Support password_verify() in version 2. Provide v1 compat interfaces.

Author: nathanjrobertson

src/Auth/Source/PasswordVerify1Compat.php

@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\sqlauth\Auth\Source;
+
+/**
+ * @package SimpleSAMLphp
+ */
+
+class PasswordVerify1Compat extends SQL2
+{
+    /**
+     * Constructor for this authentication source.
+     *
+     * @param array $info  Information about this authentication source.
+     * @param array $config  Configuration.
+     */
+    public function __construct(array $info, array $config)
+    {
+        /* Transform PasswordVerify (version 1) config to SQL2 config 
+         * Version 1 supported only one database, but multiple queries. The first query was defined
+         * to be the "authentication query", all subsequent queries were "attribute queries".
+         */
+        $v2config = [
+            'sqlauth:SQL2',
+            'databases' => [
+                'default' => [
+                    'dsn' => $config['dsn'],
+                    'username' => $config['username'],
+                    'password' => $config['password'],
+                ]
+            ],
+
+            'auth_queries' => [
+                'default' => [
+                    'database' => 'default',
+                    'query' => is_array($config['query']) ? $config['query'][0] : $config['query'],
+                    'password_verify_hash_column' => 'passwordhash',
+                ]
+            ],
+        ];
+
+        if (array_key_exists('username_regex', $config)) {
+            $v2config['auth_queries']['default']['username_regex'] = $config['username_regex'];
+        }
+
+        // Override the default passwordhash column if configured
+        if (array_key_exists('passwordhash_column', $config)) {
+            $v2config['auth_queries']['default']['password_verify_hash_column'] = $config['passwordhash_column'];
+        }
+
+        if (is_array($config['query']) && count($config['query']) > 1) {
+            $v2config['attr_queries'] = [];
+            for ($i = 1; $i < count($config['query']); $i++) {
+                $v2config['attr_queries']['query' . $i] = [
+                    'database' => 'default',
+                    'query' => $config['query'][$i],
+                ];
+            }
+        }
+
+        parent::__construct($info, $v2config);
+    }
+}

src/Auth/Source/SQL1Compat.php

@@ -5,11 +5,6 @@
 namespace SimpleSAML\Module\sqlauth\Auth\Source;
 
 /**
- * Simple SQL authentication source
- *
- * This class is an example authentication source which authenticates an user
- * against a SQL database.
- *
  * @package SimpleSAMLphp
  */
 

src/Auth/Source/SQL2.php

@@ -179,6 +179,14 @@ public function __construct(array $info, array $config)
                     $this->authQueries[$authQueryName]['extract_userid_from'] = $authQueryConfig['extract_userid_from'];
                 }
 
+                if (array_key_exists('password_verify_hash_column', $authQueryConfig)) {
+                    if (!is_string($authQueryConfig['password_verify_hash_column'])) {
+                        throw new Exception('Optional parameter \'password_verify_hash_column\' for authentication source ' .
+                            $this->authId . ' was provided and is expected to be a string. Instead it was: ' .
+                            var_export($authQueryConfig['password_verify_hash_column'], true));
+                    }
+                    $this->authQueries[$authQueryName]['password_verify_hash_column'] = $authQueryConfig['password_verify_hash_column'];
+                }
             }
         } else {
             throw new Exception('Missing required attribute \'auth_queries\' for authentication source ' . $this->authId);
@@ -408,7 +416,14 @@ protected function login(
             $db = $this->connect($queryConfig['database']);
 
             try {
-                $data = $this->executeQuery($db, $queryConfig['query'], ['username' => $username, 'password' => $password]);
+                if (array_key_exists('password_verify_hash_column', $queryConfig)) {
+                    // We will verify the password using password_verify() later, so we do not
+                    // pass the password to the query.
+                    $data = $this->executeQuery($db, $queryConfig['query'], ['username' => $username]);
+                } else {
+                    // Pass both username and password to the query
+                    $data = $this->executeQuery($db, $queryConfig['query'], ['username' => $username, 'password' => $password]);
+                }
             } catch (PDOException $e) {
                 Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
                               ' failed with error: ' . $e->getMessage());
@@ -417,14 +432,64 @@ protected function login(
 
             // If we got any rows, the authentication succeeded. If not, try the next query.
             if (count($data) > 0) {
+                /* This is where we need to run password_verify() if we are using password_verify() to
+                 * authenticate hashed passwords that are only stored in the database. */
+                if (array_key_exists('password_verify_hash_column', $queryConfig)) {
+                    $hashColumn = $queryConfig['password_verify_hash_column'];
+                    if (!array_key_exists($hashColumn, $data[0])) {
+                        Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
+                                     ' did not return expected hash column \'' . $hashColumn . '\'');
+                        throw new Error\Error('WRONGUSERPASS');
+                    }
+
+                    $passwordHash = null;
+                    foreach ($data as $row) {
+                        if ((!array_key_exists($hashColumn, $row)) || is_null($row[$hashColumn])) {
+                            Logger::error(sprintf(
+                                'sqlauth:%s: column `%s` must be in every result tuple.',
+                                $this->authId,
+                                $hashColumn,
+                            ));
+                            throw new Error\Error('WRONGUSERPASS');
+                        }
+                        if ($passwordHash === null) {
+                            $passwordHash = $row[$hashColumn];
+                        } elseif ($passwordHash != $row[$hashColumn]) {
+                            Logger::error(sprintf(
+                                'sqlauth:%s: column %s must be THE SAME in every result tuple.',
+                                $this->authId,
+                                $hashColumn,
+                            ));
+                            throw new Error\Error('WRONGUSERPASS');
+                        }
+                    }
+
+                    if (($passwordHash === null) || (!password_verify($password, $passwordHash))) {
+                        Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
+                                     ' password verification failed');
+                        /* Authentication with verify_password() failed, however that only means that
+                         * this auth query did not succeed. We should try the next auth query if any. */
+                        continue;
+                    }
+
+                    Logger::debug('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
+                                 ' password verification using password_verify() succeeded');
+                }
+
                 Logger::debug('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
                              ' succeeded with ' . count($data) . ' rows');
                 $queryConfig['_winning_auth_query'] = true;
+
                 if (array_key_exists('extract_userid_from', $queryConfig)) {
                     $queryConfig['_extracted_userid'] = $data[0][$queryConfig['extract_userid_from']];
                 }
                 $winning_auth_query = $queryname;
-                $this->extractAttributes($attributes, $data, []);
+
+                $forbiddenAttributes = [];
+                if (array_key_exists('password_verify_hash_column', $queryConfig)) {
+                    $forbiddenAttributes[] = $queryConfig['password_verify_hash_column'];
+                }
+                $this->extractAttributes($attributes, $data, $forbiddenAttributes);
 
                 // The first auth query that succeeds is the winning one, so we can stop here.
                 break;

tests/bootstrap.php

@@ -5,14 +5,20 @@
 $projectRoot = dirname(__DIR__);
 require_once($projectRoot . '/vendor/autoload.php');
 
+
 // Load our wrapper class to get around login() being declared protected in SQL.php
 require_once($projectRoot . '/tests/src/Auth/Source/SQLWrapper.php');
 require_once($projectRoot . '/tests/src/Auth/Source/SQL2Wrapper.php');
 require_once($projectRoot . '/tests/src/Auth/Source/SQL1CompatWrapper.php');
 require_once($projectRoot . '/tests/src/Auth/Source/PasswordVerifyWrapper.php');
+require_once($projectRoot . '/tests/src/Auth/Source/PasswordVerify1CompatWrapper.php');
 
-// Get around SQL1CompatTest extending SQLTest and not being able to find SQLTest
+// We use inheritance quite extensively in our test cases, so we need to
+// make sure all the classes that are subclassed are loaded before we run any tests.
+require_once($projectRoot . '/tests/src/Auth/Source/PasswordVerifyTest.php');
 require_once($projectRoot . '/tests/src/Auth/Source/SQLTest.php');
+require_once($projectRoot . '/tests/src/Auth/Source/SQL2SimpleTest.php');
+require_once($projectRoot . '/tests/src/Auth/Source/SQL2SingleAuthTest.php');
 
 // Symlink module into ssp vendor lib so that templates and urls can resolve correctly
 $linkPath = $projectRoot . '/vendor/simplesamlphp/simplesamlphp/modules/sqlauth';

tests/src/Auth/Source/PasswordVerify1CompatTest.php

@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\sqlauth\Auth\Source;
+
+/**
+ * Test for the core:AttributeLimit filter.
+ *
+ * @covers \SimpleSAML\Module\core\Auth\Process\AttributeLimit
+ */
+class PasswordVerify1CompatTest extends PasswordVerifyTest
+{
+    protected string $wrapperClassName = '\SimpleSAML\Test\Module\sqlauth\Auth\Source\PasswordVerify1CompatWrapper';
+}

tests/src/Auth/Source/PasswordVerify1CompatWrapper.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\sqlauth\Auth\Source;
+
+use SimpleSAML\Module\sqlauth\Auth\Source\PasswordVerify1Compat;
+
+/**
+ * This class only exists to allow us to call the protected login() method.
+ * The calling method in UserPassBase.php doesn't return, so can't be used
+ * from PHPUnit. So we do this just to be able to unit test the login()
+ * method in SQL.php
+ */
+
+class PasswordVerify1CompatWrapper extends PasswordVerify1Compat
+{
+    /**
+     * @param array<mixed> $info
+     * @param array<mixed> $config
+     */
+    public function __construct(array $info, array $config)
+    {
+        parent::__construct($info, $config);
+    }
+
+
+    /**
+     * @return array<mixed>
+     */
+    public function callLogin(string $username, string $password): array
+    {
+        return $this->login($username, $password);
+    }
+}

tests/src/Auth/Source/PasswordVerifyTest.php

@@ -14,6 +14,9 @@
  */
 class PasswordVerifyTest extends TestCase
 {
+    // Subclasses can override this to test other wrapper classes
+    protected string $wrapperClassName = '\SimpleSAML\Test\Module\sqlauth\Auth\Source\PasswordVerifyWrapper';
+
     /** @var array<string, string> */
     private array $info = ['AuthId' => 'testAuthId'];
 
@@ -83,7 +86,7 @@ public function testBasicSingleSuccess(): void
     {
         // Correct username/password
         $this->config['query'] = "select givenName, email, passwordhash from users where uid=:username";
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('bob', 'password1');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('bob', 'password1');
         asort($ret);
         $this->assertCount(2, $ret);
         $this->assertEquals($ret, [
@@ -98,7 +101,7 @@ public function testBasicSingleFailedLogin(): void
         $this->expectException(\SimpleSAML\Error\Error::class);
         // Wrong username/password
         $this->config['query'] = "select givenName, email, passwordhash from users where uid=:username";
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('alice', 'wrong');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('alice', 'wrong');
         $this->assertCount(0, $ret);
     }
 
@@ -107,7 +110,7 @@ public function testBasicSingleFailedLoginNonExisting(): void
         $this->expectException(\SimpleSAML\Error\Error::class);
         // Wrong username/password
         $this->config['query'] = "select givenName, email, passwordhash from users where uid=:username";
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('henry', 'boo');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('henry', 'boo');
         $this->assertCount(0, $ret);
     }
 
@@ -117,7 +120,7 @@ public function testBasicSingleFailedLoginNonExistingNoPassword(): void
         $this->expectException(\SimpleSAML\Error\Error::class);
         // Wrong username/password
         $this->config['query'] = "select givenName, email, passwordhash from users where uid=:username";
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('alice2', '');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('alice2', '');
         $this->assertCount(0, $ret);
     }
 
@@ -129,7 +132,7 @@ public function testJoinSingleSuccess(): void
             select u.givenName, u.email, ug.groupname, passwordhash
             from users u left join usergroups ug on (u.uid=ug.uid)
             where u.uid=:username ";
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('bob', 'password1');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('bob', 'password1');
         asort($ret);
         asort($ret['groupname']);
         $this->assertCount(3, $ret);
@@ -148,7 +151,7 @@ public function testJoinSingleFailedLogin(): void
             select u.givenName, u.email, ug.groupname, passwordhash
             from users u left join usergroups ug on (u.uid=ug.uid)
             where u.uid=:username";
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('alice', 'wrong');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('alice', 'wrong');
         $this->assertCount(0, $ret);
     }
 
@@ -159,7 +162,7 @@ public function testMultiQuerySuccess(): void
             "select givenName, email, passwordhash from users where uid=:username",
             "select groupname from usergroups where uid=:username",
         ];
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('bob', 'password1');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('bob', 'password1');
         asort($ret);
         asort($ret['groupname']);
         $this->assertCount(3, $ret);
@@ -178,7 +181,7 @@ public function testMultiQueryFailedLogin(): void
             "select givenName, email, passwordhash from users where uid=:username",
             "select groupname from usergroups where uid=:username",
         ];
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('alice', 'wrong');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('alice', 'wrong');
         $this->assertCount(0, $ret);
     }
 
@@ -191,7 +194,7 @@ public function testMultiQuerySubsequentNoRowsSuccess(): void
             "select groupname from usergroups where uid=:username and groupname like '%nomatch%'",
             "select groupname from usergroups where uid=:username and groupname like 'stud%'",
         ];
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('bob', 'password1');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('bob', 'password1');
         asort($ret);
         asort($ret['groupname']);
         $this->assertCount(3, $ret);
@@ -210,7 +213,7 @@ public function testMultiQuerySubsequentAppendSuccess(): void
             "select groupname from usergroups where uid=:username and groupname like 'stud%'",
             "select groupname from usergroups where uid=:username and groupname like '%sers'",
         ];
-        $ret = (new PasswordVerifyWrapper($this->info, $this->config))->callLogin('bob', 'password1');
+        $ret = (new $this->wrapperClassName($this->info, $this->config))->callLogin('bob', 'password1');
         asort($ret);
         asort($ret['groupname']);
         $this->assertCount(3, $ret);