From 8ec87eac76f1fe4f7684fa53e97860477f79ffc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=8A=A0=E8=97=A4=20=E6=9C=97?=
Date: Thu, 24 Oct 2024 12:53:45 +0900
Subject: [PATCH] =?UTF-8?q?fix=20#3882=20[=E8=A6=81=E6=9C=9B]baserCMS4?=
 =?UTF-8?q?=E7=B3=BB=E3=81=A7=E4=BD=BF=E7=94=A8=E3=81=97=E3=81=A6=E3=81=84?=
 =?UTF-8?q?=E3=81=9F=E3=81=A8=E3=81=8D=E3=81=AE=E3=83=91=E3=82=B9=E3=83=AF?=
 =?UTF-8?q?=E3=83=BC=E3=83=89=E3=81=8C=E5=BC=95=E3=81=8D=E7=B6=99=E3=81=92?=
 =?UTF-8?q?=E3=81=AA=E3=81=84=E5=95=8F=E9=A1=8C=E3=82=92=E8=A7=A3=E6=B1=BA?=
 =?UTF-8?q?=20(#3883)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: kato
Co-authored-by: ryuring
---
 config/.env.example                          |  3 +++
 plugins/baser-core/config/setting.php        |  5 +++++
 plugins/baser-core/src/BaserCorePlugin.php   | 21 ++++++++++++++++++-
 .../src/Controller/Admin/UsersController.php | 19 +++++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/config/.env.example b/config/.env.example
index 5bfbfe81a6..25ed90a638 100644
--- a/config/.env.example
+++ b/config/.env.example
@@ -34,6 +34,9 @@ export USE_CORE_ADMIN_API="false"
 export SHOW_TEST_METHOD="false"
 ## プロキシサーバーを利用するかどうか(SSL判定に利用)
 export TRUST_PROXY="false"
+## 4系のパスワード暗号化を使用する場合は下記のコメントアウトを外し4系で利用していたセキュリティーソルトを設定する
+# export HASH_TYPE="sha1"
+# export SECURITY_SALT=""
 
 # Uncomment these to define cache configuration via environment variables.
 #export CACHE_DURATION="+2 minutes"
diff --git a/plugins/baser-core/config/setting.php b/plugins/baser-core/config/setting.php
index 815c30318d..857c6cd3d2 100644
--- a/plugins/baser-core/config/setting.php
+++ b/plugins/baser-core/config/setting.php
@@ -327,6 +327,11 @@
      */
     'twoFactorAuthenticationCodeAllowTime' => 10,
 
+    /**
+     * 4系のパスワードでログインする際に、新しいハッシュアルゴリズムでハッシュ化するかどうか
+     */
+    'needsPasswordRehash' => true,
+
     /**
      * エディタ
      */
diff --git a/plugins/baser-core/src/BaserCorePlugin.php b/plugins/baser-core/src/BaserCorePlugin.php
index 60bcfcd6d0..703f272e07 100644
--- a/plugins/baser-core/src/BaserCorePlugin.php
+++ b/plugins/baser-core/src/BaserCorePlugin.php
@@ -43,7 +43,6 @@
 use Cake\Database\Exception\MissingConnectionException;
 use Cake\Event\EventManager;
 use Cake\Http\Middleware\CsrfProtectionMiddleware;
-use Cake\Http\Middleware\HttpsEnforcerMiddleware;
 use Cake\Http\MiddlewareQueue;
 use Cake\Http\ServerRequestFactory;
 use Cake\I18n\I18n;
@@ -436,6 +435,25 @@ public function setupSessionAuth(AuthenticationService $service, array $authSett
             ],
             'loginUrl' => Router::url($authSetting['loginAction']),
         ]);
+
+        $passwordHasher = null;
+        if(!empty($authSetting['passwordHasher'])) {
+            $passwordHasher = $authSetting['passwordHasher'];
+        } elseif(env('HASH_TYPE') === 'sha1') {
+            // .env に HASH_TYPE で sha1が設定されている場合 4系のハッシュアルゴリズムを使用
+            $passwordHasher = [
+                'className' => 'Authentication.Fallback',
+                'hashers' => [
+                    'Authentication.Default',
+                    [
+                        'className' => 'Authentication.Legacy',
+                        'hashType' => 'sha1',
+                        'salt' => true
+                    ]
+                ]
+            ];
+        }
+
         $service->loadIdentifier('Authentication.Password', [
             'fields' => [
                 'username' => $authSetting['username'],
@@ -446,6 +464,7 @@ public function setupSessionAuth(AuthenticationService $service, array $authSett
                 'userModel' => $authSetting['userModel'],
                 'finder' => $authSetting['finder']?? 'available'
             ],
+            'passwordHasher' => $passwordHasher
         ]);
         return $service;
     }
diff --git a/plugins/baser-core/src/Controller/Admin/UsersController.php b/plugins/baser-core/src/Controller/Admin/UsersController.php
index ea04c33523..7a0f0a320b 100644
--- a/plugins/baser-core/src/Controller/Admin/UsersController.php
+++ b/plugins/baser-core/src/Controller/Admin/UsersController.php
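Review bot: The branch at `} elseif(env('HASH_TYPE') === 'sha1') {` keeps the sha1 fallback hasher active on every login for as long as HASH_TYPE stays in .env, and `'salt' => true` makes those legacy comparisons depend on the application salt being byte-identical to the baserCMS 4 one, which nothing in this code validates — a mismatched SECURITY_SALT simply makes every legacy login fail as a wrong password, with no hint why. A comment at that line should state both constraints, e.g. `// Legacy sha1 check requires SECURITY_SALT to equal the baserCMS 4 salt; remove HASH_TYPE from .env once all users have logged in and been rehashed`. Listing `'Authentication.Default'` first under `'hashers'` is, as far as I recall, what lets the Fallback hasher report `needsRehash()` for sha1 values, so the order should be commented as deliberate rather than left to look incidental. `'passwordHasher' => $passwordHasher` hands `null` to the identifier when neither source is set, which I believe the Password identifier treats as "use the default hasher", but that is worth confirming rather than relying on; and `if(` / `elseif(` are missing the PSR-12 space. setupSessionAuth begins before this hunk.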
@@ -89,6 +89,25 @@ public function login(UsersAdminServiceInterface $service)
                 $this->response = $service->setCookieAutoLoginKey($this->response, $user->id);
             }
             $this->BcMessage->setInfo(__d('baser_core', 'ようこそ、{0}さん。', $user->getDisplayName()));
+
+            // baserCMS4系のパスワードでログインした場合、新しいハッシュアルゴリズムでパスワードをハッシュし直す
+            if (Configure::read('BcApp.needsPasswordRehash') &&
+                $this->request->getAttribute('authentication')
+                    ->identifiers()
+                    ->get('Password')
+                    ->needsPasswordRehash()
+            ) {
+                try {
+                    $password = $this->getRequest()->getData('password');
+                    $service->update($user, [
+                        'password_1' => $password,
+                        'password_2' => $password
+                    ]);
+                } catch (PersistenceFailedException) {
+                    // バリデーションでパスワードの更新に失敗した場合はスルーする
+                }
+            }
+
             return $this->redirect($target);
         } else {
             $this->BcMessage->setError(__d('baser_core', 'Eメール、または、パスワードが間違っています。'));
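Review bot: `} catch (PersistenceFailedException) {` is added without a matching `use` line — the diffstat shows 19 insertions in this file and they are all in this hunk — so unless `Cake\ORM\Exception\PersistenceFailedException` is already imported at the top of the file (outside the hunk), the bare name resolves relative to the controller's namespace, the catch never matches, and a failed rehash turns a successful login into an uncaught exception; the same check applies to `Configure`. The empty catch also hides the failure completely: a user whose sha1 password cannot be re-hashed keeps authenticating through the weaker fallback indefinitely with nothing in the logs, so at least record it, e.g. `$this->log(sprintf('Password rehash failed for user %s', $user->id), 'warning');`. The chain `->identifiers()->get('Password')->needsPasswordRehash()` assumes the Password identifier is loaded on this request; in this branch that is presumably guaranteed by setupSessionAuth, but `?->` on `get('Password')` would make the assumption explicit and cheap. login() starts before and continues after the hunk.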