Merge pull request #4125 from magento-arcticfoxes/2.3-qwerty-pr

Fixed issues:
- MC-5843: Add Argon2ID support

Author: dvoskoboinikov

app/code/Magento/Customer/Console/Command/UpgradeHashAlgorithmCommand.php

@@ -13,6 +13,9 @@
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
 
+/**
+ * Upgrade users passwords to the new algorithm
+ */
 class UpgradeHashAlgorithmCommand extends Command
 {
     /**
@@ -65,8 +68,11 @@ protected function execute(InputInterface $input, OutputInterface $output)
             $customer->load($customer->getId());
             if (!$this->encryptor->validateHashVersion($customer->getPasswordHash())) {
                 list($hash, $salt, $version) = explode(Encryptor::DELIMITER, $customer->getPasswordHash(), 3);
-                $version .= Encryptor::DELIMITER . Encryptor::HASH_VERSION_LATEST;
-                $customer->setPasswordHash($this->encryptor->getHash($hash, $salt, $version));
+                $version .= Encryptor::DELIMITER . $this->encryptor->getLatestHashVersion();
+                $hash = $this->encryptor->getHash($hash, $salt, $this->encryptor->getLatestHashVersion());
+                list($hash, $salt) = explode(Encryptor::DELIMITER, $hash, 3);
+                $hash = implode(Encryptor::DELIMITER, [$hash, $salt, $version]);
+                $customer->setPasswordHash($hash);
                 $customer->save();
                 $output->write(".");
             }

app/code/Magento/Customer/Model/AccountManagement.php

@@ -554,6 +554,7 @@ public function authenticate($username, $password)
         }
         try {
             $this->getAuthentication()->authenticate($customerId, $password);
+            // phpcs:ignore Magento2.Exceptions.ThrowCatch
         } catch (InvalidEmailOrPasswordException $e) {
             throw new InvalidEmailOrPasswordException(__('Invalid login or password.'));
         }
@@ -894,6 +895,7 @@ public function createAccountWithPasswordHash(CustomerInterface $customer, $hash
             throw new InputMismatchException(
                 __('A customer with the same email address already exists in an associated website.')
             );
+            // phpcs:ignore Magento2.Exceptions.ThrowCatch
         } catch (LocalizedException $e) {
             throw $e;
         }
@@ -910,6 +912,7 @@ public function createAccountWithPasswordHash(CustomerInterface $customer, $hash
                 }
             }
             $this->customerRegistry->remove($customer->getId());
+            // phpcs:ignore Magento2.Exceptions.ThrowCatch
         } catch (InputException $e) {
             $this->customerRepository->delete($customer);
             throw $e;
@@ -1012,6 +1015,7 @@ private function changePasswordForCustomer($customer, $currentPassword, $newPass
     {
         try {
             $this->getAuthentication()->authenticate($customer->getId(), $currentPassword);
+            // phpcs:ignore Magento2.Exceptions.ThrowCatch
         } catch (InvalidEmailOrPasswordException $e) {
             throw new InvalidEmailOrPasswordException(
                 __("The password doesn't match this account. Verify the password and try again.")
@@ -1071,6 +1075,7 @@ public function validate(CustomerInterface $customer)
         $result = $this->getEavValidator()->isValid($customerModel);
         if ($result === false && is_array($this->getEavValidator()->getMessages())) {
             return $validationResults->setIsValid(false)->setMessages(
+            // phpcs:ignore Magento2.Functions.DiscouragedFunction
                 call_user_func_array(
                     'array_merge',
                     $this->getEavValidator()->getMessages()
@@ -1532,7 +1537,7 @@ protected function getFullCustomerObject($customer)
      */
     public function getPasswordHash($password)
     {
-        return $this->encryptor->getHash($password);
+        return $this->encryptor->getHash($password, true);
     }
 
     /**

dev/tests/integration/testsuite/Magento/User/Model/UserTest.php

@@ -7,6 +7,7 @@
 namespace Magento\User\Model;
 
 use Magento\Framework\Serialize\Serializer\Json;
+use Magento\Framework\Encryption\Encryptor;
 
 /**
  * @magentoAppArea adminhtml
@@ -33,6 +34,11 @@ class UserTest extends \PHPUnit\Framework\TestCase
      */
     private $serializer;
 
+    /**
+     * @var Encryptor
+     */
+    private $encryptor;
+
     protected function setUp()
     {
         $this->_model = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
@@ -44,6 +50,9 @@ protected function setUp()
         $this->serializer = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
             Json::class
         );
+        $this->encryptor = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
+            Encryptor::class
+        );
     }
 
     /**
@@ -104,6 +113,9 @@ public function testUpdateRoleOnSave()
         $this->assertEquals('admin_role', $this->_model->getRole()->getRoleName());
     }
 
+    /**
+     * phpcs:disable Magento2.Functions.StaticFunction
+     */
     public static function roleDataFixture()
     {
         self::$_newRole = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
@@ -335,6 +347,9 @@ public function testBeforeSaveRequiredFieldsValidation()
      */
     public function testBeforeSavePasswordHash()
     {
+        $pattern = $this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ?
+            '/^[0-9a-f]+:[0-9a-zA-Z]{16}:[0-9]+$/' :
+            '/^[0-9a-f]+:[0-9a-zA-Z]{32}:[0-9]+$/';
         $this->_model->setUsername(
             'john.doe'
         )->setFirstname(
@@ -349,7 +364,7 @@ public function testBeforeSavePasswordHash()
         $this->_model->save();
         $this->assertNotContains('123123q', $this->_model->getPassword(), 'Password is expected to be hashed');
         $this->assertRegExp(
-            '/^[0-9a-f]+:[0-9a-zA-Z]{32}:[0-9]+$/',
+            $pattern,
             $this->_model->getPassword(),
             'Salt is expected to be saved along with the password'
         );

lib/internal/Magento/Framework/Encryption/Encryptor.php

@@ -31,10 +31,17 @@ class Encryptor implements EncryptorInterface
      */
     const HASH_VERSION_SHA256 = 1;
 
+    /**
+     * Key of Argon2ID13 algorithm
+     */
+    public const HASH_VERSION_ARGON2ID13 = 2;
+
     /**
      * Key of latest used algorithm
+     * @deprecated
+     * @see \Magento\Framework\Encryption\Encryptor::getLatestHashVersion
      */
-    const HASH_VERSION_LATEST = 1;
+    const HASH_VERSION_LATEST = 2;
 
     /**
      * Default length of salt in bytes
@@ -87,7 +94,7 @@ class Encryptor implements EncryptorInterface
     private $passwordHashMap = [
         self::PASSWORD_HASH => '',
         self::PASSWORD_SALT => '',
-        self::PASSWORD_VERSION => self::HASH_VERSION_LATEST
+        self::PASSWORD_VERSION => self::HASH_VERSION_SHA256
     ];
 
     /**
@@ -123,6 +130,7 @@ class Encryptor implements EncryptorInterface
 
     /**
      * Encryptor constructor.
+     *
      * @param Random $random
      * @param DeploymentConfig $deploymentConfig
      * @param KeyValidator|null $keyValidator
@@ -138,6 +146,25 @@ public function __construct(
         $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get(self::PARAM_CRYPT_KEY)));
         $this->keyVersion = count($this->keys) - 1;
         $this->keyValidator = $keyValidator ?: ObjectManager::getInstance()->get(KeyValidator::class);
+        $latestHashVersion = $this->getLatestHashVersion();
+        if ($latestHashVersion === self::HASH_VERSION_ARGON2ID13) {
+            $this->hashVersionMap[self::HASH_VERSION_ARGON2ID13] = SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13;
+            $this->passwordHashMap[self::PASSWORD_VERSION] = self::HASH_VERSION_ARGON2ID13;
+        }
+    }
+
+    /**
+     * Gets latest hash algorithm version.
+     *
+     * @return int
+     */
+    public function getLatestHashVersion(): int
+    {
+        if (extension_loaded('sodium')) {
+            return self::HASH_VERSION_ARGON2ID13;
+        }
+
+        return self::HASH_VERSION_SHA256;
     }
 
     /**
@@ -160,6 +187,7 @@ public function validateCipher($version)
 
         $version = (int)$version;
         if (!in_array($version, $types, true)) {
+            // phpcs:ignore Magento2.Exceptions.DirectThrow
             throw new \Exception((string)new \Magento\Framework\Phrase('Not supported cipher version'));
         }
         return $version;
@@ -170,20 +198,34 @@ public function validateCipher($version)
      */
     public function getHash($password, $salt = false, $version = self::HASH_VERSION_LATEST)
     {
+        if (!isset($this->hashVersionMap[$version])) {
+            $version = self::HASH_VERSION_SHA256;
+        }
+
         if ($salt === false) {
+            $version = $version === self::HASH_VERSION_ARGON2ID13 ? self::HASH_VERSION_SHA256 : $version;
             return $this->hash($password, $version);
         }
         if ($salt === true) {
             $salt = self::DEFAULT_SALT_LENGTH;
         }
         if (is_integer($salt)) {
+            $salt = $version === self::HASH_VERSION_ARGON2ID13 ?
+                SODIUM_CRYPTO_PWHASH_SALTBYTES :
+                $salt;
             $salt = $this->random->getRandomString($salt);
         }
 
+        if ($version === self::HASH_VERSION_ARGON2ID13) {
+            $hash = $this->getArgonHash($password, $salt);
+        } else {
+            $hash = $this->hash($salt . $password, $version);
+        }
+
         return implode(
             self::DELIMITER,
             [
-                $this->hash($salt . $password, $version),
+                $hash,
                 $salt,
                 $version
             ]
@@ -193,7 +235,7 @@ public function getHash($password, $salt = false, $version = self::HASH_VERSION_
     /**
      * @inheritdoc
      */
-    public function hash($data, $version = self::HASH_VERSION_LATEST)
+    public function hash($data, $version = self::HASH_VERSION_SHA256)
     {
         return hash($this->hashVersionMap[$version], (string)$data);
     }
@@ -214,7 +256,11 @@ public function isValidHash($password, $hash)
         $this->explodePasswordHash($hash);
 
         foreach ($this->getPasswordVersion() as $hashVersion) {
-            $password = $this->hash($this->getPasswordSalt() . $password, $hashVersion);
+            if ($hashVersion === self::HASH_VERSION_ARGON2ID13) {
+                $password = $this->getArgonHash($password, $this->getPasswordSalt());
+            } else {
+                $password = $this->hash($this->getPasswordSalt() . $password, $hashVersion);
+            }
         }
 
         return Security::compareStrings(
@@ -232,8 +278,8 @@ public function validateHashVersion($hash, $validateCount = false)
         $hashVersions = $this->getPasswordVersion();
 
         return $validateCount
-            ? end($hashVersions) === self::HASH_VERSION_LATEST && count($hashVersions) === 1
-            : end($hashVersions) === self::HASH_VERSION_LATEST;
+            ? end($hashVersions) === $this->getLatestHashVersion() && count($hashVersions) === 1
+            : end($hashVersions) === $this->getLatestHashVersion();
     }
 
     /**
@@ -384,6 +430,7 @@ public function decrypt($data)
     public function validateKey($key)
     {
         if (!$this->keyValidator->isValid($key)) {
+            // phpcs:ignore Magento2.Exceptions.DirectThrow
             throw new \Exception(
                 (string)new \Magento\Framework\Phrase(
                     'Encryption key must be 32 character string without any white space.'
@@ -481,4 +528,32 @@ private function getCipherVersion()
             return self::CIPHER_RIJNDAEL_256;
         }
     }
+
+    /**
+     * Generate Argon2ID13 hash.
+     *
+     * @param string $data
+     * @param string $salt
+     * @return string
+     * @throws \SodiumException
+     */
+    private function getArgonHash($data, $salt = ''): string
+    {
+        $salt = empty($salt) ?
+            random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES) :
+            substr($salt, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES);
+
+        if (strlen($salt) < SODIUM_CRYPTO_PWHASH_SALTBYTES) {
+            $salt = str_pad($salt, SODIUM_CRYPTO_PWHASH_SALTBYTES, $salt);
+        }
+
+        return bin2hex(sodium_crypto_pwhash(
+            SODIUM_CRYPTO_SIGN_SEEDBYTES,
+            $data,
+            $salt,
+            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
+            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
+            $this->hashVersionMap[self::HASH_VERSION_ARGON2ID13]
+        ));
+    }
 }

lib/internal/Magento/Framework/Encryption/Test/Unit/EncryptorTest.php

@@ -16,6 +16,9 @@
 use Magento\Framework\Encryption\KeyValidator;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
 
+/**
+ * Test case for \Magento\Framework\Encryption\Encryptor
+ */
 class EncryptorTest extends \PHPUnit\Framework\TestCase
 {
     private const CRYPT_KEY_1 = 'g9mY9KLrcuAVJfsmVUSRkKFLDdUPVkaZ';
@@ -67,7 +70,9 @@ public function testGetHashNoSalt(): void
     public function testGetHashSpecifiedSalt(): void
     {
         $this->randomGeneratorMock->expects($this->never())->method('getRandomString');
-        $expected = '13601bda4ea78e55a07b98866d2be6be0744e3866f13c00c811cab608a28f322:salt:1';
+        $expected = $this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ?
+            '7640855aef9cb6ffd20229601d2904a2192e372b391db8230d7faf073b393e4c:salt:2' :
+            '13601bda4ea78e55a07b98866d2be6be0744e3866f13c00c811cab608a28f322:salt:1';
         $actual = $this->encryptor->getHash('password', 'salt');
         $this->assertEquals($expected, $actual);
     }
@@ -78,9 +83,11 @@ public function testGetHashRandomSaltDefaultLength(): void
         $this->randomGeneratorMock
             ->expects($this->once())
             ->method('getRandomString')
-            ->with(32)
+            ->with($this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ? 16 : 32)
             ->willReturn($salt);
-        $expected = 'a1c7fc88037b70c9be84d3ad12522c7888f647915db78f42eb572008422ba2fa:' . $salt . ':1';
+        $expected = $this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ?
+            '0be2351d7513d3e9622bd2df1891c39ba5ba6d1e3d67a058c60d6fd83f6641d8:' . $salt . ':2' :
+            'a1c7fc88037b70c9be84d3ad12522c7888f647915db78f42eb572008422ba2fa:' . $salt . ':1';
         $actual = $this->encryptor->getHash('password', true);
         $this->assertEquals($expected, $actual);
     }
@@ -90,9 +97,15 @@ public function testGetHashRandomSaltSpecifiedLength(): void
         $this->randomGeneratorMock
             ->expects($this->once())
             ->method('getRandomString')
-            ->with(11)
-            ->willReturn('random_salt');
-        $expected = '4c5cab8dd00137d11258f8f87b93fd17bd94c5026fc52d3c5af911dd177a2611:random_salt:1';
+            ->with($this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ? 16 : 11)
+            ->willReturn(
+                $this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ?
+                    'random_salt12345' :
+                    'random_salt'
+            );
+        $expected = $this->encryptor->getLatestHashVersion() === Encryptor::HASH_VERSION_ARGON2ID13 ?
+            'ca7982945fa90444b78d586678ff1c223ce13f99a39ec9541eae8b63ada3816a:random_salt12345:2' :
+            '4c5cab8dd00137d11258f8f87b93fd17bd94c5026fc52d3c5af911dd177a2611:random_salt:1';
         $actual = $this->encryptor->getHash('password', 11);
         $this->assertEquals($expected, $actual);
     }