feature #26175 [Security] Add configuration for Argon2i encryption (CoalaJoe)

This PR was merged into the 4.1-dev branch.

Discussion
----------

[Security] Add configuration for Argon2i encryption

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #26174
| License       | MIT
| Doc PR        | [#9300](symfony/symfony-docs#9300)

Feedback?

Current situation: Configuration only applies if argon2i is natively supported.

Commits
-------

1300fece5f [Security] Add configuration for Argon2i encryption

Author: fabpot

DependencyInjection/MainConfiguration.php

@@ -385,6 +385,9 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
                                 ->max(31)
                                 ->defaultValue(13)
                             ->end()
+                            ->scalarNode('memory_cost')->defaultNull()->end()
+                            ->scalarNode('time_cost')->defaultNull()->end()
+                            ->scalarNode('threads')->defaultNull()->end()
                             ->scalarNode('id')->end()
                         ->end()
                     ->end()

DependencyInjection/SecurityExtension.php

@@ -523,7 +523,11 @@ private function createEncoder($config, ContainerBuilder $container)
 
             return array(
                 'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
-                'arguments' => array(),
+                'arguments' => array(
+                    $config['memory_cost'],
+                    $config['time_cost'],
+                    $config['threads'],
+                ),
             );
         }
 

Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -285,6 +285,9 @@ public function testEncoders()
                 'key_length' => 40,
                 'ignore_case' => false,
                 'cost' => 13,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
             ),
             'JMS\FooBundle\Entity\User3' => array(
                 'algorithm' => 'md5',
@@ -294,6 +297,9 @@ public function testEncoders()
                 'encode_as_base64' => true,
                 'iterations' => 5000,
                 'cost' => 13,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
             ),
             'JMS\FooBundle\Entity\User4' => new Reference('security.encoder.foo'),
             'JMS\FooBundle\Entity\User5' => array(
@@ -307,16 +313,57 @@ public function testEncoders()
         )), $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
-    public function testArgon2iEncoder()
+    public function testEncodersWithLibsodium()
     {
         if (!Argon2iPasswordEncoder::isSupported()) {
             $this->markTestSkipped('Argon2i algorithm is not supported.');
         }
 
-        $this->assertSame(array(array('JMS\FooBundle\Entity\User7' => array(
-            'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
-            'arguments' => array(),
-        ))), $this->getContainer('argon2i_encoder')->getDefinition('security.encoder_factory.generic')->getArguments());
+        $container = $this->getContainer('argon2i_encoder');
+
+        $this->assertEquals(array(array(
+            'JMS\FooBundle\Entity\User1' => array(
+                'class' => 'Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder',
+                'arguments' => array(false),
+            ),
+            'JMS\FooBundle\Entity\User2' => array(
+                'algorithm' => 'sha1',
+                'encode_as_base64' => false,
+                'iterations' => 5,
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'cost' => 13,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
+            ),
+            'JMS\FooBundle\Entity\User3' => array(
+                'algorithm' => 'md5',
+                'hash_algorithm' => 'sha512',
+                'key_length' => 40,
+                'ignore_case' => false,
+                'encode_as_base64' => true,
+                'iterations' => 5000,
+                'cost' => 13,
+                'memory_cost' => null,
+                'time_cost' => null,
+                'threads' => null,
+            ),
+            'JMS\FooBundle\Entity\User4' => new Reference('security.encoder.foo'),
+            'JMS\FooBundle\Entity\User5' => array(
+                'class' => 'Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder',
+                'arguments' => array('sha1', false, 5, 30),
+            ),
+            'JMS\FooBundle\Entity\User6' => array(
+                'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
+                'arguments' => array(15),
+            ),
+            'JMS\FooBundle\Entity\User7' => array(
+                'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
+                'arguments' => array(256, 1, 2),
+            ),
+        )), $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
     public function testRememberMeThrowExceptionsDefault()

Tests/DependencyInjection/Fixtures/php/argon2i_encoder.php

@@ -1,18 +1,14 @@
 <?php
 
+$this->load('container1.php', $container);
+
 $container->loadFromExtension('security', array(
     'encoders' => array(
         'JMS\FooBundle\Entity\User7' => array(
             'algorithm' => 'argon2i',
-        ),
-    ),
-    'providers' => array(
-        'default' => array('id' => 'foo'),
-    ),
-    'firewalls' => array(
-        'main' => array(
-            'form_login' => false,
-            'http_basic' => null,
+            'memory_cost' => 256,
+            'time_cost' => 1,
+            'threads' => 2,
         ),
     ),
 ));

Tests/DependencyInjection/Fixtures/xml/argon2i_encoder.xml

@@ -1,18 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<srv:container xmlns="http://symfony.com/schema/dic/security"
-               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-               xmlns:srv="http://symfony.com/schema/dic/services"
-               xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+<container xmlns="http://symfony.com/schema/dic/services"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xmlns:sec="http://symfony.com/schema/dic/security"
+   xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
-    <config>
-        <encoder class="JMS\FooBundle\Entity\User7" algorithm="argon2i" />
+    <imports>
+        <import resource="container1.xml"/>
+    </imports>
 
-        <provider name="default" id="foo" />
+    <sec:config>
+        <sec:encoder class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory_cost="256" time_cost="1" threads="2" />
+    </sec:config>
 
-        <firewall name="main">
-            <form-login login-path="/login" />
-        </firewall>
-    </config>
-
-</srv:container>
+</container>

Tests/DependencyInjection/Fixtures/yml/argon2i_encoder.yml

@@ -1,12 +1,10 @@
+imports:
+    - { resource: container1.yml }
+
 security:
     encoders:
         JMS\FooBundle\Entity\User7:
             algorithm: argon2i
-
-    providers:
-        default: { id: foo }
-
-    firewalls:
-        main:
-            form_login: false
-            http_basic: ~
+            memory_cost: 256
+            time_cost: 1
+            threads: 2

composer.json

@@ -18,7 +18,7 @@
     "require": {
         "php": "^7.1.3",
         "ext-xml": "*",
-        "symfony/security": "~3.4|~4.0",
+        "symfony/security": "~4.1",
         "symfony/dependency-injection": "^3.4.3|^4.0.3",
         "symfony/http-kernel": "~3.4|~4.0"
     },