults: { _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\JsonLoginBundle\Controller\TestController::loginCheckAction }`