Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
0.00% |
0 / 22 |
|
0.00% |
0 / 2 |
CRAP | |
0.00% |
0 / 1 |
DisableOATHAuthForUser | |
0.00% |
0 / 16 |
|
0.00% |
0 / 2 |
30 | |
0.00% |
0 / 1 |
__construct | |
0.00% |
0 / 4 |
|
0.00% |
0 / 1 |
2 | |||
execute | |
0.00% |
0 / 12 |
|
0.00% |
0 / 1 |
20 |
1 | <?php |
2 | |
3 | use MediaWiki\Extension\OATHAuth\OATHAuthServices; |
4 | use MediaWiki\MediaWikiServices; |
5 | use MediaWiki\Session\SessionManager; |
6 | |
7 | if ( getenv( 'MW_INSTALL_PATH' ) ) { |
8 | $IP = getenv( 'MW_INSTALL_PATH' ); |
9 | } else { |
10 | $IP = __DIR__ . '/../../..'; |
11 | } |
12 | require_once "$IP/maintenance/Maintenance.php"; |
13 | |
14 | class DisableOATHAuthForUser extends Maintenance { |
15 | public function __construct() { |
16 | parent::__construct(); |
17 | $this->addDescription( 'Remove all two-factor authentication devices from a specific user' ); |
18 | $this->addArg( 'user', 'The username to remove 2FA devices from.' ); |
19 | $this->requireExtension( 'OATHAuth' ); |
20 | } |
21 | |
22 | public function execute() { |
23 | $username = $this->getArg( 0 ); |
24 | |
25 | $user = MediaWikiServices::getInstance()->getUserFactory() |
26 | ->newFromName( $username ); |
27 | if ( $user === null || $user->getId() === 0 ) { |
28 | $this->fatalError( "User $username doesn't exist!" ); |
29 | } |
30 | |
31 | $repo = OATHAuthServices::getInstance()->getUserRepository(); |
32 | $oathUser = $repo->findByUser( $user ); |
33 | if ( !$oathUser->isTwoFactorAuthEnabled() ) { |
34 | $this->fatalError( "User $username does not have two-factor authentication enabled!" ); |
35 | } |
36 | |
37 | $repo->removeAll( $oathUser, 'Maintenance script', false ); |
38 | // Kill all existing sessions. |
39 | // If this request to disable 2FA was social-engineered by an attacker, |
40 | // the legitimate user will hopefully log in again to the wiki, and notice that the second factor |
41 | // is missing or different, and alert the operators. |
42 | SessionManager::singleton()->invalidateSessionsForUser( $user ); |
43 | |
44 | $this->output( "Two-factor authentication disabled for $username.\n" ); |
45 | } |
46 | } |
47 | |
48 | $maintClass = DisableOATHAuthForUser::class; |
49 | require_once RUN_MAINTENANCE_IF_MAIN; |