Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
99.77% |
1302 / 1305 |
|
95.45% |
42 / 44 |
CRAP | |
0.00% |
0 / 1 |
AuthManager | |
99.77% |
1302 / 1305 |
|
95.45% |
42 / 44 |
339 | |
0.00% |
0 / 1 |
__construct | |
100.00% |
17 / 17 |
|
100.00% |
1 / 1 |
1 | |||
setLogger | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
getRequest | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
forcePrimaryAuthenticationProviders | |
100.00% |
31 / 31 |
|
100.00% |
1 / 1 |
5 | |||
canAuthenticateNow | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
beginAuthentication | |
100.00% |
64 / 64 |
|
100.00% |
1 / 1 |
14 | |||
continueAuthentication | |
99.06% |
211 / 213 |
|
0.00% |
0 / 1 |
52 | |||
securitySensitiveOperationStatus | |
100.00% |
43 / 43 |
|
100.00% |
1 / 1 |
16 | |||
userCanAuthenticate | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
3 | |||
normalizeUsername | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
3 | |||
revokeAccessForUser | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
allowsAuthenticationDataChange | |
100.00% |
14 / 14 |
|
100.00% |
1 / 1 |
6 | |||
changeAuthenticationData | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
3 | |||
canCreateAccounts | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
4 | |||
canCreateAccount | |
96.00% |
24 / 25 |
|
0.00% |
0 / 1 |
8 | |||
authorizeInternal | |
100.00% |
13 / 13 |
|
100.00% |
1 / 1 |
4 | |||
probablyCanCreateAccount | |
100.00% |
10 / 10 |
|
100.00% |
1 / 1 |
1 | |||
authorizeCreateAccount | |
100.00% |
10 / 10 |
|
100.00% |
1 / 1 |
1 | |||
beginAccountCreation | |
100.00% |
69 / 69 |
|
100.00% |
1 / 1 |
11 | |||
continueAccountCreation | |
100.00% |
272 / 272 |
|
100.00% |
1 / 1 |
52 | |||
autoCreateUser | |
100.00% |
160 / 160 |
|
100.00% |
1 / 1 |
36 | |||
authorizeAutoCreateAccount | |
100.00% |
10 / 10 |
|
100.00% |
1 / 1 |
1 | |||
canLinkAccounts | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
3 | |||
beginAccountLink | |
100.00% |
71 / 71 |
|
100.00% |
1 / 1 |
15 | |||
continueAccountLink | |
100.00% |
59 / 59 |
|
100.00% |
1 / 1 |
13 | |||
getAuthenticationRequests | |
100.00% |
36 / 36 |
|
100.00% |
1 / 1 |
18 | |||
getAuthenticationRequestsInternal | |
100.00% |
31 / 31 |
|
100.00% |
1 / 1 |
15 | |||
fillRequests | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
4 | |||
userExists | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
3 | |||
allowsPropertyChange | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
3 | |||
getAuthenticationProvider | |
100.00% |
12 / 12 |
|
100.00% |
1 / 1 |
5 | |||
setAuthenticationSessionData | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
2 | |||
getAuthenticationSessionData | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
3 | |||
removeAuthenticationSessionData | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
4 | |||
providerArrayFromSpecs | |
100.00% |
22 / 22 |
|
100.00% |
1 / 1 |
5 | |||
getConfiguration | |
100.00% |
2 / 2 |
|
100.00% |
1 / 1 |
2 | |||
getPreAuthenticationProviders | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
2 | |||
getPrimaryAuthenticationProviders | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
2 | |||
getSecondaryAuthenticationProviders | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
2 | |||
setSessionDataForUser | |
100.00% |
13 / 13 |
|
100.00% |
1 / 1 |
3 | |||
setDefaultUserOptions | |
100.00% |
14 / 14 |
|
100.00% |
1 / 1 |
3 | |||
callMethodOnProviders | |
100.00% |
9 / 9 |
|
100.00% |
1 / 1 |
5 | |||
getHookContainer | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
getHookRunner | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 |
1 | <?php |
2 | /** |
3 | * Authentication (and possibly Authorization in the future) system entry point |
4 | * |
5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation; either version 2 of the License, or |
8 | * (at your option) any later version. |
9 | * |
10 | * This program is distributed in the hope that it will be useful, |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | * GNU General Public License for more details. |
14 | * |
15 | * You should have received a copy of the GNU General Public License along |
16 | * with this program; if not, write to the Free Software Foundation, Inc., |
17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
18 | * http://www.gnu.org/copyleft/gpl.html |
19 | * |
20 | * @file |
21 | * @ingroup Auth |
22 | */ |
23 | |
24 | namespace MediaWiki\Auth; |
25 | |
26 | use IDBAccessObject; |
27 | use Language; |
28 | use MediaWiki\Block\BlockManager; |
29 | use MediaWiki\Config\Config; |
30 | use MediaWiki\Context\RequestContext; |
31 | use MediaWiki\Deferred\DeferredUpdates; |
32 | use MediaWiki\Deferred\SiteStatsUpdate; |
33 | use MediaWiki\HookContainer\HookContainer; |
34 | use MediaWiki\HookContainer\HookRunner; |
35 | use MediaWiki\Languages\LanguageConverterFactory; |
36 | use MediaWiki\MainConfigNames; |
37 | use MediaWiki\Page\PageIdentity; |
38 | use MediaWiki\Permissions\Authority; |
39 | use MediaWiki\Permissions\PermissionStatus; |
40 | use MediaWiki\Request\WebRequest; |
41 | use MediaWiki\SpecialPage\SpecialPage; |
42 | use MediaWiki\Status\Status; |
43 | use MediaWiki\User\BotPasswordStore; |
44 | use MediaWiki\User\Options\UserOptionsManager; |
45 | use MediaWiki\User\TempUser\TempUserCreator; |
46 | use MediaWiki\User\User; |
47 | use MediaWiki\User\UserFactory; |
48 | use MediaWiki\User\UserIdentity; |
49 | use MediaWiki\User\UserIdentityLookup; |
50 | use MediaWiki\User\UserNameUtils; |
51 | use MediaWiki\User\UserRigorOptions; |
52 | use MediaWiki\Watchlist\WatchlistManager; |
53 | use Psr\Log\LoggerAwareInterface; |
54 | use Psr\Log\LoggerInterface; |
55 | use Psr\Log\NullLogger; |
56 | use StatusValue; |
57 | use Wikimedia\ObjectFactory\ObjectFactory; |
58 | use Wikimedia\Rdbms\ILoadBalancer; |
59 | use Wikimedia\Rdbms\ReadOnlyMode; |
60 | use Wikimedia\ScopedCallback; |
61 | |
62 | /** |
63 | * This serves as the entry point to the authentication system. |
64 | * |
65 | * In the future, it may also serve as the entry point to the authorization |
66 | * system. |
67 | * |
68 | * If you are looking at this because you are working on an extension that creates its own |
69 | * login or signup page, then 1) you really shouldn't do that, 2) if you feel you absolutely |
70 | * have to, subclass AuthManagerSpecialPage or build it on the client side using the clientlogin |
71 | * or the createaccount API. Trying to call this class directly will very likely end up in |
72 | * security vulnerabilities or broken UX in edge cases. |
73 | * |
74 | * If you are working on an extension that needs to integrate with the authentication system |
75 | * (e.g. by providing a new login method, or doing extra permission checks), you'll probably |
76 | * need to write an AuthenticationProvider. |
77 | * |
78 | * If you want to create a "reserved" user programmatically, User::newSystemUser() might be what |
79 | * you are looking for. If you want to change user data, use User::changeAuthenticationData(). |
80 | * Code that is related to some SessionProvider or PrimaryAuthenticationProvider can |
81 | * create a (non-reserved) user by calling AuthManager::autoCreateUser(); it is then the provider's |
82 | * responsibility to ensure that the user can authenticate somehow (see especially |
83 | * PrimaryAuthenticationProvider::autoCreatedAccount()). The same functionality can also be used |
84 | * from Maintenance scripts such as createAndPromote.php. |
85 | * If you are writing code that is not associated with such a provider and needs to create accounts |
86 | * programmatically for real users, you should rethink your architecture. There is no good way to |
87 | * do that as such code has no knowledge of what authentication methods are enabled on the wiki and |
88 | * cannot provide any means for users to access the accounts it would create. |
89 | * |
90 | * The two main control flows when using this class are as follows: |
91 | * * Login, user creation or account linking code will call getAuthenticationRequests(), populate |
92 | * the requests with data (by using them to build a HTMLForm and have the user fill it, or by |
93 | * exposing a form specification via the API, so that the client can build it), and pass them to |
94 | * the appropriate begin* method. That will return either a success/failure response, or more |
95 | * requests to fill (either by building a form or by redirecting the user to some external |
96 | * provider which will send the data back), in which case they need to be submitted to the |
97 | * appropriate continue* method and that step has to be repeated until the response is a success |
98 | * or failure response. AuthManager will use the session to maintain internal state during the |
99 | * process. |
100 | * * Code doing an authentication data change will call getAuthenticationRequests(), select |
101 | * a single request, populate it, and pass it to allowsAuthenticationDataChange() and then |
102 | * changeAuthenticationData(). If the data change is user-initiated, the whole process needs |
103 | * to be preceded by a call to securitySensitiveOperationStatus() and aborted if that returns |
104 | * a non-OK status. |
105 | * |
106 | * @ingroup Auth |
107 | * @since 1.27 |
108 | * @see https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager |
109 | */ |
110 | class AuthManager implements LoggerAwareInterface { |
111 | /** |
112 | * @internal |
113 | * Key in the user's session data for storing login state. |
114 | */ |
115 | public const AUTHN_STATE = 'AuthManager::authnState'; |
116 | |
117 | /** |
118 | * @internal |
119 | * Key in the user's session data for storing account creation state. |
120 | */ |
121 | public const ACCOUNT_CREATION_STATE = 'AuthManager::accountCreationState'; |
122 | |
123 | /** |
124 | * @internal |
125 | * Key in the user's session data for storing account linking state. |
126 | */ |
127 | public const ACCOUNT_LINK_STATE = 'AuthManager::accountLinkState'; |
128 | |
129 | /** |
130 | * @internal |
131 | * Key in the user's session data for storing autocreation failures, |
132 | * to avoid re-attempting expensive autocreation checks on every request. |
133 | */ |
134 | public const AUTOCREATE_BLOCKLIST = 'AuthManager::AutoCreateBlacklist'; |
135 | |
136 | /** Log in with an existing (not necessarily local) user */ |
137 | public const ACTION_LOGIN = 'login'; |
138 | /** Continue a login process that was interrupted by the need for user input or communication |
139 | * with an external provider |
140 | */ |
141 | public const ACTION_LOGIN_CONTINUE = 'login-continue'; |
142 | /** Create a new user */ |
143 | public const ACTION_CREATE = 'create'; |
144 | /** Continue a user creation process that was interrupted by the need for user input or |
145 | * communication with an external provider |
146 | */ |
147 | public const ACTION_CREATE_CONTINUE = 'create-continue'; |
148 | /** Link an existing user to a third-party account */ |
149 | public const ACTION_LINK = 'link'; |
150 | /** Continue a user linking process that was interrupted by the need for user input or |
151 | * communication with an external provider |
152 | */ |
153 | public const ACTION_LINK_CONTINUE = 'link-continue'; |
154 | /** Change a user's credentials */ |
155 | public const ACTION_CHANGE = 'change'; |
156 | /** Remove a user's credentials */ |
157 | public const ACTION_REMOVE = 'remove'; |
158 | /** Like ACTION_REMOVE but for linking providers only */ |
159 | public const ACTION_UNLINK = 'unlink'; |
160 | |
161 | /** Security-sensitive operations are ok. */ |
162 | public const SEC_OK = 'ok'; |
163 | /** Security-sensitive operations should re-authenticate. */ |
164 | public const SEC_REAUTH = 'reauth'; |
165 | /** Security-sensitive should not be performed. */ |
166 | public const SEC_FAIL = 'fail'; |
167 | |
168 | /** Auto-creation is due to SessionManager */ |
169 | public const AUTOCREATE_SOURCE_SESSION = \MediaWiki\Session\SessionManager::class; |
170 | |
171 | /** Auto-creation is due to a Maintenance script */ |
172 | public const AUTOCREATE_SOURCE_MAINT = '::Maintenance::'; |
173 | |
174 | /** Auto-creation is due to temporary account creation on page save */ |
175 | public const AUTOCREATE_SOURCE_TEMP = TempUserCreator::class; |
176 | |
177 | /** @var WebRequest */ |
178 | private $request; |
179 | |
180 | /** @var Config */ |
181 | private $config; |
182 | |
183 | /** @var ObjectFactory */ |
184 | private $objectFactory; |
185 | |
186 | /** @var LoggerInterface */ |
187 | private $logger; |
188 | |
189 | /** @var UserNameUtils */ |
190 | private $userNameUtils; |
191 | |
192 | /** @var AuthenticationProvider[] */ |
193 | private $allAuthenticationProviders = []; |
194 | |
195 | /** @var PreAuthenticationProvider[] */ |
196 | private $preAuthenticationProviders = null; |
197 | |
198 | /** @var PrimaryAuthenticationProvider[] */ |
199 | private $primaryAuthenticationProviders = null; |
200 | |
201 | /** @var SecondaryAuthenticationProvider[] */ |
202 | private $secondaryAuthenticationProviders = null; |
203 | |
204 | /** @var CreatedAccountAuthenticationRequest[] */ |
205 | private $createdAccountAuthenticationRequests = []; |
206 | |
207 | /** @var HookContainer */ |
208 | private $hookContainer; |
209 | |
210 | /** @var HookRunner */ |
211 | private $hookRunner; |
212 | |
213 | /** @var ReadOnlyMode */ |
214 | private $readOnlyMode; |
215 | |
216 | /** @var BlockManager */ |
217 | private $blockManager; |
218 | |
219 | /** @var WatchlistManager */ |
220 | private $watchlistManager; |
221 | |
222 | /** @var ILoadBalancer */ |
223 | private $loadBalancer; |
224 | |
225 | /** @var Language */ |
226 | private $contentLanguage; |
227 | |
228 | /** @var LanguageConverterFactory */ |
229 | private $languageConverterFactory; |
230 | |
231 | /** @var BotPasswordStore */ |
232 | private $botPasswordStore; |
233 | |
234 | /** @var UserFactory */ |
235 | private $userFactory; |
236 | |
237 | /** @var UserIdentityLookup */ |
238 | private $userIdentityLookup; |
239 | |
240 | /** @var UserOptionsManager */ |
241 | private $userOptionsManager; |
242 | |
243 | /** |
244 | * @param WebRequest $request |
245 | * @param Config $config |
246 | * @param ObjectFactory $objectFactory |
247 | * @param HookContainer $hookContainer |
248 | * @param ReadOnlyMode $readOnlyMode |
249 | * @param UserNameUtils $userNameUtils |
250 | * @param BlockManager $blockManager |
251 | * @param WatchlistManager $watchlistManager |
252 | * @param ILoadBalancer $loadBalancer |
253 | * @param Language $contentLanguage |
254 | * @param LanguageConverterFactory $languageConverterFactory |
255 | * @param BotPasswordStore $botPasswordStore |
256 | * @param UserFactory $userFactory |
257 | * @param UserIdentityLookup $userIdentityLookup |
258 | * @param UserOptionsManager $userOptionsManager |
259 | */ |
260 | public function __construct( |
261 | WebRequest $request, |
262 | Config $config, |
263 | ObjectFactory $objectFactory, |
264 | HookContainer $hookContainer, |
265 | ReadOnlyMode $readOnlyMode, |
266 | UserNameUtils $userNameUtils, |
267 | BlockManager $blockManager, |
268 | WatchlistManager $watchlistManager, |
269 | ILoadBalancer $loadBalancer, |
270 | Language $contentLanguage, |
271 | LanguageConverterFactory $languageConverterFactory, |
272 | BotPasswordStore $botPasswordStore, |
273 | UserFactory $userFactory, |
274 | UserIdentityLookup $userIdentityLookup, |
275 | UserOptionsManager $userOptionsManager |
276 | ) { |
277 | $this->request = $request; |
278 | $this->config = $config; |
279 | $this->objectFactory = $objectFactory; |
280 | $this->hookContainer = $hookContainer; |
281 | $this->hookRunner = new HookRunner( $hookContainer ); |
282 | $this->setLogger( new NullLogger() ); |
283 | $this->readOnlyMode = $readOnlyMode; |
284 | $this->userNameUtils = $userNameUtils; |
285 | $this->blockManager = $blockManager; |
286 | $this->watchlistManager = $watchlistManager; |
287 | $this->loadBalancer = $loadBalancer; |
288 | $this->contentLanguage = $contentLanguage; |
289 | $this->languageConverterFactory = $languageConverterFactory; |
290 | $this->botPasswordStore = $botPasswordStore; |
291 | $this->userFactory = $userFactory; |
292 | $this->userIdentityLookup = $userIdentityLookup; |
293 | $this->userOptionsManager = $userOptionsManager; |
294 | } |
295 | |
296 | /** |
297 | * @param LoggerInterface $logger |
298 | */ |
299 | public function setLogger( LoggerInterface $logger ) { |
300 | $this->logger = $logger; |
301 | } |
302 | |
303 | /** |
304 | * @return WebRequest |
305 | */ |
306 | public function getRequest() { |
307 | return $this->request; |
308 | } |
309 | |
310 | /** |
311 | * Force certain PrimaryAuthenticationProviders |
312 | * @deprecated For backwards compatibility only |
313 | * @param PrimaryAuthenticationProvider[] $providers |
314 | * @param string $why |
315 | */ |
316 | public function forcePrimaryAuthenticationProviders( array $providers, $why ) { |
317 | $this->logger->warning( "Overriding AuthManager primary authn because $why" ); |
318 | |
319 | if ( $this->primaryAuthenticationProviders !== null ) { |
320 | $this->logger->warning( |
321 | 'PrimaryAuthenticationProviders have already been accessed! I hope nothing breaks.' |
322 | ); |
323 | |
324 | $this->allAuthenticationProviders = array_diff_key( |
325 | $this->allAuthenticationProviders, |
326 | $this->primaryAuthenticationProviders |
327 | ); |
328 | $session = $this->request->getSession(); |
329 | $session->remove( self::AUTHN_STATE ); |
330 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
331 | $session->remove( self::ACCOUNT_LINK_STATE ); |
332 | $this->createdAccountAuthenticationRequests = []; |
333 | } |
334 | |
335 | $this->primaryAuthenticationProviders = []; |
336 | foreach ( $providers as $provider ) { |
337 | if ( !$provider instanceof AbstractPrimaryAuthenticationProvider ) { |
338 | throw new \RuntimeException( |
339 | 'Expected instance of MediaWiki\\Auth\\AbstractPrimaryAuthenticationProvider, got ' . |
340 | get_class( $provider ) |
341 | ); |
342 | } |
343 | $provider->init( $this->logger, $this, $this->hookContainer, $this->config, $this->userNameUtils ); |
344 | $id = $provider->getUniqueId(); |
345 | if ( isset( $this->allAuthenticationProviders[$id] ) ) { |
346 | throw new \RuntimeException( |
347 | "Duplicate specifications for id $id (classes " . |
348 | get_class( $provider ) . ' and ' . |
349 | get_class( $this->allAuthenticationProviders[$id] ) . ')' |
350 | ); |
351 | } |
352 | $this->allAuthenticationProviders[$id] = $provider; |
353 | $this->primaryAuthenticationProviders[$id] = $provider; |
354 | } |
355 | } |
356 | |
357 | /***************************************************************************/ |
358 | // region Authentication |
359 | /** @name Authentication */ |
360 | |
361 | /** |
362 | * Indicate whether user authentication is possible |
363 | * |
364 | * It may not be if the session is provided by something like OAuth |
365 | * for which each individual request includes authentication data. |
366 | * |
367 | * @return bool |
368 | */ |
369 | public function canAuthenticateNow() { |
370 | return $this->request->getSession()->canSetUser(); |
371 | } |
372 | |
373 | /** |
374 | * Start an authentication flow |
375 | * |
376 | * In addition to the AuthenticationRequests returned by |
377 | * $this->getAuthenticationRequests(), a client might include a |
378 | * CreateFromLoginAuthenticationRequest from a previous login attempt to |
379 | * preserve state. |
380 | * |
381 | * Instead of the AuthenticationRequests returned by |
382 | * $this->getAuthenticationRequests(), a client might pass a |
383 | * CreatedAccountAuthenticationRequest from an account creation that just |
384 | * succeeded to log in to the just-created account. |
385 | * |
386 | * @param AuthenticationRequest[] $reqs |
387 | * @param string $returnToUrl Url that REDIRECT responses should eventually |
388 | * return to. |
389 | * @return AuthenticationResponse See self::continueAuthentication() |
390 | */ |
391 | public function beginAuthentication( array $reqs, $returnToUrl ) { |
392 | $session = $this->request->getSession(); |
393 | if ( !$session->canSetUser() ) { |
394 | // Caller should have called canAuthenticateNow() |
395 | $session->remove( self::AUTHN_STATE ); |
396 | throw new \LogicException( 'Authentication is not possible now' ); |
397 | } |
398 | |
399 | $guessUserName = null; |
400 | foreach ( $reqs as $req ) { |
401 | $req->returnToUrl = $returnToUrl; |
402 | // @codeCoverageIgnoreStart |
403 | if ( $req->username !== null && $req->username !== '' ) { |
404 | if ( $guessUserName === null ) { |
405 | $guessUserName = $req->username; |
406 | } elseif ( $guessUserName !== $req->username ) { |
407 | $guessUserName = null; |
408 | break; |
409 | } |
410 | } |
411 | // @codeCoverageIgnoreEnd |
412 | } |
413 | |
414 | // Check for special-case login of a just-created account |
415 | $req = AuthenticationRequest::getRequestByClass( |
416 | $reqs, CreatedAccountAuthenticationRequest::class |
417 | ); |
418 | if ( $req ) { |
419 | if ( !in_array( $req, $this->createdAccountAuthenticationRequests, true ) ) { |
420 | throw new \LogicException( |
421 | 'CreatedAccountAuthenticationRequests are only valid on ' . |
422 | 'the same AuthManager that created the account' |
423 | ); |
424 | } |
425 | |
426 | $user = $this->userFactory->newFromName( (string)$req->username ); |
427 | // @codeCoverageIgnoreStart |
428 | if ( !$user ) { |
429 | throw new \UnexpectedValueException( |
430 | "CreatedAccountAuthenticationRequest had invalid username \"{$req->username}\"" |
431 | ); |
432 | } elseif ( $user->getId() != $req->id ) { |
433 | throw new \UnexpectedValueException( |
434 | "ID for \"{$req->username}\" was {$user->getId()}, expected {$req->id}" |
435 | ); |
436 | } |
437 | // @codeCoverageIgnoreEnd |
438 | |
439 | $this->logger->info( 'Logging in {user} after account creation', [ |
440 | 'user' => $user->getName(), |
441 | ] ); |
442 | $ret = AuthenticationResponse::newPass( $user->getName() ); |
443 | $performer = $session->getUser(); |
444 | $this->setSessionDataForUser( $user ); |
445 | $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] ); |
446 | $session->remove( self::AUTHN_STATE ); |
447 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( |
448 | $ret, $user, $user->getName(), [ |
449 | 'performer' => $performer |
450 | ] ); |
451 | return $ret; |
452 | } |
453 | |
454 | $this->removeAuthenticationSessionData( null ); |
455 | |
456 | foreach ( $this->getPreAuthenticationProviders() as $provider ) { |
457 | $status = $provider->testForAuthentication( $reqs ); |
458 | if ( !$status->isGood() ) { |
459 | $this->logger->debug( 'Login failed in pre-authentication by ' . $provider->getUniqueId() ); |
460 | $ret = AuthenticationResponse::newFail( |
461 | Status::wrap( $status )->getMessage() |
462 | ); |
463 | $this->callMethodOnProviders( 7, 'postAuthentication', |
464 | [ $this->userFactory->newFromName( (string)$guessUserName ), $ret ] |
465 | ); |
466 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( $ret, null, $guessUserName, [ |
467 | 'performer' => $session->getUser() |
468 | ] ); |
469 | return $ret; |
470 | } |
471 | } |
472 | |
473 | $state = [ |
474 | 'reqs' => $reqs, |
475 | 'returnToUrl' => $returnToUrl, |
476 | 'guessUserName' => $guessUserName, |
477 | 'primary' => null, |
478 | 'primaryResponse' => null, |
479 | 'secondary' => [], |
480 | 'maybeLink' => [], |
481 | 'continueRequests' => [], |
482 | ]; |
483 | |
484 | // Preserve state from a previous failed login |
485 | $req = AuthenticationRequest::getRequestByClass( |
486 | $reqs, CreateFromLoginAuthenticationRequest::class |
487 | ); |
488 | if ( $req ) { |
489 | $state['maybeLink'] = $req->maybeLink; |
490 | } |
491 | |
492 | $session = $this->request->getSession(); |
493 | $session->setSecret( self::AUTHN_STATE, $state ); |
494 | $session->persist(); |
495 | |
496 | return $this->continueAuthentication( $reqs ); |
497 | } |
498 | |
499 | /** |
500 | * Continue an authentication flow |
501 | * |
502 | * Return values are interpreted as follows: |
503 | * - status FAIL: Authentication failed. If $response->createRequest is |
504 | * set, that may be passed to self::beginAuthentication() or to |
505 | * self::beginAccountCreation() to preserve state. |
506 | * - status REDIRECT: The client should be redirected to the contained URL, |
507 | * new AuthenticationRequests should be made (if any), then |
508 | * AuthManager::continueAuthentication() should be called. |
509 | * - status UI: The client should be presented with a user interface for |
510 | * the fields in the specified AuthenticationRequests, then new |
511 | * AuthenticationRequests should be made, then |
512 | * AuthManager::continueAuthentication() should be called. |
513 | * - status RESTART: The user logged in successfully with a third-party |
514 | * service, but the third-party credentials aren't attached to any local |
515 | * account. This could be treated as a UI or a FAIL. |
516 | * - status PASS: Authentication was successful. |
517 | * |
518 | * @param AuthenticationRequest[] $reqs |
519 | * @return AuthenticationResponse |
520 | */ |
521 | public function continueAuthentication( array $reqs ) { |
522 | $session = $this->request->getSession(); |
523 | try { |
524 | if ( !$session->canSetUser() ) { |
525 | // Caller should have called canAuthenticateNow() |
526 | // @codeCoverageIgnoreStart |
527 | throw new \LogicException( 'Authentication is not possible now' ); |
528 | // @codeCoverageIgnoreEnd |
529 | } |
530 | |
531 | $state = $session->getSecret( self::AUTHN_STATE ); |
532 | if ( !is_array( $state ) ) { |
533 | return AuthenticationResponse::newFail( |
534 | wfMessage( 'authmanager-authn-not-in-progress' ) |
535 | ); |
536 | } |
537 | $state['continueRequests'] = []; |
538 | |
539 | $guessUserName = $state['guessUserName']; |
540 | |
541 | foreach ( $reqs as $req ) { |
542 | $req->returnToUrl = $state['returnToUrl']; |
543 | } |
544 | |
545 | // Step 1: Choose a primary authentication provider, and call it until it succeeds. |
546 | |
547 | if ( $state['primary'] === null ) { |
548 | // We haven't picked a PrimaryAuthenticationProvider yet |
549 | // @codeCoverageIgnoreStart |
550 | $guessUserName = null; |
551 | foreach ( $reqs as $req ) { |
552 | if ( $req->username !== null && $req->username !== '' ) { |
553 | if ( $guessUserName === null ) { |
554 | $guessUserName = $req->username; |
555 | } elseif ( $guessUserName !== $req->username ) { |
556 | $guessUserName = null; |
557 | break; |
558 | } |
559 | } |
560 | } |
561 | $state['guessUserName'] = $guessUserName; |
562 | // @codeCoverageIgnoreEnd |
563 | $state['reqs'] = $reqs; |
564 | |
565 | foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) { |
566 | $res = $provider->beginPrimaryAuthentication( $reqs ); |
567 | switch ( $res->status ) { |
568 | case AuthenticationResponse::PASS: |
569 | $state['primary'] = $id; |
570 | $state['primaryResponse'] = $res; |
571 | $this->logger->debug( "Primary login with $id succeeded" ); |
572 | break 2; |
573 | case AuthenticationResponse::FAIL: |
574 | $this->logger->debug( "Login failed in primary authentication by $id" ); |
575 | if ( $res->createRequest || $state['maybeLink'] ) { |
576 | $res->createRequest = new CreateFromLoginAuthenticationRequest( |
577 | $res->createRequest, $state['maybeLink'] |
578 | ); |
579 | } |
580 | $this->callMethodOnProviders( |
581 | 7, |
582 | 'postAuthentication', |
583 | [ |
584 | $this->userFactory->newFromName( (string)$guessUserName ), |
585 | $res |
586 | ] |
587 | ); |
588 | $session->remove( self::AUTHN_STATE ); |
589 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( |
590 | $res, null, $guessUserName, [ |
591 | 'performer' => $session->getUser() |
592 | ] ); |
593 | return $res; |
594 | case AuthenticationResponse::ABSTAIN: |
595 | // Continue loop |
596 | break; |
597 | case AuthenticationResponse::REDIRECT: |
598 | case AuthenticationResponse::UI: |
599 | $this->logger->debug( "Primary login with $id returned $res->status" ); |
600 | $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $guessUserName ); |
601 | $state['primary'] = $id; |
602 | $state['continueRequests'] = $res->neededRequests; |
603 | $session->setSecret( self::AUTHN_STATE, $state ); |
604 | return $res; |
605 | |
606 | // @codeCoverageIgnoreStart |
607 | default: |
608 | throw new \DomainException( |
609 | get_class( $provider ) . "::beginPrimaryAuthentication() returned $res->status" |
610 | ); |
611 | // @codeCoverageIgnoreEnd |
612 | } |
613 | } |
614 | // @phan-suppress-next-line PhanTypePossiblyInvalidDimOffset Always set in loop before, if passed |
615 | if ( $state['primary'] === null ) { |
616 | $this->logger->debug( 'Login failed in primary authentication because no provider accepted' ); |
617 | $ret = AuthenticationResponse::newFail( |
618 | wfMessage( 'authmanager-authn-no-primary' ) |
619 | ); |
620 | $this->callMethodOnProviders( 7, 'postAuthentication', |
621 | [ $this->userFactory->newFromName( (string)$guessUserName ), $ret ] |
622 | ); |
623 | $session->remove( self::AUTHN_STATE ); |
624 | return $ret; |
625 | } |
626 | } elseif ( $state['primaryResponse'] === null ) { |
627 | $provider = $this->getAuthenticationProvider( $state['primary'] ); |
628 | if ( !$provider instanceof PrimaryAuthenticationProvider ) { |
629 | // Configuration changed? Force them to start over. |
630 | // @codeCoverageIgnoreStart |
631 | $ret = AuthenticationResponse::newFail( |
632 | wfMessage( 'authmanager-authn-not-in-progress' ) |
633 | ); |
634 | $this->callMethodOnProviders( 7, 'postAuthentication', |
635 | [ $this->userFactory->newFromName( (string)$guessUserName ), $ret ] |
636 | ); |
637 | $session->remove( self::AUTHN_STATE ); |
638 | return $ret; |
639 | // @codeCoverageIgnoreEnd |
640 | } |
641 | $id = $provider->getUniqueId(); |
642 | $res = $provider->continuePrimaryAuthentication( $reqs ); |
643 | switch ( $res->status ) { |
644 | case AuthenticationResponse::PASS: |
645 | $state['primaryResponse'] = $res; |
646 | $this->logger->debug( "Primary login with $id succeeded" ); |
647 | break; |
648 | case AuthenticationResponse::FAIL: |
649 | $this->logger->debug( "Login failed in primary authentication by $id" ); |
650 | if ( $res->createRequest || $state['maybeLink'] ) { |
651 | $res->createRequest = new CreateFromLoginAuthenticationRequest( |
652 | $res->createRequest, $state['maybeLink'] |
653 | ); |
654 | } |
655 | $this->callMethodOnProviders( 7, 'postAuthentication', |
656 | [ $this->userFactory->newFromName( (string)$guessUserName ), $res ] |
657 | ); |
658 | $session->remove( self::AUTHN_STATE ); |
659 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( |
660 | $res, null, $guessUserName, [ |
661 | 'performer' => $session->getUser() |
662 | ] ); |
663 | return $res; |
664 | case AuthenticationResponse::REDIRECT: |
665 | case AuthenticationResponse::UI: |
666 | $this->logger->debug( "Primary login with $id returned $res->status" ); |
667 | $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $guessUserName ); |
668 | $state['continueRequests'] = $res->neededRequests; |
669 | $session->setSecret( self::AUTHN_STATE, $state ); |
670 | return $res; |
671 | default: |
672 | throw new \DomainException( |
673 | get_class( $provider ) . "::continuePrimaryAuthentication() returned $res->status" |
674 | ); |
675 | } |
676 | } |
677 | |
678 | // @phan-suppress-next-line PhanTypePossiblyInvalidDimOffset Always set in loop before, if passed |
679 | $res = $state['primaryResponse']; |
680 | if ( $res->username === null ) { |
681 | $provider = $this->getAuthenticationProvider( $state['primary'] ); |
682 | if ( !$provider instanceof PrimaryAuthenticationProvider ) { |
683 | // Configuration changed? Force them to start over. |
684 | // @codeCoverageIgnoreStart |
685 | $ret = AuthenticationResponse::newFail( |
686 | wfMessage( 'authmanager-authn-not-in-progress' ) |
687 | ); |
688 | $this->callMethodOnProviders( 7, 'postAuthentication', |
689 | [ $this->userFactory->newFromName( (string)$guessUserName ), $ret ] |
690 | ); |
691 | $session->remove( self::AUTHN_STATE ); |
692 | return $ret; |
693 | // @codeCoverageIgnoreEnd |
694 | } |
695 | |
696 | if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK && |
697 | $res->linkRequest && |
698 | // don't confuse the user with an incorrect message if linking is disabled |
699 | $this->getAuthenticationProvider( ConfirmLinkSecondaryAuthenticationProvider::class ) |
700 | ) { |
701 | $state['maybeLink'][$res->linkRequest->getUniqueId()] = $res->linkRequest; |
702 | $msg = 'authmanager-authn-no-local-user-link'; |
703 | } else { |
704 | $msg = 'authmanager-authn-no-local-user'; |
705 | } |
706 | $this->logger->debug( |
707 | "Primary login with {$provider->getUniqueId()} succeeded, but returned no user" |
708 | ); |
709 | $ret = AuthenticationResponse::newRestart( wfMessage( $msg ) ); |
710 | $ret->neededRequests = $this->getAuthenticationRequestsInternal( |
711 | self::ACTION_LOGIN, |
712 | [], |
713 | $this->getPrimaryAuthenticationProviders() + $this->getSecondaryAuthenticationProviders() |
714 | ); |
715 | if ( $res->createRequest || $state['maybeLink'] ) { |
716 | $ret->createRequest = new CreateFromLoginAuthenticationRequest( |
717 | $res->createRequest, $state['maybeLink'] |
718 | ); |
719 | $ret->neededRequests[] = $ret->createRequest; |
720 | } |
721 | $this->fillRequests( $ret->neededRequests, self::ACTION_LOGIN, null, true ); |
722 | $session->setSecret( self::AUTHN_STATE, [ |
723 | 'reqs' => [], // Will be filled in later |
724 | 'primary' => null, |
725 | 'primaryResponse' => null, |
726 | 'secondary' => [], |
727 | 'continueRequests' => $ret->neededRequests, |
728 | ] + $state ); |
729 | return $ret; |
730 | } |
731 | |
732 | // Step 2: Primary authentication succeeded, create the User object |
733 | // (and add the user locally if necessary) |
734 | |
735 | $user = $this->userFactory->newFromName( |
736 | (string)$res->username, |
737 | UserRigorOptions::RIGOR_USABLE |
738 | ); |
739 | if ( !$user ) { |
740 | $provider = $this->getAuthenticationProvider( $state['primary'] ); |
741 | throw new \DomainException( |
742 | get_class( $provider ) . " returned an invalid username: {$res->username}" |
743 | ); |
744 | } |
745 | if ( !$user->isRegistered() ) { |
746 | // User doesn't exist locally. Create it. |
747 | $this->logger->info( 'Auto-creating {user} on login', [ |
748 | 'user' => $user->getName(), |
749 | ] ); |
750 | $status = $this->autoCreateUser( $user, $state['primary'], false ); |
751 | if ( !$status->isGood() ) { |
752 | $ret = AuthenticationResponse::newFail( |
753 | Status::wrap( $status )->getMessage( 'authmanager-authn-autocreate-failed' ) |
754 | ); |
755 | $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] ); |
756 | $session->remove( self::AUTHN_STATE ); |
757 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( |
758 | $ret, $user, $user->getName(), [ |
759 | 'performer' => $session->getUser() |
760 | ] ); |
761 | return $ret; |
762 | } |
763 | } |
764 | |
765 | // Step 3: Iterate over all the secondary authentication providers. |
766 | |
767 | $beginReqs = $state['reqs']; |
768 | |
769 | foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) { |
770 | if ( !isset( $state['secondary'][$id] ) ) { |
771 | // This provider isn't started yet, so we pass it the set |
772 | // of reqs from beginAuthentication instead of whatever |
773 | // might have been used by a previous provider in line. |
774 | $func = 'beginSecondaryAuthentication'; |
775 | $res = $provider->beginSecondaryAuthentication( $user, $beginReqs ); |
776 | } elseif ( !$state['secondary'][$id] ) { |
777 | $func = 'continueSecondaryAuthentication'; |
778 | $res = $provider->continueSecondaryAuthentication( $user, $reqs ); |
779 | } else { |
780 | continue; |
781 | } |
782 | switch ( $res->status ) { |
783 | case AuthenticationResponse::PASS: |
784 | $this->logger->debug( "Secondary login with $id succeeded" ); |
785 | // fall through |
786 | case AuthenticationResponse::ABSTAIN: |
787 | $state['secondary'][$id] = true; |
788 | break; |
789 | case AuthenticationResponse::FAIL: |
790 | $this->logger->debug( "Login failed in secondary authentication by $id" ); |
791 | $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $res ] ); |
792 | $session->remove( self::AUTHN_STATE ); |
793 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( |
794 | $res, $user, $user->getName(), [ |
795 | 'performer' => $session->getUser() |
796 | ] ); |
797 | return $res; |
798 | case AuthenticationResponse::REDIRECT: |
799 | case AuthenticationResponse::UI: |
800 | $this->logger->debug( "Secondary login with $id returned " . $res->status ); |
801 | $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $user->getName() ); |
802 | $state['secondary'][$id] = false; |
803 | $state['continueRequests'] = $res->neededRequests; |
804 | $session->setSecret( self::AUTHN_STATE, $state ); |
805 | return $res; |
806 | |
807 | // @codeCoverageIgnoreStart |
808 | default: |
809 | throw new \DomainException( |
810 | get_class( $provider ) . "::{$func}() returned $res->status" |
811 | ); |
812 | // @codeCoverageIgnoreEnd |
813 | } |
814 | } |
815 | |
816 | // Step 4: Authentication complete! Set the user in the session and |
817 | // clean up. |
818 | |
819 | $this->logger->info( 'Login for {user} succeeded from {clientip}', [ |
820 | 'user' => $user->getName(), |
821 | 'clientip' => $this->request->getIP(), |
822 | ] ); |
823 | $rememberMeConfig = $this->config->get( MainConfigNames::RememberMe ); |
824 | if ( $rememberMeConfig === RememberMeAuthenticationRequest::ALWAYS_REMEMBER ) { |
825 | $rememberMe = true; |
826 | } elseif ( $rememberMeConfig === RememberMeAuthenticationRequest::NEVER_REMEMBER ) { |
827 | $rememberMe = false; |
828 | } else { |
829 | /** @var RememberMeAuthenticationRequest $req */ |
830 | $req = AuthenticationRequest::getRequestByClass( |
831 | $beginReqs, RememberMeAuthenticationRequest::class |
832 | ); |
833 | $rememberMe = $req && $req->rememberMe; |
834 | } |
835 | $this->setSessionDataForUser( $user, $rememberMe ); |
836 | $ret = AuthenticationResponse::newPass( $user->getName() ); |
837 | $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] ); |
838 | $performer = $session->getUser(); |
839 | $session->remove( self::AUTHN_STATE ); |
840 | $this->removeAuthenticationSessionData( null ); |
841 | $this->getHookRunner()->onAuthManagerLoginAuthenticateAudit( |
842 | $ret, $user, $user->getName(), [ |
843 | 'performer' => $performer |
844 | ] ); |
845 | return $ret; |
846 | } catch ( \Exception $ex ) { |
847 | $session->remove( self::AUTHN_STATE ); |
848 | throw $ex; |
849 | } |
850 | } |
851 | |
852 | /** |
853 | * Whether security-sensitive operations should proceed. |
854 | * |
855 | * A "security-sensitive operation" is something like a password or email |
856 | * change, that would normally have a "reenter your password to confirm" |
857 | * box if we only supported password-based authentication. |
858 | * |
859 | * @param string $operation Operation being checked. This should be a |
860 | * message-key-like string such as 'change-password' or 'change-email'. |
861 | * @return string One of the SEC_* constants. |
862 | */ |
863 | public function securitySensitiveOperationStatus( $operation ) { |
864 | $status = self::SEC_OK; |
865 | |
866 | $this->logger->debug( __METHOD__ . ": Checking $operation" ); |
867 | |
868 | $session = $this->request->getSession(); |
869 | $aId = $session->getUser()->getId(); |
870 | if ( $aId === 0 ) { |
871 | // User isn't authenticated. DWIM? |
872 | $status = $this->canAuthenticateNow() ? self::SEC_REAUTH : self::SEC_FAIL; |
873 | $this->logger->info( __METHOD__ . ": Not logged in! $operation is $status" ); |
874 | return $status; |
875 | } |
876 | |
877 | if ( $session->canSetUser() ) { |
878 | $id = $session->get( 'AuthManager:lastAuthId' ); |
879 | $last = $session->get( 'AuthManager:lastAuthTimestamp' ); |
880 | if ( $id !== $aId || $last === null ) { |
881 | $timeSinceLogin = PHP_INT_MAX; // Forever ago |
882 | } else { |
883 | $timeSinceLogin = max( 0, time() - $last ); |
884 | } |
885 | |
886 | $thresholds = $this->config->get( MainConfigNames::ReauthenticateTime ); |
887 | if ( isset( $thresholds[$operation] ) ) { |
888 | $threshold = $thresholds[$operation]; |
889 | } elseif ( isset( $thresholds['default'] ) ) { |
890 | $threshold = $thresholds['default']; |
891 | } else { |
892 | throw new \UnexpectedValueException( '$wgReauthenticateTime lacks a default' ); |
893 | } |
894 | |
895 | if ( $threshold >= 0 && $timeSinceLogin > $threshold ) { |
896 | $status = self::SEC_REAUTH; |
897 | } |
898 | } else { |
899 | $timeSinceLogin = -1; |
900 | |
901 | $pass = $this->config->get( |
902 | MainConfigNames::AllowSecuritySensitiveOperationIfCannotReauthenticate ); |
903 | if ( isset( $pass[$operation] ) ) { |
904 | $status = $pass[$operation] ? self::SEC_OK : self::SEC_FAIL; |
905 | } elseif ( isset( $pass['default'] ) ) { |
906 | $status = $pass['default'] ? self::SEC_OK : self::SEC_FAIL; |
907 | } else { |
908 | throw new \UnexpectedValueException( |
909 | '$wgAllowSecuritySensitiveOperationIfCannotReauthenticate lacks a default' |
910 | ); |
911 | } |
912 | } |
913 | |
914 | $this->getHookRunner()->onSecuritySensitiveOperationStatus( |
915 | $status, $operation, $session, $timeSinceLogin ); |
916 | |
917 | // If authentication is not possible, downgrade from "REAUTH" to "FAIL". |
918 | if ( !$this->canAuthenticateNow() && $status === self::SEC_REAUTH ) { |
919 | $status = self::SEC_FAIL; |
920 | } |
921 | |
922 | $this->logger->info( __METHOD__ . ": $operation is $status for '{user}'", |
923 | [ |
924 | 'user' => $session->getUser()->getName(), |
925 | 'clientip' => $this->getRequest()->getIP(), |
926 | ] |
927 | ); |
928 | |
929 | return $status; |
930 | } |
931 | |
932 | /** |
933 | * Determine whether a username can authenticate |
934 | * |
935 | * This is mainly for internal purposes and only takes authentication data into account, |
936 | * not things like blocks that can change without the authentication system being aware. |
937 | * |
938 | * @param string $username MediaWiki username |
939 | * @return bool |
940 | */ |
941 | public function userCanAuthenticate( $username ) { |
942 | foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) { |
943 | if ( $provider->testUserCanAuthenticate( $username ) ) { |
944 | return true; |
945 | } |
946 | } |
947 | return false; |
948 | } |
949 | |
950 | /** |
951 | * Provide normalized versions of the username for security checks |
952 | * |
953 | * Since different providers can normalize the input in different ways, |
954 | * this returns an array of all the different ways the name might be |
955 | * normalized for authentication. |
956 | * |
957 | * The returned strings should not be revealed to the user, as that might |
958 | * leak private information (e.g. an email address might be normalized to a |
959 | * username). |
960 | * |
961 | * @param string $username |
962 | * @return string[] |
963 | */ |
964 | public function normalizeUsername( $username ) { |
965 | $ret = []; |
966 | foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) { |
967 | $normalized = $provider->providerNormalizeUsername( $username ); |
968 | if ( $normalized !== null ) { |
969 | $ret[$normalized] = true; |
970 | } |
971 | } |
972 | return array_keys( $ret ); |
973 | } |
974 | |
975 | // endregion -- end of Authentication |
976 | |
977 | /***************************************************************************/ |
978 | // region Authentication data changing |
979 | /** @name Authentication data changing */ |
980 | |
981 | /** |
982 | * Revoke any authentication credentials for a user |
983 | * |
984 | * After this, the user should no longer be able to log in. |
985 | * |
986 | * @param string $username |
987 | */ |
988 | public function revokeAccessForUser( $username ) { |
989 | $this->logger->info( 'Revoking access for {user}', [ |
990 | 'user' => $username, |
991 | ] ); |
992 | $this->callMethodOnProviders( 6, 'providerRevokeAccessForUser', [ $username ] ); |
993 | } |
994 | |
995 | /** |
996 | * Validate a change of authentication data (e.g. passwords) |
997 | * @param AuthenticationRequest $req |
998 | * @param bool $checkData If false, $req hasn't been loaded from the |
999 | * submission so checks on user-submitted fields should be skipped. $req->username is |
1000 | * considered user-submitted for this purpose, even if it cannot be changed via |
1001 | * $req->loadFromSubmission. |
1002 | * @return Status |
1003 | */ |
1004 | public function allowsAuthenticationDataChange( AuthenticationRequest $req, $checkData = true ) { |
1005 | $any = false; |
1006 | $providers = $this->getPrimaryAuthenticationProviders() + |
1007 | $this->getSecondaryAuthenticationProviders(); |
1008 | |
1009 | foreach ( $providers as $provider ) { |
1010 | $status = $provider->providerAllowsAuthenticationDataChange( $req, $checkData ); |
1011 | if ( !$status->isGood() ) { |
1012 | // If status is not good because reset email password last attempt was within |
1013 | // $wgPasswordReminderResendTime then return good status with throttled-mailpassword value; |
1014 | // otherwise, return the $status wrapped. |
1015 | return $status->hasMessage( 'throttled-mailpassword' ) |
1016 | ? Status::newGood( 'throttled-mailpassword' ) |
1017 | : Status::wrap( $status ); |
1018 | } |
1019 | $any = $any || $status->value !== 'ignored'; |
1020 | } |
1021 | if ( !$any ) { |
1022 | return Status::newGood( 'ignored' ) |
1023 | ->warning( 'authmanager-change-not-supported' ); |
1024 | } |
1025 | return Status::newGood(); |
1026 | } |
1027 | |
1028 | /** |
1029 | * Change authentication data (e.g. passwords) |
1030 | * |
1031 | * If $req was returned for AuthManager::ACTION_CHANGE, using $req should |
1032 | * result in a successful login in the future. |
1033 | * |
1034 | * If $req was returned for AuthManager::ACTION_REMOVE, using $req should |
1035 | * no longer result in a successful login. |
1036 | * |
1037 | * This method should only be called if allowsAuthenticationDataChange( $req, true ) |
1038 | * returned success. |
1039 | * |
1040 | * @param AuthenticationRequest $req |
1041 | * @param bool $isAddition Set true if this represents an addition of |
1042 | * credentials rather than a change. The main difference is that additions |
1043 | * should not invalidate BotPasswords. If you're not sure, leave it false. |
1044 | */ |
1045 | public function changeAuthenticationData( AuthenticationRequest $req, $isAddition = false ) { |
1046 | $this->logger->info( 'Changing authentication data for {user} class {what}', [ |
1047 | 'user' => is_string( $req->username ) ? $req->username : '<no name>', |
1048 | 'what' => get_class( $req ), |
1049 | ] ); |
1050 | |
1051 | $this->callMethodOnProviders( 6, 'providerChangeAuthenticationData', [ $req ] ); |
1052 | |
1053 | // When the main account's authentication data is changed, invalidate |
1054 | // all BotPasswords too. |
1055 | if ( !$isAddition ) { |
1056 | $this->botPasswordStore->invalidateUserPasswords( (string)$req->username ); |
1057 | } |
1058 | } |
1059 | |
1060 | // endregion -- end of Authentication data changing |
1061 | |
1062 | /***************************************************************************/ |
1063 | // region Account creation |
1064 | /** @name Account creation */ |
1065 | |
1066 | /** |
1067 | * Determine whether accounts can be created |
1068 | * @return bool |
1069 | */ |
1070 | public function canCreateAccounts() { |
1071 | foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) { |
1072 | switch ( $provider->accountCreationType() ) { |
1073 | case PrimaryAuthenticationProvider::TYPE_CREATE: |
1074 | case PrimaryAuthenticationProvider::TYPE_LINK: |
1075 | return true; |
1076 | } |
1077 | } |
1078 | return false; |
1079 | } |
1080 | |
1081 | /** |
1082 | * Determine whether a particular account can be created |
1083 | * @param string $username MediaWiki username |
1084 | * @param array $options |
1085 | * - flags: (int) Bitfield of IDBAccessObject::READ_* constants, default IDBAccessObject::READ_NORMAL |
1086 | * - creating: (bool) For internal use only. Never specify this. |
1087 | * @return Status |
1088 | */ |
1089 | public function canCreateAccount( $username, $options = [] ) { |
1090 | // Back compat |
1091 | if ( is_int( $options ) ) { |
1092 | $options = [ 'flags' => $options ]; |
1093 | } |
1094 | $options += [ |
1095 | 'flags' => IDBAccessObject::READ_NORMAL, |
1096 | 'creating' => false, |
1097 | ]; |
1098 | // @phan-suppress-next-line PhanTypePossiblyInvalidDimOffset False positive |
1099 | $flags = $options['flags']; |
1100 | |
1101 | if ( !$this->canCreateAccounts() ) { |
1102 | return Status::newFatal( 'authmanager-create-disabled' ); |
1103 | } |
1104 | |
1105 | if ( $this->userExists( $username, $flags ) ) { |
1106 | return Status::newFatal( 'userexists' ); |
1107 | } |
1108 | |
1109 | $user = $this->userFactory->newFromName( (string)$username, UserRigorOptions::RIGOR_CREATABLE ); |
1110 | if ( !is_object( $user ) ) { |
1111 | return Status::newFatal( 'noname' ); |
1112 | } else { |
1113 | $user->load( $flags ); // Explicitly load with $flags, auto-loading always uses READ_NORMAL |
1114 | if ( $user->isRegistered() ) { |
1115 | return Status::newFatal( 'userexists' ); |
1116 | } |
1117 | } |
1118 | |
1119 | // Denied by providers? |
1120 | $providers = $this->getPreAuthenticationProviders() + |
1121 | $this->getPrimaryAuthenticationProviders() + |
1122 | $this->getSecondaryAuthenticationProviders(); |
1123 | foreach ( $providers as $provider ) { |
1124 | $status = $provider->testUserForCreation( $user, false, $options ); |
1125 | if ( !$status->isGood() ) { |
1126 | return Status::wrap( $status ); |
1127 | } |
1128 | } |
1129 | |
1130 | return Status::newGood(); |
1131 | } |
1132 | |
1133 | /** |
1134 | * @param callable $authorizer ( string $action, PageIdentity $target, PermissionStatus $status ) |
1135 | * @param string $action |
1136 | * @return StatusValue |
1137 | */ |
1138 | private function authorizeInternal( |
1139 | callable $authorizer, |
1140 | string $action |
1141 | ): StatusValue { |
1142 | // Wiki is read-only? |
1143 | if ( $this->readOnlyMode->isReadOnly() ) { |
1144 | return StatusValue::newFatal( wfMessage( 'readonlytext', $this->readOnlyMode->getReason() ) ); |
1145 | } |
1146 | |
1147 | $permStatus = new PermissionStatus(); |
1148 | if ( !$authorizer( |
1149 | $action, |
1150 | SpecialPage::getTitleFor( 'CreateAccount' ), |
1151 | $permStatus |
1152 | ) ) { |
1153 | return $permStatus; |
1154 | } |
1155 | |
1156 | $ip = $this->getRequest()->getIP(); |
1157 | if ( $this->blockManager->isDnsBlacklisted( $ip, true /* check $wgProxyWhitelist */ ) ) { |
1158 | return StatusValue::newFatal( 'sorbs_create_account_reason' ); |
1159 | } |
1160 | |
1161 | return StatusValue::newGood(); |
1162 | } |
1163 | |
1164 | /** |
1165 | * Check whether $creator can create accounts. |
1166 | * |
1167 | * @note this method does not guarantee full permissions check, so it should only |
1168 | * be used to to decide whether to show a form. To authorize the account creation |
1169 | * action use {@link self::authorizeCreateAccount} instead. |
1170 | * |
1171 | * @since 1.39 |
1172 | * @param Authority $creator |
1173 | * @return StatusValue |
1174 | */ |
1175 | public function probablyCanCreateAccount( Authority $creator ): StatusValue { |
1176 | return $this->authorizeInternal( |
1177 | static function ( |
1178 | string $action, |
1179 | PageIdentity $target, |
1180 | PermissionStatus $status |
1181 | ) use ( $creator ) { |
1182 | return $creator->probablyCan( $action, $target, $status ); |
1183 | }, |
1184 | 'createaccount' |
1185 | ); |
1186 | } |
1187 | |
1188 | /** |
1189 | * Authorize the account creation by $creator |
1190 | * |
1191 | * @note this method should be used right before the account is created. |
1192 | * To check whether a current performer has the potential to create accounts, |
1193 | * use {@link self::probablyCanCreateAccount} instead. |
1194 | * |
1195 | * @since 1.39 |
1196 | * @param Authority $creator |
1197 | * @return StatusValue |
1198 | */ |
1199 | public function authorizeCreateAccount( Authority $creator ): StatusValue { |
1200 | return $this->authorizeInternal( |
1201 | static function ( |
1202 | string $action, |
1203 | PageIdentity $target, |
1204 | PermissionStatus $status |
1205 | ) use ( $creator ) { |
1206 | return $creator->authorizeWrite( $action, $target, $status ); |
1207 | }, |
1208 | 'createaccount' |
1209 | ); |
1210 | } |
1211 | |
1212 | /** |
1213 | * Start an account creation flow |
1214 | * |
1215 | * In addition to the AuthenticationRequests returned by |
1216 | * $this->getAuthenticationRequests(), a client might include a |
1217 | * CreateFromLoginAuthenticationRequest from a previous login attempt. If |
1218 | * <code> |
1219 | * $createFromLoginAuthenticationRequest->hasPrimaryStateForAction( AuthManager::ACTION_CREATE ) |
1220 | * </code> |
1221 | * returns true, any AuthenticationRequest::PRIMARY_REQUIRED requests |
1222 | * should be omitted. If the CreateFromLoginAuthenticationRequest has a |
1223 | * username set, that username must be used for all other requests. |
1224 | * |
1225 | * @param Authority $creator User doing the account creation |
1226 | * @param AuthenticationRequest[] $reqs |
1227 | * @param string $returnToUrl Url that REDIRECT responses should eventually |
1228 | * return to. |
1229 | * @return AuthenticationResponse |
1230 | */ |
1231 | public function beginAccountCreation( Authority $creator, array $reqs, $returnToUrl ) { |
1232 | $session = $this->request->getSession(); |
1233 | if ( !$this->canCreateAccounts() ) { |
1234 | // Caller should have called canCreateAccounts() |
1235 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1236 | throw new \LogicException( 'Account creation is not possible' ); |
1237 | } |
1238 | |
1239 | try { |
1240 | $username = AuthenticationRequest::getUsernameFromRequests( $reqs ); |
1241 | } catch ( \UnexpectedValueException $ex ) { |
1242 | $username = null; |
1243 | } |
1244 | if ( $username === null ) { |
1245 | $this->logger->debug( __METHOD__ . ': No username provided' ); |
1246 | return AuthenticationResponse::newFail( wfMessage( 'noname' ) ); |
1247 | } |
1248 | |
1249 | // Permissions check |
1250 | $status = Status::wrap( $this->authorizeCreateAccount( $creator ) ); |
1251 | if ( !$status->isGood() ) { |
1252 | $this->logger->debug( __METHOD__ . ': {creator} cannot create users: {reason}', [ |
1253 | 'user' => $username, |
1254 | 'creator' => $creator->getUser()->getName(), |
1255 | 'reason' => $status->getWikiText( false, false, 'en' ) |
1256 | ] ); |
1257 | return AuthenticationResponse::newFail( $status->getMessage() ); |
1258 | } |
1259 | |
1260 | $status = $this->canCreateAccount( |
1261 | $username, [ 'flags' => IDBAccessObject::READ_LOCKING, 'creating' => true ] |
1262 | ); |
1263 | if ( !$status->isGood() ) { |
1264 | $this->logger->debug( __METHOD__ . ': {user} cannot be created: {reason}', [ |
1265 | 'user' => $username, |
1266 | 'creator' => $creator->getUser()->getName(), |
1267 | 'reason' => $status->getWikiText( false, false, 'en' ) |
1268 | ] ); |
1269 | return AuthenticationResponse::newFail( $status->getMessage() ); |
1270 | } |
1271 | |
1272 | $user = $this->userFactory->newFromName( (string)$username, UserRigorOptions::RIGOR_CREATABLE ); |
1273 | foreach ( $reqs as $req ) { |
1274 | $req->username = $username; |
1275 | $req->returnToUrl = $returnToUrl; |
1276 | if ( $req instanceof UserDataAuthenticationRequest ) { |
1277 | // @phan-suppress-next-line PhanTypeMismatchArgumentNullable user should be checked and valid here |
1278 | $status = $req->populateUser( $user ); |
1279 | if ( !$status->isGood() ) { |
1280 | $status = Status::wrap( $status ); |
1281 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1282 | $this->logger->debug( __METHOD__ . ': UserData is invalid: {reason}', [ |
1283 | 'user' => $user->getName(), |
1284 | 'creator' => $creator->getUser()->getName(), |
1285 | 'reason' => $status->getWikiText( false, false, 'en' ), |
1286 | ] ); |
1287 | return AuthenticationResponse::newFail( $status->getMessage() ); |
1288 | } |
1289 | } |
1290 | } |
1291 | |
1292 | $this->removeAuthenticationSessionData( null ); |
1293 | |
1294 | $state = [ |
1295 | 'username' => $username, |
1296 | 'userid' => 0, |
1297 | 'creatorid' => $creator->getUser()->getId(), |
1298 | 'creatorname' => $creator->getUser()->getName(), |
1299 | 'reqs' => $reqs, |
1300 | 'returnToUrl' => $returnToUrl, |
1301 | 'primary' => null, |
1302 | 'primaryResponse' => null, |
1303 | 'secondary' => [], |
1304 | 'continueRequests' => [], |
1305 | 'maybeLink' => [], |
1306 | 'ranPreTests' => false, |
1307 | ]; |
1308 | |
1309 | // Special case: converting a login to an account creation |
1310 | $req = AuthenticationRequest::getRequestByClass( |
1311 | $reqs, CreateFromLoginAuthenticationRequest::class |
1312 | ); |
1313 | if ( $req ) { |
1314 | $state['maybeLink'] = $req->maybeLink; |
1315 | |
1316 | if ( $req->createRequest ) { |
1317 | $reqs[] = $req->createRequest; |
1318 | $state['reqs'][] = $req->createRequest; |
1319 | } |
1320 | } |
1321 | |
1322 | $session->setSecret( self::ACCOUNT_CREATION_STATE, $state ); |
1323 | $session->persist(); |
1324 | |
1325 | return $this->continueAccountCreation( $reqs ); |
1326 | } |
1327 | |
1328 | /** |
1329 | * Continue an account creation flow |
1330 | * @param AuthenticationRequest[] $reqs |
1331 | * @return AuthenticationResponse |
1332 | */ |
1333 | public function continueAccountCreation( array $reqs ) { |
1334 | $session = $this->request->getSession(); |
1335 | try { |
1336 | if ( !$this->canCreateAccounts() ) { |
1337 | // Caller should have called canCreateAccounts() |
1338 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1339 | throw new \LogicException( 'Account creation is not possible' ); |
1340 | } |
1341 | |
1342 | $state = $session->getSecret( self::ACCOUNT_CREATION_STATE ); |
1343 | if ( !is_array( $state ) ) { |
1344 | return AuthenticationResponse::newFail( |
1345 | wfMessage( 'authmanager-create-not-in-progress' ) |
1346 | ); |
1347 | } |
1348 | $state['continueRequests'] = []; |
1349 | |
1350 | // Step 0: Prepare and validate the input |
1351 | |
1352 | $user = $this->userFactory->newFromName( |
1353 | (string)$state['username'], |
1354 | UserRigorOptions::RIGOR_CREATABLE |
1355 | ); |
1356 | if ( !is_object( $user ) ) { |
1357 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1358 | $this->logger->debug( __METHOD__ . ': Invalid username', [ |
1359 | 'user' => $state['username'], |
1360 | ] ); |
1361 | return AuthenticationResponse::newFail( wfMessage( 'noname' ) ); |
1362 | } |
1363 | |
1364 | if ( $state['creatorid'] ) { |
1365 | $creator = $this->userFactory->newFromId( (int)$state['creatorid'] ); |
1366 | } else { |
1367 | $creator = $this->userFactory->newAnonymous(); |
1368 | $creator->setName( $state['creatorname'] ); |
1369 | } |
1370 | |
1371 | // Avoid account creation races on double submissions |
1372 | $cache = \ObjectCache::getLocalClusterInstance(); |
1373 | $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $user->getName() ) ) ); |
1374 | if ( !$lock ) { |
1375 | // Don't clear AuthManager::accountCreationState for this code |
1376 | // path because the process that won the race owns it. |
1377 | $this->logger->debug( __METHOD__ . ': Could not acquire account creation lock', [ |
1378 | 'user' => $user->getName(), |
1379 | 'creator' => $creator->getName(), |
1380 | ] ); |
1381 | return AuthenticationResponse::newFail( wfMessage( 'usernameinprogress' ) ); |
1382 | } |
1383 | |
1384 | // Permissions check |
1385 | $status = Status::wrap( $this->authorizeCreateAccount( $creator ) ); |
1386 | if ( !$status->isGood() ) { |
1387 | $this->logger->debug( __METHOD__ . ': {creator} cannot create users: {reason}', [ |
1388 | 'user' => $user->getName(), |
1389 | 'creator' => $creator->getName(), |
1390 | 'reason' => $status->getWikiText( false, false, 'en' ) |
1391 | ] ); |
1392 | $ret = AuthenticationResponse::newFail( $status->getMessage() ); |
1393 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1394 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1395 | return $ret; |
1396 | } |
1397 | |
1398 | // Load from primary DB for existence check |
1399 | $user->load( IDBAccessObject::READ_LOCKING ); |
1400 | |
1401 | if ( $state['userid'] === 0 ) { |
1402 | if ( $user->isRegistered() ) { |
1403 | $this->logger->debug( __METHOD__ . ': User exists locally', [ |
1404 | 'user' => $user->getName(), |
1405 | 'creator' => $creator->getName(), |
1406 | ] ); |
1407 | $ret = AuthenticationResponse::newFail( wfMessage( 'userexists' ) ); |
1408 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1409 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1410 | return $ret; |
1411 | } |
1412 | } else { |
1413 | if ( !$user->isRegistered() ) { |
1414 | $this->logger->debug( __METHOD__ . ': User does not exist locally when it should', [ |
1415 | 'user' => $user->getName(), |
1416 | 'creator' => $creator->getName(), |
1417 | 'expected_id' => $state['userid'], |
1418 | ] ); |
1419 | throw new \UnexpectedValueException( |
1420 | "User \"{$state['username']}\" should exist now, but doesn't!" |
1421 | ); |
1422 | } |
1423 | if ( $user->getId() !== $state['userid'] ) { |
1424 | $this->logger->debug( __METHOD__ . ': User ID/name mismatch', [ |
1425 | 'user' => $user->getName(), |
1426 | 'creator' => $creator->getName(), |
1427 | 'expected_id' => $state['userid'], |
1428 | 'actual_id' => $user->getId(), |
1429 | ] ); |
1430 | throw new \UnexpectedValueException( |
1431 | "User \"{$state['username']}\" exists, but " . |
1432 | "ID {$user->getId()} !== {$state['userid']}!" |
1433 | ); |
1434 | } |
1435 | } |
1436 | foreach ( $state['reqs'] as $req ) { |
1437 | if ( $req instanceof UserDataAuthenticationRequest ) { |
1438 | $status = $req->populateUser( $user ); |
1439 | if ( !$status->isGood() ) { |
1440 | // This should never happen... |
1441 | $status = Status::wrap( $status ); |
1442 | $this->logger->debug( __METHOD__ . ': UserData is invalid: {reason}', [ |
1443 | 'user' => $user->getName(), |
1444 | 'creator' => $creator->getName(), |
1445 | 'reason' => $status->getWikiText( false, false, 'en' ), |
1446 | ] ); |
1447 | $ret = AuthenticationResponse::newFail( $status->getMessage() ); |
1448 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1449 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1450 | return $ret; |
1451 | } |
1452 | } |
1453 | } |
1454 | |
1455 | foreach ( $reqs as $req ) { |
1456 | $req->returnToUrl = $state['returnToUrl']; |
1457 | $req->username = $state['username']; |
1458 | } |
1459 | |
1460 | // Run pre-creation tests, if we haven't already |
1461 | if ( !$state['ranPreTests'] ) { |
1462 | $providers = $this->getPreAuthenticationProviders() + |
1463 | $this->getPrimaryAuthenticationProviders() + |
1464 | $this->getSecondaryAuthenticationProviders(); |
1465 | foreach ( $providers as $id => $provider ) { |
1466 | $status = $provider->testForAccountCreation( $user, $creator, $reqs ); |
1467 | if ( !$status->isGood() ) { |
1468 | $this->logger->debug( __METHOD__ . ": Fail in pre-authentication by $id", [ |
1469 | 'user' => $user->getName(), |
1470 | 'creator' => $creator->getName(), |
1471 | ] ); |
1472 | $ret = AuthenticationResponse::newFail( |
1473 | Status::wrap( $status )->getMessage() |
1474 | ); |
1475 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1476 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1477 | return $ret; |
1478 | } |
1479 | } |
1480 | |
1481 | $state['ranPreTests'] = true; |
1482 | } |
1483 | |
1484 | // Step 1: Choose a primary authentication provider and call it until it succeeds. |
1485 | |
1486 | if ( $state['primary'] === null ) { |
1487 | // We haven't picked a PrimaryAuthenticationProvider yet |
1488 | foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) { |
1489 | if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_NONE ) { |
1490 | continue; |
1491 | } |
1492 | $res = $provider->beginPrimaryAccountCreation( $user, $creator, $reqs ); |
1493 | switch ( $res->status ) { |
1494 | case AuthenticationResponse::PASS: |
1495 | $this->logger->debug( __METHOD__ . ": Primary creation passed by $id", [ |
1496 | 'user' => $user->getName(), |
1497 | 'creator' => $creator->getName(), |
1498 | ] ); |
1499 | $state['primary'] = $id; |
1500 | $state['primaryResponse'] = $res; |
1501 | break 2; |
1502 | case AuthenticationResponse::FAIL: |
1503 | $this->logger->debug( __METHOD__ . ": Primary creation failed by $id", [ |
1504 | 'user' => $user->getName(), |
1505 | 'creator' => $creator->getName(), |
1506 | ] ); |
1507 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] ); |
1508 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1509 | return $res; |
1510 | case AuthenticationResponse::ABSTAIN: |
1511 | // Continue loop |
1512 | break; |
1513 | case AuthenticationResponse::REDIRECT: |
1514 | case AuthenticationResponse::UI: |
1515 | $this->logger->debug( __METHOD__ . ": Primary creation $res->status by $id", [ |
1516 | 'user' => $user->getName(), |
1517 | 'creator' => $creator->getName(), |
1518 | ] ); |
1519 | $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null ); |
1520 | $state['primary'] = $id; |
1521 | $state['continueRequests'] = $res->neededRequests; |
1522 | $session->setSecret( self::ACCOUNT_CREATION_STATE, $state ); |
1523 | return $res; |
1524 | |
1525 | // @codeCoverageIgnoreStart |
1526 | default: |
1527 | throw new \DomainException( |
1528 | get_class( $provider ) . "::beginPrimaryAccountCreation() returned $res->status" |
1529 | ); |
1530 | // @codeCoverageIgnoreEnd |
1531 | } |
1532 | } |
1533 | // @phan-suppress-next-line PhanTypePossiblyInvalidDimOffset Always set in loop before, if passed |
1534 | if ( $state['primary'] === null ) { |
1535 | $this->logger->debug( __METHOD__ . ': Primary creation failed because no provider accepted', [ |
1536 | 'user' => $user->getName(), |
1537 | 'creator' => $creator->getName(), |
1538 | ] ); |
1539 | $ret = AuthenticationResponse::newFail( |
1540 | wfMessage( 'authmanager-create-no-primary' ) |
1541 | ); |
1542 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1543 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1544 | return $ret; |
1545 | } |
1546 | } elseif ( $state['primaryResponse'] === null ) { |
1547 | $provider = $this->getAuthenticationProvider( $state['primary'] ); |
1548 | if ( !$provider instanceof PrimaryAuthenticationProvider ) { |
1549 | // Configuration changed? Force them to start over. |
1550 | // @codeCoverageIgnoreStart |
1551 | $ret = AuthenticationResponse::newFail( |
1552 | wfMessage( 'authmanager-create-not-in-progress' ) |
1553 | ); |
1554 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1555 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1556 | return $ret; |
1557 | // @codeCoverageIgnoreEnd |
1558 | } |
1559 | $id = $provider->getUniqueId(); |
1560 | $res = $provider->continuePrimaryAccountCreation( $user, $creator, $reqs ); |
1561 | switch ( $res->status ) { |
1562 | case AuthenticationResponse::PASS: |
1563 | $this->logger->debug( __METHOD__ . ": Primary creation passed by $id", [ |
1564 | 'user' => $user->getName(), |
1565 | 'creator' => $creator->getName(), |
1566 | ] ); |
1567 | $state['primaryResponse'] = $res; |
1568 | break; |
1569 | case AuthenticationResponse::FAIL: |
1570 | $this->logger->debug( __METHOD__ . ": Primary creation failed by $id", [ |
1571 | 'user' => $user->getName(), |
1572 | 'creator' => $creator->getName(), |
1573 | ] ); |
1574 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] ); |
1575 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1576 | return $res; |
1577 | case AuthenticationResponse::REDIRECT: |
1578 | case AuthenticationResponse::UI: |
1579 | $this->logger->debug( __METHOD__ . ": Primary creation $res->status by $id", [ |
1580 | 'user' => $user->getName(), |
1581 | 'creator' => $creator->getName(), |
1582 | ] ); |
1583 | $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null ); |
1584 | $state['continueRequests'] = $res->neededRequests; |
1585 | $session->setSecret( self::ACCOUNT_CREATION_STATE, $state ); |
1586 | return $res; |
1587 | default: |
1588 | throw new \DomainException( |
1589 | get_class( $provider ) . "::continuePrimaryAccountCreation() returned $res->status" |
1590 | ); |
1591 | } |
1592 | } |
1593 | |
1594 | // Step 2: Primary authentication succeeded, create the User object |
1595 | // and add the user locally. |
1596 | |
1597 | if ( $state['userid'] === 0 ) { |
1598 | $this->logger->info( 'Creating user {user} during account creation', [ |
1599 | 'user' => $user->getName(), |
1600 | 'creator' => $creator->getName(), |
1601 | ] ); |
1602 | $status = $user->addToDatabase(); |
1603 | if ( !$status->isOK() ) { |
1604 | // @codeCoverageIgnoreStart |
1605 | $ret = AuthenticationResponse::newFail( $status->getMessage() ); |
1606 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1607 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1608 | return $ret; |
1609 | // @codeCoverageIgnoreEnd |
1610 | } |
1611 | $this->setDefaultUserOptions( $user, $creator->isAnon() ); |
1612 | $this->getHookRunner()->onLocalUserCreated( $user, false ); |
1613 | $user->saveSettings(); |
1614 | $state['userid'] = $user->getId(); |
1615 | |
1616 | // Update user count |
1617 | DeferredUpdates::addUpdate( SiteStatsUpdate::factory( [ 'users' => 1 ] ) ); |
1618 | |
1619 | // Watch user's userpage and talk page |
1620 | $this->watchlistManager->addWatchIgnoringRights( $user, $user->getUserPage() ); |
1621 | |
1622 | // Inform the provider |
1623 | // @phan-suppress-next-next-line PhanPossiblyUndeclaredVariable |
1624 | // @phan-suppress-next-line PhanTypePossiblyInvalidDimOffset Always set in loop before, if passed |
1625 | $logSubtype = $provider->finishAccountCreation( $user, $creator, $state['primaryResponse'] ); |
1626 | |
1627 | // Log the creation |
1628 | if ( $this->config->get( MainConfigNames::NewUserLog ) ) { |
1629 | $isAnon = $creator->isAnon(); |
1630 | $logEntry = new \ManualLogEntry( |
1631 | 'newusers', |
1632 | $logSubtype ?: ( $isAnon ? 'create' : 'create2' ) |
1633 | ); |
1634 | $logEntry->setPerformer( $isAnon ? $user : $creator ); |
1635 | $logEntry->setTarget( $user->getUserPage() ); |
1636 | /** @var CreationReasonAuthenticationRequest $req */ |
1637 | $req = AuthenticationRequest::getRequestByClass( |
1638 | $state['reqs'], CreationReasonAuthenticationRequest::class |
1639 | ); |
1640 | $logEntry->setComment( $req ? $req->reason : '' ); |
1641 | $logEntry->setParameters( [ |
1642 | '4::userid' => $user->getId(), |
1643 | ] ); |
1644 | $logid = $logEntry->insert(); |
1645 | $logEntry->publish( $logid ); |
1646 | } |
1647 | } |
1648 | |
1649 | // Step 3: Iterate over all the secondary authentication providers. |
1650 | |
1651 | $beginReqs = $state['reqs']; |
1652 | |
1653 | foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) { |
1654 | if ( !isset( $state['secondary'][$id] ) ) { |
1655 | // This provider isn't started yet, so we pass it the set |
1656 | // of reqs from beginAuthentication instead of whatever |
1657 | // might have been used by a previous provider in line. |
1658 | $func = 'beginSecondaryAccountCreation'; |
1659 | $res = $provider->beginSecondaryAccountCreation( $user, $creator, $beginReqs ); |
1660 | } elseif ( !$state['secondary'][$id] ) { |
1661 | $func = 'continueSecondaryAccountCreation'; |
1662 | $res = $provider->continueSecondaryAccountCreation( $user, $creator, $reqs ); |
1663 | } else { |
1664 | continue; |
1665 | } |
1666 | switch ( $res->status ) { |
1667 | case AuthenticationResponse::PASS: |
1668 | $this->logger->debug( __METHOD__ . ": Secondary creation passed by $id", [ |
1669 | 'user' => $user->getName(), |
1670 | 'creator' => $creator->getName(), |
1671 | ] ); |
1672 | // fall through |
1673 | case AuthenticationResponse::ABSTAIN: |
1674 | $state['secondary'][$id] = true; |
1675 | break; |
1676 | case AuthenticationResponse::REDIRECT: |
1677 | case AuthenticationResponse::UI: |
1678 | $this->logger->debug( __METHOD__ . ": Secondary creation $res->status by $id", [ |
1679 | 'user' => $user->getName(), |
1680 | 'creator' => $creator->getName(), |
1681 | ] ); |
1682 | $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null ); |
1683 | $state['secondary'][$id] = false; |
1684 | $state['continueRequests'] = $res->neededRequests; |
1685 | $session->setSecret( self::ACCOUNT_CREATION_STATE, $state ); |
1686 | return $res; |
1687 | case AuthenticationResponse::FAIL: |
1688 | throw new \DomainException( |
1689 | get_class( $provider ) . "::{$func}() returned $res->status." . |
1690 | ' Secondary providers are not allowed to fail account creation, that' . |
1691 | ' should have been done via testForAccountCreation().' |
1692 | ); |
1693 | // @codeCoverageIgnoreStart |
1694 | default: |
1695 | throw new \DomainException( |
1696 | get_class( $provider ) . "::{$func}() returned $res->status" |
1697 | ); |
1698 | // @codeCoverageIgnoreEnd |
1699 | } |
1700 | } |
1701 | |
1702 | $id = $user->getId(); |
1703 | $name = $user->getName(); |
1704 | $req = new CreatedAccountAuthenticationRequest( $id, $name ); |
1705 | $ret = AuthenticationResponse::newPass( $name ); |
1706 | $ret->loginRequest = $req; |
1707 | $this->createdAccountAuthenticationRequests[] = $req; |
1708 | |
1709 | $this->logger->info( __METHOD__ . ': Account creation succeeded for {user}', [ |
1710 | 'user' => $user->getName(), |
1711 | 'creator' => $creator->getName(), |
1712 | ] ); |
1713 | |
1714 | $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] ); |
1715 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1716 | $this->removeAuthenticationSessionData( null ); |
1717 | return $ret; |
1718 | } catch ( \Exception $ex ) { |
1719 | $session->remove( self::ACCOUNT_CREATION_STATE ); |
1720 | throw $ex; |
1721 | } |
1722 | } |
1723 | |
1724 | /** |
1725 | * Auto-create an account, and optionally log into that account |
1726 | * |
1727 | * PrimaryAuthenticationProviders can invoke this method by returning a PASS from |
1728 | * beginPrimaryAuthentication/continuePrimaryAuthentication with the username of a |
1729 | * non-existing user. SessionProviders can invoke it by returning a SessionInfo with |
1730 | * the username of a non-existing user from provideSessionInfo(). Calling this method |
1731 | * explicitly (e.g. from a maintenance script) is also fine. |
1732 | * |
1733 | * @param User $user User to auto-create |
1734 | * @param string $source What caused the auto-creation? This must be one of: |
1735 | * - the ID of a PrimaryAuthenticationProvider, |
1736 | * - one of the self::AUTOCREATE_SOURCE_* constants |
1737 | * @param bool $login Whether to also log the user in |
1738 | * @param bool $log Whether to generate a user creation log entry (since 1.36) |
1739 | * @param Authority|null $performer The performer of the action to use for user rights |
1740 | * checking. Normally null to indicate an anonymous performer. Added in 1.42 for |
1741 | * Special:CreateLocalAccount (T234371). |
1742 | * |
1743 | * @return Status Good if user was created, Ok if user already existed, otherwise Fatal |
1744 | */ |
1745 | public function autoCreateUser( |
1746 | User $user, |
1747 | $source, |
1748 | $login = true, |
1749 | $log = true, |
1750 | ?Authority $performer = null |
1751 | ) { |
1752 | $validSources = [ |
1753 | self::AUTOCREATE_SOURCE_SESSION, |
1754 | self::AUTOCREATE_SOURCE_MAINT, |
1755 | self::AUTOCREATE_SOURCE_TEMP |
1756 | ]; |
1757 | if ( !in_array( $source, $validSources, true ) |
1758 | && !$this->getAuthenticationProvider( $source ) instanceof PrimaryAuthenticationProvider |
1759 | ) { |
1760 | throw new \InvalidArgumentException( "Unknown auto-creation source: $source" ); |
1761 | } |
1762 | |
1763 | $username = $user->getName(); |
1764 | |
1765 | // Try the local user from the replica DB |
1766 | $localUserIdentity = $this->userIdentityLookup->getUserIdentityByName( $username ); |
1767 | $localId = ( $localUserIdentity && $localUserIdentity->getId() ) |
1768 | ? $localUserIdentity->getId() |
1769 | : null; |
1770 | $flags = IDBAccessObject::READ_NORMAL; |
1771 | |
1772 | // Fetch the user ID from the primary, so that we don't try to create the user |
1773 | // when they already exist, due to replication lag |
1774 | // @codeCoverageIgnoreStart |
1775 | if ( |
1776 | !$localId && |
1777 | $this->loadBalancer->getReaderIndex() !== 0 |
1778 | ) { |
1779 | $localUserIdentity = $this->userIdentityLookup->getUserIdentityByName( |
1780 | $username, |
1781 | IDBAccessObject::READ_LATEST |
1782 | ); |
1783 | $localId = ( $localUserIdentity && $localUserIdentity->getId() ) |
1784 | ? $localUserIdentity->getId() |
1785 | : null; |
1786 | $flags = IDBAccessObject::READ_LATEST; |
1787 | } |
1788 | // @codeCoverageIgnoreEnd |
1789 | |
1790 | if ( $localId ) { |
1791 | $this->logger->debug( __METHOD__ . ': {username} already exists locally', [ |
1792 | 'username' => $username, |
1793 | ] ); |
1794 | $user->setId( $localId ); |
1795 | $user->loadFromId( $flags ); |
1796 | if ( $login ) { |
1797 | $remember = $source === self::AUTOCREATE_SOURCE_TEMP; |
1798 | $this->setSessionDataForUser( $user, $remember ); |
1799 | } |
1800 | return Status::newGood()->warning( 'userexists' ); |
1801 | } |
1802 | |
1803 | // Wiki is read-only? |
1804 | if ( $this->readOnlyMode->isReadOnly() ) { |
1805 | $reason = $this->readOnlyMode->getReason(); |
1806 | $this->logger->debug( __METHOD__ . ': denied because of read only mode: {reason}', [ |
1807 | 'username' => $username, |
1808 | 'reason' => $reason, |
1809 | ] ); |
1810 | $user->setId( 0 ); |
1811 | $user->loadFromId(); |
1812 | return Status::newFatal( wfMessage( 'readonlytext', $reason ) ); |
1813 | } |
1814 | |
1815 | // If there is a non-anonymous performer, don't use their session |
1816 | $session = $performer ? null : $this->request->getSession(); |
1817 | |
1818 | // Check the session, if we tried to create this user already there's |
1819 | // no point in retrying. |
1820 | if ( $session && $session->get( self::AUTOCREATE_BLOCKLIST ) ) { |
1821 | $this->logger->debug( __METHOD__ . ': blacklisted in session {sessionid}', [ |
1822 | 'username' => $username, |
1823 | 'sessionid' => $session->getId(), |
1824 | ] ); |
1825 | $user->setId( 0 ); |
1826 | $user->loadFromId(); |
1827 | $reason = $session->get( self::AUTOCREATE_BLOCKLIST ); |
1828 | if ( $reason instanceof StatusValue ) { |
1829 | return Status::wrap( $reason ); |
1830 | } else { |
1831 | return Status::newFatal( $reason ); |
1832 | } |
1833 | } |
1834 | |
1835 | // Is the username usable? (Previously isCreatable() was checked here but |
1836 | // that doesn't work with auto-creation of TempUser accounts by CentralAuth) |
1837 | if ( !$this->userNameUtils->isUsable( $username ) ) { |
1838 | $this->logger->debug( __METHOD__ . ': name "{username}" is not usable', [ |
1839 | 'username' => $username, |
1840 | ] ); |
1841 | if ( $session ) { |
1842 | $session->set( self::AUTOCREATE_BLOCKLIST, 'noname' ); |
1843 | } |
1844 | $user->setId( 0 ); |
1845 | $user->loadFromId(); |
1846 | return Status::newFatal( 'noname' ); |
1847 | } |
1848 | |
1849 | // Is the IP user able to create accounts? |
1850 | $performer ??= $this->userFactory->newAnonymous(); |
1851 | $bypassAuthorization = $session ? $session->getProvider()->canAlwaysAutocreate() : false; |
1852 | if ( $source !== self::AUTOCREATE_SOURCE_MAINT && !$bypassAuthorization ) { |
1853 | $status = $this->authorizeAutoCreateAccount( $performer ); |
1854 | if ( !$status->isOK() ) { |
1855 | $this->logger->debug( __METHOD__ . ': cannot create or autocreate accounts', [ |
1856 | 'username' => $username, |
1857 | 'creator' => $performer->getUser()->getName(), |
1858 | ] ); |
1859 | if ( $session ) { |
1860 | $session->set( self::AUTOCREATE_BLOCKLIST, $status ); |
1861 | $session->persist(); |
1862 | } |
1863 | $user->setId( 0 ); |
1864 | $user->loadFromId(); |
1865 | return Status::wrap( $status ); |
1866 | } |
1867 | } |
1868 | |
1869 | // Avoid account creation races on double submissions |
1870 | $cache = \ObjectCache::getLocalClusterInstance(); |
1871 | $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $username ) ) ); |
1872 | if ( !$lock ) { |
1873 | $this->logger->debug( __METHOD__ . ': Could not acquire account creation lock', [ |
1874 | 'user' => $username, |
1875 | ] ); |
1876 | $user->setId( 0 ); |
1877 | $user->loadFromId(); |
1878 | return Status::newFatal( 'usernameinprogress' ); |
1879 | } |
1880 | |
1881 | // Denied by providers? |
1882 | $options = [ |
1883 | 'flags' => IDBAccessObject::READ_LATEST, |
1884 | 'creating' => true, |
1885 | ]; |
1886 | $providers = $this->getPreAuthenticationProviders() + |
1887 | $this->getPrimaryAuthenticationProviders() + |
1888 | $this->getSecondaryAuthenticationProviders(); |
1889 | foreach ( $providers as $provider ) { |
1890 | $status = $provider->testUserForCreation( $user, $source, $options ); |
1891 | if ( !$status->isGood() ) { |
1892 | $ret = Status::wrap( $status ); |
1893 | $this->logger->debug( __METHOD__ . ': Provider denied creation of {username}: {reason}', [ |
1894 | 'username' => $username, |
1895 | 'reason' => $ret->getWikiText( false, false, 'en' ), |
1896 | ] ); |
1897 | if ( $session ) { |
1898 | $session->set( self::AUTOCREATE_BLOCKLIST, $status ); |
1899 | } |
1900 | $user->setId( 0 ); |
1901 | $user->loadFromId(); |
1902 | return $ret; |
1903 | } |
1904 | } |
1905 | |
1906 | $backoffKey = $cache->makeKey( 'AuthManager', 'autocreate-failed', md5( $username ) ); |
1907 | if ( $cache->get( $backoffKey ) ) { |
1908 | $this->logger->debug( __METHOD__ . ': {username} denied by prior creation attempt failures', [ |
1909 | 'username' => $username, |
1910 | ] ); |
1911 | $user->setId( 0 ); |
1912 | $user->loadFromId(); |
1913 | return Status::newFatal( 'authmanager-autocreate-exception' ); |
1914 | } |
1915 | |
1916 | // Checks passed, create the user... |
1917 | $from = $_SERVER['REQUEST_URI'] ?? 'CLI'; |
1918 | $this->logger->info( __METHOD__ . ': creating new user ({username}) - from: {from}', [ |
1919 | 'username' => $username, |
1920 | 'from' => $from, |
1921 | ] ); |
1922 | |
1923 | // Ignore warnings about primary connections/writes...hard to avoid here |
1924 | $trxProfiler = \Profiler::instance()->getTransactionProfiler(); |
1925 | $scope = $trxProfiler->silenceForScope( $trxProfiler::EXPECTATION_REPLICAS_ONLY ); |
1926 | try { |
1927 | $status = $user->addToDatabase(); |
1928 | if ( !$status->isOK() ) { |
1929 | // Double-check for a race condition (T70012). We make use of the fact that when |
1930 | // addToDatabase fails due to the user already existing, the user object gets loaded. |
1931 | if ( $user->getId() ) { |
1932 | $this->logger->info( __METHOD__ . ': {username} already exists locally (race)', [ |
1933 | 'username' => $username, |
1934 | ] ); |
1935 | if ( $login ) { |
1936 | $remember = $source === self::AUTOCREATE_SOURCE_TEMP; |
1937 | $this->setSessionDataForUser( $user, $remember ); |
1938 | } |
1939 | $status = Status::newGood()->warning( 'userexists' ); |
1940 | } else { |
1941 | $this->logger->error( __METHOD__ . ': {username} failed with message {msg}', [ |
1942 | 'username' => $username, |
1943 | 'msg' => $status->getWikiText( false, false, 'en' ) |
1944 | ] ); |
1945 | $user->setId( 0 ); |
1946 | $user->loadFromId(); |
1947 | } |
1948 | return $status; |
1949 | } |
1950 | } catch ( \Exception $ex ) { |
1951 | $this->logger->error( __METHOD__ . ': {username} failed with exception {exception}', [ |
1952 | 'username' => $username, |
1953 | 'exception' => $ex, |
1954 | ] ); |
1955 | // Do not keep throwing errors for a while |
1956 | $cache->set( $backoffKey, 1, 600 ); |
1957 | // Bubble up error; which should normally trigger DB rollbacks |
1958 | throw $ex; |
1959 | } |
1960 | |
1961 | $this->setDefaultUserOptions( $user, false ); |
1962 | |
1963 | // Inform the providers |
1964 | $this->callMethodOnProviders( 6, 'autoCreatedAccount', [ $user, $source ] ); |
1965 | |
1966 | $this->getHookRunner()->onLocalUserCreated( $user, true ); |
1967 | $user->saveSettings(); |
1968 | |
1969 | // Update user count |
1970 | DeferredUpdates::addUpdate( SiteStatsUpdate::factory( [ 'users' => 1 ] ) ); |
1971 | // Watch user's userpage and talk page (except temp users) |
1972 | if ( $source !== self::AUTOCREATE_SOURCE_TEMP ) { |
1973 | DeferredUpdates::addCallableUpdate( function () use ( $user ) { |
1974 | $this->watchlistManager->addWatchIgnoringRights( $user, $user->getUserPage() ); |
1975 | } ); |
1976 | } |
1977 | |
1978 | // Log the creation |
1979 | if ( $this->config->get( MainConfigNames::NewUserLog ) && $log ) { |
1980 | $logEntry = new \ManualLogEntry( 'newusers', 'autocreate' ); |
1981 | $logEntry->setPerformer( $user ); |
1982 | $logEntry->setTarget( $user->getUserPage() ); |
1983 | $logEntry->setComment( '' ); |
1984 | $logEntry->setParameters( [ |
1985 | '4::userid' => $user->getId(), |
1986 | ] ); |
1987 | $logEntry->insert(); |
1988 | } |
1989 | |
1990 | ScopedCallback::consume( $scope ); |
1991 | |
1992 | if ( $login ) { |
1993 | $remember = $source === self::AUTOCREATE_SOURCE_TEMP; |
1994 | $this->setSessionDataForUser( $user, $remember ); |
1995 | } |
1996 | |
1997 | return Status::newGood(); |
1998 | } |
1999 | |
2000 | /** |
2001 | * Authorize automatic account creation. This is like account creation but |
2002 | * checks the autocreateaccount right instead of the createaccount right. |
2003 | * |
2004 | * @param Authority $creator |
2005 | * @return StatusValue |
2006 | */ |
2007 | private function authorizeAutoCreateAccount( Authority $creator ) { |
2008 | return $this->authorizeInternal( |
2009 | static function ( |
2010 | string $action, |
2011 | PageIdentity $target, |
2012 | PermissionStatus $status |
2013 | ) use ( $creator ) { |
2014 | return $creator->authorizeWrite( $action, $target, $status ); |
2015 | }, |
2016 | 'autocreateaccount' |
2017 | ); |
2018 | } |
2019 | |
2020 | // endregion -- end of Account creation |
2021 | |
2022 | /***************************************************************************/ |
2023 | // region Account linking |
2024 | /** @name Account linking */ |
2025 | |
2026 | /** |
2027 | * Determine whether accounts can be linked |
2028 | * @return bool |
2029 | */ |
2030 | public function canLinkAccounts() { |
2031 | foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) { |
2032 | if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK ) { |
2033 | return true; |
2034 | } |
2035 | } |
2036 | return false; |
2037 | } |
2038 | |
2039 | /** |
2040 | * Start an account linking flow |
2041 | * |
2042 | * @param User $user User being linked |
2043 | * @param AuthenticationRequest[] $reqs |
2044 | * @param string $returnToUrl Url that REDIRECT responses should eventually |
2045 | * return to. |
2046 | * @return AuthenticationResponse |
2047 | */ |
2048 | public function beginAccountLink( User $user, array $reqs, $returnToUrl ) { |
2049 | $session = $this->request->getSession(); |
2050 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2051 | |
2052 | if ( !$this->canLinkAccounts() ) { |
2053 | // Caller should have called canLinkAccounts() |
2054 | throw new \LogicException( 'Account linking is not possible' ); |
2055 | } |
2056 | |
2057 | if ( !$user->isRegistered() ) { |
2058 | if ( !$this->userNameUtils->isUsable( $user->getName() ) ) { |
2059 | $msg = wfMessage( 'noname' ); |
2060 | } else { |
2061 | $msg = wfMessage( 'authmanager-userdoesnotexist', $user->getName() ); |
2062 | } |
2063 | return AuthenticationResponse::newFail( $msg ); |
2064 | } |
2065 | foreach ( $reqs as $req ) { |
2066 | $req->username = $user->getName(); |
2067 | $req->returnToUrl = $returnToUrl; |
2068 | } |
2069 | |
2070 | $this->removeAuthenticationSessionData( null ); |
2071 | |
2072 | $providers = $this->getPreAuthenticationProviders(); |
2073 | foreach ( $providers as $id => $provider ) { |
2074 | $status = $provider->testForAccountLink( $user ); |
2075 | if ( !$status->isGood() ) { |
2076 | $this->logger->debug( __METHOD__ . ": Account linking pre-check failed by $id", [ |
2077 | 'user' => $user->getName(), |
2078 | ] ); |
2079 | $ret = AuthenticationResponse::newFail( |
2080 | Status::wrap( $status )->getMessage() |
2081 | ); |
2082 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] ); |
2083 | return $ret; |
2084 | } |
2085 | } |
2086 | |
2087 | $state = [ |
2088 | 'username' => $user->getName(), |
2089 | 'userid' => $user->getId(), |
2090 | 'returnToUrl' => $returnToUrl, |
2091 | 'primary' => null, |
2092 | 'continueRequests' => [], |
2093 | ]; |
2094 | |
2095 | $providers = $this->getPrimaryAuthenticationProviders(); |
2096 | foreach ( $providers as $id => $provider ) { |
2097 | if ( $provider->accountCreationType() !== PrimaryAuthenticationProvider::TYPE_LINK ) { |
2098 | continue; |
2099 | } |
2100 | |
2101 | $res = $provider->beginPrimaryAccountLink( $user, $reqs ); |
2102 | switch ( $res->status ) { |
2103 | case AuthenticationResponse::PASS: |
2104 | $this->logger->info( "Account linked to {user} by $id", [ |
2105 | 'user' => $user->getName(), |
2106 | ] ); |
2107 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] ); |
2108 | return $res; |
2109 | |
2110 | case AuthenticationResponse::FAIL: |
2111 | $this->logger->debug( __METHOD__ . ": Account linking failed by $id", [ |
2112 | 'user' => $user->getName(), |
2113 | ] ); |
2114 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] ); |
2115 | return $res; |
2116 | |
2117 | case AuthenticationResponse::ABSTAIN: |
2118 | // Continue loop |
2119 | break; |
2120 | |
2121 | case AuthenticationResponse::REDIRECT: |
2122 | case AuthenticationResponse::UI: |
2123 | $this->logger->debug( __METHOD__ . ": Account linking $res->status by $id", [ |
2124 | 'user' => $user->getName(), |
2125 | ] ); |
2126 | $this->fillRequests( $res->neededRequests, self::ACTION_LINK, $user->getName() ); |
2127 | $state['primary'] = $id; |
2128 | $state['continueRequests'] = $res->neededRequests; |
2129 | $session->setSecret( self::ACCOUNT_LINK_STATE, $state ); |
2130 | $session->persist(); |
2131 | return $res; |
2132 | |
2133 | // @codeCoverageIgnoreStart |
2134 | default: |
2135 | throw new \DomainException( |
2136 | get_class( $provider ) . "::beginPrimaryAccountLink() returned $res->status" |
2137 | ); |
2138 | // @codeCoverageIgnoreEnd |
2139 | } |
2140 | } |
2141 | |
2142 | $this->logger->debug( __METHOD__ . ': Account linking failed because no provider accepted', [ |
2143 | 'user' => $user->getName(), |
2144 | ] ); |
2145 | $ret = AuthenticationResponse::newFail( |
2146 | wfMessage( 'authmanager-link-no-primary' ) |
2147 | ); |
2148 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] ); |
2149 | return $ret; |
2150 | } |
2151 | |
2152 | /** |
2153 | * Continue an account linking flow |
2154 | * @param AuthenticationRequest[] $reqs |
2155 | * @return AuthenticationResponse |
2156 | */ |
2157 | public function continueAccountLink( array $reqs ) { |
2158 | $session = $this->request->getSession(); |
2159 | try { |
2160 | if ( !$this->canLinkAccounts() ) { |
2161 | // Caller should have called canLinkAccounts() |
2162 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2163 | throw new \LogicException( 'Account linking is not possible' ); |
2164 | } |
2165 | |
2166 | $state = $session->getSecret( self::ACCOUNT_LINK_STATE ); |
2167 | if ( !is_array( $state ) ) { |
2168 | return AuthenticationResponse::newFail( |
2169 | wfMessage( 'authmanager-link-not-in-progress' ) |
2170 | ); |
2171 | } |
2172 | $state['continueRequests'] = []; |
2173 | |
2174 | // Step 0: Prepare and validate the input |
2175 | |
2176 | $user = $this->userFactory->newFromName( |
2177 | (string)$state['username'], |
2178 | UserRigorOptions::RIGOR_USABLE |
2179 | ); |
2180 | if ( !is_object( $user ) ) { |
2181 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2182 | return AuthenticationResponse::newFail( wfMessage( 'noname' ) ); |
2183 | } |
2184 | if ( $user->getId() !== $state['userid'] ) { |
2185 | throw new \UnexpectedValueException( |
2186 | "User \"{$state['username']}\" is valid, but " . |
2187 | "ID {$user->getId()} !== {$state['userid']}!" |
2188 | ); |
2189 | } |
2190 | |
2191 | foreach ( $reqs as $req ) { |
2192 | $req->username = $state['username']; |
2193 | $req->returnToUrl = $state['returnToUrl']; |
2194 | } |
2195 | |
2196 | // Step 1: Call the primary again until it succeeds |
2197 | |
2198 | $provider = $this->getAuthenticationProvider( $state['primary'] ); |
2199 | if ( !$provider instanceof PrimaryAuthenticationProvider ) { |
2200 | // Configuration changed? Force them to start over. |
2201 | // @codeCoverageIgnoreStart |
2202 | $ret = AuthenticationResponse::newFail( |
2203 | wfMessage( 'authmanager-link-not-in-progress' ) |
2204 | ); |
2205 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] ); |
2206 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2207 | return $ret; |
2208 | // @codeCoverageIgnoreEnd |
2209 | } |
2210 | $id = $provider->getUniqueId(); |
2211 | $res = $provider->continuePrimaryAccountLink( $user, $reqs ); |
2212 | switch ( $res->status ) { |
2213 | case AuthenticationResponse::PASS: |
2214 | $this->logger->info( "Account linked to {user} by $id", [ |
2215 | 'user' => $user->getName(), |
2216 | ] ); |
2217 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] ); |
2218 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2219 | return $res; |
2220 | case AuthenticationResponse::FAIL: |
2221 | $this->logger->debug( __METHOD__ . ": Account linking failed by $id", [ |
2222 | 'user' => $user->getName(), |
2223 | ] ); |
2224 | $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] ); |
2225 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2226 | return $res; |
2227 | case AuthenticationResponse::REDIRECT: |
2228 | case AuthenticationResponse::UI: |
2229 | $this->logger->debug( __METHOD__ . ": Account linking $res->status by $id", [ |
2230 | 'user' => $user->getName(), |
2231 | ] ); |
2232 | $this->fillRequests( $res->neededRequests, self::ACTION_LINK, $user->getName() ); |
2233 | $state['continueRequests'] = $res->neededRequests; |
2234 | $session->setSecret( self::ACCOUNT_LINK_STATE, $state ); |
2235 | return $res; |
2236 | default: |
2237 | throw new \DomainException( |
2238 | get_class( $provider ) . "::continuePrimaryAccountLink() returned $res->status" |
2239 | ); |
2240 | } |
2241 | } catch ( \Exception $ex ) { |
2242 | $session->remove( self::ACCOUNT_LINK_STATE ); |
2243 | throw $ex; |
2244 | } |
2245 | } |
2246 | |
2247 | // endregion -- end of Account linking |
2248 | |
2249 | /***************************************************************************/ |
2250 | // region Information methods |
2251 | /** @name Information methods */ |
2252 | |
2253 | /** |
2254 | * Return the applicable list of AuthenticationRequests |
2255 | * |
2256 | * Possible values for $action: |
2257 | * - ACTION_LOGIN: Valid for passing to beginAuthentication |
2258 | * - ACTION_LOGIN_CONTINUE: Valid for passing to continueAuthentication in the current state |
2259 | * - ACTION_CREATE: Valid for passing to beginAccountCreation |
2260 | * - ACTION_CREATE_CONTINUE: Valid for passing to continueAccountCreation in the current state |
2261 | * - ACTION_LINK: Valid for passing to beginAccountLink |
2262 | * - ACTION_LINK_CONTINUE: Valid for passing to continueAccountLink in the current state |
2263 | * - ACTION_CHANGE: Valid for passing to changeAuthenticationData to change credentials |
2264 | * - ACTION_REMOVE: Valid for passing to changeAuthenticationData to remove credentials. |
2265 | * - ACTION_UNLINK: Same as ACTION_REMOVE, but limited to linked accounts. |
2266 | * |
2267 | * @param string $action One of the AuthManager::ACTION_* constants |
2268 | * @param UserIdentity|null $user User being acted on, instead of the current user. |
2269 | * @return AuthenticationRequest[] |
2270 | */ |
2271 | public function getAuthenticationRequests( $action, UserIdentity $user = null ) { |
2272 | $options = []; |
2273 | $providerAction = $action; |
2274 | |
2275 | // Figure out which providers to query |
2276 | switch ( $action ) { |
2277 | case self::ACTION_LOGIN: |
2278 | case self::ACTION_CREATE: |
2279 | $providers = $this->getPreAuthenticationProviders() + |
2280 | $this->getPrimaryAuthenticationProviders() + |
2281 | $this->getSecondaryAuthenticationProviders(); |
2282 | break; |
2283 | |
2284 | case self::ACTION_LOGIN_CONTINUE: |
2285 | $state = $this->request->getSession()->getSecret( self::AUTHN_STATE ); |
2286 | return is_array( $state ) ? $state['continueRequests'] : []; |
2287 | |
2288 | case self::ACTION_CREATE_CONTINUE: |
2289 | $state = $this->request->getSession()->getSecret( self::ACCOUNT_CREATION_STATE ); |
2290 | return is_array( $state ) ? $state['continueRequests'] : []; |
2291 | |
2292 | case self::ACTION_LINK: |
2293 | $providers = []; |
2294 | foreach ( $this->getPrimaryAuthenticationProviders() as $p ) { |
2295 | if ( $p->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK ) { |
2296 | $providers[] = $p; |
2297 | } |
2298 | } |
2299 | break; |
2300 | |
2301 | case self::ACTION_UNLINK: |
2302 | $providers = []; |
2303 | foreach ( $this->getPrimaryAuthenticationProviders() as $p ) { |
2304 | if ( $p->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK ) { |
2305 | $providers[] = $p; |
2306 | } |
2307 | } |
2308 | |
2309 | // To providers, unlink and remove are identical. |
2310 | $providerAction = self::ACTION_REMOVE; |
2311 | break; |
2312 | |
2313 | case self::ACTION_LINK_CONTINUE: |
2314 | $state = $this->request->getSession()->getSecret( self::ACCOUNT_LINK_STATE ); |
2315 | return is_array( $state ) ? $state['continueRequests'] : []; |
2316 | |
2317 | case self::ACTION_CHANGE: |
2318 | case self::ACTION_REMOVE: |
2319 | $providers = $this->getPrimaryAuthenticationProviders() + |
2320 | $this->getSecondaryAuthenticationProviders(); |
2321 | break; |
2322 | |
2323 | // @codeCoverageIgnoreStart |
2324 | default: |
2325 | throw new \DomainException( __METHOD__ . ": Invalid action \"$action\"" ); |
2326 | } |
2327 | // @codeCoverageIgnoreEnd |
2328 | |
2329 | return $this->getAuthenticationRequestsInternal( $providerAction, $options, $providers, $user ); |
2330 | } |
2331 | |
2332 | /** |
2333 | * Internal request lookup for self::getAuthenticationRequests |
2334 | * |
2335 | * @param string $providerAction Action to pass to providers |
2336 | * @param array $options Options to pass to providers |
2337 | * @param AuthenticationProvider[] $providers |
2338 | * @param UserIdentity|null $user being acted on |
2339 | * @return AuthenticationRequest[] |
2340 | */ |
2341 | private function getAuthenticationRequestsInternal( |
2342 | $providerAction, array $options, array $providers, UserIdentity $user = null |
2343 | ) { |
2344 | $user = $user ?: RequestContext::getMain()->getUser(); |
2345 | $options['username'] = $user->isRegistered() ? $user->getName() : null; |
2346 | |
2347 | // Query them and merge results |
2348 | $reqs = []; |
2349 | foreach ( $providers as $provider ) { |
2350 | $isPrimary = $provider instanceof PrimaryAuthenticationProvider; |
2351 | foreach ( $provider->getAuthenticationRequests( $providerAction, $options ) as $req ) { |
2352 | $id = $req->getUniqueId(); |
2353 | |
2354 | // If a required request if from a Primary, mark it as "primary-required" instead |
2355 | if ( $isPrimary && $req->required ) { |
2356 | $req->required = AuthenticationRequest::PRIMARY_REQUIRED; |
2357 | } |
2358 | |
2359 | if ( |
2360 | !isset( $reqs[$id] ) |
2361 | || $req->required === AuthenticationRequest::REQUIRED |
2362 | || $reqs[$id] === AuthenticationRequest::OPTIONAL |
2363 | ) { |
2364 | $reqs[$id] = $req; |
2365 | } |
2366 | } |
2367 | } |
2368 | |
2369 | // AuthManager has its own req for some actions |
2370 | switch ( $providerAction ) { |
2371 | case self::ACTION_LOGIN: |
2372 | $reqs[] = new RememberMeAuthenticationRequest( |
2373 | $this->config->get( MainConfigNames::RememberMe ) ); |
2374 | $options['username'] = null; // Don't fill in the username below |
2375 | break; |
2376 | |
2377 | case self::ACTION_CREATE: |
2378 | $reqs[] = new UsernameAuthenticationRequest; |
2379 | $reqs[] = new UserDataAuthenticationRequest; |
2380 | if ( $options['username'] !== null ) { |
2381 | $reqs[] = new CreationReasonAuthenticationRequest; |
2382 | $options['username'] = null; // Don't fill in the username below |
2383 | } |
2384 | break; |
2385 | } |
2386 | |
2387 | // Fill in reqs data |
2388 | $this->fillRequests( $reqs, $providerAction, $options['username'], true ); |
2389 | |
2390 | // For self::ACTION_CHANGE, filter out any that something else *doesn't* allow changing |
2391 | if ( $providerAction === self::ACTION_CHANGE || $providerAction === self::ACTION_REMOVE ) { |
2392 | $reqs = array_filter( $reqs, function ( $req ) { |
2393 | return $this->allowsAuthenticationDataChange( $req, false )->isGood(); |
2394 | } ); |
2395 | } |
2396 | |
2397 | return array_values( $reqs ); |
2398 | } |
2399 | |
2400 | /** |
2401 | * Set values in an array of requests |
2402 | * @param AuthenticationRequest[] &$reqs |
2403 | * @param string $action |
2404 | * @param string|null $username |
2405 | * @param bool $forceAction |
2406 | */ |
2407 | private function fillRequests( array &$reqs, $action, $username, $forceAction = false ) { |
2408 | foreach ( $reqs as $req ) { |
2409 | if ( !$req->action || $forceAction ) { |
2410 | $req->action = $action; |
2411 | } |
2412 | $req->username ??= $username; |
2413 | } |
2414 | } |
2415 | |
2416 | /** |
2417 | * Determine whether a username exists |
2418 | * @param string $username |
2419 | * @param int $flags Bitfield of IDBAccessObject::READ_* constants |
2420 | * @return bool |
2421 | */ |
2422 | public function userExists( $username, $flags = IDBAccessObject::READ_NORMAL ) { |
2423 | foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) { |
2424 | if ( $provider->testUserExists( $username, $flags ) ) { |
2425 | return true; |
2426 | } |
2427 | } |
2428 | |
2429 | return false; |
2430 | } |
2431 | |
2432 | /** |
2433 | * Determine whether a user property should be allowed to be changed. |
2434 | * |
2435 | * Supported properties are: |
2436 | * - emailaddress |
2437 | * - realname |
2438 | * - nickname |
2439 | * |
2440 | * @param string $property |
2441 | * @return bool |
2442 | */ |
2443 | public function allowsPropertyChange( $property ) { |
2444 | $providers = $this->getPrimaryAuthenticationProviders() + |
2445 | $this->getSecondaryAuthenticationProviders(); |
2446 | foreach ( $providers as $provider ) { |
2447 | if ( !$provider->providerAllowsPropertyChange( $property ) ) { |
2448 | return false; |
2449 | } |
2450 | } |
2451 | return true; |
2452 | } |
2453 | |
2454 | /** |
2455 | * Get a provider by ID |
2456 | * @note This is public so extensions can check whether their own provider |
2457 | * is installed and so they can read its configuration if necessary. |
2458 | * Other uses are not recommended. |
2459 | * @param string $id |
2460 | * @return AuthenticationProvider|null |
2461 | */ |
2462 | public function getAuthenticationProvider( $id ) { |
2463 | // Fast version |
2464 | if ( isset( $this->allAuthenticationProviders[$id] ) ) { |
2465 | return $this->allAuthenticationProviders[$id]; |
2466 | } |
2467 | |
2468 | // Slow version: instantiate each kind and check |
2469 | $providers = $this->getPrimaryAuthenticationProviders(); |
2470 | if ( isset( $providers[$id] ) ) { |
2471 | return $providers[$id]; |
2472 | } |
2473 | $providers = $this->getSecondaryAuthenticationProviders(); |
2474 | if ( isset( $providers[$id] ) ) { |
2475 | return $providers[$id]; |
2476 | } |
2477 | $providers = $this->getPreAuthenticationProviders(); |
2478 | if ( isset( $providers[$id] ) ) { |
2479 | return $providers[$id]; |
2480 | } |
2481 | |
2482 | return null; |
2483 | } |
2484 | |
2485 | // endregion -- end of Information methods |
2486 | |
2487 | /***************************************************************************/ |
2488 | // region Internal methods |
2489 | /** @name Internal methods */ |
2490 | |
2491 | /** |
2492 | * Store authentication in the current session |
2493 | * @note For use by AuthenticationProviders only |
2494 | * @param string $key |
2495 | * @param mixed $data Must be serializable |
2496 | */ |
2497 | public function setAuthenticationSessionData( $key, $data ) { |
2498 | $session = $this->request->getSession(); |
2499 | $arr = $session->getSecret( 'authData' ); |
2500 | if ( !is_array( $arr ) ) { |
2501 | $arr = []; |
2502 | } |
2503 | $arr[$key] = $data; |
2504 | $session->setSecret( 'authData', $arr ); |
2505 | } |
2506 | |
2507 | /** |
2508 | * Fetch authentication data from the current session |
2509 | * @note For use by AuthenticationProviders only |
2510 | * @param string $key |
2511 | * @param mixed|null $default |
2512 | * @return mixed |
2513 | */ |
2514 | public function getAuthenticationSessionData( $key, $default = null ) { |
2515 | $arr = $this->request->getSession()->getSecret( 'authData' ); |
2516 | if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) { |
2517 | return $arr[$key]; |
2518 | } else { |
2519 | return $default; |
2520 | } |
2521 | } |
2522 | |
2523 | /** |
2524 | * Remove authentication data |
2525 | * @note For use by AuthenticationProviders |
2526 | * @param string|null $key If null, all data is removed |
2527 | */ |
2528 | public function removeAuthenticationSessionData( $key ) { |
2529 | $session = $this->request->getSession(); |
2530 | if ( $key === null ) { |
2531 | $session->remove( 'authData' ); |
2532 | } else { |
2533 | $arr = $session->getSecret( 'authData' ); |
2534 | if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) { |
2535 | unset( $arr[$key] ); |
2536 | $session->setSecret( 'authData', $arr ); |
2537 | } |
2538 | } |
2539 | } |
2540 | |
2541 | /** |
2542 | * Create an array of AuthenticationProviders from an array of ObjectFactory specs |
2543 | * @param string $class |
2544 | * @param array[] $specs |
2545 | * @return AuthenticationProvider[] |
2546 | */ |
2547 | protected function providerArrayFromSpecs( $class, array $specs ) { |
2548 | $i = 0; |
2549 | foreach ( $specs as &$spec ) { |
2550 | $spec = [ 'sort2' => $i++ ] + $spec + [ 'sort' => 0 ]; |
2551 | } |
2552 | unset( $spec ); |
2553 | // Sort according to the 'sort' field, and if they are equal, according to 'sort2' |
2554 | usort( $specs, static function ( $a, $b ) { |
2555 | return $a['sort'] <=> $b['sort'] |
2556 | ?: $a['sort2'] <=> $b['sort2']; |
2557 | } ); |
2558 | |
2559 | $ret = []; |
2560 | foreach ( $specs as $spec ) { |
2561 | /** @var AbstractAuthenticationProvider $provider */ |
2562 | $provider = $this->objectFactory->createObject( $spec, [ 'assertClass' => $class ] ); |
2563 | $provider->init( $this->logger, $this, $this->getHookContainer(), $this->config, $this->userNameUtils ); |
2564 | $id = $provider->getUniqueId(); |
2565 | if ( isset( $this->allAuthenticationProviders[$id] ) ) { |
2566 | throw new \RuntimeException( |
2567 | "Duplicate specifications for id $id (classes " . |
2568 | get_class( $provider ) . ' and ' . |
2569 | get_class( $this->allAuthenticationProviders[$id] ) . ')' |
2570 | ); |
2571 | } |
2572 | $this->allAuthenticationProviders[$id] = $provider; |
2573 | $ret[$id] = $provider; |
2574 | } |
2575 | return $ret; |
2576 | } |
2577 | |
2578 | /** |
2579 | * @return array |
2580 | */ |
2581 | private function getConfiguration() { |
2582 | return $this->config->get( MainConfigNames::AuthManagerConfig ) |
2583 | ?: $this->config->get( MainConfigNames::AuthManagerAutoConfig ); |
2584 | } |
2585 | |
2586 | /** |
2587 | * Get the list of PreAuthenticationProviders |
2588 | * @return PreAuthenticationProvider[] |
2589 | */ |
2590 | protected function getPreAuthenticationProviders() { |
2591 | if ( $this->preAuthenticationProviders === null ) { |
2592 | $conf = $this->getConfiguration(); |
2593 | $this->preAuthenticationProviders = $this->providerArrayFromSpecs( |
2594 | PreAuthenticationProvider::class, $conf['preauth'] |
2595 | ); |
2596 | } |
2597 | return $this->preAuthenticationProviders; |
2598 | } |
2599 | |
2600 | /** |
2601 | * Get the list of PrimaryAuthenticationProviders |
2602 | * @return PrimaryAuthenticationProvider[] |
2603 | */ |
2604 | protected function getPrimaryAuthenticationProviders() { |
2605 | if ( $this->primaryAuthenticationProviders === null ) { |
2606 | $conf = $this->getConfiguration(); |
2607 | $this->primaryAuthenticationProviders = $this->providerArrayFromSpecs( |
2608 | PrimaryAuthenticationProvider::class, $conf['primaryauth'] |
2609 | ); |
2610 | } |
2611 | return $this->primaryAuthenticationProviders; |
2612 | } |
2613 | |
2614 | /** |
2615 | * Get the list of SecondaryAuthenticationProviders |
2616 | * @return SecondaryAuthenticationProvider[] |
2617 | */ |
2618 | protected function getSecondaryAuthenticationProviders() { |
2619 | if ( $this->secondaryAuthenticationProviders === null ) { |
2620 | $conf = $this->getConfiguration(); |
2621 | $this->secondaryAuthenticationProviders = $this->providerArrayFromSpecs( |
2622 | SecondaryAuthenticationProvider::class, $conf['secondaryauth'] |
2623 | ); |
2624 | } |
2625 | return $this->secondaryAuthenticationProviders; |
2626 | } |
2627 | |
2628 | /** |
2629 | * Log the user in |
2630 | * @param User $user |
2631 | * @param bool|null $remember |
2632 | */ |
2633 | private function setSessionDataForUser( $user, $remember = null ) { |
2634 | $session = $this->request->getSession(); |
2635 | $delay = $session->delaySave(); |
2636 | |
2637 | $session->resetId(); |
2638 | $session->resetAllTokens(); |
2639 | if ( $session->canSetUser() ) { |
2640 | $session->setUser( $user ); |
2641 | } |
2642 | if ( $remember !== null ) { |
2643 | $session->setRememberUser( $remember ); |
2644 | } |
2645 | $session->set( 'AuthManager:lastAuthId', $user->getId() ); |
2646 | $session->set( 'AuthManager:lastAuthTimestamp', time() ); |
2647 | $session->persist(); |
2648 | |
2649 | \Wikimedia\ScopedCallback::consume( $delay ); |
2650 | |
2651 | $this->getHookRunner()->onUserLoggedIn( $user ); |
2652 | } |
2653 | |
2654 | /** |
2655 | * @param User $user |
2656 | * @param bool $useContextLang Use 'uselang' to set the user's language |
2657 | */ |
2658 | private function setDefaultUserOptions( User $user, $useContextLang ) { |
2659 | $user->setToken(); |
2660 | |
2661 | $lang = $useContextLang ? RequestContext::getMain()->getLanguage() : $this->contentLanguage; |
2662 | $this->userOptionsManager->setOption( |
2663 | $user, |
2664 | 'language', |
2665 | $this->languageConverterFactory->getLanguageConverter( $lang )->getPreferredVariant() |
2666 | ); |
2667 | |
2668 | $contLangConverter = $this->languageConverterFactory->getLanguageConverter( $this->contentLanguage ); |
2669 | if ( $contLangConverter->hasVariants() ) { |
2670 | $this->userOptionsManager->setOption( |
2671 | $user, |
2672 | 'variant', |
2673 | $contLangConverter->getPreferredVariant() |
2674 | ); |
2675 | } |
2676 | } |
2677 | |
2678 | /** |
2679 | * @param int $which Bitmask: 1 = pre, 2 = primary, 4 = secondary |
2680 | * @param string $method |
2681 | * @param array $args |
2682 | */ |
2683 | private function callMethodOnProviders( $which, $method, array $args ) { |
2684 | $providers = []; |
2685 | if ( $which & 1 ) { |
2686 | $providers += $this->getPreAuthenticationProviders(); |
2687 | } |
2688 | if ( $which & 2 ) { |
2689 | $providers += $this->getPrimaryAuthenticationProviders(); |
2690 | } |
2691 | if ( $which & 4 ) { |
2692 | $providers += $this->getSecondaryAuthenticationProviders(); |
2693 | } |
2694 | foreach ( $providers as $provider ) { |
2695 | $provider->$method( ...$args ); |
2696 | } |
2697 | } |
2698 | |
2699 | /** |
2700 | * @return HookContainer |
2701 | */ |
2702 | private function getHookContainer() { |
2703 | return $this->hookContainer; |
2704 | } |
2705 | |
2706 | /** |
2707 | * @return HookRunner |
2708 | */ |
2709 | private function getHookRunner() { |
2710 | return $this->hookRunner; |
2711 | } |
2712 | |
2713 | // endregion -- end of Internal methods |
2714 | |
2715 | } |
2716 | |
2717 | /* |
2718 | * This file uses VisualStudio style region/endregion fold markers which are |
2719 | * recognised by PHPStorm. If modelines are enabled, the following editor |
2720 | * configuration will also enable folding in vim, if it is in the last 5 lines |
2721 | * of the file. We also use "@name" which creates sections in Doxygen. |
2722 | * |
2723 | * vim: foldmarker=//\ region,//\ endregion foldmethod=marker |
2724 | */ |