Example #1
 /**
  * A password that is already a hash must be written back unchanged.
  *
  * For each provided hash, the listener is expected to call setPassword()
  * with that same value and never ask the password factory for a new hash.
  *
  * @dataProvider providePreSaveAlreadyHashed
  */
 public function testOnPreSavePasswordAlreadyHashed($hash)
 {
     $userDouble = $this->user;
     $userDouble->getPassword()->willReturn($hash);
     // The value set on the entity must be the very same hash.
     $userDouble->setPassword($hash)->shouldBeCalled();
     // Hashing a hash again would leave the account unusable, so no call is allowed.
     $this->passwordFactory->createHash(Argument::cetera())->shouldNotBeCalled();

     $event = $this->storageEvent;
     $event->getContent()->willReturn($userDouble->reveal());

     $this->listener->onUserEntityPreSave($event->reveal());
 }
Example #2
 /**
  * Produce the value to store for a password.
  *
  * A value that Blowfish or PHPASS detection recognises as a hash is returned
  * unchanged. Anything else is treated as plaintext: it must be at least six
  * bytes long and is handed to the password factory with the '$2y$' prefix.
  *
  * NOTE(review): the pass-through branch skips the length check and stores a
  * caller-supplied hash verbatim. Confirm that callers never pass unfiltered
  * form input here.
  *
  * @param string $password Plaintext password, or an existing hash
  *
  * @throws AccessControlException If the plaintext is shorter than 6 bytes
  *
  * @return string
  */
 private function getValidHash($password)
 {
     // Detection order is Blowfish first, then PHPASS; either match means "already hashed".
     $alreadyHashed = Password\Blowfish::detect($password) || Password\PHPASS::detect($password);
     if ($alreadyHashed) {
         return $password;
     }

     // strlen() counts bytes, so this is a byte-length minimum, not a character count.
     $tooShort = strlen($password) < 6;
     if ($tooShort) {
         throw new AccessControlException('Can not save a password with a length shorter than 6 characters!');
     }

     $freshHash = $this->passwordFactory->createHash($password, '$2y$');

     return $freshHash;
 }
Example #3
File: Login.php Project: bolt/bolt
 /**
  * Check a user login request for username/password combinations.
  *
  * Order of checks: the user must exist, the stored password field must be
  * non-empty, the account must be enabled, and only then is the supplied
  * password verified against the stored hash. Every rejection dispatches
  * AccessControlEvents::LOGIN_FAILURE with a reason code. On success a stored
  * hash that is not detected as Blowfish is replaced with a '$2y$' hash
  * before AccessControlEvents::LOGIN_SUCCESS is dispatched.
  *
  * @param string             $userName
  * @param string             $password
  * @param AccessControlEvent $event
  *
  * @return bool False when no user entity is found; otherwise the result of
  *              loginFailed() or loginFinish()
  */
 protected function loginCheckPassword($userName, $password, AccessControlEvent $event)
 {
     // Unknown user: reported as FAILURE_INVALID and returned directly, without loginFailed().
     // NOTE(review): this path returns before any hash verification, so it likely responds
     // faster than a wrong-password attempt; confirm whether that difference is acceptable.
     if (!($userEntity = $this->getUserEntity($userName))) {
         $this->dispatcher->dispatch(AccessControlEvents::LOGIN_FAILURE, $event->setReason(AccessControlEvents::FAILURE_INVALID));
         return false;
     }
     $userAuth = $this->getRepositoryUsers()->getUserAuthData($userEntity->getId());
     // An empty stored password is handled like a disabled account; it is never compared to the input.
     if ($userAuth->getPassword() === null || $userAuth->getPassword() === '') {
         // NOTE(review): $userName is interpolated into the log message as-is; presumably it
         // comes from the request, so confirm the log handler neutralises control characters.
         $this->systemLogger->alert("Attempt to login to an account with empty password field: '{$userName}'", ['event' => 'security']);
         $this->flashLogger->error(Trans::__('general.phrase.login-account-disabled'));
         $this->dispatcher->dispatch(AccessControlEvents::LOGIN_FAILURE, $event->setReason(AccessControlEvents::FAILURE_DISABLED));
         return $this->loginFailed($userEntity);
     }
     // NOTE(review): the disabled check and its flash message run before the password is
     // verified, so the account's disabled state is shown whatever password was supplied.
     if ((bool) $userEntity->getEnabled() === false) {
         $this->systemLogger->alert("Attempt to login to a disabled account: '{$userName}'", ['event' => 'security']);
         $this->flashLogger->error(Trans::__('general.phrase.login-account-disabled'));
         $this->dispatcher->dispatch(AccessControlEvents::LOGIN_FAILURE, $event->setReason(AccessControlEvents::FAILURE_DISABLED));
         return $this->loginFailed($userEntity);
     }
     // Verification is delegated to the password factory; a mismatch is reported as FAILURE_PASSWORD.
     $isValid = $this->passwordFactory->verifyHash($password, $userAuth->getPassword());
     if (!$isValid) {
         $this->dispatcher->dispatch(AccessControlEvents::LOGIN_FAILURE, $event->setReason(AccessControlEvents::FAILURE_PASSWORD));
         return $this->loginFailed($userEntity);
     }
     // Upgrade on successful login: a stored hash not detected as Blowfish is replaced
     // with a '$2y$' hash of the password that has just been verified.
     if (!Blowfish::detect($userAuth->getPassword())) {
         $userEntity->setPassword($this->passwordFactory->createHash($password, '$2y$'));
         try {
             $this->getRepositoryUsers()->update($userEntity);
         } catch (NotNullConstraintViolationException $e) {
             // Deliberately swallowed: the schema needs updating, and the login still proceeds.
             // NOTE(review): the failed upgrade is not logged, so the old hash stays in the
             // database without any trace; consider recording it.
         }
     }
     $this->dispatcher->dispatch(AccessControlEvents::LOGIN_SUCCESS, $event->setDispatched());
     return $this->loginFinish($userEntity);
 }
 /**
  * The factory must accept a password whose stored hash is a SHA-512 hex digest.
  */
 public function testVerifySHA512()
 {
     $plaintext = 'foo';
     // hash('sha512', ...) gives an unsalted hex digest; this pins that the format still verifies.
     $sha512Hex = hash('sha512', $plaintext);

     $passwordFactory = new Factory();
     $verified = $passwordFactory->verifyHash($plaintext, $sha512Hex);

     $this->assertTrue($verified);
 }
Example #5
 /**
  * Check a candidate password against a stored password hash.
  *
  * Thin wrapper: a new PasswordFactory is created on every call and the
  * comparison is delegated to its verifyHash() method.
  *
  * @param string $password The supplied password to attempt to verify
  * @param string $hash     The valid hash to verify against
  *
  * @throws \DomainException If the hash is invalid or impossible to verify
  * @return bool Is the password valid
  */
 public function verifyPasswordHash($password, $hash)
 {
     return (new PasswordFactory())->verifyHash($password, $hash);
 }