Merge branch '4.4' into 5.0

nicolas-grekas · nicolas-grekas · commit 1b11cce7544f · 2019-12-07T17:40:37.000+01:00
* 4.4: (30 commits)
  [Security] Check UserInterface::getPassword is not null before calling needsRehash
  gracefully handle missing event dispatchers
  Fix TokenStorage::reset not called in stateless firewall
  [DotEnv] Remove `usePutEnv` property default value
  [HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
  Set up typo fix
  [DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
  [Cache] fix memory leak when using PhpArrayAdapter
  [Validator] Allow underscore character "_" in URL username and password
  [TwigBridge] Update bootstrap_4_layout.html.twig
  [FrameworkBundle][SodiumVault] Create secrets directory only when needed
  fix parsing negative octal numbers
  [SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
  [DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
  [SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
  do not validate passwords when the hash is null
  [DI] fix resolving bindings for named TypedReference
  [Config] never try loading failed classes twice with ClassExistenceResource
  [Mailer] Fix SMTP Authentication when using STARTTLS
  [DI] Fix making the container path-independent when the app is in /app
  ...
diff --git a/Authentication/Provider/DaoAuthenticationProvider.php b/Authentication/Provider/DaoAuthenticationProvider.php
@@ -55,6 +55,10 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
+            if (null === $user->getPassword()) {
+                throw new BadCredentialsException('The presented password is invalid.');
+            }
+
             $encoder = $this->encoderFactory->getEncoder($user);
 
             if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
diff --git a/Encoder/UserPasswordEncoder.php b/Encoder/UserPasswordEncoder.php
@@ -42,6 +42,10 @@ public function encodePassword(UserInterface $user, string $plainPassword)
      */
     public function isPasswordValid(UserInterface $user, string $raw)
     {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
         $encoder = $this->encoderFactory->getEncoder($user);
 
         return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
@@ -52,6 +56,10 @@ public function isPasswordValid(UserInterface $user, string $raw)
      */
     public function needsRehash(UserInterface $user): bool
     {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
         $encoder = $this->encoderFactory->getEncoder($user);
 
         return $encoder->needsRehash($user->getPassword());
diff --git a/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php b/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php
@@ -147,7 +147,11 @@ public function testCheckAuthenticationWhenCredentialsAre0()
             ->willReturn('0')
         ;
 
-        $method->invoke($provider, new TestUser(), $token);
+        $method->invoke(
+            $provider,
+            new User('username', 'password'),
+            $token
+        );
     }
 
     public function testCheckAuthenticationWhenCredentialsAreNotValid()
@@ -169,7 +173,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, new TestUser(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
@@ -241,7 +245,7 @@ public function testCheckAuthentication()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, new TestUser(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     public function testPasswordUpgrades()
diff --git a/Validator/Constraints/UserPasswordValidator.php b/Validator/Constraints/UserPasswordValidator.php
@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)
 
         $encoder = $this->encoderFactory->getEncoder($user);
 
-        if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
+        if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
             $this->context->addViolation($constraint->message);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,10 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`55`	`55`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`56`	`56`	`}`
`57`	`57`
	`58`	`+ if (null === $user->getPassword()) {`
	`59`	`+ throw new BadCredentialsException('The presented password is invalid.');`
	`60`	`+ }`
	`61`	`+`
`58`	`62`	`$encoder = $this->encoderFactory->getEncoder($user);`
`59`	`63`
`60`	`64`	`if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,11 @@ public function testCheckAuthenticationWhenCredentialsAre0()`
`147`	`147`	`->willReturn('0')`
`148`	`148`	`;`
`149`	`149`
`150`		`- $method->invoke($provider, new TestUser(), $token);`
	`150`	`+ $method->invoke(`
	`151`	`+ $provider,`
	`152`	`+ new User('username', 'password'),`
	`153`	`+ $token`
	`154`	`+ );`
`151`	`155`	`}`
`152`	`156`
`153`	`157`	`public function testCheckAuthenticationWhenCredentialsAreNotValid()`
`@@ -169,7 +173,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()`
`169`	`173`	`->willReturn('foo')`
`170`	`174`	`;`
`171`	`175`
`172`		`- $method->invoke($provider, new TestUser(), $token);`
	`176`	`+ $method->invoke($provider, new User('username', 'password'), $token);`
`173`	`177`	`}`
`174`	`178`
`175`	`179`	`public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()`
`@@ -241,7 +245,7 @@ public function testCheckAuthentication()`
`241`	`245`	`->willReturn('foo')`
`242`	`246`	`;`
`243`	`247`
`244`		`- $method->invoke($provider, new TestUser(), $token);`
	`248`	`+ $method->invoke($provider, new User('username', 'password'), $token);`
`245`	`249`	`}`
`246`	`250`
`247`	`251`	`public function testPasswordUpgrades()`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)`
`53`	`53`
`54`	`54`	`$encoder = $this->encoderFactory->getEncoder($user);`
`55`	`55`
`56`		`- if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
	`56`	`+ if (null === $user->getPassword() \|\| !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
`57`	`57`	`$this->context->addViolation($constraint->message);`
`58`	`58`	`}`
`59`	`59`	`}`