Code Coverage
 
Lines
Functions and Methods
Classes and Traits
Total
87.50% covered (warning)
87.50%
42 / 48
66.67% covered (warning)
66.67%
4 / 6
CRAP
0.00% covered (danger)
0.00%
0 / 1
AntiSpoofPreAuthenticationProvider
87.50% covered (warning)
87.50%
42 / 48
66.67% covered (warning)
66.67%
4 / 6
25.12
0.00% covered (danger)
0.00%
0 / 1
 __construct
100.00% covered (success)
100.00%
3 / 3
100.00% covered (success)
100.00%
1 / 1
1
 getAuthenticationRequests
100.00% covered (success)
100.00%
6 / 6
100.00% covered (success)
100.00%
1 / 1
5
 testForAccountCreation
100.00% covered (success)
100.00%
3 / 3
100.00% covered (success)
100.00%
1 / 1
3
 testUserInternal
100.00% covered (success)
100.00%
30 / 30
100.00% covered (success)
100.00%
1 / 1
9
 testUserForCreation
0.00% covered (danger)
0.00%
0 / 5
0.00% covered (danger)
0.00%
0 / 1
30
 getSpoofUser
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
2
1<?php
2/**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
17 */
18
19namespace MediaWiki\Extension\AntiSpoof;
20
21use Html;
22use MediaWiki\Auth\AbstractPreAuthenticationProvider;
23use MediaWiki\Auth\AuthenticationRequest;
24use MediaWiki\Auth\AuthManager;
25use MediaWiki\Permissions\PermissionManager;
26use MediaWiki\User\UserIdentity;
27use Psr\Log\LoggerInterface;
28use Psr\Log\NullLogger;
29use RawMessage;
30use RequestContext;
31use StatusValue;
32use User;
33
34class AntiSpoofPreAuthenticationProvider extends AbstractPreAuthenticationProvider {
35    /** @var bool False effectively disables this provider, but spoofed names will still be logged. */
36    protected $antiSpoofAccounts;
37
38    /** @var PermissionManager */
39    private $permissionManager;
40
41    /**
42     * @param PermissionManager $permissionManager
43     * @param array $params Options:
44     * - antiSpoofAccounts: (bool) stop spoofed accounts from being created. When false, only log.
45     */
46    public function __construct( PermissionManager $permissionManager, array $params = [] ) {
47        global $wgAntiSpoofAccounts;
48
49        $params += [ 'antiSpoofAccounts' => $wgAntiSpoofAccounts ];
50
51        $this->antiSpoofAccounts = $params['antiSpoofAccounts'];
52        $this->permissionManager = $permissionManager;
53    }
54
55    /** @inheritDoc */
56    public function getAuthenticationRequests( $action, array $options ) {
57        $needed = false;
58        switch ( $action ) {
59            case AuthManager::ACTION_CREATE:
60                $user = User::newFromName( $options['username'] ) ?: new User();
61                $needed = $this->antiSpoofAccounts
62                    && $this->permissionManager->userHasAnyRight( $user, 'override-antispoof' );
63                break;
64        }
65
66        return $needed ? [ new AntiSpoofAuthenticationRequest() ] : [];
67    }
68
69    /** @inheritDoc */
70    public function testForAccountCreation( $user, $creator, array $reqs ) {
71        /** @var AntiSpoofAuthenticationRequest $req */
72        $req = AuthenticationRequest::getRequestByClass( $reqs, AntiSpoofAuthenticationRequest::class );
73        $override = $req && $req->ignoreAntiSpoof && $creator->isAllowed( 'override-antispoof' );
74
75        return $this->testUserInternal( $user, $override, $this->logger );
76    }
77
78    /**
79     * @param UserIdentity $user
80     * @param bool $override
81     * @param LoggerInterface $logger
82     * @return StatusValue
83     */
84    private function testUserInternal( UserIdentity $user, $override, LoggerInterface $logger ) {
85        $spoofUser = $this->getSpoofUser( $user );
86        $mode = !$this->antiSpoofAccounts ? 'LOGGING ' : ( $override ? 'OVERRIDE ' : '' );
87        $active = $this->antiSpoofAccounts && !$override;
88
89        if ( $spoofUser->isLegal() ) {
90            $normalized = $spoofUser->getNormalized();
91            $conflicts = $spoofUser->getConflicts();
92            if ( empty( $conflicts ) ) {
93                $logger->debug( "{mode}PASS new account '{name}' [{normalized}]", [
94                    'mode' => $mode,
95                    'name' => $user->getName(),
96                    'normalized' => $normalized,
97                ] );
98            } else {
99                $logger->info( "{mode}CONFLICT new account '{name}' [{normalized}] spoofs {spoofs}", [
100                    'mode' => $mode,
101                    'name' => $user->getName(),
102                    'normalized' => $normalized,
103                    'spoofs' => $conflicts,
104                ] );
105                if ( $active ) {
106                    $cnt = count( $conflicts );
107                    $list = '';
108                    foreach ( $conflicts as $simUser ) {
109                        $list .= Html::element( 'li', [],
110                            wfMessage( 'antispoof-conflict-item', $simUser )->text()
111                        );
112                    }
113                    $list = Html::rawElement( 'ul', [], $list );
114
115                    $message = new RawMessage( '$1$2$3', [
116                        wfMessage( 'antispoof-conflict-top', $user->getName() )->numParams( $cnt ),
117                        $list,
118                        wfMessage( 'antispoof-conflict-bottom' )
119                    ] );
120                    return StatusValue::newFatal( $message );
121                }
122            }
123        } else {
124            $error = $spoofUser->getErrorStatus();
125            $logger->info( "{mode}ILLEGAL new account '{name}' {error}", [
126                'mode' => $mode,
127                'name' => $user->getName(),
128                'error' => $error->getMessage( false, false, 'en' )->text(),
129            ] );
130            if ( $active ) {
131                return StatusValue::newFatal( 'antispoof-name-illegal', $user->getName(),
132                    $error->getMessage() );
133            }
134        }
135        return StatusValue::newGood();
136    }
137
138    /** @inheritDoc */
139    public function testUserForCreation( $user, $autocreate, array $options = [] ) {
140        $sv = StatusValue::newGood();
141
142        // For "cancreate" checks via the API, test if the current user could
143        // create the username.
144        if ( $this->antiSpoofAccounts && !$autocreate && empty( $options['creating'] ) &&
145            !$this->permissionManager->userHasAnyRight( RequestContext::getMain()->getUser(), 'override-antispoof' )
146        ) {
147            $sv->merge( $this->testUserInternal( $user, false, new NullLogger ) );
148        }
149
150        return $sv;
151    }
152
153    /**
154     * @param UserIdentity $user
155     * @return SpoofUser
156     */
157    protected function getSpoofUser( UserIdentity $user ) {
158        return new SpoofUser( $user->getName() );
159    }
160}