forked from rebillar/site-accueil-insa
		
	
		
			
				
	
	
		
			120 lines
		
	
	
	
		
			3.4 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			120 lines
		
	
	
	
		
			3.4 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <?php
 | |
| /**
 | |
|  * Matomo - free/libre analytics platform
 | |
|  *
 | |
|  * @link https://matomo.org
 | |
|  * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
 | |
|  */
 | |
| 
 | |
| namespace Piwik\Auth;
 | |
| 
 | |
| use Exception;
 | |
| use Piwik\Config;
 | |
| 
 | |
| /**
 | |
|  * Main class to handle actions related to password hashing and verification.
 | |
|  *
 | |
|  * @api
 | |
|  */
 | |
| class Password
 | |
| {
 | |
|     /**
 | |
|      * Choose the used algorithm for password_hash depending on the config option
 | |
|      *
 | |
|      * @return string|int depending on PHP version
 | |
|      * @throws Exception
 | |
|      */
 | |
|     private function preferredAlgorithm()
 | |
|     {
 | |
|         $passwordHashAlgorithm = Config::getInstance()->General['password_hash_algorithm'];
 | |
|         switch ($passwordHashAlgorithm) {
 | |
|             case "default":
 | |
|                 return PASSWORD_DEFAULT;
 | |
|             case "bcrypt":
 | |
|                 return PASSWORD_BCRYPT;
 | |
|             case "argon2i":
 | |
|                 return PASSWORD_ARGON2I;
 | |
|             case "argon2id":
 | |
|                 if (version_compare(PHP_VERSION, '7.3.0', '<')) {
 | |
|                     throw new Exception("argon2id needs at leat PHP 7.3.0");
 | |
|                 }
 | |
|                 return PASSWORD_ARGON2ID;
 | |
|             default:
 | |
|                 throw new Exception("invalid password_hash_algorithm");
 | |
|         }
 | |
|     }
 | |
| 
 | |
|     /**
 | |
|      * Fetches argon2 options from config.ini.php
 | |
|      *
 | |
|      * @return array
 | |
|      */
 | |
|     private function algorithmOptions()
 | |
|     {
 | |
|         $options = [];
 | |
|         $generalConfig = Config::getInstance()->General;
 | |
|         if ($generalConfig["password_hash_argon2_threads"] != "default") {
 | |
|             $options["threads"] = max($generalConfig["password_hash_argon2_threads"], 1);
 | |
|         }
 | |
|         if ($generalConfig["password_hash_argon2_memory_cost"] != "default") {
 | |
|             $options["memory_cost"] = max($generalConfig["password_hash_argon2_memory_cost"], 8 * $options["threads"]);
 | |
|         }
 | |
|         if ($generalConfig["password_hash_argon2_time_cost"] != "default") {
 | |
|             $options["time_cost"] = max($generalConfig["password_hash_argon2_time_cost"], 1);
 | |
|         }
 | |
|         return $options;
 | |
|     }
 | |
| 
 | |
|     /**
 | |
|      * Hashes a password with the configured algorithm.
 | |
|      *
 | |
|      * @param string $password
 | |
|      * @return string
 | |
|      */
 | |
|     public function hash($password)
 | |
|     {
 | |
|         return password_hash($password, $this->preferredAlgorithm(), $this->algorithmOptions());
 | |
|     }
 | |
| 
 | |
|     /**
 | |
|      * Returns information about a hashed password (algo, options, ...).
 | |
|      *
 | |
|      * Can be used to verify whether a string is compatible with password_hash().
 | |
|      *
 | |
|      * @param string
 | |
|      * @return array
 | |
|      */
 | |
|     public function info($hash)
 | |
|     {
 | |
|         return password_get_info($hash);
 | |
|     }
 | |
| 
 | |
|     /**
 | |
|      * Rehashes a user's password if necessary.
 | |
|      *
 | |
|      * This method expects the password to be pre-hashed by
 | |
|      * \Piwik\Plugins\UsersManager\UsersManager::getPasswordHash().
 | |
|      *
 | |
|      * @param string $hash
 | |
|      * @return boolean
 | |
|      */
 | |
|     public function needsRehash($hash)
 | |
|     {
 | |
|         return password_needs_rehash($hash, $this->preferredAlgorithm(), $this->algorithmOptions());
 | |
|     }
 | |
| 
 | |
|     /**
 | |
|      * Verifies a user's password against the provided hash.
 | |
|      *
 | |
|      * This method expects the password to be pre-hashed by
 | |
|      * \Piwik\Plugins\UsersManager\UsersManager::getPasswordHash().
 | |
|      *
 | |
|      * @param string $password
 | |
|      * @param string $hash
 | |
|      * @return boolean
 | |
|      */
 | |
|     public function verify($password, $hash)
 | |
|     {
 | |
|         return password_verify($password, $hash);
 | |
|     }
 | |
| }
 |