Skip to content

Commit c5c981c

Browse files
chalasrchalasr
committed
[Security] Extract password hashing from security-core - using the right naming
1 parent 386555b commit c5c981c

File tree

137 files changed

+4064
-490
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

137 files changed

+4064
-490
lines changed

UPGRADE-5.3.md

+11
Original file line numberDiff line numberDiff line change
@@ -69,8 +69,19 @@ PropertyInfo
6969
Security
7070
--------
7171

72+
* Deprecate all classes in the `Core\Encoder\` sub-namespace, use the `PasswordHasher` component instead
7273
* Deprecated voters that do not return a valid decision when calling the `vote` method
7374

75+
SecurityBundle
76+
--------------
77+
78+
* Deprecate `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
79+
use `UserPasswordHashCommand` and `user:hash-password` instead
80+
* Deprecate the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
81+
use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead
82+
* Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
83+
use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
84+
7485
Serializer
7586
----------
7687

UPGRADE-6.0.md

+11
Original file line numberDiff line numberDiff line change
@@ -166,6 +166,7 @@ Routing
166166
Security
167167
--------
168168

169+
* Drop all classes in the `Core\Encoder\` sub-namespace, use the `PasswordHasher` component instead
169170
* Drop support for `SessionInterface $session` as constructor argument of `SessionTokenStorage`, inject a `\Symfony\Component\HttpFoundation\RequestStack $requestStack` instead
170171
* Drop support for `session` provided by the ServiceLocator injected in `UsageTrackingTokenStorage`, provide a `request_stack` service instead
171172
* Make `SessionTokenStorage` throw a `SessionNotFoundException` when called outside a request context
@@ -179,6 +180,16 @@ Security
179180
* Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
180181
* `AccessDecisionManager` now throw an exception when a voter does not return a valid decision.
181182

183+
SecurityBundle
184+
--------------
185+
186+
* Remove the `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
187+
use `UserPasswordHashCommand` and `user:hash-password` instead
188+
* Remove the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
189+
use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead
190+
* Remove the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
191+
use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
192+
182193
Serializer
183194
----------
184195

composer.json

+1
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,7 @@
8686
"symfony/monolog-bridge": "self.version",
8787
"symfony/notifier": "self.version",
8888
"symfony/options-resolver": "self.version",
89+
"symfony/password-hasher": "self.version",
8990
"symfony/process": "self.version",
9091
"symfony/property-access": "self.version",
9192
"symfony/property-info": "self.version",

src/Symfony/Bundle/FrameworkBundle/composer.json

+1-1
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@
5151
"symfony/messenger": "^5.2",
5252
"symfony/mime": "^4.4|^5.0",
5353
"symfony/process": "^4.4|^5.0",
54-
"symfony/security-bundle": "^5.2",
54+
"symfony/security-bundle": "^5.3",
5555
"symfony/serializer": "^5.2",
5656
"symfony/stopwatch": "^4.4|^5.0",
5757
"symfony/string": "^5.0",

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

+10
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,16 @@
11
CHANGELOG
22
=========
33

4+
5.3
5+
---
6+
7+
* Deprecate `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
8+
use `UserPasswordHashCommand` and `user:hash-password` instead
9+
* Deprecate the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
10+
use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead
11+
* Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
12+
use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
13+
414
5.2.0
515
-----
616

src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php

+5
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@
2121
use Symfony\Component\Console\Output\OutputInterface;
2222
use Symfony\Component\Console\Question\Question;
2323
use Symfony\Component\Console\Style\SymfonyStyle;
24+
use Symfony\Component\PasswordHasher\Command\UserPasswordHashCommand;
2425
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
2526
use Symfony\Component\Security\Core\Encoder\SelfSaltingEncoderInterface;
2627

@@ -30,6 +31,8 @@
3031
* @author Sarah Khalil <mkhalil.sarah@gmail.com>
3132
*
3233
* @final
34+
*
35+
* @deprecated since Symfony 5.3, use {@link UserPasswordHashCommand} instead
3336
*/
3437
class UserPasswordEncoderCommand extends Command
3538
{
@@ -107,6 +110,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int
107110
$io = new SymfonyStyle($input, $output);
108111
$errorIo = $output instanceof ConsoleOutputInterface ? new SymfonyStyle($input, $output->getErrorOutput()) : $io;
109112

113+
$errorIo->caution('The use of the "security:encode-password" command is deprecated since version 5.3 and will be removed in 6.0. Use "security:hash-password" instead.');
114+
110115
$input->isInteractive() ? $errorIo->title('Symfony Password Encoder Utility') : $errorIo->newLine();
111116

112117
$password = $input->getArgument('password');

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php

+69
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,23 @@ public function getConfigTreeBuilder()
6565
return $v;
6666
})
6767
->end()
68+
->beforeNormalization()
69+
->ifTrue(function ($v) {
70+
if ($v['encoders'] ?? false) {
71+
trigger_deprecation('symfony/security-bundle', '5.3', 'The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
72+
73+
return true;
74+
}
75+
76+
return $v['password_hashers'] ?? false;
77+
})
78+
->then(function ($v) {
79+
$v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
80+
$v['encoders'] = $v['password_hashers'];
81+
82+
return $v;
83+
})
84+
->end()
6885
->children()
6986
->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
7087
->enumNode('session_fixation_strategy')
@@ -94,6 +111,7 @@ public function getConfigTreeBuilder()
94111
;
95112

96113
$this->addEncodersSection($rootNode);
114+
$this->addPasswordHashersSection($rootNode);
97115
$this->addProvidersSection($rootNode);
98116
$this->addFirewallsSection($rootNode, $this->factories);
99117
$this->addAccessControlSection($rootNode);
@@ -401,6 +419,57 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
401419
;
402420
}
403421

422+
private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
423+
{
424+
$rootNode
425+
->fixXmlConfig('password_hasher')
426+
->children()
427+
->arrayNode('password_hashers')
428+
->example([
429+
'App\Entity\User1' => 'auto',
430+
'App\Entity\User2' => [
431+
'algorithm' => 'auto',
432+
'time_cost' => 8,
433+
'cost' => 13,
434+
],
435+
])
436+
->requiresAtLeastOneElement()
437+
->useAttributeAsKey('class')
438+
->prototype('array')
439+
->canBeUnset()
440+
->performNoDeepMerging()
441+
->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
442+
->children()
443+
->scalarNode('algorithm')
444+
->cannotBeEmpty()
445+
->validate()
446+
->ifTrue(function ($v) { return !\is_string($v); })
447+
->thenInvalid('You must provide a string value.')
448+
->end()
449+
->end()
450+
->arrayNode('migrate_from')
451+
->prototype('scalar')->end()
452+
->beforeNormalization()->castToArray()->end()
453+
->end()
454+
->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
455+
->scalarNode('key_length')->defaultValue(40)->end()
456+
->booleanNode('ignore_case')->defaultFalse()->end()
457+
->booleanNode('encode_as_base64')->defaultTrue()->end()
458+
->scalarNode('iterations')->defaultValue(5000)->end()
459+
->integerNode('cost')
460+
->min(4)
461+
->max(31)
462+
->defaultNull()
463+
->end()
464+
->scalarNode('memory_cost')->defaultNull()->end()
465+
->scalarNode('time_cost')->defaultNull()->end()
466+
->scalarNode('id')->end()
467+
->end()
468+
->end()
469+
->end()
470+
->end();
471+
}
472+
404473
private function getAccessDecisionStrategies()
405474
{
406475
$strategies = [

0 commit comments

Comments
 (0)