Use new symfony authenticator mechanism

- Add auth success listener to initialize legacy session
- Add password encoder to support legacy style encoding
- Add xsrf-token check to json_login
- enable authenticator_manager

config/core_services.yaml

@@ -136,6 +136,17 @@ services:
   App\Engine\Service\Extensions\ExtensionAssetCacheWarmupDecorator:
     decorates: 'cache_warmer'
 
+  security.authenticator.json_login:
+    class: App\Security\AppJsonLoginAuthenticator
+    abstract: true
+    arguments:
+      - '@security.http_utils'
+      - !abstract user provider
+      - !abstract authentication success handler
+      - !abstract authentication failure handler
+      - !abstract options
+      - '@?property_accessor'
+
   App\Security\LegacySessionLogoutHandler:
     tags:
       - name: 'kernel.event_listener'

config/packages/security.yaml

@@ -1,7 +1,11 @@
 security:
+  enable_authenticator_manager: true
+
   encoders:
+    app_encoder:
+      id: App\Security\LegacyPasswordEncoder
     App\Module\Users\Entity\User:
-      algorithm: auto
+      id: App\Security\LegacyPasswordEncoder
 
   providers:
     app_user_provider:
@@ -27,6 +31,7 @@ security:
 
   # Note: Only the *first* access control that matches will be used
   access_control:
+    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
     - { path: ^/session-status$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
     - { path: ^/logout$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
     - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }

core/backend/Security/AppJsonLoginAuthenticator.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2022 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+namespace App\Security;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Http\Authenticator\JsonLoginAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+
+class AppJsonLoginAuthenticator extends JsonLoginAuthenticator
+{
+    /**
+     * @param Request $request
+     * @return PassportInterface
+     */
+    public function authenticate(Request $request): PassportInterface
+    {
+        $passport = parent::authenticate($request);
+
+        $csrfToken = $request->headers->get('x-xsrf-token');
+        $passport->addBadge(new CsrfTokenBadge('angular', $csrfToken));
+
+        return $passport;
+    }
+}

core/backend/Security/LegacyPasswordEncoder.php

@@ -0,0 +1,89 @@
+<?php
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2022 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+namespace App\Security;
+
+use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
+class LegacyPasswordEncoder extends BasePasswordEncoder
+{
+
+    /**
+     * @inheritDoc
+     */
+    public function encodePassword($raw, $salt): string
+    {
+        if ($this->isPasswordTooLong($raw)) {
+            throw new BadCredentialsException('Invalid password.');
+        }
+
+        return password_hash(strtolower(md5($raw)), PASSWORD_DEFAULT);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function isPasswordValid($encoded, $raw, $salt): bool
+    {
+        if ($this->isPasswordTooLong($raw)) {
+            return false;
+        }
+
+        $userHash = $encoded;
+        $password = (md5($raw));
+
+        $valid = self::checkPasswordMD5($password, $userHash);
+
+        if ($valid) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Check that md5-encoded password matches existing hash
+     * @param string $passwordMd5 MD5-encoded password
+     * @param string $userHash DB hash
+     * @return bool Match or not?
+     */
+    public static function checkPasswordMD5(string $passwordMd5, string $userHash): bool
+    {
+        if (empty($userHash)) {
+            return false;
+        }
+
+        if ($userHash[0] !== '$' && strlen($userHash) === 32) {
+            $valid = strtolower($passwordMd5) === $userHash;
+        } else {
+            $valid = password_verify(strtolower($passwordMd5), $userHash);
+        }
+
+        return $valid;
+    }
+}

core/backend/Security/LoginSuccessEventListener.php

@@ -0,0 +1,69 @@
+<?php
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2022 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+namespace App\Security;
+
+use App\Authentication\LegacyHandler\Authentication;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
+use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+
+class LoginSuccessEventListener implements EventSubscriberInterface
+{
+
+    /**
+     * @var Authentication
+     */
+    private $authentication;
+
+    public function __construct(Authentication $authentication)
+    {
+        $this->authentication = $authentication;
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            LoginSuccessEvent::class => 'onLoginSuccess',
+        ];
+    }
+
+    public function onLoginSuccess(LoginSuccessEvent $event): void
+    {
+        if (null === $this->authentication) {
+            return;
+        }
+
+        $user = $event->getUser();
+
+        $result = $this->authentication->initLegacyUserSession($user->getUsername());
+
+        if ($result === false) {
+            throw new CustomUserMessageAuthenticationException('Authentication: Invalid login credentials');
+        }
+    }
+}