From 419cdb5529b8e9fd95cf4a2ccedc346e1bad3fff Mon Sep 17 00:00:00 2001
From: Gunnstein Lye
Date: Fri, 12 Jun 2020 15:01:36 +0000
Subject: [PATCH] EZP-31682: Support Argon2 password hashes
---
 eZ/Publish/API/Repository/Values/User/User.php | 14 ++++++++++++++
 .../Repository/User/PasswordHashService.php | 18 ++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/eZ/Publish/API/Repository/Values/User/User.php b/eZ/Publish/API/Repository/Values/User/User.php
index ac97a7bc42..bfc2282313 100644
--- a/eZ/Publish/API/Repository/Values/User/User.php
+++ b/eZ/Publish/API/Repository/Values/User/User.php
@@ -30,9 +30,23 @@ abstract class User extends Content implements UserReference
 /** @var int Passwords hashed by PHPs default algorithm, which may change over time */
 const PASSWORD_HASH_PHP_DEFAULT = 7;
+ /** @var int Passwords in Argon2i */
+ const PASSWORD_HASH_ARGON2I = 8;
+
+ /** @var int Passwords in Argon2id */
+ const PASSWORD_HASH_ARGON2ID = 9;
+
 /** @var int Default password hash, used when none is specified, may change over time */
 const DEFAULT_PASSWORD_HASH = self::PASSWORD_HASH_PHP_DEFAULT;
+ /** @var int[] Password hash algoritms supported by PHP's password_hash() function, may change over time */
+ const PHP_PASSWORD_HASH_ALGORITHMS = [
+ self::PASSWORD_HASH_BCRYPT,
+ self::PASSWORD_HASH_PHP_DEFAULT,
+ self::PASSWORD_HASH_ARGON2I,
+ self::PASSWORD_HASH_ARGON2ID,
+ ];
+
 /**
 * User login.
 *
diff --git a/eZ/Publish/Core/Repository/User/PasswordHashService.php b/eZ/Publish/Core/Repository/User/PasswordHashService.php
index 308c55622a..760e8d9731 100644
--- a/eZ/Publish/Core/Repository/User/PasswordHashService.php
+++ b/eZ/Publish/Core/Repository/User/PasswordHashService.php
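Review bot: The docblocks on `PASSWORD_HASH_ARGON2I` and `PASSWORD_HASH_ARGON2ID` in User.php do not say that these hash types depend on how PHP was built, although `createPasswordHash()` in PasswordHashService.php rejects them when the matching `PASSWORD_ARGON2I` / `PASSWORD_ARGON2ID` constant is undefined. I would state that on the constants, e.g. `/** @var int Passwords in Argon2i; only usable when PHP defines PASSWORD_ARGON2I */`, and the same for Argon2id. The `PHP_PASSWORD_HASH_ALGORITHMS` docblock has a typo (`algoritms`) and could add that this list decides which stored hash types `isValidPassword()` hands to `password_verify()`. The class body starts and ends outside this hunk.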
@@ -40,6 +40,20 @@ public function createPasswordHash(string $password, ?int $hashType = null): str
 case User::PASSWORD_HASH_PHP_DEFAULT:
 return password_hash($password, PASSWORD_DEFAULT);
+ case User::PASSWORD_HASH_ARGON2I:
+ if (!defined('PASSWORD_ARGON2I')) {
+ throw new InvalidArgumentException('hashType', "Password hash algorithm 'PASSWORD_ARGON2I' is not compiled into PHP");
+ }
+
+ return password_hash($password, PASSWORD_ARGON2I);
+
+ case User::PASSWORD_HASH_ARGON2ID:
+ if (!defined('PASSWORD_ARGON2ID')) {
+ throw new InvalidArgumentException('hashType', "Password hash algorithm 'PASSWORD_ARGON2ID' is not compiled into PHP");
+ }
+
+ return password_hash($password, PASSWORD_ARGON2ID);
+
 default:
 throw new InvalidArgumentException('hashType', "Password hash type '$hashType' is not recognized");
 }
@@ -47,8 +61,8 @@ public function createPasswordHash(string $password, ?int $hashType = null): str
 public function isValidPassword(string $plainPassword, string $passwordHash, ?int $hashType = null): bool
 {
- if ($hashType === User::PASSWORD_HASH_BCRYPT || $hashType === User::PASSWORD_HASH_PHP_DEFAULT) {
- // In case of bcrypt let php's password functionality do it's magic
+ if (in_array($hashType, User::PHP_PASSWORD_HASH_ALGORITHMS, true)) {
+ // Let php's password functionality do it's magic
 return password_verify($plainPassword, $passwordHash);
 }
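Review bot: Both new Argon2 branches in `createPasswordHash()` return the result of `password_hash()` unchecked, while the method appears to declare a `string` return (the signature is cut off at `str` in the hunk header). On PHP 7.x `password_hash()` returns `false` on failure, and the memory Argon2 needs makes that less theoretical than for bcrypt. Depending on whether the file enables strict types, which is not visible here, that `false` either raises a TypeError or is coerced to an empty string that would then be stored as the hash. I would write `$hash = password_hash($password, PASSWORD_ARGON2I);`, then `if ($hash === false) { throw new \RuntimeException('Argon2i hashing failed'); }` and `return $hash;`, likewise for Argon2id. The bcrypt and default branches follow the same pattern, and the method starts and ends outside this hunk.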
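Review bot: The new comment in `isValidPassword()` does not mention that `password_verify()` takes the algorithm from the stored hash itself, so an Argon2 hash can only be verified on a PHP build that has Argon2. On a build without it the call should simply return false, which is indistinguishable from a wrong password, whereas the create path throws an explicit error for the same condition. I would at least document that: `// password_verify() reads the algorithm from the hash; Argon2 hashes need a PHP build with Argon2 support`. The comment also has `it's` where `its` is meant. The rest of the method, including the handling of other hash types, is outside this hunk.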