authorMarc Alexander <admin@m-a-styles.de>2017-05-05 20:52:21 -0400
committerMarc Alexander <admin@m-a-styles.de>2017-05-05 20:52:21 -0400
commit18fe3b28330a234ef8a2c1a244b61ec2af1bb294 (patch)
tree53486cc25170c3d1108919df47aea8e088a4ab7d
parentMerge pull request #4815 from kasimi/ticket/15187 (diff)
[ticket/15219] Update hashes to bcrypt with cron
PHPBB3-15219
-rw-r--r--phpBB/config/cron.yml14
-rw-r--r--phpBB/config/password.yml7
-rw-r--r--phpBB/phpbb/cron/task/core/update_hashes.php130
-rw-r--r--phpBB/phpbb/db/migration/data/v31x/update_hashes.php33
4 files changed, 184 insertions, 0 deletions
diff --git a/phpBB/config/cron.yml b/phpBB/config/cron.yml
index c5b88df181..dc628b43ff 100644
--- a/phpBB/config/cron.yml
+++ b/phpBB/config/cron.yml
@@ -146,3 +146,17 @@ services:
- [set_name, [cron.task.core.tidy_warnings]]
tags:
- { name: cron.task }
+
+ cron.task.core.update_hashes:
+ class: phpbb\cron\task\core\update_hashes
+ arguments:
+ - @config
+ - @dbal.conn
+ - @passwords.update.lock
+ - @passwords.manager
+ - @passwords.driver_collection
+ - %passwords.algorithms%
+ calls:
+ - [set_name, [cron.task.core.update_hashes]]
+ tags:
+ - { name: cron.task }
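Review bot: The service references added here are written as bare scalars (`- @config`, `- @dbal.conn`, `- %passwords.algorithms%`), while the `passwords.update.lock` definition added to password.yml in this same commit quotes them (`- '@config'`). A leading `@` is a reserved indicator in YAML, so the quoted form is the portable one. I would quote the six arguments here as well, e.g. `- '@passwords.update.lock'` and `- '%passwords.algorithms%'`, so both new definitions parse the same way under a stricter YAML parser.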
diff --git a/phpBB/config/password.yml b/phpBB/config/password.yml
index cb45ec3d42..938cef7e16 100644
--- a/phpBB/config/password.yml
+++ b/phpBB/config/password.yml
@@ -122,3 +122,10 @@ services:
- @passwords.driver_helper
tags:
- { name: passwords.driver }
+
+ passwords.update.lock:
+ class: phpbb\lock\db
+ arguments:
+ - update_hashes_lock
+ - '@config'
+ - '@dbal.conn'
diff --git a/phpBB/phpbb/cron/task/core/update_hashes.php b/phpBB/phpbb/cron/task/core/update_hashes.php
new file mode 100644
index 0000000000..458853f2fd
--- /dev/null
+++ b/phpBB/phpbb/cron/task/core/update_hashes.php
@@ -0,0 +1,130 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\cron\task\core;
+
+/**
+ * Update old hashes to the current default hashing algorithm
+ *
+ * It is intended to gradually update all "old" style hashes to the
+ * current default hashing algorithm.
+ */
+class update_hashes extends \phpbb\cron\task\base
+{
+ /** @var \phpbb\config\config */
+ protected $config;
+
+ /** @var \phpbb\db\driver\driver_interface */
+ protected $db;
+
+ /** @var \phpbb\lock\db */
+ protected $update_lock;
+
+ /** @var \phpbb\passwords\manager */
+ protected $passwords_manager;
+
+ /** @var string Default hashing type */
+ protected $default_type;
+
+ /**
+ * Constructor.
+ *
+ * @param \phpbb\config\config $config
+ * @param \phpbb\db\driver\driver_interface $db
+ * @param \phpbb\lock\db $update_lock
+ * @param \phpbb\passwords\manager $passwords_manager
+ * @param array $hashing_algorithms Hashing driver
+ * service collection
+ * @param array $defaults Default password types
+ */
+ public function __construct(\phpbb\config\config $config, \phpbb\db\driver\driver_interface $db, \phpbb\lock\db $update_lock, \phpbb\passwords\manager $passwords_manager, $hashing_algorithms, $defaults)
+ {
+ $this->config = $config;
+ $this->db = $db;
+ $this->passwords_manager = $passwords_manager;
+ $this->update_lock = $update_lock;
+
+ foreach ($defaults as $type)
+ {
+ if ($hashing_algorithms[$type]->is_supported())
+ {
+ $this->default_type = $type;
+ break;
+ }
+ }
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_runnable()
+ {
+ return !$this->config['use_system_cron'];
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function should_run()
+ {
+ if (!empty($this->config['update_hashes_lock']))
+ {
+ $last_run = explode(' ', $this->config['update_hashes_lock']);
+ if ($last_run[0] + 60 >= time())
+ {
+ return false;
+ }
+ }
+
+ return $this->config['enable_update_hashes'] && $this->config['update_hashes_last_cron'] < (time() - 60);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function run()
+ {
+ if ($this->update_lock->acquire())
+ {
+ $sql = 'SELECT user_id, user_password
+ FROM ' . USERS_TABLE . '
+ WHERE user_password ' . $this->db->sql_like_expression('$H$' . $this->db->get_any_char()) . '
+ OR user_password ' . $this->db->sql_like_expression('$CP$' . $this->db->get_any_char());
+ $result = $this->db->sql_query_limit($sql, 20);
+
+ $affected_rows = 0;
+
+ while ($row = $this->db->sql_fetchrow($result))
+ {
+ $new_hash = $this->passwords_manager->hash($row['user_password'], array($this->default_type));
+
+ // Increase number so we know that users were selected from the database
+ $affected_rows++;
+
+ $sql = 'UPDATE ' . USERS_TABLE . '
+ SET user_password = "' . $this->db->sql_escape($new_hash) . '"
+ WHERE user_id = ' . (int)$row['user_id'];
+ $this->db->sql_query($sql);
+ }
+
+ $this->config->set('update_hashes_last_cron', time());
+ $this->update_lock->release();
+
+ // Stop cron for good once all hashes are converted
+ if ($affected_rows === 0)
+ {
+ $this->config->set('enable_update_hashes', '0');
+ }
+ }
+ }
+}
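Review bot: The UPDATE in run() delimits the new hash with double quotes (`SET user_password = "' . $this->db->sql_escape($new_hash) . '"`). Standard SQL, and PostgreSQL in particular, read a double-quoted token as an identifier rather than a string literal, so the conversion may fail or be misread on backends other than MySQL in its default mode. Build the statement in a double-quoted PHP string and use single quotes for the value: `SET user_password = '" . $this->db->sql_escape($new_hash) . "'`. The result of `$this->passwords_manager->hash()` is also written back unchecked; if it can return false or an empty string (not visible in this hunk), the row would lose its stored credential, so skip the UPDATE unless `$new_hash` is a non-empty string. Finally, `$this->default_type` stays unset when no entry of `$defaults` reports `is_supported()` in the constructor, so run() would hash with `array(null)`; have should_run() return false in that case.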
diff --git a/phpBB/phpbb/db/migration/data/v31x/update_hashes.php b/phpBB/phpbb/db/migration/data/v31x/update_hashes.php
new file mode 100644
index 0000000000..aa83c3ffbf
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/update_hashes.php
@@ -0,0 +1,33 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+namespace phpbb\db\migration\data\v31x;
+
+class update_hashes extends \phpbb\db\migration\migration
+{
+ static public function depends_on()
+ {
+ return array(
+ '\phpbb\db\migration\data\v31x\v3110',
+ );
+ }
+
+ public function update_data()
+ {
+ return array(
+ array('config.add', array('enable_update_hashes', '1')),
+ array('config.add', array('update_hashes_lock', '')),
+ array('config.add', array('update_hashes_last_cron', '0'))
+ );
+ }
+}