MediaWiki REL1_28
LocalPasswordPrimaryAuthenticationProvider.php
Go to the documentation of this file.
1<?php
22namespace MediaWiki\Auth;
23
24use User;
25
31class LocalPasswordPrimaryAuthenticationProvider
32 extends AbstractPasswordPrimaryAuthenticationProvider
33{
34
36 protected $loginOnly = false;
37
44 public function __construct( $params = [] ) {
45 parent::__construct( $params );
46 $this->loginOnly = !empty( $params['loginOnly'] );
47 }
48
49 protected function getPasswordResetData( $username, $row ) {
50 $now = wfTimestamp();
51 $expiration = wfTimestampOrNull( TS_UNIX, $row->user_password_expires );
52 if ( $expiration === null || $expiration >= $now ) {
53 return null;
54 }
55
56 $grace = $this->config->get( 'PasswordExpireGrace' );
57 if ( $expiration + $grace < $now ) {
58 $data = [
59 'hard' => true,
60 'msg' => \Status::newFatal( 'resetpass-expired' )->getMessage(),
61 ];
62 } else {
63 $data = [
64 'hard' => false,
65 'msg' => \Status::newFatal( 'resetpass-expired-soft' )->getMessage(),
66 ];
67 }
68
69 return (object)$data;
70 }
71
72 public function beginPrimaryAuthentication( array $reqs ) {
73 $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
74 if ( !$req ) {
75 return AuthenticationResponse::newAbstain();
76 }
77
78 if ( $req->username === null || $req->password === null ) {
79 return AuthenticationResponse::newAbstain();
80 }
81
82 $username = User::getCanonicalName( $req->username, 'usable' );
83 if ( $username === false ) {
84 return AuthenticationResponse::newAbstain();
85 }
86
87 $fields = [
88 'user_id', 'user_password', 'user_password_expires',
89 ];
90
91 $dbr = wfGetDB( DB_REPLICA );
92 $row = $dbr->selectRow(
93 'user',
94 $fields,
95 [ 'user_name' => $username ],
96 __METHOD__
97 );
98 if ( !$row ) {
99 // Do not reveal whether its bad username or
100 // bad password to prevent username enumeration
101 // on private wikis. (T134100)
102 return $this->failResponse( $req );
103 }
104
105 $oldRow = clone $row;
106 // Check for *really* old password hashes that don't even have a type
107 // The old hash format was just an md5 hex hash, with no type information
108 if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
109 if ( $this->config->get( 'PasswordSalt' ) ) {
110 $row->user_password = ":A:{$row->user_id}:{$row->user_password}";
111 } else {
112 $row->user_password = ":A:{$row->user_password}";
113 }
114 }
115
116 $status = $this->checkPasswordValidity( $username, $req->password );
117 if ( !$status->isOK() ) {
118 // Fatal, can't log in
119 return AuthenticationResponse::newFail( $status->getMessage() );
120 }
121
122 $pwhash = $this->getPassword( $row->user_password );
123 if ( !$pwhash->equals( $req->password ) ) {
124 if ( $this->config->get( 'LegacyEncoding' ) ) {
125 // Some wikis were converted from ISO 8859-1 to UTF-8, the passwords can't be converted
126 // Check for this with iconv
127 $cp1252Password = iconv( 'UTF-8', 'WINDOWS-1252//TRANSLIT', $req->password );
128 if ( $cp1252Password === $req->password || !$pwhash->equals( $cp1252Password ) ) {
129 return $this->failResponse( $req );
130 }
131 } else {
132 return $this->failResponse( $req );
133 }
134 }
135
136 // @codeCoverageIgnoreStart
137 if ( $this->getPasswordFactory()->needsUpdate( $pwhash ) ) {
138 $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
139 \DeferredUpdates::addCallableUpdate( function () use ( $pwhash, $oldRow ) {
140 $dbw = wfGetDB( DB_MASTER );
141 $dbw->update(
142 'user',
143 [ 'user_password' => $pwhash->toString() ],
144 [
145 'user_id' => $oldRow->user_id,
146 'user_password' => $oldRow->user_password
147 ],
148 __METHOD__
149 );
150 } );
151 }
152 // @codeCoverageIgnoreEnd
153
154 $this->setPasswordResetFlag( $username, $status, $row );
155
156 return AuthenticationResponse::newPass( $username );
157 }
158
159 public function testUserCanAuthenticate( $username ) {
160 $username = User::getCanonicalName( $username, 'usable' );
161 if ( $username === false ) {
162 return false;
163 }
164
165 $dbr = wfGetDB( DB_REPLICA );
166 $row = $dbr->selectRow(
167 'user',
168 [ 'user_password' ],
169 [ 'user_name' => $username ],
170 __METHOD__
171 );
172 if ( !$row ) {
173 return false;
174 }
175
176 // Check for *really* old password hashes that don't even have a type
177 // The old hash format was just an md5 hex hash, with no type information
178 if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
179 return true;
180 }
181
182 return !$this->getPassword( $row->user_password ) instanceof \InvalidPassword;
183 }
184
185 public function testUserExists( $username, $flags = User::READ_NORMAL ) {
186 $username = User::getCanonicalName( $username, 'usable' );
187 if ( $username === false ) {
188 return false;
189 }
190
191 list( $db, $options ) = \DBAccessObjectUtils::getDBOptions( $flags );
192 return (bool)wfGetDB( $db )->selectField(
193 [ 'user' ],
194 [ 'user_id' ],
195 [ 'user_name' => $username ],
196 __METHOD__,
197 $options
198 );
199 }
200
201 public function providerAllowsAuthenticationDataChange(
202 AuthenticationRequest $req, $checkData = true
203 ) {
204 // We only want to blank the password if something else will accept the
205 // new authentication data, so return 'ignore' here.
206 if ( $this->loginOnly ) {
207 return \StatusValue::newGood( 'ignored' );
208 }
209
210 if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
211 if ( !$checkData ) {
212 return \StatusValue::newGood();
213 }
214
215 $username = User::getCanonicalName( $req->username, 'usable' );
216 if ( $username !== false ) {
217 $row = wfGetDB( DB_MASTER )->selectRow(
218 'user',
219 [ 'user_id' ],
220 [ 'user_name' => $username ],
221 __METHOD__
222 );
223 if ( $row ) {
224 $sv = \StatusValue::newGood();
225 if ( $req->password !== null ) {
226 if ( $req->password !== $req->retype ) {
227 $sv->fatal( 'badretype' );
228 } else {
229 $sv->merge( $this->checkPasswordValidity( $username, $req->password ) );
230 }
231 }
232 return $sv;
233 }
234 }
235 }
236
237 return \StatusValue::newGood( 'ignored' );
238 }
239
240 public function providerChangeAuthenticationData( AuthenticationRequest $req ) {
241 $username = $req->username !== null ? User::getCanonicalName( $req->username, 'usable' ) : false;
242 if ( $username === false ) {
243 return;
244 }
245
246 $pwhash = null;
247
248 if ( $this->loginOnly ) {
249 $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
250 $expiry = null;
251 // @codeCoverageIgnoreStart
252 } elseif ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
253 // @codeCoverageIgnoreEnd
254 $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
255 $expiry = $this->getNewPasswordExpiry( $username );
256 }
257
258 if ( $pwhash ) {
259 $dbw = wfGetDB( DB_MASTER );
260 $dbw->update(
261 'user',
262 [
263 'user_password' => $pwhash->toString(),
264 'user_password_expires' => $dbw->timestampOrNull( $expiry ),
265 ],
266 [ 'user_name' => $username ],
267 __METHOD__
268 );
269 }
270 }
271
272 public function accountCreationType() {
273 return $this->loginOnly ? self::TYPE_NONE : self::TYPE_CREATE;
274 }
275
276 public function testForAccountCreation( $user, $creator, array $reqs ) {
277 $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
278
279 $ret = \StatusValue::newGood();
280 if ( !$this->loginOnly && $req && $req->username !== null && $req->password !== null ) {
281 if ( $req->password !== $req->retype ) {
282 $ret->fatal( 'badretype' );
283 } else {
284 $ret->merge(
285 $this->checkPasswordValidity( $user->getName(), $req->password )
286 );
287 }
288 }
289 return $ret;
290 }
291
292 public function beginPrimaryAccountCreation( $user, $creator, array $reqs ) {
293 if ( $this->accountCreationType() === self::TYPE_NONE ) {
294 throw new \BadMethodCallException( 'Shouldn\'t call this when accountCreationType() is NONE' );
295 }
296
297 $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
298 if ( $req ) {
299 if ( $req->username !== null && $req->password !== null ) {
300 // Nothing we can do besides claim it, because the user isn't in
301 // the DB yet
302 if ( $req->username !== $user->getName() ) {
303 $req = clone( $req );
304 $req->username = $user->getName();
305 }
306 $ret = AuthenticationResponse::newPass( $req->username );
307 $ret->createRequest = $req;
308 return $ret;
309 }
310 }
311 return AuthenticationResponse::newAbstain();
312 }
313
314 public function finishAccountCreation( $user, $creator, AuthenticationResponse $res ) {
315 if ( $this->accountCreationType() === self::TYPE_NONE ) {
316 throw new \BadMethodCallException( 'Shouldn\'t call this when accountCreationType() is NONE' );
317 }
318
319 // Now that the user is in the DB, set the password on it.
320 $this->providerChangeAuthenticationData( $res->createRequest );
321
322 return null;
323 }
324}
use
Apache License January AND DISTRIBUTION Definitions License shall mean the terms and conditions for use
Definition APACHE-LICENSE-2.0.txt:10
wfTimestampOrNull
wfTimestampOrNull( $outputtype=TS_UNIX, $ts=null)
Return a formatted timestamp, or null if input is null.
Definition GlobalFunctions.php:2024
wfGetDB
wfGetDB( $db, $groups=[], $wiki=false)
Get a Database object.
Definition GlobalFunctions.php:3074
wfTimestamp
wfTimestamp( $outputtype=TS_UNIX, $ts=0)
Get a timestamp string in one of various formats.
Definition GlobalFunctions.php:2008
MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider
Basic framework for a primary authentication provider that uses passwords.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:35
MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\failResponse
failResponse(PasswordAuthenticationRequest $req)
Return the appropriate response for failure.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:83
MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\setPasswordResetFlag
setPasswordResetFlag( $username, Status $status, $data=null)
Check if the password should be reset.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:118
MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getNewPasswordExpiry
getNewPasswordExpiry( $username)
Get expiration date for a new password, if any.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:150
MediaWiki\Auth\AuthenticationRequest
This is a value object for authentication requests.
Definition AuthenticationRequest.php:37
MediaWiki\Auth\AuthenticationRequest\getRequestByClass
static getRequestByClass(array $reqs, $class, $allowSubclasses=false)
Select a request by class name.
Definition AuthenticationRequest.php:253
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:37
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider
A primary authentication provider that uses the password field in the 'user' table.
Definition LocalPasswordPrimaryAuthenticationProvider.php:33
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\testUserExists
testUserExists( $username, $flags=User::READ_NORMAL)
Test whether the named user exists.
Definition LocalPasswordPrimaryAuthenticationProvider.php:185
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\beginPrimaryAccountCreation
beginPrimaryAccountCreation( $user, $creator, array $reqs)
Start an account creation flow.
Definition LocalPasswordPrimaryAuthenticationProvider.php:292
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\testUserCanAuthenticate
testUserCanAuthenticate( $username)
Test whether the named user can authenticate with this provider.
Definition LocalPasswordPrimaryAuthenticationProvider.php:159
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\providerAllowsAuthenticationDataChange
providerAllowsAuthenticationDataChange(AuthenticationRequest $req, $checkData=true)
Validate a change of authentication data (e.g.
Definition LocalPasswordPrimaryAuthenticationProvider.php:201
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\providerChangeAuthenticationData
providerChangeAuthenticationData(AuthenticationRequest $req)
Change or remove authentication data (e.g.
Definition LocalPasswordPrimaryAuthenticationProvider.php:240
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\finishAccountCreation
finishAccountCreation( $user, $creator, AuthenticationResponse $res)
Post-creation callback.
Definition LocalPasswordPrimaryAuthenticationProvider.php:314
MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.
Definition LocalPasswordPrimaryAuthenticationProvider.php:276
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:48
$res
$res
Definition database.txt:21
list
deferred txt A few of the database updates required by various functions here can be deferred until after the result page is displayed to the user For updating the view updating the linked to tables after a etc PHP does not yet have any way to tell the server to actually return and disconnect while still running these but it might have such a feature in the future We handle these by creating a deferred update object and putting those objects on a global list
Definition deferred.txt:11
$req
this hook is for auditing only $req
Definition hooks.txt:1010
$status
this hook is for auditing only RecentChangesLinked and Watchlist RecentChangesLinked and Watchlist e g Watchlist removed from all revisions and log entries to which it was applied This gives extensions a chance to take it off their books as the deletion has already been partly carried out by this point or something similar the user will be unable to create the tag set $status
Definition hooks.txt:1049
array
the array() calling protocol came about after MediaWiki 1.4rc1.
$user
please add to it if you re going to add events to the MediaWiki code where normally authentication against an external auth plugin would be creating a local account $user
Definition hooks.txt:249
$options
this hook is for auditing only RecentChangesLinked and Watchlist RecentChangesLinked and Watchlist e g Watchlist removed from all revisions and log entries to which it was applied This gives extensions a chance to take it off their books as the deletion has already been partly carried out by this point or something similar the user will be unable to create the tag set and then return false from the hook function Ensure you consume the ChangeTagAfterDelete hook to carry out custom deletion actions as context called by AbstractContent::getParserOutput May be used to override the normal model specific rendering of page content as context as context $options
Definition hooks.txt:1096
$flags
it s the revision text itself In either if gzip is the revision text is gzipped $flags
Definition hooks.txt:2710
$ret
null means default in associative array with keys and values unescaped Should be merged with default with a value of false meaning to suppress the attribute in associative array with keys and values unescaped noclasses & $ret
Definition hooks.txt:1949
$username
this hook is for auditing only or null if authentication failed before getting that far $username
Definition hooks.txt:807
php
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition injection.txt:37
MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_NONE
const TYPE_NONE
Provider cannot create or link to accounts.
Definition PrimaryAuthenticationProvider.php:81
DB_REPLICA
const DB_REPLICA
Definition defines.php:22
DB_MASTER
const DB_MASTER
Definition defines.php:23
$params
$params
Definition styleTest.css.php:40
TS_UNIX
const TS_UNIX
Unix time - the number of seconds since 1970-01-01 00:00:00 UTC.
Definition defines.php:6