Skip to content

Commit 686fe0e

Browse files
author
Robin Chalas
committed
[Security] Replace Argon2*PasswordEncoder by SodiumPasswordEncoder
This reverts commit dc95a6f.
1 parent 9a7a276 commit 686fe0e

20 files changed

+235
-301
lines changed

UPGRADE-4.3.md

+2-4
Original file line numberDiff line numberDiff line change
@@ -151,14 +151,12 @@ Security
151151
}
152152
```
153153

154-
* Using `Argon2iPasswordEncoder` while only the `argon2id` algorithm is supported
155-
is deprecated, use `Argon2idPasswordEncoder` instead
154+
* The `Argon2iPasswordEncoder` class has been deprecated, use `SodiumPasswordEncoder` instead.
156155

157156
SecurityBundle
158157
--------------
159158

160-
* Configuring encoders using `argon2i` as algorithm while only `argon2id` is
161-
supported is deprecated, use `argon2id` instead
159+
* Configuring encoders using `argon2i` as algorithm has been deprecated, use `sodium` instead.
162160

163161
TwigBridge
164162
----------

UPGRADE-5.0.md

+2-4
Original file line numberDiff line numberDiff line change
@@ -326,8 +326,7 @@ Security
326326
}
327327
```
328328

329-
* Using `Argon2iPasswordEncoder` while only the `argon2id` algorithm is supported
330-
now throws a `\LogicException`, use `Argon2idPasswordEncoder` instead
329+
* The `Argon2iPasswordEncoder` class has been removed, use `SodiumPasswordEncoder` instead.
331330

332331
SecurityBundle
333332
--------------
@@ -348,8 +347,7 @@ SecurityBundle
348347
changed to underscores.
349348
Before: `my-cookie` deleted the `my_cookie` cookie (with an underscore).
350349
After: `my-cookie` deletes the `my-cookie` cookie (with a dash).
351-
* Configuring encoders using `argon2i` as algorithm while only `argon2id` is supported
352-
now throws a `\LogicException`, use `argon2id` instead
350+
* Configuring encoders using `argon2i` as algorithm is not supported anymore, use `sodium` instead.
353351

354352
Serializer
355353
----------

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

+1-3
Original file line numberDiff line numberDiff line change
@@ -8,9 +8,7 @@ CHANGELOG
88
option is deprecated and will be disabled in Symfony 5.0. This affects to cookies
99
with dashes in their names. For example, starting from Symfony 5.0, the `my-cookie`
1010
name will delete `my-cookie` (with a dash) instead of `my_cookie` (with an underscore).
11-
* Deprecated configuring encoders using `argon2i` as algorithm while only `argon2id` is supported,
12-
use `argon2id` instead
13-
11+
* Deprecated configuring encoders using `argon2i` as algorithm, use `sodium` instead
1412

1513
4.2.0
1614
-----

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

+8-13
Original file line numberDiff line numberDiff line change
@@ -29,8 +29,8 @@
2929
use Symfony\Component\DependencyInjection\Reference;
3030
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
3131
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
32-
use Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder;
3332
use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
33+
use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
3434
use Symfony\Component\Security\Core\User\UserProviderInterface;
3535
use Symfony\Component\Security\Http\Controller\UserValueResolver;
3636
use Symfony\Component\Templating\PhpEngine;
@@ -565,14 +565,14 @@ private function createEncoder($config, ContainerBuilder $container)
565565

566566
// Argon2i encoder
567567
if ('argon2i' === $config['algorithm']) {
568+
@trigger_error('Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "sodium" instead.', E_USER_DEPRECATED);
569+
568570
if (!Argon2iPasswordEncoder::isSupported()) {
569571
if (\extension_loaded('sodium') && !\defined('SODIUM_CRYPTO_PWHASH_SALTBYTES')) {
570572
throw new InvalidConfigurationException('The installed libsodium version does not have support for Argon2i. Use Bcrypt instead.');
571573
}
572574

573575
throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use BCrypt instead.');
574-
} elseif (!\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
575-
@trigger_error('Configuring an encoder based on the "argon2i" algorithm while only "argon2id" is supported is deprecated since Symfony 4.3, use "argon2id" instead.', E_USER_DEPRECATED);
576576
}
577577

578578
return [
@@ -585,19 +585,14 @@ private function createEncoder($config, ContainerBuilder $container)
585585
];
586586
}
587587

588-
// Argon2id encoder
589-
if ('argon2id' === $config['algorithm']) {
590-
if (!Argon2idPasswordEncoder::isSupported()) {
591-
throw new InvalidConfigurationException('Argon2i algorithm is not supported. Install the libsodium extension or use BCrypt instead.');
588+
if ('sodium' === $config['algorithm']) {
589+
if (!SodiumPasswordEncoder::isSupported()) {
590+
throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use BCrypt instead.');
592591
}
593592

594593
return [
595-
'class' => Argon2idPasswordEncoder::class,
596-
'arguments' => [
597-
$config['memory_cost'],
598-
$config['time_cost'],
599-
$config['threads'],
600-
],
594+
'class' => SodiumPasswordEncoder::class,
595+
'arguments' => [],
601596
];
602597
}
603598

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php

+15-10
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,8 @@
1818
use Symfony\Component\DependencyInjection\ContainerBuilder;
1919
use Symfony\Component\DependencyInjection\Reference;
2020
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
21-
use Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder;
2221
use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
22+
use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
2323

2424
abstract class CompleteConfigurationTest extends TestCase
2525
{
@@ -314,11 +314,11 @@ public function testEncoders()
314314

315315
public function testEncodersWithLibsodium()
316316
{
317-
if (!Argon2iPasswordEncoder::isSupported() || \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
318-
$this->markTestSkipped('Argon2i algorithm is not supported.');
317+
if (!SodiumPasswordEncoder::isSupported()) {
318+
$this->markTestSkipped('Libsodium is not available.');
319319
}
320320

321-
$container = $this->getContainer('argon2i_encoder');
321+
$container = $this->getContainer('sodium_encoder');
322322

323323
$this->assertEquals([[
324324
'JMS\FooBundle\Entity\User1' => [
@@ -359,19 +359,24 @@ public function testEncodersWithLibsodium()
359359
'arguments' => [15],
360360
],
361361
'JMS\FooBundle\Entity\User7' => [
362-
'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
363-
'arguments' => [256, 1, 2],
362+
'class' => 'Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder',
363+
'arguments' => [],
364364
],
365365
]], $container->getDefinition('security.encoder_factory.generic')->getArguments());
366366
}
367367

368-
public function testEncodersWithArgon2id()
368+
/**
369+
* @group legacy
370+
*
371+
* @expectedDeprecation Configuring an encoder with "argon2i" as algorithm is deprecated since Symfony 4.3, use "sodium" instead.
372+
*/
373+
public function testEncodersWithArgon2i()
369374
{
370-
if (!Argon2idPasswordEncoder::isSupported()) {
375+
if (!Argon2iPasswordEncoder::isSupported()) {
371376
$this->markTestSkipped('Argon2i algorithm is not supported.');
372377
}
373378

374-
$container = $this->getContainer('argon2id_encoder');
379+
$container = $this->getContainer('argon2i_encoder');
375380

376381
$this->assertEquals([[
377382
'JMS\FooBundle\Entity\User1' => [
@@ -412,7 +417,7 @@ public function testEncodersWithArgon2id()
412417
'arguments' => [15],
413418
],
414419
'JMS\FooBundle\Entity\User7' => [
415-
'class' => 'Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder',
420+
'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
416421
'arguments' => [256, 1, 2],
417422
],
418423
]], $container->getDefinition('security.encoder_factory.generic')->getArguments());

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/argon2id_encoder.php renamed to src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/sodium_encoder.php

+1-4
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,7 @@
55
$container->loadFromExtension('security', [
66
'encoders' => [
77
'JMS\FooBundle\Entity\User7' => [
8-
'algorithm' => 'argon2id',
9-
'memory_cost' => 256,
10-
'time_cost' => 1,
11-
'threads' => 2,
8+
'algorithm' => 'sodium',
129
],
1310
],
1411
]);

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/argon2id_encoder.xml renamed to src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/sodium_encoder.xml

+1-1
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
</imports>
1111

1212
<sec:config>
13-
<sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="argon2id" memory_cost="256" time_cost="1" threads="2" />
13+
<sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="sodium" />
1414
</sec:config>
1515

1616
</container>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/argon2id_encoder.yml

-10
This file was deleted.

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/sodium_encoder.yml

+7
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
imports:
2+
- { resource: container1.yml }
3+
4+
security:
5+
encoders:
6+
JMS\FooBundle\Entity\User7:
7+
algorithm: sodium

src/Symfony/Bundle/SecurityBundle/Tests/Functional/UserPasswordEncoderCommandTest.php

+25-20
Original file line numberDiff line numberDiff line change
@@ -15,11 +15,11 @@
1515
use Symfony\Bundle\SecurityBundle\Command\UserPasswordEncoderCommand;
1616
use Symfony\Component\Console\Application as ConsoleApplication;
1717
use Symfony\Component\Console\Tester\CommandTester;
18-
use Symfony\Component\Security\Core\Encoder\Argon2idPasswordEncoder;
1918
use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
2019
use Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder;
2120
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
2221
use Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder;
22+
use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
2323

2424
/**
2525
* Tests UserPasswordEncoderCommand.
@@ -71,9 +71,12 @@ public function testEncodePasswordBcrypt()
7171
$this->assertTrue($encoder->isPasswordValid($hash, 'password', null));
7272
}
7373

74+
/**
75+
* @group legacy
76+
*/
7477
public function testEncodePasswordArgon2i()
7578
{
76-
if (!Argon2iPasswordEncoder::isSupported() || !\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
79+
if (!Argon2iPasswordEncoder::isSupported()) {
7780
$this->markTestSkipped('Argon2i algorithm not available.');
7881
}
7982
$this->setupArgon2i();
@@ -87,30 +90,29 @@ public function testEncodePasswordArgon2i()
8790
$this->assertContains('Password encoding succeeded', $output);
8891

8992
$encoder = new Argon2iPasswordEncoder();
90-
preg_match('# Encoded password\s+(\$argon2i?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
93+
preg_match('# Encoded password\s+(\$argon2id?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
9194
$hash = $matches[1];
9295
$this->assertTrue($encoder->isPasswordValid($hash, 'password', null));
9396
}
9497

95-
public function testEncodePasswordArgon2id()
98+
public function testEncodePasswordSodium()
9699
{
97-
if (!Argon2idPasswordEncoder::isSupported()) {
98-
$this->markTestSkipped('Argon2id algorithm not available.');
100+
if (!SodiumPasswordEncoder::isSupported()) {
101+
$this->markTestSkipped('Libsodium is not available.');
99102
}
100-
$this->setupArgon2id();
103+
$this->setupSodium();
101104
$this->passwordEncoderCommandTester->execute([
102105
'command' => 'security:encode-password',
103106
'password' => 'password',
104-
'user-class' => 'Custom\Class\Argon2id\User',
107+
'user-class' => 'Custom\Class\Sodium\User',
105108
], ['interactive' => false]);
106109

107110
$output = $this->passwordEncoderCommandTester->getDisplay();
108111
$this->assertContains('Password encoding succeeded', $output);
109112

110-
$encoder = new Argon2idPasswordEncoder();
111-
preg_match('# Encoded password\s+(\$argon2id?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
113+
preg_match('# Encoded password\s+(\$?\$[\w,=\$+\/]+={0,2})\s+#', $output, $matches);
112114
$hash = $matches[1];
113-
$this->assertTrue($encoder->isPasswordValid($hash, 'password', null));
115+
$this->assertTrue((new SodiumPasswordEncoder())->isPasswordValid($hash, 'password', null));
114116
}
115117

116118
public function testEncodePasswordPbkdf2()
@@ -173,10 +175,13 @@ public function testEncodePasswordBcryptOutput()
173175
$this->assertNotContains(' Generated salt ', $this->passwordEncoderCommandTester->getDisplay());
174176
}
175177

178+
/**
179+
* @group legacy
180+
*/
176181
public function testEncodePasswordArgon2iOutput()
177182
{
178-
if (!Argon2iPasswordEncoder::isSupported() || !\defined('PASSWORD_ARGON2I') && Argon2idPasswordEncoder::isDefaultSodiumAlgorithm()) {
179-
$this->markTestSkipped('Argon2id algorithm not available.');
183+
if (!Argon2iPasswordEncoder::isSupported()) {
184+
$this->markTestSkipped('Argon2i algorithm not available.');
180185
}
181186

182187
$this->setupArgon2i();
@@ -189,17 +194,17 @@ public function testEncodePasswordArgon2iOutput()
189194
$this->assertNotContains(' Generated salt ', $this->passwordEncoderCommandTester->getDisplay());
190195
}
191196

192-
public function testEncodePasswordArgon2idOutput()
197+
public function testEncodePasswordSodiumOutput()
193198
{
194-
if (!Argon2idPasswordEncoder::isSupported()) {
195-
$this->markTestSkipped('Argon2id algorithm not available.');
199+
if (!SodiumPasswordEncoder::isSupported()) {
200+
$this->markTestSkipped('Libsodium is not available.');
196201
}
197202

198-
$this->setupArgon2id();
203+
$this->setupSodium();
199204
$this->passwordEncoderCommandTester->execute([
200205
'command' => 'security:encode-password',
201206
'password' => 'p@ssw0rd',
202-
'user-class' => 'Custom\Class\Argon2id\User',
207+
'user-class' => 'Custom\Class\Sodium\User',
203208
], ['interactive' => false]);
204209

205210
$this->assertNotContains(' Generated salt ', $this->passwordEncoderCommandTester->getDisplay());
@@ -298,10 +303,10 @@ private function setupArgon2i()
298303
$this->passwordEncoderCommandTester = new CommandTester($passwordEncoderCommand);
299304
}
300305

301-
private function setupArgon2id()
306+
private function setupSodium()
302307
{
303308
putenv('COLUMNS='.(119 + \strlen(PHP_EOL)));
304-
$kernel = $this->createKernel(['test_case' => 'PasswordEncode', 'root_config' => 'argon2id.yml']);
309+
$kernel = $this->createKernel(['test_case' => 'PasswordEncode', 'root_config' => 'sodium.yml']);
305310
$kernel->boot();
306311

307312
$application = new Application($kernel);

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordEncode/argon2id.yml

-7
This file was deleted.

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/PasswordEncode/sodium.yml

+7
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
imports:
2+
- { resource: config.yml }
3+
4+
security:
5+
encoders:
6+
Custom\Class\Sodium\User:
7+
algorithm: sodium

src/Symfony/Component/Security/CHANGELOG.md

+1-3
Original file line numberDiff line numberDiff line change
@@ -19,9 +19,7 @@ CHANGELOG
1919
* Dispatch `AuthenticationFailureEvent` on `security.authentication.failure`
2020
* Dispatch `InteractiveLoginEvent` on `security.interactive_login`
2121
* Dispatch `SwitchUserEvent` on `security.switch_user`
22-
* Added `Argon2idPasswordEncoder`
23-
* Deprecated using `Argon2iPasswordEncoder` while only the `argon2id` algorithm
24-
is supported, use `Argon2idPasswordEncoder` instead
22+
* deprecated `Argon2iPasswordEncoder`, use `SodiumPasswordEncoder` instead
2523

2624
4.2.0
2725
-----

0 commit comments

Comments
 (0)