Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
93.28% |
111 / 119 |
|
71.43% |
5 / 7 |
CRAP | |
0.00% |
0 / 1 |
| PasswordReset | |
94.07% |
111 / 118 |
|
71.43% |
5 / 7 |
45.42 | |
0.00% |
0 / 1 |
| __construct | |
100.00% |
10 / 10 |
|
100.00% |
1 / 1 |
1 | |||
| isAllowed | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
| isEnabled | |
100.00% |
11 / 11 |
|
100.00% |
1 / 1 |
5 | |||
| computeIsAllowed | |
100.00% |
8 / 8 |
|
100.00% |
1 / 1 |
4 | |||
| execute | |
97.37% |
74 / 76 |
|
0.00% |
0 / 1 |
31 | |||
| isBlocked | |
100.00% |
2 / 2 |
|
100.00% |
1 / 1 |
2 | |||
| getUsersByEmail | |
0.00% |
0 / 5 |
|
0.00% |
0 / 1 |
2 | |||
| 1 | <?php |
| 2 | /** |
| 3 | * @license GPL-2.0-or-later |
| 4 | * @file |
| 5 | */ |
| 6 | |
| 7 | namespace MediaWiki\User; |
| 8 | |
| 9 | use Iterator; |
| 10 | use LogicException; |
| 11 | use MediaWiki\Auth\AuthManager; |
| 12 | use MediaWiki\Auth\TemporaryPasswordAuthenticationRequest; |
| 13 | use MediaWiki\Config\ServiceOptions; |
| 14 | use MediaWiki\Deferred\DeferredUpdates; |
| 15 | use MediaWiki\Deferred\SendPasswordResetEmailUpdate; |
| 16 | use MediaWiki\HookContainer\HookContainer; |
| 17 | use MediaWiki\HookContainer\HookRunner; |
| 18 | use MediaWiki\MainConfigNames; |
| 19 | use MediaWiki\Message\Message; |
| 20 | use MediaWiki\Parser\Sanitizer; |
| 21 | use MediaWiki\User\Options\UserOptionsLookup; |
| 22 | use Psr\Log\LoggerAwareInterface; |
| 23 | use Psr\Log\LoggerAwareTrait; |
| 24 | use Psr\Log\LoggerInterface; |
| 25 | use StatusValue; |
| 26 | use Wikimedia\MapCacheLRU\MapCacheLRU; |
| 27 | |
| 28 | /** |
| 29 | * Password reset helper for functionality shared by the web UI and the API. |
| 30 | * |
| 31 | * Requires the TemporaryPasswordPrimaryAuthenticationProvider and the |
| 32 | * EmailNotificationSecondaryAuthenticationProvider (or something providing equivalent |
| 33 | * functionality) to be enabled. |
| 34 | */ |
| 35 | class PasswordReset implements LoggerAwareInterface { |
| 36 | use LoggerAwareTrait; |
| 37 | |
| 38 | private ServiceOptions $config; |
| 39 | private AuthManager $authManager; |
| 40 | private HookRunner $hookRunner; |
| 41 | private UserIdentityLookup $userIdentityLookup; |
| 42 | private UserFactory $userFactory; |
| 43 | private UserNameUtils $userNameUtils; |
| 44 | private UserOptionsLookup $userOptionsLookup; |
| 45 | |
| 46 | /** |
| 47 | * In-process cache for isAllowed lookups, by username. |
| 48 | * Contains a StatusValue object |
| 49 | */ |
| 50 | private MapCacheLRU $permissionCache; |
| 51 | |
| 52 | /** |
| 53 | * @internal For use by ServiceWiring |
| 54 | */ |
| 55 | public const CONSTRUCTOR_OPTIONS = [ |
| 56 | MainConfigNames::EnableEmail, |
| 57 | MainConfigNames::PasswordResetRoutes, |
| 58 | ]; |
| 59 | |
| 60 | /** |
| 61 | * This class is managed by MediaWikiServices, don't instantiate directly. |
| 62 | * |
| 63 | * @param ServiceOptions $config |
| 64 | * @param LoggerInterface $logger |
| 65 | * @param AuthManager $authManager |
| 66 | * @param HookContainer $hookContainer |
| 67 | * @param UserIdentityLookup $userIdentityLookup |
| 68 | * @param UserFactory $userFactory |
| 69 | * @param UserNameUtils $userNameUtils |
| 70 | * @param UserOptionsLookup $userOptionsLookup |
| 71 | */ |
| 72 | public function __construct( |
| 73 | ServiceOptions $config, |
| 74 | LoggerInterface $logger, |
| 75 | AuthManager $authManager, |
| 76 | HookContainer $hookContainer, |
| 77 | UserIdentityLookup $userIdentityLookup, |
| 78 | UserFactory $userFactory, |
| 79 | UserNameUtils $userNameUtils, |
| 80 | UserOptionsLookup $userOptionsLookup |
| 81 | ) { |
| 82 | $config->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS ); |
| 83 | |
| 84 | $this->config = $config; |
| 85 | $this->logger = $logger; |
| 86 | |
| 87 | $this->authManager = $authManager; |
| 88 | $this->hookRunner = new HookRunner( $hookContainer ); |
| 89 | $this->userIdentityLookup = $userIdentityLookup; |
| 90 | $this->userFactory = $userFactory; |
| 91 | $this->userNameUtils = $userNameUtils; |
| 92 | $this->userOptionsLookup = $userOptionsLookup; |
| 93 | |
| 94 | $this->permissionCache = new MapCacheLRU( 1 ); |
| 95 | } |
| 96 | |
| 97 | /** |
| 98 | * Check if a given user has permission to use this functionality. |
| 99 | * @param User $user |
| 100 | * @since 1.29 Second argument for displayPassword removed. |
| 101 | * @return StatusValue |
| 102 | */ |
| 103 | public function isAllowed( User $user ) { |
| 104 | return $this->permissionCache->getWithSetCallback( |
| 105 | $user->getName(), |
| 106 | function () use ( $user ) { |
| 107 | return $this->computeIsAllowed( $user ); |
| 108 | } |
| 109 | ); |
| 110 | } |
| 111 | |
| 112 | /** |
| 113 | * @since 1.42 |
| 114 | * @return StatusValue |
| 115 | */ |
| 116 | public function isEnabled(): StatusValue { |
| 117 | $resetRoutes = $this->config->get( MainConfigNames::PasswordResetRoutes ); |
| 118 | if ( !is_array( $resetRoutes ) || !in_array( true, $resetRoutes, true ) ) { |
| 119 | // Maybe password resets are disabled, or there are no allowable routes |
| 120 | return StatusValue::newFatal( 'passwordreset-disabled' ); |
| 121 | } |
| 122 | |
| 123 | $providerStatus = $this->authManager->allowsAuthenticationDataChange( |
| 124 | new TemporaryPasswordAuthenticationRequest(), false ); |
| 125 | if ( !$providerStatus->isGood() ) { |
| 126 | // Maybe the external auth plugin won't allow local password changes |
| 127 | return StatusValue::newFatal( 'resetpass_forbidden-reason', |
| 128 | $providerStatus->getMessage() ); |
| 129 | } |
| 130 | if ( !$this->config->get( MainConfigNames::EnableEmail ) ) { |
| 131 | // Maybe email features have been disabled |
| 132 | return StatusValue::newFatal( 'passwordreset-emaildisabled' ); |
| 133 | } |
| 134 | return StatusValue::newGood(); |
| 135 | } |
| 136 | |
| 137 | private function computeIsAllowed( User $user ): StatusValue { |
| 138 | $enabledStatus = $this->isEnabled(); |
| 139 | if ( !$enabledStatus->isGood() ) { |
| 140 | return $enabledStatus; |
| 141 | } |
| 142 | if ( !$user->isAllowed( 'editmyprivateinfo' ) ) { |
| 143 | // Maybe not all users have permission to change private data |
| 144 | return StatusValue::newFatal( 'badaccess' ); |
| 145 | } |
| 146 | if ( $this->isBlocked( $user ) ) { |
| 147 | // Maybe the user is blocked (check this here rather than relying on the parent |
| 148 | // method as we have a more specific error message to use here, and we want to |
| 149 | // ignore some types of blocks) |
| 150 | return StatusValue::newFatal( 'blocked-mailpassword' ); |
| 151 | } |
| 152 | return StatusValue::newGood(); |
| 153 | } |
| 154 | |
| 155 | /** |
| 156 | * Do a password reset. Authorization is the caller's responsibility. |
| 157 | * |
| 158 | * Process the form. |
| 159 | * |
| 160 | * At this point, we know that the user passes all the criteria in |
| 161 | * userCanExecute(), and if the data array contains 'Username', etc., then Username |
| 162 | * resets are allowed. |
| 163 | * |
| 164 | * @since 1.29 Fourth argument for displayPassword removed. |
| 165 | * @param User $performingUser The user that does the password reset |
| 166 | * @param string|null $username The user whose password is reset |
| 167 | * @param string|null $email Alternative way to specify the user |
| 168 | * @return StatusValue |
| 169 | */ |
| 170 | public function execute( |
| 171 | User $performingUser, |
| 172 | $username = null, |
| 173 | $email = null |
| 174 | ) { |
| 175 | if ( !$this->isAllowed( $performingUser )->isGood() ) { |
| 176 | throw new LogicException( |
| 177 | 'User ' . $performingUser->getName() . ' is not allowed to reset passwords' |
| 178 | ); |
| 179 | } |
| 180 | |
| 181 | // Check against the rate limiter. If the $wgRateLimit is reached, we want to pretend |
| 182 | // that the request was good to avoid displaying an error message. |
| 183 | if ( $performingUser->pingLimiter( 'mailpassword' ) ) { |
| 184 | return StatusValue::newGood(); |
| 185 | } |
| 186 | |
| 187 | // We need to have a valid IP address for the hook 'User::mailPasswordInternal', but per T20347, |
| 188 | // we should send the user's name if they're logged in. |
| 189 | $ip = $performingUser->getRequest()->getIP(); |
| 190 | if ( !$ip ) { |
| 191 | return StatusValue::newFatal( 'badipaddress' ); |
| 192 | } |
| 193 | |
| 194 | $resetRoutes = $this->config->get( MainConfigNames::PasswordResetRoutes ) |
| 195 | + [ 'username' => false, 'email' => false ]; |
| 196 | if ( !$resetRoutes['username'] || $username === '' ) { |
| 197 | $username = null; |
| 198 | } |
| 199 | if ( !$resetRoutes['email'] || $email === '' ) { |
| 200 | $email = null; |
| 201 | } |
| 202 | |
| 203 | if ( $username !== null && !$this->userNameUtils->getCanonical( $username ) ) { |
| 204 | return StatusValue::newFatal( 'noname' ); |
| 205 | } |
| 206 | if ( $email !== null && !Sanitizer::validateEmail( $email ) ) { |
| 207 | return StatusValue::newFatal( 'passwordreset-invalidemail' ); |
| 208 | } |
| 209 | // At this point, $username and $email are either valid or not provided |
| 210 | |
| 211 | /** @var User[] $users */ |
| 212 | $users = []; |
| 213 | |
| 214 | if ( $username !== null ) { |
| 215 | $user = $this->userFactory->newFromName( $username ); |
| 216 | // User must have an email address to attempt sending a password reset email |
| 217 | if ( $user && $user->isRegistered() && $user->getEmail() && ( |
| 218 | !$this->userOptionsLookup->getBoolOption( $user, 'requireemail' ) || |
| 219 | $user->getEmail() === $email |
| 220 | ) ) { |
| 221 | // Either providing the email in the form is not required to request a reset, |
| 222 | // or the correct email was provided |
| 223 | $users[] = $user; |
| 224 | } |
| 225 | |
| 226 | } elseif ( $email !== null ) { |
| 227 | foreach ( $this->getUsersByEmail( $email ) as $userIdent ) { |
| 228 | // Skip users whose preference 'requireemail' is on since the username was not submitted |
| 229 | if ( $this->userOptionsLookup->getBoolOption( $userIdent, 'requireemail' ) ) { |
| 230 | continue; |
| 231 | } |
| 232 | $users[] = $this->userFactory->newFromUserIdentity( $userIdent ); |
| 233 | } |
| 234 | |
| 235 | } else { |
| 236 | // The user didn't supply any data |
| 237 | return StatusValue::newFatal( 'passwordreset-nodata' ); |
| 238 | } |
| 239 | |
| 240 | // Check for hooks (captcha etc.), and allow them to modify the list of users |
| 241 | $data = [ |
| 242 | 'Username' => $username, |
| 243 | 'Email' => $email, |
| 244 | ]; |
| 245 | |
| 246 | $error = []; |
| 247 | if ( !$this->hookRunner->onSpecialPasswordResetOnSubmit( $users, $data, $error ) ) { |
| 248 | return StatusValue::newFatal( Message::newFromSpecifier( $error ) ); |
| 249 | } |
| 250 | |
| 251 | if ( !$users ) { |
| 252 | // Don't reveal whether a username or email address is in use |
| 253 | return StatusValue::newGood(); |
| 254 | } |
| 255 | |
| 256 | // Get the first element in $users by using `reset` function since |
| 257 | // the key '0' might have been unset from $users array by a hook handler. |
| 258 | $firstUser = reset( $users ); |
| 259 | |
| 260 | $this->hookRunner->onUser__mailPasswordInternal( $performingUser, $ip, $firstUser ); |
| 261 | |
| 262 | $result = StatusValue::newGood(); |
| 263 | $reqs = []; |
| 264 | foreach ( $users as $user ) { |
| 265 | $req = TemporaryPasswordAuthenticationRequest::newRandom(); |
| 266 | $req->username = $user->getName(); |
| 267 | $req->mailpassword = true; |
| 268 | $req->caller = $performingUser->getName(); |
| 269 | |
| 270 | $status = $this->authManager->allowsAuthenticationDataChange( $req, true ); |
| 271 | // If the status is good and the value is 'throttled-mailpassword', we want to pretend |
| 272 | // that the request was good to avoid displaying an error message and disclose |
| 273 | // if a reset password was previously sent. |
| 274 | if ( $status->isGood() && $status->getValue() === 'throttled-mailpassword' ) { |
| 275 | return StatusValue::newGood(); |
| 276 | } |
| 277 | |
| 278 | if ( $status->isGood() && $status->getValue() !== 'ignored' ) { |
| 279 | $reqs[] = $req; |
| 280 | } elseif ( $result->isGood() ) { |
| 281 | // only record the first error, to avoid exposing the number of users having the |
| 282 | // same email address |
| 283 | if ( $status->getValue() === 'ignored' ) { |
| 284 | $status = StatusValue::newFatal( 'passwordreset-ignored' ); |
| 285 | } |
| 286 | $result->merge( $status ); |
| 287 | } |
| 288 | } |
| 289 | |
| 290 | $logContext = [ |
| 291 | 'requestingIp' => $ip, |
| 292 | 'requestingUser' => $performingUser->getName(), |
| 293 | 'targetUsername' => $username, |
| 294 | 'targetEmail' => $email, |
| 295 | ]; |
| 296 | |
| 297 | if ( !$result->isGood() ) { |
| 298 | $this->logger->info( |
| 299 | "{requestingUser} attempted password reset of {targetUsername} but failed", |
| 300 | $logContext + [ 'errors' => $result->getErrors() ] |
| 301 | ); |
| 302 | return $result; |
| 303 | } |
| 304 | |
| 305 | DeferredUpdates::addUpdate( |
| 306 | new SendPasswordResetEmailUpdate( $this->authManager, $reqs, $logContext ), |
| 307 | DeferredUpdates::POSTSEND |
| 308 | ); |
| 309 | |
| 310 | return StatusValue::newGood(); |
| 311 | } |
| 312 | |
| 313 | /** |
| 314 | * Check whether the user is blocked. |
| 315 | * Ignores certain types of system blocks that are only meant to force users to log in. |
| 316 | * @param User $user |
| 317 | * @return bool |
| 318 | * @since 1.30 |
| 319 | */ |
| 320 | private function isBlocked( User $user ) { |
| 321 | $block = $user->getBlock(); |
| 322 | return $block && $block->appliesToPasswordReset(); |
| 323 | } |
| 324 | |
| 325 | /** |
| 326 | * @note This is protected to allow configuring in tests. This class is not stable to extend. |
| 327 | * |
| 328 | * @param string $email |
| 329 | * |
| 330 | * @return Iterator<UserIdentity> |
| 331 | */ |
| 332 | protected function getUsersByEmail( $email ) { |
| 333 | return $this->userIdentityLookup->newSelectQueryBuilder() |
| 334 | ->join( 'user', null, [ "actor_user=user_id" ] ) |
| 335 | ->where( [ 'user_email' => $email ] ) |
| 336 | ->caller( __METHOD__ ) |
| 337 | ->fetchUserIdentities(); |
| 338 | } |
| 339 | |
| 340 | } |
| 341 | |
| 342 | /** @deprecated class alias since 1.41 */ |
| 343 | class_alias( PasswordReset::class, 'PasswordReset' ); |