symfony
diff --git a/‎composer.json
Lines changed: 1 addition & 0 deletions b/‎composer.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/composer.json
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
Lines changed: 10 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
Lines changed: 5 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
Lines changed: 69 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
Lines changed: 69 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 130 additions & 5 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 130 additions & 5 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/console.php
Lines changed: 12 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/console.php
Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php
Lines changed: 1 addition & 1 deletion
@@ -86,6 +86,7 @@
         "symfony/monolog-bridge": "self.version",
         "symfony/notifier": "self.version",
         "symfony/options-resolver": "self.version",
+        "symfony/password-hasher": "self.version",
         "symfony/process": "self.version",
         "symfony/property-access": "self.version",
         "symfony/property-info": "self.version",
 
@@ -51,7 +51,7 @@
         "symfony/messenger": "^5.2",
         "symfony/mime": "^4.4|^5.0",
         "symfony/process": "^4.4|^5.0",
-        "symfony/security-bundle": "^5.2",
+        "symfony/security-bundle": "^5.3",
         "symfony/serializer": "^5.2",
         "symfony/stopwatch": "^4.4|^5.0",
         "symfony/string": "^5.0",
 
@@ -1,6 +1,16 @@
 CHANGELOG
 =========
 
+5.3
+---
+
+ * Deprecate `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
+   use `UserPasswordHashCommand` and `user:hash-password` instead.
+ * Deprecate the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
+   use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead.
+ * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
+   use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead.
+
 5.2.0
 -----
 
 
@@ -21,6 +21,7 @@
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Question\Question;
 use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\PasswordHasher\Command\UserPasswordHashCommand;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Encoder\SelfSaltingEncoderInterface;
 
@@ -30,6 +31,8 @@
  * @author Sarah Khalil <mkhalil.sarah@gmail.com>
  *
  * @final
+ *
+ * @deprecated since Symfony 5.3, use {@link UserPasswordHashCommand} instead
  */
 class UserPasswordEncoderCommand extends Command
 {
@@ -107,6 +110,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         $io = new SymfonyStyle($input, $output);
         $errorIo = $output instanceof ConsoleOutputInterface ? new SymfonyStyle($input, $output->getErrorOutput()) : $io;
 
+        $errorIo->caution('The use of the "security:encode-password" command is deprecated since version 5.3 and will be removed in 6.0. Use "security:hash-password" instead.');
+
         $input->isInteractive() ? $errorIo->title('Symfony Password Encoder Utility') : $errorIo->newLine();
 
         $password = $input->getArgument('password');
 
@@ -65,6 +65,23 @@ public function getConfigTreeBuilder()
                     return $v;
                 })
             ->end()
+            ->beforeNormalization()
+                ->ifTrue(function ($v) {
+                    if ($v['encoders'] ?? false) {
+                        trigger_deprecation('symfony/security-bundle', '5.3', 'The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
+
+                        return true;
+                    }
+
+                    return $v['password_hashers'] ?? false;
+                })
+                ->then(function ($v) {
+                    $v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
+                    $v['encoders'] = $v['password_hashers'];
+
+                    return $v;
+                })
+            ->end()
             ->children()
                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
                 ->enumNode('session_fixation_strategy')
@@ -94,6 +111,7 @@ public function getConfigTreeBuilder()
         ;
 
         $this->addEncodersSection($rootNode);
+        $this->addPasswordHashersSection($rootNode);
         $this->addProvidersSection($rootNode);
         $this->addFirewallsSection($rootNode, $this->factories);
         $this->addAccessControlSection($rootNode);
@@ -401,6 +419,57 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
         ;
     }
 
+    private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
+    {
+        $rootNode
+            ->fixXmlConfig('password_hasher')
+            ->children()
+                ->arrayNode('password_hashers')
+                    ->example([
+                        'App\Entity\User1' => 'auto',
+                        'App\Entity\User2' => [
+                            'algorithm' => 'auto',
+                            'time_cost' => 8,
+                            'cost' => 13,
+                        ],
+                    ])
+                    ->requiresAtLeastOneElement()
+                    ->useAttributeAsKey('class')
+                    ->prototype('array')
+                        ->canBeUnset()
+                        ->performNoDeepMerging()
+                        ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
+                        ->children()
+                            ->scalarNode('algorithm')
+                                ->cannotBeEmpty()
+                                ->validate()
+                                    ->ifTrue(function ($v) { return !\is_string($v); })
+                                    ->thenInvalid('You must provide a string value.')
+                                ->end()
+                            ->end()
+                            ->arrayNode('migrate_from')
+                                ->prototype('scalar')->end()
+                                ->beforeNormalization()->castToArray()->end()
+                            ->end()
+                            ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
+                            ->scalarNode('key_length')->defaultValue(40)->end()
+                            ->booleanNode('ignore_case')->defaultFalse()->end()
+                            ->booleanNode('encode_as_base64')->defaultTrue()->end()
+                            ->scalarNode('iterations')->defaultValue(5000)->end()
+                            ->integerNode('cost')
+                                ->min(4)
+                                ->max(31)
+                                ->defaultNull()
+                            ->end()
+                            ->scalarNode('memory_cost')->defaultNull()->end()
+                            ->scalarNode('time_cost')->defaultNull()->end()
+                            ->scalarNode('id')->end()
+                        ->end()
+                    ->end()
+                ->end()
+        ->end();
+    }
+
     private function getAccessDecisionStrategies()
     {
         $strategies = [
 
@@ -32,6 +32,10 @@
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
+use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
+use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
+use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
+use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
@@ -105,6 +109,7 @@ public function load(array $configs, ContainerBuilder $container)
         $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/Resources/config'));
 
         $loader->load('security.php');
+        $loader->load('password_hasher.php');
         $loader->load('security_listeners.php');
         $loader->load('security_rememberme.php');
 
@@ -166,13 +171,22 @@ public function load(array $configs, ContainerBuilder $container)
         $container->getDefinition('security.authentication.guard_handler')
             ->replaceArgument(2, $this->statelessFirewallKeys);
 
+        // @deprecated since Symfony 5.3
         if ($config['encoders']) {
             $this->createEncoders($config['encoders'], $container);
         }
 
+        if ($config['password_hashers']) {
+            $this->createHashers($config['password_hashers'], $container);
+        }
+
         if (class_exists(Application::class)) {
             $loader->load('console.php');
+
+            // @deprecated since Symfony 5.3
             $container->getDefinition('security.command.user_password_encoder')->replaceArgument(1, array_keys($config['encoders']));
+
+            $container->getDefinition('security.command.user_password_hash')->replaceArgument(1, array_keys($config['password_hashers']));
         }
 
         $container->registerForAutoconfiguration(VoterInterface::class)
@@ -689,7 +703,7 @@ private function createEncoder(array $config)
 
         // Argon2i encoder
         if ('argon2i' === $config['algorithm']) {
-            if (SodiumPasswordEncoder::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+            if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
                 $config['algorithm'] = 'sodium';
             } elseif (\defined('PASSWORD_ARGON2I')) {
                 $config['algorithm'] = 'native';
@@ -702,7 +716,7 @@ private function createEncoder(array $config)
         }
 
         if ('argon2id' === $config['algorithm']) {
-            if (($hasSodium = SodiumPasswordEncoder::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+            if (($hasSodium = SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
                 $config['algorithm'] = 'sodium';
             } elseif (\defined('PASSWORD_ARGON2ID')) {
                 $config['algorithm'] = 'native';
@@ -717,6 +731,117 @@ private function createEncoder(array $config)
         if ('native' === $config['algorithm']) {
             return [
                 'class' => NativePasswordEncoder::class,
+                'arguments' => [
+                        $config['time_cost'],
+                        (($config['memory_cost'] ?? 0) << 10) ?: null,
+                        $config['cost'],
+                    ] + (isset($config['native_algorithm']) ? [3 => $config['native_algorithm']] : []),
+            ];
+        }
+
+        if ('sodium' === $config['algorithm']) {
+            if (!SodiumPasswordHasher::isSupported()) {
+                throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
+            }
+
+            return [
+                'class' => SodiumPasswordEncoder::class,
+                'arguments' => [
+                    $config['time_cost'],
+                    (($config['memory_cost'] ?? 0) << 10) ?: null,
+                ],
+            ];
+        }
+
+        // run-time configured encoder
+        return $config;
+    }
+
+    private function createHashers(array $hashers, ContainerBuilder $container)
+    {
+        $hasherMap = [];
+        foreach ($hashers as $class => $hasher) {
+            $hasherMap[$class] = $this->createHasher($hasher);
+        }
+
+        $container
+            ->getDefinition('security.password_hasher_factory')
+            ->setArguments([$hasherMap])
+        ;
+    }
+
+    private function createHasher(array $config)
+    {
+        // a custom hasher service
+        if (isset($config['id'])) {
+            return new Reference($config['id']);
+        }
+
+        if ($config['migrate_from'] ?? false) {
+            return $config;
+        }
+
+        // plaintext hasher
+        if ('plaintext' === $config['algorithm']) {
+            $arguments = [$config['ignore_case']];
+
+            return [
+                'class' => PlaintextPasswordHasher::class,
+                'arguments' => $arguments,
+            ];
+        }
+
+        // pbkdf2 hasher
+        if ('pbkdf2' === $config['algorithm']) {
+            return [
+                'class' => Pbkdf2PasswordHasher::class,
+                'arguments' => [
+                    $config['hash_algorithm'],
+                    $config['encode_as_base64'],
+                    $config['iterations'],
+                    $config['key_length'],
+                ],
+            ];
+        }
+
+        // bcrypt hasher
+        if ('bcrypt' === $config['algorithm']) {
+            $config['algorithm'] = 'native';
+            $config['native_algorithm'] = \PASSWORD_BCRYPT;
+
+            return $this->createHasher($config);
+        }
+
+        // Argon2i hasher
+        if ('argon2i' === $config['algorithm']) {
+            if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                $config['algorithm'] = 'sodium';
+            } elseif (\defined('PASSWORD_ARGON2I')) {
+                $config['algorithm'] = 'native';
+                $config['native_algorithm'] = \PASSWORD_ARGON2I;
+            } else {
+                throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Either use "%s" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' : 'auto'));
+            }
+
+            return $this->createHasher($config);
+        }
+
+        if ('argon2id' === $config['algorithm']) {
+            if (($hasSodium = SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
+                $config['algorithm'] = 'sodium';
+            } elseif (\defined('PASSWORD_ARGON2ID')) {
+                $config['algorithm'] = 'native';
+                $config['native_algorithm'] = \PASSWORD_ARGON2ID;
+            } else {
+                throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium ? 'argon2i", "auto' : 'auto'));
+            }
+
+            return $this->createHasher($config);
+        }
+
+        if ('native' === $config['algorithm']) {
+            return [
+                'class' => NativePasswordHasher::class,
                 'arguments' => [
                     $config['time_cost'],
                     (($config['memory_cost'] ?? 0) << 10) ?: null,
@@ -726,20 +851,20 @@ private function createEncoder(array $config)
         }
 
         if ('sodium' === $config['algorithm']) {
-            if (!SodiumPasswordEncoder::isSupported()) {
+            if (!SodiumPasswordHasher::isSupported()) {
                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
             }
 
             return [
-                'class' => SodiumPasswordEncoder::class,
+                'class' => SodiumPasswordHasher::class,
                 'arguments' => [
                     $config['time_cost'],
                     (($config['memory_cost'] ?? 0) << 10) ?: null,
                 ],
             ];
         }
 
-        // run-time configured encoder
+        // run-time configured hasher
         return $config;
     }
 
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Symfony\Bundle\SecurityBundle\Command\UserPasswordEncoderCommand;
+use Symfony\Component\PasswordHasher\Command\UserPasswordHashCommand;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
@@ -20,6 +21,16 @@
                 service('security.encoder_factory'),
                 abstract_arg('encoders user classes'),
             ])
-            ->tag('console.command')
+            ->tag('console.command', ['command' => 'security:encode-password'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use "security.command.user_password_hash" instead.')
+    ;
+
+    $container->services()
+        ->set('security.command.user_password_hash', UserPasswordHashCommand::class)
+        ->args([
+            service('security.password_hasher_factory'),
+            abstract_arg('list of user classes'),
+        ])
+        ->tag('console.command')
     ;
 };
@@ -34,7 +34,7 @@
                 abstract_arg('User Provider'),
                 abstract_arg('Provider-shared Key'),
                 abstract_arg('User Checker'),
-                service('security.password_encoder'),
+                service('security.password_hasher'),
             ])
 
         ->set('security.authentication.listener.guard', GuardAuthenticationListener::class)