[Config] Add password algorithm selector

[skarya22]

Brief summary of changes

• In CCNA, we use PASSWORD_ARGON2I rather than PASSWORD_DEFAULT
• This PR adds an option to change which php password algorithm to use so that projects do not need an override in-order to change it.
• It defaults to PASSWORD_DEFAULT which is what it was set to before.
  

Testing instructions (if applicable)

1. Try changing the password hash in config, and then setting a new password.
2. See that you can still login

[driusan]

Could you use https://www.php.net/manual/en/function.password-algos.php (and add a "Default" option)

I'm not really sure what the point of having the blank option here is.

[skarya22]

That function doesn't output usable strings for the password_hash function unfortunately. It gives values such as: '2y','argon2i, 'argon2id', but password_hash uses, 'PASSWORD_DEFAULT','PASSWORD_BCRYPT', 'PASSWORD_ARGON2I', and 'PASSWORD_ARGON2ID'

I will remove the blank option though. It was just there in-case somehow a non-usable value was saved so it doesn't show PASSWORD_DEFAULT instead. But it probably just makes it confusing

[driusan]

PASSWORD_DEFAULT/PASSWORD_BCRYPT/etc are just built in constants with those values.

$ php -a
Interactive shell

php > print PASSWORD_DEFAULT;
2y
php > print PASSWORD_ARGON2I;
argon2i
php > print_r(password_algos());
Array
(
    [0] => 2y
    [1] => argon2i
    [2] => argon2id
)
php > print password_hash('test', 'argon2i');
$argon2i$v=19$m=65536,t=4,p=1$WlBObVNleHU0RHVCMG9DTw$3jZ/HN8N4r6YERoJJbMGup/d8rebjUZ72lYZcbTsjno
php > 

[skarya22]

oh sweet, thanks!

[skarya22]

@kongtiaowang I can't seem to get the tests to work in the Password class due to the addition of a getSetting from the Config table in Password. How can I setup the mock table in the test to have a value for Config?

[kongtiaowang]

@skarya22 To facilitate unit testing, I made a minor change to the constructor of the Password class. This change has no side effects and is solely intended to make unit testing easier. Here is my modified code. https://github.com/kongtiaowang/Loris/pull/419/files#diff-bf291adaa689a3d54945b77732cec08369c6dcda853873f34019aaa00541470d
https://github.com/kongtiaowang/Loris/pull/419/files#diff-167ca151b2e71b96943a10cc6b5dfa1a573b681db2deea77cbae6ebb89cbaa00

[CamilleBeau]

Assigning @skarya22 to fix tests & @kongtiaowang to test :)

[skarya22]

@skarya22 To facilitate unit testing, I made a minor change to the constructor of the Password class. This change has no side effects and is solely intended to make unit testing easier. Here is my modified code. https://github.com/kongtiaowang/Loris/pull/419/files#diff-bf291adaa689a3d54945b77732cec08369c6dcda853873f34019aaa00541470d https://github.com/kongtiaowang/Loris/pull/419/files#diff-167ca151b2e71b96943a10cc6b5dfa1a573b681db2deea77cbae6ebb89cbaa00

@kongtiaowang thank you for this! Though I am not quite sure how to use this as it causes further errors :(
test/unittests/PasswordTest.php:174 PhanTypeMismatchArgument Argument 2 ($config) is $configMock of type \PHPUnit\Framework\MockObject\MockObject|\PHPUnit\Framework\MockObject\Stub but \Password::__construct() takes ?\NDB_Config defined at php/libraries/Password.class.inc:203

[skarya22]

@kongtiaowang nevermind, ready for review now :)

[driusan]

One of the main selling points of password_hash is that it's supposed to have sensible defaults that can be upgraded by PHP over time. I think in this case, you should use PASSWORD_DEFAULT (and that there should be an option to explicitly use the default from PHP.

[ridz1208]

@skarya22 lets discuss this today at the LORIS meeting