[Security] Add migrating encoder configuration

Author: chalasr

Core/Encoder/EncoderFactory.php

@@ -65,9 +65,10 @@ public function getEncoder($user)
      *
      * @throws \InvalidArgumentException
      */
-    private function createEncoder(array $config): PasswordEncoderInterface
+    private function createEncoder(array $config, bool $isExtra = false): PasswordEncoderInterface
     {
         if (isset($config['algorithm'])) {
+            $rawConfig = $config;
             $config = $this->getEncoderConfigFromAlgorithm($config);
         }
         if (!isset($config['class'])) {
@@ -79,7 +80,23 @@ private function createEncoder(array $config): PasswordEncoderInterface
 
         $reflection = new \ReflectionClass($config['class']);
 
-        return $reflection->newInstanceArgs($config['arguments']);
+        $encoder = $reflection->newInstanceArgs($config['arguments']);
+
+        if ($isExtra || !\in_array($config['class'], [NativePasswordEncoder::class, SodiumPasswordEncoder::class], true)) {
+            return $encoder;
+        }
+
+        if ($rawConfig ?? null) {
+            $extraEncoders = array_map(function (string $algo) use ($rawConfig): PasswordEncoderInterface {
+                $rawConfig['algorithm'] = $algo;
+
+                return $this->createEncoder($rawConfig);
+            }, ['pbkdf2', $rawConfig['hash_algorithm'] ?? 'sha512']);
+        } else {
+            $extraEncoders = [new Pbkdf2PasswordEncoder(), new MessageDigestPasswordEncoder()];
+        }
+
+        return new MigratingPasswordEncoder($encoder, ...$extraEncoders);
     }
 
     private function getEncoderConfigFromAlgorithm(array $config): array
@@ -89,7 +106,25 @@ private function getEncoderConfigFromAlgorithm(array $config): array
             // "plaintext" is not listed as any leaked hashes could then be used to authenticate directly
             foreach ([SodiumPasswordEncoder::isSupported() ? 'sodium' : 'native', 'pbkdf2', $config['hash_algorithm']] as $algo) {
                 $config['algorithm'] = $algo;
-                $encoderChain[] = $this->createEncoder($config);
+                $encoderChain[] = $this->createEncoder($config, true);
+            }
+
+            return [
+                'class' => MigratingPasswordEncoder::class,
+                'arguments' => $encoderChain,
+            ];
+        }
+
+        if ($fromEncoders = ($config['migrate_from'] ?? false)) {
+            $encoderChain = [];
+            foreach ($fromEncoders as $name) {
+                if ($encoder = $this->encoders[$name] ?? false) {
+                    $encoder = $encoder instanceof PasswordEncoderInterface ? $encoder : $this->createEncoder($encoder, true);
+                } else {
+                    $encoder = $this->createEncoder(['algorithm' => $name], true);
+                }
+
+                $encoderChain[] = $encoder;
             }
 
             return [

Core/Tests/Encoder/EncoderFactoryTest.php

@@ -15,6 +15,9 @@
 use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
 use Symfony\Component\Security\Core\Encoder\EncoderFactory;
 use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
+use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
 
@@ -131,6 +134,44 @@ public function testGetEncoderForEncoderAwareWithClassName()
         $expectedEncoder = new MessageDigestPasswordEncoder('sha1');
         $this->assertEquals($expectedEncoder->encodePassword('foo', ''), $encoder->encodePassword('foo', ''));
     }
+
+    public function testMigrateFrom()
+    {
+        if (!SodiumPasswordEncoder::isSupported()) {
+            $this->markTestSkipped('Sodium is not available');
+        }
+
+        $factory = new EncoderFactory([
+            'digest_encoder' => $digest = new MessageDigestPasswordEncoder('sha256'),
+            'pbdkf2' => $digest = new MessageDigestPasswordEncoder('sha256'),
+            'bcrypt_encoder' => ['algorithm' => 'bcrypt'],
+            SomeUser::class => ['algorithm' => 'sodium', 'migrate_from' => ['bcrypt_encoder', 'digest_encoder']],
+        ]);
+
+        $encoder = $factory->getEncoder(SomeUser::class);
+        $this->assertInstanceOf(MigratingPasswordEncoder::class, $encoder);
+
+        $this->assertTrue($encoder->isPasswordValid((new SodiumPasswordEncoder())->encodePassword('foo', null), 'foo', null));
+        $this->assertTrue($encoder->isPasswordValid((new NativePasswordEncoder(null, null, null, \PASSWORD_BCRYPT))->encodePassword('foo', null), 'foo', null));
+        $this->assertTrue($encoder->isPasswordValid($digest->encodePassword('foo', null), 'foo', null));
+    }
+
+    public function testDefaultMigratingEncoders()
+    {
+        $this->assertInstanceOf(
+            MigratingPasswordEncoder::class,
+            (new EncoderFactory([SomeUser::class => ['class' => NativePasswordEncoder::class, 'arguments' => []]]))->getEncoder(SomeUser::class)
+        );
+
+        if (!SodiumPasswordEncoder::isSupported()) {
+            return;
+        }
+
+        $this->assertInstanceOf(
+            MigratingPasswordEncoder::class,
+            (new EncoderFactory([SomeUser::class => ['class' => SodiumPasswordEncoder::class, 'arguments' => []]]))->getEncoder(SomeUser::class)
+        );
+    }
 }
 
 class SomeUser implements UserInterface