namespace Symfony\Component\Security\Core\Exception;

final class CompromisedPasswordPolicyException extends PolicyException

{

public function getMessageKey(): string

{

return 'Compromised password.';

}

}

namespace Symfony\Component\Security\Core\Exception;

class PolicyException extends AuthenticationException

{

public function getMessageKey(): string

{

return 'The password does not fulfill the password policy.';

}

}

namespace Symfony\Component\Security\Http\Authenticator\Passport\Policy;

use Symfony\Component\Security\Core\Exception\CompromisedPasswordPolicyException;

use Symfony\Contracts\HttpClient\HttpClientInterface;

final class NotCompromisedPasswordPolicy implements PolicyInterface

{

private const DEFAULT_API_ENDPOINT = 'https://api.pwnedpasswords.com/range/%s';

private readonly string $endpoint;

public function __construct(

private readonly HttpClientInterface $httpClient,

private readonly bool $skipOnError = false,

string $endpoint = null

) {

$this->endpoint = $endpoint ?? self::DEFAULT_API_ENDPOINT;

}

public function verify(#[\SensitiveParameter] string $plaintextPassword): void

{

$hash = mb_strtoupper(sha1($plaintextPassword));

$hashPrefix = mb_substr($hash, 0, 5);

$url = sprintf($this->endpoint, $hashPrefix);

try {

$result = $this->httpClient->request('GET', $url, [

'headers' => [

'Add-Padding' => 'true',

],

])->getContent();

} catch (\Throwable $exception) {

if ($this->skipOnError) {

return;

}

throw $exception;

}

foreach (explode("\r\n", $result) as $line) {

if (!str_contains($line, ':')) {

continue;

}

[$hashSuffix, $count] = explode(':', $line);

if ($hashPrefix.$hashSuffix === $hash && (int) $count >= 1) {

throw new CompromisedPasswordPolicyException();

}

}

}

}

namespace Symfony\Component\Security\Http\Authenticator\Passport\Policy;

use Symfony\Component\Security\Core\Exception\AuthenticationException;

interface PolicyInterface

{

/**

public function verify(#[\SensitiveParameter] string $plaintextPassword): void;

}

6.4

* Add Password Policy to allow verifying the password using a custom security policy (e.g. password not compromised, change required by IT service, etc.)

* Add `ConstraintBadge` to allow the validation of the authentication material (e.g. username, password) using constraints

namespace Symfony\Component\Security\Http\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;

use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;

use Symfony\Component\Security\Http\Authenticator\Passport\Policy\PolicyInterface;

use Symfony\Component\Security\Http\Event\CheckPassportEvent;

final class PasswordPolicyListener implements EventSubscriberInterface

{

/**

public function __construct(

private readonly array $policies = [],

) {

}

public function checkPassport(CheckPassportEvent $event): void

{

$passport = $event->getPassport();

if (!$passport->hasBadge(PasswordCredentials::class)) {

return;

}

$badge = $passport->getBadge(PasswordCredentials::class);

if ($badge->isResolved()) {

return;

}

foreach ($this->policies as $policy) {

$policy->verify($badge->getPassword());

}

}

public static function getSubscribedEvents(): array

{

return [

CheckPassportEvent::class => ['checkPassport', 512],

];

}

}

namespace Symfony\Component\Security\Http\Tests\EventListener\PasswordPolicy;

use PHPUnit\Framework\TestCase;

use Symfony\Component\HttpClient\MockHttpClient;

use Symfony\Component\HttpClient\Response\MockResponse;

use Symfony\Component\Security\Core\Exception\PolicyException;

use Symfony\Component\Security\Core\User\InMemoryUser;

use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;

use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;

use Symfony\Component\Security\Http\Authenticator\Passport\Passport;

use Symfony\Component\Security\Http\Authenticator\Passport\Policy\NotCompromisedPasswordPolicy;

use Symfony\Component\Security\Http\Authenticator\Passport\Policy\PolicyInterface;

use Symfony\Component\Security\Http\Event\CheckPassportEvent;

use Symfony\Component\Security\Http\EventListener\PasswordPolicyListener;

class PasswordPolicyListenerTest extends TestCase

{

/**

public function testPasswordIsNotAcceptable(Passport $passport, array $policy, string $expectedMessage)

{

// Given

$event = new CheckPassportEvent($this->createMock(AuthenticatorInterface::class), $passport);

$listener = new PasswordPolicyListener($policy);

try {

// When

$listener->checkPassport($event);

$this->fail('Expected exception to be thrown');

} catch (PolicyException $e) {

// Then

$this->assertSame($expectedMessage, $e->getMessageKey());

}

}

public static function providePassport(): iterable

{

// We use a real response from haveibeenpwned.com with the password "qwerty" to test the NotCompromisedPasswordPolicy

$data = preg_replace('~\R~u', "\r\n", file_get_contents(__DIR__.'/qwerty.txt'));

$httpClient = new MockHttpClient();

$httpClient->setResponseFactory(fn () => new MockResponse($data, ['http_code' => 200]));

yield [

new Passport(

new UserBadge('test', fn () => new InMemoryUser('test', 'qwerty')),

new PasswordCredentials('qwerty')

),

[new NotCompromisedPasswordPolicy($httpClient)],

'Compromised password.',

];

yield [

new Passport(

new UserBadge('test', fn () => new InMemoryUser('test', 'qwerty')),

new PasswordCredentials('qwerty')

),

[new class() implements PolicyInterface {

public function verify(string $plaintextPassword): void

{

throw new PolicyException();

}

}],

'The password does not fulfill the password policy.',

];

yield [

new Passport(

new UserBadge('test', fn () => new InMemoryUser('test', 'qwerty')),

new PasswordCredentials('too short pwd')

),

[new class() implements PolicyInterface {

public function verify(string $plaintextPassword): void

{

if (mb_strlen($plaintextPassword) < 15) {

throw new PolicyException();

}

}

}],

'The password does not fulfill the password policy.',

];

}

}