MediaWiki REL1_34
AuthManager.php
Go to the documentation of this file.
1<?php
24namespace MediaWiki\Auth;
25
26use Config;
27use MediaWiki\Block\DatabaseBlock;
28use MediaWiki\MediaWikiServices;
29use Psr\Log\LoggerAwareInterface;
30use Psr\Log\LoggerInterface;
31use Status;
32use StatusValue;
33use User;
34use WebRequest;
35use Wikimedia\ObjectFactory;
36
85class AuthManager implements LoggerAwareInterface {
87 const ACTION_LOGIN = 'login';
91 const ACTION_LOGIN_CONTINUE = 'login-continue';
93 const ACTION_CREATE = 'create';
97 const ACTION_CREATE_CONTINUE = 'create-continue';
99 const ACTION_LINK = 'link';
103 const ACTION_LINK_CONTINUE = 'link-continue';
105 const ACTION_CHANGE = 'change';
107 const ACTION_REMOVE = 'remove';
109 const ACTION_UNLINK = 'unlink';
110
112 const SEC_OK = 'ok';
114 const SEC_REAUTH = 'reauth';
116 const SEC_FAIL = 'fail';
117
119 const AUTOCREATE_SOURCE_SESSION = \MediaWiki\Session\SessionManager::class;
120
122 const AUTOCREATE_SOURCE_MAINT = '::Maintenance::';
123
125 private static $instance = null;
126
128 private $request;
129
131 private $config;
132
134 private $logger;
135
137 private $allAuthenticationProviders = [];
138
140 private $preAuthenticationProviders = null;
141
143 private $primaryAuthenticationProviders = null;
144
146 private $secondaryAuthenticationProviders = null;
147
149 private $createdAccountAuthenticationRequests = [];
150
155 public static function singleton() {
156 if ( self::$instance === null ) {
157 self::$instance = new self(
158 \RequestContext::getMain()->getRequest(),
159 MediaWikiServices::getInstance()->getMainConfig()
160 );
161 }
162 return self::$instance;
163 }
164
169 public function __construct( WebRequest $request, Config $config ) {
170 $this->request = $request;
171 $this->config = $config;
172 $this->setLogger( \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' ) );
173 }
174
178 public function setLogger( LoggerInterface $logger ) {
179 $this->logger = $logger;
180 }
181
185 public function getRequest() {
186 return $this->request;
187 }
188
195 public function forcePrimaryAuthenticationProviders( array $providers, $why ) {
196 $this->logger->warning( "Overriding AuthManager primary authn because $why" );
197
198 if ( $this->primaryAuthenticationProviders !== null ) {
199 $this->logger->warning(
200 'PrimaryAuthenticationProviders have already been accessed! I hope nothing breaks.'
201 );
202
203 $this->allAuthenticationProviders = array_diff_key(
204 $this->allAuthenticationProviders,
205 $this->primaryAuthenticationProviders
206 );
207 $session = $this->request->getSession();
208 $session->remove( 'AuthManager::authnState' );
209 $session->remove( 'AuthManager::accountCreationState' );
210 $session->remove( 'AuthManager::accountLinkState' );
211 $this->createdAccountAuthenticationRequests = [];
212 }
213
214 $this->primaryAuthenticationProviders = [];
215 foreach ( $providers as $provider ) {
216 if ( !$provider instanceof PrimaryAuthenticationProvider ) {
217 throw new \RuntimeException(
218 'Expected instance of MediaWiki\\Auth\\PrimaryAuthenticationProvider, got ' .
219 get_class( $provider )
220 );
221 }
222 $provider->setLogger( $this->logger );
223 $provider->setManager( $this );
224 $provider->setConfig( $this->config );
225 $id = $provider->getUniqueId();
226 if ( isset( $this->allAuthenticationProviders[$id] ) ) {
227 throw new \RuntimeException(
228 "Duplicate specifications for id $id (classes " .
229 get_class( $provider ) . ' and ' .
230 get_class( $this->allAuthenticationProviders[$id] ) . ')'
231 );
232 }
233 $this->allAuthenticationProviders[$id] = $provider;
234 $this->primaryAuthenticationProviders[$id] = $provider;
235 }
236 }
237
249 public static function callLegacyAuthPlugin( $method, array $params, $return = null ) {
250 wfDeprecated( __METHOD__, '1.33' );
251 return $return;
252 }
253
267 public function canAuthenticateNow() {
268 return $this->request->getSession()->canSetUser();
269 }
270
289 public function beginAuthentication( array $reqs, $returnToUrl ) {
290 $session = $this->request->getSession();
291 if ( !$session->canSetUser() ) {
292 // Caller should have called canAuthenticateNow()
293 $session->remove( 'AuthManager::authnState' );
294 throw new \LogicException( 'Authentication is not possible now' );
295 }
296
297 $guessUserName = null;
298 foreach ( $reqs as $req ) {
299 $req->returnToUrl = $returnToUrl;
300 // @codeCoverageIgnoreStart
301 if ( $req->username !== null && $req->username !== '' ) {
302 if ( $guessUserName === null ) {
303 $guessUserName = $req->username;
304 } elseif ( $guessUserName !== $req->username ) {
305 $guessUserName = null;
306 break;
307 }
308 }
309 // @codeCoverageIgnoreEnd
310 }
311
312 // Check for special-case login of a just-created account
313 $req = AuthenticationRequest::getRequestByClass(
314 $reqs, CreatedAccountAuthenticationRequest::class
315 );
316 if ( $req ) {
317 if ( !in_array( $req, $this->createdAccountAuthenticationRequests, true ) ) {
318 throw new \LogicException(
319 'CreatedAccountAuthenticationRequests are only valid on ' .
320 'the same AuthManager that created the account'
321 );
322 }
323
324 $user = User::newFromName( $req->username );
325 // @codeCoverageIgnoreStart
326 if ( !$user ) {
327 throw new \UnexpectedValueException(
328 "CreatedAccountAuthenticationRequest had invalid username \"{$req->username}\""
329 );
330 } elseif ( $user->getId() != $req->id ) {
331 throw new \UnexpectedValueException(
332 "ID for \"{$req->username}\" was {$user->getId()}, expected {$req->id}"
333 );
334 }
335 // @codeCoverageIgnoreEnd
336
337 $this->logger->info( 'Logging in {user} after account creation', [
338 'user' => $user->getName(),
339 ] );
340 $ret = AuthenticationResponse::newPass( $user->getName() );
341 $this->setSessionDataForUser( $user );
342 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
343 $session->remove( 'AuthManager::authnState' );
344 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName(), [] ] );
345 return $ret;
346 }
347
348 $this->removeAuthenticationSessionData( null );
349
350 foreach ( $this->getPreAuthenticationProviders() as $provider ) {
351 $status = $provider->testForAuthentication( $reqs );
352 if ( !$status->isGood() ) {
353 $this->logger->debug( 'Login failed in pre-authentication by ' . $provider->getUniqueId() );
354 $ret = AuthenticationResponse::newFail(
355 Status::wrap( $status )->getMessage()
356 );
357 $this->callMethodOnProviders( 7, 'postAuthentication',
358 [ User::newFromName( $guessUserName ) ?: null, $ret ]
359 );
360 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, null, $guessUserName, [] ] );
361 return $ret;
362 }
363 }
364
365 $state = [
366 'reqs' => $reqs,
367 'returnToUrl' => $returnToUrl,
368 'guessUserName' => $guessUserName,
369 'primary' => null,
370 'primaryResponse' => null,
371 'secondary' => [],
372 'maybeLink' => [],
373 'continueRequests' => [],
374 ];
375
376 // Preserve state from a previous failed login
377 $req = AuthenticationRequest::getRequestByClass(
378 $reqs, CreateFromLoginAuthenticationRequest::class
379 );
380 if ( $req ) {
381 $state['maybeLink'] = $req->maybeLink;
382 }
383
384 $session = $this->request->getSession();
385 $session->setSecret( 'AuthManager::authnState', $state );
386 $session->persist();
387
388 return $this->continueAuthentication( $reqs );
389 }
390
413 public function continueAuthentication( array $reqs ) {
414 $session = $this->request->getSession();
415 try {
416 if ( !$session->canSetUser() ) {
417 // Caller should have called canAuthenticateNow()
418 // @codeCoverageIgnoreStart
419 throw new \LogicException( 'Authentication is not possible now' );
420 // @codeCoverageIgnoreEnd
421 }
422
423 $state = $session->getSecret( 'AuthManager::authnState' );
424 if ( !is_array( $state ) ) {
425 return AuthenticationResponse::newFail(
426 wfMessage( 'authmanager-authn-not-in-progress' )
427 );
428 }
429 $state['continueRequests'] = [];
430
431 $guessUserName = $state['guessUserName'];
432
433 foreach ( $reqs as $req ) {
434 $req->returnToUrl = $state['returnToUrl'];
435 }
436
437 // Step 1: Choose an primary authentication provider, and call it until it succeeds.
438
439 if ( $state['primary'] === null ) {
440 // We haven't picked a PrimaryAuthenticationProvider yet
441 // @codeCoverageIgnoreStart
442 $guessUserName = null;
443 foreach ( $reqs as $req ) {
444 if ( $req->username !== null && $req->username !== '' ) {
445 if ( $guessUserName === null ) {
446 $guessUserName = $req->username;
447 } elseif ( $guessUserName !== $req->username ) {
448 $guessUserName = null;
449 break;
450 }
451 }
452 }
453 $state['guessUserName'] = $guessUserName;
454 // @codeCoverageIgnoreEnd
455 $state['reqs'] = $reqs;
456
457 foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) {
458 $res = $provider->beginPrimaryAuthentication( $reqs );
459 switch ( $res->status ) {
460 case AuthenticationResponse::PASS;
461 $state['primary'] = $id;
462 $state['primaryResponse'] = $res;
463 $this->logger->debug( "Primary login with $id succeeded" );
464 break 2;
465 case AuthenticationResponse::FAIL;
466 $this->logger->debug( "Login failed in primary authentication by $id" );
467 if ( $res->createRequest || $state['maybeLink'] ) {
468 $res->createRequest = new CreateFromLoginAuthenticationRequest(
469 $res->createRequest, $state['maybeLink']
470 );
471 }
472 $this->callMethodOnProviders( 7, 'postAuthentication',
473 [ User::newFromName( $guessUserName ) ?: null, $res ]
474 );
475 $session->remove( 'AuthManager::authnState' );
476 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $res, null, $guessUserName, [] ] );
477 return $res;
478 case AuthenticationResponse::ABSTAIN;
479 // Continue loop
480 break;
481 case AuthenticationResponse::REDIRECT;
482 case AuthenticationResponse::UI;
483 $this->logger->debug( "Primary login with $id returned $res->status" );
484 $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $guessUserName );
485 $state['primary'] = $id;
486 $state['continueRequests'] = $res->neededRequests;
487 $session->setSecret( 'AuthManager::authnState', $state );
488 return $res;
489
490 // @codeCoverageIgnoreStart
491 default:
492 throw new \DomainException(
493 get_class( $provider ) . "::beginPrimaryAuthentication() returned $res->status"
494 );
495 // @codeCoverageIgnoreEnd
496 }
497 }
498 if ( $state['primary'] === null ) {
499 $this->logger->debug( 'Login failed in primary authentication because no provider accepted' );
500 $ret = AuthenticationResponse::newFail(
501 wfMessage( 'authmanager-authn-no-primary' )
502 );
503 $this->callMethodOnProviders( 7, 'postAuthentication',
504 [ User::newFromName( $guessUserName ) ?: null, $ret ]
505 );
506 $session->remove( 'AuthManager::authnState' );
507 return $ret;
508 }
509 } elseif ( $state['primaryResponse'] === null ) {
510 $provider = $this->getAuthenticationProvider( $state['primary'] );
511 if ( !$provider instanceof PrimaryAuthenticationProvider ) {
512 // Configuration changed? Force them to start over.
513 // @codeCoverageIgnoreStart
514 $ret = AuthenticationResponse::newFail(
515 wfMessage( 'authmanager-authn-not-in-progress' )
516 );
517 $this->callMethodOnProviders( 7, 'postAuthentication',
518 [ User::newFromName( $guessUserName ) ?: null, $ret ]
519 );
520 $session->remove( 'AuthManager::authnState' );
521 return $ret;
522 // @codeCoverageIgnoreEnd
523 }
524 $id = $provider->getUniqueId();
525 $res = $provider->continuePrimaryAuthentication( $reqs );
526 switch ( $res->status ) {
527 case AuthenticationResponse::PASS;
528 $state['primaryResponse'] = $res;
529 $this->logger->debug( "Primary login with $id succeeded" );
530 break;
531 case AuthenticationResponse::FAIL;
532 $this->logger->debug( "Login failed in primary authentication by $id" );
533 if ( $res->createRequest || $state['maybeLink'] ) {
534 $res->createRequest = new CreateFromLoginAuthenticationRequest(
535 $res->createRequest, $state['maybeLink']
536 );
537 }
538 $this->callMethodOnProviders( 7, 'postAuthentication',
539 [ User::newFromName( $guessUserName ) ?: null, $res ]
540 );
541 $session->remove( 'AuthManager::authnState' );
542 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $res, null, $guessUserName, [] ] );
543 return $res;
544 case AuthenticationResponse::REDIRECT;
545 case AuthenticationResponse::UI;
546 $this->logger->debug( "Primary login with $id returned $res->status" );
547 $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $guessUserName );
548 $state['continueRequests'] = $res->neededRequests;
549 $session->setSecret( 'AuthManager::authnState', $state );
550 return $res;
551 default:
552 throw new \DomainException(
553 get_class( $provider ) . "::continuePrimaryAuthentication() returned $res->status"
554 );
555 }
556 }
557
558 $res = $state['primaryResponse'];
559 if ( $res->username === null ) {
560 $provider = $this->getAuthenticationProvider( $state['primary'] );
561 if ( !$provider instanceof PrimaryAuthenticationProvider ) {
562 // Configuration changed? Force them to start over.
563 // @codeCoverageIgnoreStart
564 $ret = AuthenticationResponse::newFail(
565 wfMessage( 'authmanager-authn-not-in-progress' )
566 );
567 $this->callMethodOnProviders( 7, 'postAuthentication',
568 [ User::newFromName( $guessUserName ) ?: null, $ret ]
569 );
570 $session->remove( 'AuthManager::authnState' );
571 return $ret;
572 // @codeCoverageIgnoreEnd
573 }
574
575 if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK &&
576 $res->linkRequest &&
577 // don't confuse the user with an incorrect message if linking is disabled
578 $this->getAuthenticationProvider( ConfirmLinkSecondaryAuthenticationProvider::class )
579 ) {
580 $state['maybeLink'][$res->linkRequest->getUniqueId()] = $res->linkRequest;
581 $msg = 'authmanager-authn-no-local-user-link';
582 } else {
583 $msg = 'authmanager-authn-no-local-user';
584 }
585 $this->logger->debug(
586 "Primary login with {$provider->getUniqueId()} succeeded, but returned no user"
587 );
588 $ret = AuthenticationResponse::newRestart( wfMessage( $msg ) );
589 $ret->neededRequests = $this->getAuthenticationRequestsInternal(
590 self::ACTION_LOGIN,
591 [],
592 $this->getPrimaryAuthenticationProviders() + $this->getSecondaryAuthenticationProviders()
593 );
594 if ( $res->createRequest || $state['maybeLink'] ) {
595 $ret->createRequest = new CreateFromLoginAuthenticationRequest(
596 $res->createRequest, $state['maybeLink']
597 );
598 $ret->neededRequests[] = $ret->createRequest;
599 }
600 $this->fillRequests( $ret->neededRequests, self::ACTION_LOGIN, null, true );
601 $session->setSecret( 'AuthManager::authnState', [
602 'reqs' => [], // Will be filled in later
603 'primary' => null,
604 'primaryResponse' => null,
605 'secondary' => [],
606 'continueRequests' => $ret->neededRequests,
607 ] + $state );
608 return $ret;
609 }
610
611 // Step 2: Primary authentication succeeded, create the User object
612 // (and add the user locally if necessary)
613
614 $user = User::newFromName( $res->username, 'usable' );
615 if ( !$user ) {
616 $provider = $this->getAuthenticationProvider( $state['primary'] );
617 throw new \DomainException(
618 get_class( $provider ) . " returned an invalid username: {$res->username}"
619 );
620 }
621 if ( $user->getId() === 0 ) {
622 // User doesn't exist locally. Create it.
623 $this->logger->info( 'Auto-creating {user} on login', [
624 'user' => $user->getName(),
625 ] );
626 $status = $this->autoCreateUser( $user, $state['primary'], false );
627 if ( !$status->isGood() ) {
628 $ret = AuthenticationResponse::newFail(
629 Status::wrap( $status )->getMessage( 'authmanager-authn-autocreate-failed' )
630 );
631 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
632 $session->remove( 'AuthManager::authnState' );
633 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName(), [] ] );
634 return $ret;
635 }
636 }
637
638 // Step 3: Iterate over all the secondary authentication providers.
639
640 $beginReqs = $state['reqs'];
641
642 foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) {
643 if ( !isset( $state['secondary'][$id] ) ) {
644 // This provider isn't started yet, so we pass it the set
645 // of reqs from beginAuthentication instead of whatever
646 // might have been used by a previous provider in line.
647 $func = 'beginSecondaryAuthentication';
648 $res = $provider->beginSecondaryAuthentication( $user, $beginReqs );
649 } elseif ( !$state['secondary'][$id] ) {
650 $func = 'continueSecondaryAuthentication';
651 $res = $provider->continueSecondaryAuthentication( $user, $reqs );
652 } else {
653 continue;
654 }
655 switch ( $res->status ) {
656 case AuthenticationResponse::PASS;
657 $this->logger->debug( "Secondary login with $id succeeded" );
658 // fall through
659 case AuthenticationResponse::ABSTAIN;
660 $state['secondary'][$id] = true;
661 break;
662 case AuthenticationResponse::FAIL;
663 $this->logger->debug( "Login failed in secondary authentication by $id" );
664 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $res ] );
665 $session->remove( 'AuthManager::authnState' );
666 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $res, $user, $user->getName(), [] ] );
667 return $res;
668 case AuthenticationResponse::REDIRECT;
669 case AuthenticationResponse::UI;
670 $this->logger->debug( "Secondary login with $id returned " . $res->status );
671 $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $user->getName() );
672 $state['secondary'][$id] = false;
673 $state['continueRequests'] = $res->neededRequests;
674 $session->setSecret( 'AuthManager::authnState', $state );
675 return $res;
676
677 // @codeCoverageIgnoreStart
678 default:
679 throw new \DomainException(
680 get_class( $provider ) . "::{$func}() returned $res->status"
681 );
682 // @codeCoverageIgnoreEnd
683 }
684 }
685
686 // Step 4: Authentication complete! Set the user in the session and
687 // clean up.
688
689 $this->logger->info( 'Login for {user} succeeded from {clientip}', [
690 'user' => $user->getName(),
691 'clientip' => $this->request->getIP(),
692 ] );
694 $req = AuthenticationRequest::getRequestByClass(
695 $beginReqs, RememberMeAuthenticationRequest::class
696 );
697 $this->setSessionDataForUser( $user, $req && $req->rememberMe );
698 $ret = AuthenticationResponse::newPass( $user->getName() );
699 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
700 $session->remove( 'AuthManager::authnState' );
701 $this->removeAuthenticationSessionData( null );
702 \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName(), [] ] );
703 return $ret;
704 } catch ( \Exception $ex ) {
705 $session->remove( 'AuthManager::authnState' );
706 throw $ex;
707 }
708 }
709
721 public function securitySensitiveOperationStatus( $operation ) {
722 $status = self::SEC_OK;
723
724 $this->logger->debug( __METHOD__ . ": Checking $operation" );
725
726 $session = $this->request->getSession();
727 $aId = $session->getUser()->getId();
728 if ( $aId === 0 ) {
729 // User isn't authenticated. DWIM?
730 $status = $this->canAuthenticateNow() ? self::SEC_REAUTH : self::SEC_FAIL;
731 $this->logger->info( __METHOD__ . ": Not logged in! $operation is $status" );
732 return $status;
733 }
734
735 if ( $session->canSetUser() ) {
736 $id = $session->get( 'AuthManager:lastAuthId' );
737 $last = $session->get( 'AuthManager:lastAuthTimestamp' );
738 if ( $id !== $aId || $last === null ) {
739 $timeSinceLogin = PHP_INT_MAX; // Forever ago
740 } else {
741 $timeSinceLogin = max( 0, time() - $last );
742 }
743
744 $thresholds = $this->config->get( 'ReauthenticateTime' );
745 if ( isset( $thresholds[$operation] ) ) {
746 $threshold = $thresholds[$operation];
747 } elseif ( isset( $thresholds['default'] ) ) {
748 $threshold = $thresholds['default'];
749 } else {
750 throw new \UnexpectedValueException( '$wgReauthenticateTime lacks a default' );
751 }
752
753 if ( $threshold >= 0 && $timeSinceLogin > $threshold ) {
754 $status = self::SEC_REAUTH;
755 }
756 } else {
757 $timeSinceLogin = -1;
758
759 $pass = $this->config->get( 'AllowSecuritySensitiveOperationIfCannotReauthenticate' );
760 if ( isset( $pass[$operation] ) ) {
761 $status = $pass[$operation] ? self::SEC_OK : self::SEC_FAIL;
762 } elseif ( isset( $pass['default'] ) ) {
763 $status = $pass['default'] ? self::SEC_OK : self::SEC_FAIL;
764 } else {
765 throw new \UnexpectedValueException(
766 '$wgAllowSecuritySensitiveOperationIfCannotReauthenticate lacks a default'
767 );
768 }
769 }
770
771 \Hooks::run( 'SecuritySensitiveOperationStatus', [
772 &$status, $operation, $session, $timeSinceLogin
773 ] );
774
775 // If authentication is not possible, downgrade from "REAUTH" to "FAIL".
776 if ( !$this->canAuthenticateNow() && $status === self::SEC_REAUTH ) {
777 $status = self::SEC_FAIL;
778 }
779
780 $this->logger->info( __METHOD__ . ": $operation is $status for '{user}'",
781 [
782 'user' => $session->getUser()->getName(),
783 'clientip' => $this->getRequest()->getIP(),
784 ]
785 );
786
787 return $status;
788 }
789
799 public function userCanAuthenticate( $username ) {
800 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
801 if ( $provider->testUserCanAuthenticate( $username ) ) {
802 return true;
803 }
804 }
805 return false;
806 }
807
822 public function normalizeUsername( $username ) {
823 $ret = [];
824 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
825 $normalized = $provider->providerNormalizeUsername( $username );
826 if ( $normalized !== null ) {
827 $ret[$normalized] = true;
828 }
829 }
830 return array_keys( $ret );
831 }
832
847 public function revokeAccessForUser( $username ) {
848 $this->logger->info( 'Revoking access for {user}', [
849 'user' => $username,
850 ] );
851 $this->callMethodOnProviders( 6, 'providerRevokeAccessForUser', [ $username ] );
852 }
853
863 public function allowsAuthenticationDataChange( AuthenticationRequest $req, $checkData = true ) {
864 $any = false;
865 $providers = $this->getPrimaryAuthenticationProviders() +
866 $this->getSecondaryAuthenticationProviders();
867 foreach ( $providers as $provider ) {
868 $status = $provider->providerAllowsAuthenticationDataChange( $req, $checkData );
869 if ( !$status->isGood() ) {
870 return Status::wrap( $status );
871 }
872 $any = $any || $status->value !== 'ignored';
873 }
874 if ( !$any ) {
875 $status = Status::newGood( 'ignored' );
876 $status->warning( 'authmanager-change-not-supported' );
877 return $status;
878 }
879 return Status::newGood();
880 }
881
899 public function changeAuthenticationData( AuthenticationRequest $req, $isAddition = false ) {
900 $this->logger->info( 'Changing authentication data for {user} class {what}', [
901 'user' => is_string( $req->username ) ? $req->username : '<no name>',
902 'what' => get_class( $req ),
903 ] );
904
905 $this->callMethodOnProviders( 6, 'providerChangeAuthenticationData', [ $req ] );
906
907 // When the main account's authentication data is changed, invalidate
908 // all BotPasswords too.
909 if ( !$isAddition ) {
910 \BotPassword::invalidateAllPasswordsForUser( $req->username );
911 }
912 }
913
925 public function canCreateAccounts() {
926 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
927 switch ( $provider->accountCreationType() ) {
928 case PrimaryAuthenticationProvider::TYPE_CREATE:
929 case PrimaryAuthenticationProvider::TYPE_LINK:
930 return true;
931 }
932 }
933 return false;
934 }
935
944 public function canCreateAccount( $username, $options = [] ) {
945 // Back compat
946 if ( is_int( $options ) ) {
947 $options = [ 'flags' => $options ];
948 }
949 $options += [
950 'flags' => User::READ_NORMAL,
951 'creating' => false,
952 ];
953 $flags = $options['flags'];
954
955 if ( !$this->canCreateAccounts() ) {
956 return Status::newFatal( 'authmanager-create-disabled' );
957 }
958
959 if ( $this->userExists( $username, $flags ) ) {
960 return Status::newFatal( 'userexists' );
961 }
962
963 $user = User::newFromName( $username, 'creatable' );
964 if ( !is_object( $user ) ) {
965 return Status::newFatal( 'noname' );
966 } else {
967 $user->load( $flags ); // Explicitly load with $flags, auto-loading always uses READ_NORMAL
968 if ( $user->getId() !== 0 ) {
969 return Status::newFatal( 'userexists' );
970 }
971 }
972
973 // Denied by providers?
974 $providers = $this->getPreAuthenticationProviders() +
975 $this->getPrimaryAuthenticationProviders() +
976 $this->getSecondaryAuthenticationProviders();
977 foreach ( $providers as $provider ) {
978 $status = $provider->testUserForCreation( $user, false, $options );
979 if ( !$status->isGood() ) {
980 return Status::wrap( $status );
981 }
982 }
983
984 return Status::newGood();
985 }
986
992 public function checkAccountCreatePermissions( User $creator ) {
993 // Wiki is read-only?
994 if ( wfReadOnly() ) {
995 return Status::newFatal( wfMessage( 'readonlytext', wfReadOnlyReason() ) );
996 }
997
998 // This is awful, this permission check really shouldn't go through Title.
999 $permErrors = \SpecialPage::getTitleFor( 'CreateAccount' )
1000 ->getUserPermissionsErrors( 'createaccount', $creator, 'secure' );
1001 if ( $permErrors ) {
1002 $status = Status::newGood();
1003 foreach ( $permErrors as $args ) {
1004 $status->fatal( ...$args );
1005 }
1006 return $status;
1007 }
1008
1009 $block = $creator->isBlockedFromCreateAccount();
1010 if ( $block ) {
1011 $errorParams = [
1012 $block->getTarget(),
1013 $block->getReason() ?: wfMessage( 'blockednoreason' )->text(),
1014 $block->getByName()
1015 ];
1016
1017 if ( $block->getType() === DatabaseBlock::TYPE_RANGE ) {
1018 $errorMessage = 'cantcreateaccount-range-text';
1019 $errorParams[] = $this->getRequest()->getIP();
1020 } else {
1021 $errorMessage = 'cantcreateaccount-text';
1022 }
1023
1024 return Status::newFatal( wfMessage( $errorMessage, $errorParams ) );
1025 }
1026
1027 $ip = $this->getRequest()->getIP();
1028 if (
1029 MediaWikiServices::getInstance()->getBlockManager()
1030 ->isDnsBlacklisted( $ip, true /* check $wgProxyWhitelist */ )
1031 ) {
1032 return Status::newFatal( 'sorbs_create_account_reason' );
1033 }
1034
1035 return Status::newGood();
1036 }
1037
1057 public function beginAccountCreation( User $creator, array $reqs, $returnToUrl ) {
1058 $session = $this->request->getSession();
1059 if ( !$this->canCreateAccounts() ) {
1060 // Caller should have called canCreateAccounts()
1061 $session->remove( 'AuthManager::accountCreationState' );
1062 throw new \LogicException( 'Account creation is not possible' );
1063 }
1064
1065 try {
1066 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
1067 } catch ( \UnexpectedValueException $ex ) {
1068 $username = null;
1069 }
1070 if ( $username === null ) {
1071 $this->logger->debug( __METHOD__ . ': No username provided' );
1072 return AuthenticationResponse::newFail( wfMessage( 'noname' ) );
1073 }
1074
1075 // Permissions check
1076 $status = $this->checkAccountCreatePermissions( $creator );
1077 if ( !$status->isGood() ) {
1078 $this->logger->debug( __METHOD__ . ': {creator} cannot create users: {reason}', [
1079 'user' => $username,
1080 'creator' => $creator->getName(),
1081 'reason' => $status->getWikiText( null, null, 'en' )
1082 ] );
1083 return AuthenticationResponse::newFail( $status->getMessage() );
1084 }
1085
1086 $status = $this->canCreateAccount(
1087 $username, [ 'flags' => User::READ_LOCKING, 'creating' => true ]
1088 );
1089 if ( !$status->isGood() ) {
1090 $this->logger->debug( __METHOD__ . ': {user} cannot be created: {reason}', [
1091 'user' => $username,
1092 'creator' => $creator->getName(),
1093 'reason' => $status->getWikiText( null, null, 'en' )
1094 ] );
1095 return AuthenticationResponse::newFail( $status->getMessage() );
1096 }
1097
1098 $user = User::newFromName( $username, 'creatable' );
1099 foreach ( $reqs as $req ) {
1100 $req->username = $username;
1101 $req->returnToUrl = $returnToUrl;
1102 if ( $req instanceof UserDataAuthenticationRequest ) {
1103 $status = $req->populateUser( $user );
1104 if ( !$status->isGood() ) {
1105 $status = Status::wrap( $status );
1106 $session->remove( 'AuthManager::accountCreationState' );
1107 $this->logger->debug( __METHOD__ . ': UserData is invalid: {reason}', [
1108 'user' => $user->getName(),
1109 'creator' => $creator->getName(),
1110 'reason' => $status->getWikiText( null, null, 'en' ),
1111 ] );
1112 return AuthenticationResponse::newFail( $status->getMessage() );
1113 }
1114 }
1115 }
1116
1117 $this->removeAuthenticationSessionData( null );
1118
1119 $state = [
1120 'username' => $username,
1121 'userid' => 0,
1122 'creatorid' => $creator->getId(),
1123 'creatorname' => $creator->getName(),
1124 'reqs' => $reqs,
1125 'returnToUrl' => $returnToUrl,
1126 'primary' => null,
1127 'primaryResponse' => null,
1128 'secondary' => [],
1129 'continueRequests' => [],
1130 'maybeLink' => [],
1131 'ranPreTests' => false,
1132 ];
1133
1134 // Special case: converting a login to an account creation
1135 $req = AuthenticationRequest::getRequestByClass(
1136 $reqs, CreateFromLoginAuthenticationRequest::class
1137 );
1138 if ( $req ) {
1139 $state['maybeLink'] = $req->maybeLink;
1140
1141 if ( $req->createRequest ) {
1142 $reqs[] = $req->createRequest;
1143 $state['reqs'][] = $req->createRequest;
1144 }
1145 }
1146
1147 $session->setSecret( 'AuthManager::accountCreationState', $state );
1148 $session->persist();
1149
1150 return $this->continueAccountCreation( $reqs );
1151 }
1152
1158 public function continueAccountCreation( array $reqs ) {
1159 $session = $this->request->getSession();
1160 try {
1161 if ( !$this->canCreateAccounts() ) {
1162 // Caller should have called canCreateAccounts()
1163 $session->remove( 'AuthManager::accountCreationState' );
1164 throw new \LogicException( 'Account creation is not possible' );
1165 }
1166
1167 $state = $session->getSecret( 'AuthManager::accountCreationState' );
1168 if ( !is_array( $state ) ) {
1169 return AuthenticationResponse::newFail(
1170 wfMessage( 'authmanager-create-not-in-progress' )
1171 );
1172 }
1173 $state['continueRequests'] = [];
1174
1175 // Step 0: Prepare and validate the input
1176
1177 $user = User::newFromName( $state['username'], 'creatable' );
1178 if ( !is_object( $user ) ) {
1179 $session->remove( 'AuthManager::accountCreationState' );
1180 $this->logger->debug( __METHOD__ . ': Invalid username', [
1181 'user' => $state['username'],
1182 ] );
1183 return AuthenticationResponse::newFail( wfMessage( 'noname' ) );
1184 }
1185
1186 if ( $state['creatorid'] ) {
1187 $creator = User::newFromId( $state['creatorid'] );
1188 } else {
1189 $creator = new User;
1190 $creator->setName( $state['creatorname'] );
1191 }
1192
1193 // Avoid account creation races on double submissions
1194 $cache = \ObjectCache::getLocalClusterInstance();
1195 $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $user->getName() ) ) );
1196 if ( !$lock ) {
1197 // Don't clear AuthManager::accountCreationState for this code
1198 // path because the process that won the race owns it.
1199 $this->logger->debug( __METHOD__ . ': Could not acquire account creation lock', [
1200 'user' => $user->getName(),
1201 'creator' => $creator->getName(),
1202 ] );
1203 return AuthenticationResponse::newFail( wfMessage( 'usernameinprogress' ) );
1204 }
1205
1206 // Permissions check
1207 $status = $this->checkAccountCreatePermissions( $creator );
1208 if ( !$status->isGood() ) {
1209 $this->logger->debug( __METHOD__ . ': {creator} cannot create users: {reason}', [
1210 'user' => $user->getName(),
1211 'creator' => $creator->getName(),
1212 'reason' => $status->getWikiText( null, null, 'en' )
1213 ] );
1214 $ret = AuthenticationResponse::newFail( $status->getMessage() );
1215 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1216 $session->remove( 'AuthManager::accountCreationState' );
1217 return $ret;
1218 }
1219
1220 // Load from master for existence check
1221 $user->load( User::READ_LOCKING );
1222
1223 if ( $state['userid'] === 0 ) {
1224 if ( $user->getId() !== 0 ) {
1225 $this->logger->debug( __METHOD__ . ': User exists locally', [
1226 'user' => $user->getName(),
1227 'creator' => $creator->getName(),
1228 ] );
1229 $ret = AuthenticationResponse::newFail( wfMessage( 'userexists' ) );
1230 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1231 $session->remove( 'AuthManager::accountCreationState' );
1232 return $ret;
1233 }
1234 } else {
1235 if ( $user->getId() === 0 ) {
1236 $this->logger->debug( __METHOD__ . ': User does not exist locally when it should', [
1237 'user' => $user->getName(),
1238 'creator' => $creator->getName(),
1239 'expected_id' => $state['userid'],
1240 ] );
1241 throw new \UnexpectedValueException(
1242 "User \"{$state['username']}\" should exist now, but doesn't!"
1243 );
1244 }
1245 if ( $user->getId() !== $state['userid'] ) {
1246 $this->logger->debug( __METHOD__ . ': User ID/name mismatch', [
1247 'user' => $user->getName(),
1248 'creator' => $creator->getName(),
1249 'expected_id' => $state['userid'],
1250 'actual_id' => $user->getId(),
1251 ] );
1252 throw new \UnexpectedValueException(
1253 "User \"{$state['username']}\" exists, but " .
1254 "ID {$user->getId()} !== {$state['userid']}!"
1255 );
1256 }
1257 }
1258 foreach ( $state['reqs'] as $req ) {
1259 if ( $req instanceof UserDataAuthenticationRequest ) {
1260 $status = $req->populateUser( $user );
1261 if ( !$status->isGood() ) {
1262 // This should never happen...
1263 $status = Status::wrap( $status );
1264 $this->logger->debug( __METHOD__ . ': UserData is invalid: {reason}', [
1265 'user' => $user->getName(),
1266 'creator' => $creator->getName(),
1267 'reason' => $status->getWikiText( null, null, 'en' ),
1268 ] );
1269 $ret = AuthenticationResponse::newFail( $status->getMessage() );
1270 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1271 $session->remove( 'AuthManager::accountCreationState' );
1272 return $ret;
1273 }
1274 }
1275 }
1276
1277 foreach ( $reqs as $req ) {
1278 $req->returnToUrl = $state['returnToUrl'];
1279 $req->username = $state['username'];
1280 }
1281
1282 // Run pre-creation tests, if we haven't already
1283 if ( !$state['ranPreTests'] ) {
1284 $providers = $this->getPreAuthenticationProviders() +
1285 $this->getPrimaryAuthenticationProviders() +
1286 $this->getSecondaryAuthenticationProviders();
1287 foreach ( $providers as $id => $provider ) {
1288 $status = $provider->testForAccountCreation( $user, $creator, $reqs );
1289 if ( !$status->isGood() ) {
1290 $this->logger->debug( __METHOD__ . ": Fail in pre-authentication by $id", [
1291 'user' => $user->getName(),
1292 'creator' => $creator->getName(),
1293 ] );
1294 $ret = AuthenticationResponse::newFail(
1295 Status::wrap( $status )->getMessage()
1296 );
1297 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1298 $session->remove( 'AuthManager::accountCreationState' );
1299 return $ret;
1300 }
1301 }
1302
1303 $state['ranPreTests'] = true;
1304 }
1305
1306 // Step 1: Choose a primary authentication provider and call it until it succeeds.
1307
1308 if ( $state['primary'] === null ) {
1309 // We haven't picked a PrimaryAuthenticationProvider yet
1310 foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) {
1311 if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_NONE ) {
1312 continue;
1313 }
1314 $res = $provider->beginPrimaryAccountCreation( $user, $creator, $reqs );
1315 switch ( $res->status ) {
1316 case AuthenticationResponse::PASS;
1317 $this->logger->debug( __METHOD__ . ": Primary creation passed by $id", [
1318 'user' => $user->getName(),
1319 'creator' => $creator->getName(),
1320 ] );
1321 $state['primary'] = $id;
1322 $state['primaryResponse'] = $res;
1323 break 2;
1324 case AuthenticationResponse::FAIL;
1325 $this->logger->debug( __METHOD__ . ": Primary creation failed by $id", [
1326 'user' => $user->getName(),
1327 'creator' => $creator->getName(),
1328 ] );
1329 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] );
1330 $session->remove( 'AuthManager::accountCreationState' );
1331 return $res;
1332 case AuthenticationResponse::ABSTAIN;
1333 // Continue loop
1334 break;
1335 case AuthenticationResponse::REDIRECT;
1336 case AuthenticationResponse::UI;
1337 $this->logger->debug( __METHOD__ . ": Primary creation $res->status by $id", [
1338 'user' => $user->getName(),
1339 'creator' => $creator->getName(),
1340 ] );
1341 $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null );
1342 $state['primary'] = $id;
1343 $state['continueRequests'] = $res->neededRequests;
1344 $session->setSecret( 'AuthManager::accountCreationState', $state );
1345 return $res;
1346
1347 // @codeCoverageIgnoreStart
1348 default:
1349 throw new \DomainException(
1350 get_class( $provider ) . "::beginPrimaryAccountCreation() returned $res->status"
1351 );
1352 // @codeCoverageIgnoreEnd
1353 }
1354 }
1355 if ( $state['primary'] === null ) {
1356 $this->logger->debug( __METHOD__ . ': Primary creation failed because no provider accepted', [
1357 'user' => $user->getName(),
1358 'creator' => $creator->getName(),
1359 ] );
1360 $ret = AuthenticationResponse::newFail(
1361 wfMessage( 'authmanager-create-no-primary' )
1362 );
1363 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1364 $session->remove( 'AuthManager::accountCreationState' );
1365 return $ret;
1366 }
1367 } elseif ( $state['primaryResponse'] === null ) {
1368 $provider = $this->getAuthenticationProvider( $state['primary'] );
1369 if ( !$provider instanceof PrimaryAuthenticationProvider ) {
1370 // Configuration changed? Force them to start over.
1371 // @codeCoverageIgnoreStart
1372 $ret = AuthenticationResponse::newFail(
1373 wfMessage( 'authmanager-create-not-in-progress' )
1374 );
1375 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1376 $session->remove( 'AuthManager::accountCreationState' );
1377 return $ret;
1378 // @codeCoverageIgnoreEnd
1379 }
1380 $id = $provider->getUniqueId();
1381 $res = $provider->continuePrimaryAccountCreation( $user, $creator, $reqs );
1382 switch ( $res->status ) {
1383 case AuthenticationResponse::PASS;
1384 $this->logger->debug( __METHOD__ . ": Primary creation passed by $id", [
1385 'user' => $user->getName(),
1386 'creator' => $creator->getName(),
1387 ] );
1388 $state['primaryResponse'] = $res;
1389 break;
1390 case AuthenticationResponse::FAIL;
1391 $this->logger->debug( __METHOD__ . ": Primary creation failed by $id", [
1392 'user' => $user->getName(),
1393 'creator' => $creator->getName(),
1394 ] );
1395 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] );
1396 $session->remove( 'AuthManager::accountCreationState' );
1397 return $res;
1398 case AuthenticationResponse::REDIRECT;
1399 case AuthenticationResponse::UI;
1400 $this->logger->debug( __METHOD__ . ": Primary creation $res->status by $id", [
1401 'user' => $user->getName(),
1402 'creator' => $creator->getName(),
1403 ] );
1404 $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null );
1405 $state['continueRequests'] = $res->neededRequests;
1406 $session->setSecret( 'AuthManager::accountCreationState', $state );
1407 return $res;
1408 default:
1409 throw new \DomainException(
1410 get_class( $provider ) . "::continuePrimaryAccountCreation() returned $res->status"
1411 );
1412 }
1413 }
1414
1415 // Step 2: Primary authentication succeeded, create the User object
1416 // and add the user locally.
1417
1418 if ( $state['userid'] === 0 ) {
1419 $this->logger->info( 'Creating user {user} during account creation', [
1420 'user' => $user->getName(),
1421 'creator' => $creator->getName(),
1422 ] );
1423 $status = $user->addToDatabase();
1424 if ( !$status->isOK() ) {
1425 // @codeCoverageIgnoreStart
1426 $ret = AuthenticationResponse::newFail( $status->getMessage() );
1427 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1428 $session->remove( 'AuthManager::accountCreationState' );
1429 return $ret;
1430 // @codeCoverageIgnoreEnd
1431 }
1432 $this->setDefaultUserOptions( $user, $creator->isAnon() );
1433 \Hooks::runWithoutAbort( 'LocalUserCreated', [ $user, false ] );
1434 $user->saveSettings();
1435 $state['userid'] = $user->getId();
1436
1437 // Update user count
1438 \DeferredUpdates::addUpdate( \SiteStatsUpdate::factory( [ 'users' => 1 ] ) );
1439
1440 // Watch user's userpage and talk page
1441 $user->addWatch( $user->getUserPage(), User::IGNORE_USER_RIGHTS );
1442
1443 // Inform the provider
1444 $logSubtype = $provider->finishAccountCreation( $user, $creator, $state['primaryResponse'] );
1445
1446 // Log the creation
1447 if ( $this->config->get( 'NewUserLog' ) ) {
1448 $isAnon = $creator->isAnon();
1449 $logEntry = new \ManualLogEntry(
1450 'newusers',
1451 $logSubtype ?: ( $isAnon ? 'create' : 'create2' )
1452 );
1453 $logEntry->setPerformer( $isAnon ? $user : $creator );
1454 $logEntry->setTarget( $user->getUserPage() );
1456 $req = AuthenticationRequest::getRequestByClass(
1457 $state['reqs'], CreationReasonAuthenticationRequest::class
1458 );
1459 $logEntry->setComment( $req ? $req->reason : '' );
1460 $logEntry->setParameters( [
1461 '4::userid' => $user->getId(),
1462 ] );
1463 $logid = $logEntry->insert();
1464 $logEntry->publish( $logid );
1465 }
1466 }
1467
1468 // Step 3: Iterate over all the secondary authentication providers.
1469
1470 $beginReqs = $state['reqs'];
1471
1472 foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) {
1473 if ( !isset( $state['secondary'][$id] ) ) {
1474 // This provider isn't started yet, so we pass it the set
1475 // of reqs from beginAuthentication instead of whatever
1476 // might have been used by a previous provider in line.
1477 $func = 'beginSecondaryAccountCreation';
1478 $res = $provider->beginSecondaryAccountCreation( $user, $creator, $beginReqs );
1479 } elseif ( !$state['secondary'][$id] ) {
1480 $func = 'continueSecondaryAccountCreation';
1481 $res = $provider->continueSecondaryAccountCreation( $user, $creator, $reqs );
1482 } else {
1483 continue;
1484 }
1485 switch ( $res->status ) {
1486 case AuthenticationResponse::PASS;
1487 $this->logger->debug( __METHOD__ . ": Secondary creation passed by $id", [
1488 'user' => $user->getName(),
1489 'creator' => $creator->getName(),
1490 ] );
1491 // fall through
1492 case AuthenticationResponse::ABSTAIN;
1493 $state['secondary'][$id] = true;
1494 break;
1495 case AuthenticationResponse::REDIRECT;
1496 case AuthenticationResponse::UI;
1497 $this->logger->debug( __METHOD__ . ": Secondary creation $res->status by $id", [
1498 'user' => $user->getName(),
1499 'creator' => $creator->getName(),
1500 ] );
1501 $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null );
1502 $state['secondary'][$id] = false;
1503 $state['continueRequests'] = $res->neededRequests;
1504 $session->setSecret( 'AuthManager::accountCreationState', $state );
1505 return $res;
1506 case AuthenticationResponse::FAIL;
1507 throw new \DomainException(
1508 get_class( $provider ) . "::{$func}() returned $res->status." .
1509 ' Secondary providers are not allowed to fail account creation, that' .
1510 ' should have been done via testForAccountCreation().'
1511 );
1512 // @codeCoverageIgnoreStart
1513 default:
1514 throw new \DomainException(
1515 get_class( $provider ) . "::{$func}() returned $res->status"
1516 );
1517 // @codeCoverageIgnoreEnd
1518 }
1519 }
1520
1521 $id = $user->getId();
1522 $name = $user->getName();
1523 $req = new CreatedAccountAuthenticationRequest( $id, $name );
1524 $ret = AuthenticationResponse::newPass( $name );
1525 $ret->loginRequest = $req;
1526 $this->createdAccountAuthenticationRequests[] = $req;
1527
1528 $this->logger->info( __METHOD__ . ': Account creation succeeded for {user}', [
1529 'user' => $user->getName(),
1530 'creator' => $creator->getName(),
1531 ] );
1532
1533 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1534 $session->remove( 'AuthManager::accountCreationState' );
1535 $this->removeAuthenticationSessionData( null );
1536 return $ret;
1537 } catch ( \Exception $ex ) {
1538 $session->remove( 'AuthManager::accountCreationState' );
1539 throw $ex;
1540 }
1541 }
1542
1560 public function autoCreateUser( User $user, $source, $login = true ) {
1561 if ( $source !== self::AUTOCREATE_SOURCE_SESSION &&
1562 $source !== self::AUTOCREATE_SOURCE_MAINT &&
1563 !$this->getAuthenticationProvider( $source ) instanceof PrimaryAuthenticationProvider
1564 ) {
1565 throw new \InvalidArgumentException( "Unknown auto-creation source: $source" );
1566 }
1567
1568 $username = $user->getName();
1569
1570 // Try the local user from the replica DB
1571 $localId = User::idFromName( $username );
1572 $flags = User::READ_NORMAL;
1573
1574 // Fetch the user ID from the master, so that we don't try to create the user
1575 // when they already exist, due to replication lag
1576 // @codeCoverageIgnoreStart
1577 if (
1578 !$localId &&
1579 MediaWikiServices::getInstance()->getDBLoadBalancer()->getReaderIndex() !== 0
1580 ) {
1581 $localId = User::idFromName( $username, User::READ_LATEST );
1582 $flags = User::READ_LATEST;
1583 }
1584 // @codeCoverageIgnoreEnd
1585
1586 if ( $localId ) {
1587 $this->logger->debug( __METHOD__ . ': {username} already exists locally', [
1588 'username' => $username,
1589 ] );
1590 $user->setId( $localId );
1591 $user->loadFromId( $flags );
1592 if ( $login ) {
1593 $this->setSessionDataForUser( $user );
1594 }
1595 $status = Status::newGood();
1596 $status->warning( 'userexists' );
1597 return $status;
1598 }
1599
1600 // Wiki is read-only?
1601 if ( wfReadOnly() ) {
1602 $this->logger->debug( __METHOD__ . ': denied by wfReadOnly(): {reason}', [
1603 'username' => $username,
1604 'reason' => wfReadOnlyReason(),
1605 ] );
1606 $user->setId( 0 );
1607 $user->loadFromId();
1608 return Status::newFatal( wfMessage( 'readonlytext', wfReadOnlyReason() ) );
1609 }
1610
1611 // Check the session, if we tried to create this user already there's
1612 // no point in retrying.
1613 $session = $this->request->getSession();
1614 if ( $session->get( 'AuthManager::AutoCreateBlacklist' ) ) {
1615 $this->logger->debug( __METHOD__ . ': blacklisted in session {sessionid}', [
1616 'username' => $username,
1617 'sessionid' => $session->getId(),
1618 ] );
1619 $user->setId( 0 );
1620 $user->loadFromId();
1621 $reason = $session->get( 'AuthManager::AutoCreateBlacklist' );
1622 if ( $reason instanceof StatusValue ) {
1623 return Status::wrap( $reason );
1624 } else {
1625 return Status::newFatal( $reason );
1626 }
1627 }
1628
1629 // Is the username creatable?
1630 if ( !User::isCreatableName( $username ) ) {
1631 $this->logger->debug( __METHOD__ . ': name "{username}" is not creatable', [
1632 'username' => $username,
1633 ] );
1634 $session->set( 'AuthManager::AutoCreateBlacklist', 'noname' );
1635 $user->setId( 0 );
1636 $user->loadFromId();
1637 return Status::newFatal( 'noname' );
1638 }
1639
1640 // Is the IP user able to create accounts?
1641 $anon = new User;
1642 if ( $source !== self::AUTOCREATE_SOURCE_MAINT && !MediaWikiServices::getInstance()
1643 ->getPermissionManager()
1644 ->userHasAnyRight( $anon, 'createaccount', 'autocreateaccount' )
1645 ) {
1646 $this->logger->debug( __METHOD__ . ': IP lacks the ability to create or autocreate accounts', [
1647 'username' => $username,
1648 'ip' => $anon->getName(),
1649 ] );
1650 $session->set( 'AuthManager::AutoCreateBlacklist', 'authmanager-autocreate-noperm' );
1651 $session->persist();
1652 $user->setId( 0 );
1653 $user->loadFromId();
1654 return Status::newFatal( 'authmanager-autocreate-noperm' );
1655 }
1656
1657 // Avoid account creation races on double submissions
1658 $cache = \ObjectCache::getLocalClusterInstance();
1659 $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $username ) ) );
1660 if ( !$lock ) {
1661 $this->logger->debug( __METHOD__ . ': Could not acquire account creation lock', [
1662 'user' => $username,
1663 ] );
1664 $user->setId( 0 );
1665 $user->loadFromId();
1666 return Status::newFatal( 'usernameinprogress' );
1667 }
1668
1669 // Denied by providers?
1670 $options = [
1671 'flags' => User::READ_LATEST,
1672 'creating' => true,
1673 ];
1674 $providers = $this->getPreAuthenticationProviders() +
1675 $this->getPrimaryAuthenticationProviders() +
1676 $this->getSecondaryAuthenticationProviders();
1677 foreach ( $providers as $provider ) {
1678 $status = $provider->testUserForCreation( $user, $source, $options );
1679 if ( !$status->isGood() ) {
1680 $ret = Status::wrap( $status );
1681 $this->logger->debug( __METHOD__ . ': Provider denied creation of {username}: {reason}', [
1682 'username' => $username,
1683 'reason' => $ret->getWikiText( null, null, 'en' ),
1684 ] );
1685 $session->set( 'AuthManager::AutoCreateBlacklist', $status );
1686 $user->setId( 0 );
1687 $user->loadFromId();
1688 return $ret;
1689 }
1690 }
1691
1692 $backoffKey = $cache->makeKey( 'AuthManager', 'autocreate-failed', md5( $username ) );
1693 if ( $cache->get( $backoffKey ) ) {
1694 $this->logger->debug( __METHOD__ . ': {username} denied by prior creation attempt failures', [
1695 'username' => $username,
1696 ] );
1697 $user->setId( 0 );
1698 $user->loadFromId();
1699 return Status::newFatal( 'authmanager-autocreate-exception' );
1700 }
1701
1702 // Checks passed, create the user...
1703 $from = $_SERVER['REQUEST_URI'] ?? 'CLI';
1704 $this->logger->info( __METHOD__ . ': creating new user ({username}) - from: {from}', [
1705 'username' => $username,
1706 'from' => $from,
1707 ] );
1708
1709 // Ignore warnings about master connections/writes...hard to avoid here
1710 $trxProfiler = \Profiler::instance()->getTransactionProfiler();
1711 $old = $trxProfiler->setSilenced( true );
1712 try {
1713 $status = $user->addToDatabase();
1714 if ( !$status->isOK() ) {
1715 // Double-check for a race condition (T70012). We make use of the fact that when
1716 // addToDatabase fails due to the user already existing, the user object gets loaded.
1717 if ( $user->getId() ) {
1718 $this->logger->info( __METHOD__ . ': {username} already exists locally (race)', [
1719 'username' => $username,
1720 ] );
1721 if ( $login ) {
1722 $this->setSessionDataForUser( $user );
1723 }
1724 $status = Status::newGood();
1725 $status->warning( 'userexists' );
1726 } else {
1727 $this->logger->error( __METHOD__ . ': {username} failed with message {msg}', [
1728 'username' => $username,
1729 'msg' => $status->getWikiText( null, null, 'en' )
1730 ] );
1731 $user->setId( 0 );
1732 $user->loadFromId();
1733 }
1734 return $status;
1735 }
1736 } catch ( \Exception $ex ) {
1737 $trxProfiler->setSilenced( $old );
1738 $this->logger->error( __METHOD__ . ': {username} failed with exception {exception}', [
1739 'username' => $username,
1740 'exception' => $ex,
1741 ] );
1742 // Do not keep throwing errors for a while
1743 $cache->set( $backoffKey, 1, 600 );
1744 // Bubble up error; which should normally trigger DB rollbacks
1745 throw $ex;
1746 }
1747
1748 $this->setDefaultUserOptions( $user, false );
1749
1750 // Inform the providers
1751 $this->callMethodOnProviders( 6, 'autoCreatedAccount', [ $user, $source ] );
1752
1753 \Hooks::run( 'LocalUserCreated', [ $user, true ] );
1754 $user->saveSettings();
1755
1756 // Update user count
1757 \DeferredUpdates::addUpdate( \SiteStatsUpdate::factory( [ 'users' => 1 ] ) );
1758 // Watch user's userpage and talk page
1759 \DeferredUpdates::addCallableUpdate( function () use ( $user ) {
1760 $user->addWatch( $user->getUserPage(), User::IGNORE_USER_RIGHTS );
1761 } );
1762
1763 // Log the creation
1764 if ( $this->config->get( 'NewUserLog' ) ) {
1765 $logEntry = new \ManualLogEntry( 'newusers', 'autocreate' );
1766 $logEntry->setPerformer( $user );
1767 $logEntry->setTarget( $user->getUserPage() );
1768 $logEntry->setComment( '' );
1769 $logEntry->setParameters( [
1770 '4::userid' => $user->getId(),
1771 ] );
1772 $logEntry->insert();
1773 }
1774
1775 $trxProfiler->setSilenced( $old );
1776
1777 if ( $login ) {
1778 $this->setSessionDataForUser( $user );
1779 }
1780
1781 return Status::newGood();
1782 }
1783
1795 public function canLinkAccounts() {
1796 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
1797 if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK ) {
1798 return true;
1799 }
1800 }
1801 return false;
1802 }
1803
1813 public function beginAccountLink( User $user, array $reqs, $returnToUrl ) {
1814 $session = $this->request->getSession();
1815 $session->remove( 'AuthManager::accountLinkState' );
1816
1817 if ( !$this->canLinkAccounts() ) {
1818 // Caller should have called canLinkAccounts()
1819 throw new \LogicException( 'Account linking is not possible' );
1820 }
1821
1822 if ( $user->getId() === 0 ) {
1823 if ( !User::isUsableName( $user->getName() ) ) {
1824 $msg = wfMessage( 'noname' );
1825 } else {
1826 $msg = wfMessage( 'authmanager-userdoesnotexist', $user->getName() );
1827 }
1828 return AuthenticationResponse::newFail( $msg );
1829 }
1830 foreach ( $reqs as $req ) {
1831 $req->username = $user->getName();
1832 $req->returnToUrl = $returnToUrl;
1833 }
1834
1835 $this->removeAuthenticationSessionData( null );
1836
1837 $providers = $this->getPreAuthenticationProviders();
1838 foreach ( $providers as $id => $provider ) {
1839 $status = $provider->testForAccountLink( $user );
1840 if ( !$status->isGood() ) {
1841 $this->logger->debug( __METHOD__ . ": Account linking pre-check failed by $id", [
1842 'user' => $user->getName(),
1843 ] );
1844 $ret = AuthenticationResponse::newFail(
1845 Status::wrap( $status )->getMessage()
1846 );
1847 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1848 return $ret;
1849 }
1850 }
1851
1852 $state = [
1853 'username' => $user->getName(),
1854 'userid' => $user->getId(),
1855 'returnToUrl' => $returnToUrl,
1856 'primary' => null,
1857 'continueRequests' => [],
1858 ];
1859
1860 $providers = $this->getPrimaryAuthenticationProviders();
1861 foreach ( $providers as $id => $provider ) {
1862 if ( $provider->accountCreationType() !== PrimaryAuthenticationProvider::TYPE_LINK ) {
1863 continue;
1864 }
1865
1866 $res = $provider->beginPrimaryAccountLink( $user, $reqs );
1867 switch ( $res->status ) {
1868 case AuthenticationResponse::PASS;
1869 $this->logger->info( "Account linked to {user} by $id", [
1870 'user' => $user->getName(),
1871 ] );
1872 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1873 return $res;
1874
1875 case AuthenticationResponse::FAIL;
1876 $this->logger->debug( __METHOD__ . ": Account linking failed by $id", [
1877 'user' => $user->getName(),
1878 ] );
1879 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1880 return $res;
1881
1882 case AuthenticationResponse::ABSTAIN;
1883 // Continue loop
1884 break;
1885
1886 case AuthenticationResponse::REDIRECT;
1887 case AuthenticationResponse::UI;
1888 $this->logger->debug( __METHOD__ . ": Account linking $res->status by $id", [
1889 'user' => $user->getName(),
1890 ] );
1891 $this->fillRequests( $res->neededRequests, self::ACTION_LINK, $user->getName() );
1892 $state['primary'] = $id;
1893 $state['continueRequests'] = $res->neededRequests;
1894 $session->setSecret( 'AuthManager::accountLinkState', $state );
1895 $session->persist();
1896 return $res;
1897
1898 // @codeCoverageIgnoreStart
1899 default:
1900 throw new \DomainException(
1901 get_class( $provider ) . "::beginPrimaryAccountLink() returned $res->status"
1902 );
1903 // @codeCoverageIgnoreEnd
1904 }
1905 }
1906
1907 $this->logger->debug( __METHOD__ . ': Account linking failed because no provider accepted', [
1908 'user' => $user->getName(),
1909 ] );
1910 $ret = AuthenticationResponse::newFail(
1911 wfMessage( 'authmanager-link-no-primary' )
1912 );
1913 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1914 return $ret;
1915 }
1916
1922 public function continueAccountLink( array $reqs ) {
1923 $session = $this->request->getSession();
1924 try {
1925 if ( !$this->canLinkAccounts() ) {
1926 // Caller should have called canLinkAccounts()
1927 $session->remove( 'AuthManager::accountLinkState' );
1928 throw new \LogicException( 'Account linking is not possible' );
1929 }
1930
1931 $state = $session->getSecret( 'AuthManager::accountLinkState' );
1932 if ( !is_array( $state ) ) {
1933 return AuthenticationResponse::newFail(
1934 wfMessage( 'authmanager-link-not-in-progress' )
1935 );
1936 }
1937 $state['continueRequests'] = [];
1938
1939 // Step 0: Prepare and validate the input
1940
1941 $user = User::newFromName( $state['username'], 'usable' );
1942 if ( !is_object( $user ) ) {
1943 $session->remove( 'AuthManager::accountLinkState' );
1944 return AuthenticationResponse::newFail( wfMessage( 'noname' ) );
1945 }
1946 if ( $user->getId() !== $state['userid'] ) {
1947 throw new \UnexpectedValueException(
1948 "User \"{$state['username']}\" is valid, but " .
1949 "ID {$user->getId()} !== {$state['userid']}!"
1950 );
1951 }
1952
1953 foreach ( $reqs as $req ) {
1954 $req->username = $state['username'];
1955 $req->returnToUrl = $state['returnToUrl'];
1956 }
1957
1958 // Step 1: Call the primary again until it succeeds
1959
1960 $provider = $this->getAuthenticationProvider( $state['primary'] );
1961 if ( !$provider instanceof PrimaryAuthenticationProvider ) {
1962 // Configuration changed? Force them to start over.
1963 // @codeCoverageIgnoreStart
1964 $ret = AuthenticationResponse::newFail(
1965 wfMessage( 'authmanager-link-not-in-progress' )
1966 );
1967 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1968 $session->remove( 'AuthManager::accountLinkState' );
1969 return $ret;
1970 // @codeCoverageIgnoreEnd
1971 }
1972 $id = $provider->getUniqueId();
1973 $res = $provider->continuePrimaryAccountLink( $user, $reqs );
1974 switch ( $res->status ) {
1975 case AuthenticationResponse::PASS;
1976 $this->logger->info( "Account linked to {user} by $id", [
1977 'user' => $user->getName(),
1978 ] );
1979 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1980 $session->remove( 'AuthManager::accountLinkState' );
1981 return $res;
1982 case AuthenticationResponse::FAIL;
1983 $this->logger->debug( __METHOD__ . ": Account linking failed by $id", [
1984 'user' => $user->getName(),
1985 ] );
1986 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1987 $session->remove( 'AuthManager::accountLinkState' );
1988 return $res;
1989 case AuthenticationResponse::REDIRECT;
1990 case AuthenticationResponse::UI;
1991 $this->logger->debug( __METHOD__ . ": Account linking $res->status by $id", [
1992 'user' => $user->getName(),
1993 ] );
1994 $this->fillRequests( $res->neededRequests, self::ACTION_LINK, $user->getName() );
1995 $state['continueRequests'] = $res->neededRequests;
1996 $session->setSecret( 'AuthManager::accountLinkState', $state );
1997 return $res;
1998 default:
1999 throw new \DomainException(
2000 get_class( $provider ) . "::continuePrimaryAccountLink() returned $res->status"
2001 );
2002 }
2003 } catch ( \Exception $ex ) {
2004 $session->remove( 'AuthManager::accountLinkState' );
2005 throw $ex;
2006 }
2007 }
2008
2034 public function getAuthenticationRequests( $action, User $user = null ) {
2035 $options = [];
2036 $providerAction = $action;
2037
2038 // Figure out which providers to query
2039 switch ( $action ) {
2040 case self::ACTION_LOGIN:
2041 case self::ACTION_CREATE:
2042 $providers = $this->getPreAuthenticationProviders() +
2043 $this->getPrimaryAuthenticationProviders() +
2044 $this->getSecondaryAuthenticationProviders();
2045 break;
2046
2047 case self::ACTION_LOGIN_CONTINUE:
2048 $state = $this->request->getSession()->getSecret( 'AuthManager::authnState' );
2049 return is_array( $state ) ? $state['continueRequests'] : [];
2050
2051 case self::ACTION_CREATE_CONTINUE:
2052 $state = $this->request->getSession()->getSecret( 'AuthManager::accountCreationState' );
2053 return is_array( $state ) ? $state['continueRequests'] : [];
2054
2055 case self::ACTION_LINK:
2056 $providers = array_filter( $this->getPrimaryAuthenticationProviders(), function ( $p ) {
2057 return $p->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK;
2058 } );
2059 break;
2060
2061 case self::ACTION_UNLINK:
2062 $providers = array_filter( $this->getPrimaryAuthenticationProviders(), function ( $p ) {
2063 return $p->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK;
2064 } );
2065
2066 // To providers, unlink and remove are identical.
2067 $providerAction = self::ACTION_REMOVE;
2068 break;
2069
2070 case self::ACTION_LINK_CONTINUE:
2071 $state = $this->request->getSession()->getSecret( 'AuthManager::accountLinkState' );
2072 return is_array( $state ) ? $state['continueRequests'] : [];
2073
2074 case self::ACTION_CHANGE:
2075 case self::ACTION_REMOVE:
2076 $providers = $this->getPrimaryAuthenticationProviders() +
2077 $this->getSecondaryAuthenticationProviders();
2078 break;
2079
2080 // @codeCoverageIgnoreStart
2081 default:
2082 throw new \DomainException( __METHOD__ . ": Invalid action \"$action\"" );
2083 }
2084 // @codeCoverageIgnoreEnd
2085
2086 return $this->getAuthenticationRequestsInternal( $providerAction, $options, $providers, $user );
2087 }
2088
2098 private function getAuthenticationRequestsInternal(
2099 $providerAction, array $options, array $providers, User $user = null
2100 ) {
2101 $user = $user ?: \RequestContext::getMain()->getUser();
2102 $options['username'] = $user->isAnon() ? null : $user->getName();
2103
2104 // Query them and merge results
2105 $reqs = [];
2106 foreach ( $providers as $provider ) {
2107 $isPrimary = $provider instanceof PrimaryAuthenticationProvider;
2108 foreach ( $provider->getAuthenticationRequests( $providerAction, $options ) as $req ) {
2109 $id = $req->getUniqueId();
2110
2111 // If a required request if from a Primary, mark it as "primary-required" instead
2112 if ( $isPrimary && $req->required ) {
2113 $req->required = AuthenticationRequest::PRIMARY_REQUIRED;
2114 }
2115
2116 if (
2117 !isset( $reqs[$id] )
2118 || $req->required === AuthenticationRequest::REQUIRED
2119 || $reqs[$id] === AuthenticationRequest::OPTIONAL
2120 ) {
2121 $reqs[$id] = $req;
2122 }
2123 }
2124 }
2125
2126 // AuthManager has its own req for some actions
2127 switch ( $providerAction ) {
2128 case self::ACTION_LOGIN:
2129 $reqs[] = new RememberMeAuthenticationRequest;
2130 break;
2131
2132 case self::ACTION_CREATE:
2133 $reqs[] = new UsernameAuthenticationRequest;
2134 $reqs[] = new UserDataAuthenticationRequest;
2135 if ( $options['username'] !== null ) {
2136 $reqs[] = new CreationReasonAuthenticationRequest;
2137 $options['username'] = null; // Don't fill in the username below
2138 }
2139 break;
2140 }
2141
2142 // Fill in reqs data
2143 $this->fillRequests( $reqs, $providerAction, $options['username'], true );
2144
2145 // For self::ACTION_CHANGE, filter out any that something else *doesn't* allow changing
2146 if ( $providerAction === self::ACTION_CHANGE || $providerAction === self::ACTION_REMOVE ) {
2147 $reqs = array_filter( $reqs, function ( $req ) {
2148 return $this->allowsAuthenticationDataChange( $req, false )->isGood();
2149 } );
2150 }
2151
2152 return array_values( $reqs );
2153 }
2154
2162 private function fillRequests( array &$reqs, $action, $username, $forceAction = false ) {
2163 foreach ( $reqs as $req ) {
2164 if ( !$req->action || $forceAction ) {
2165 $req->action = $action;
2166 }
2167 if ( $req->username === null ) {
2168 $req->username = $username;
2169 }
2170 }
2171 }
2172
2179 public function userExists( $username, $flags = User::READ_NORMAL ) {
2180 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
2181 if ( $provider->testUserExists( $username, $flags ) ) {
2182 return true;
2183 }
2184 }
2185
2186 return false;
2187 }
2188
2200 public function allowsPropertyChange( $property ) {
2201 $providers = $this->getPrimaryAuthenticationProviders() +
2202 $this->getSecondaryAuthenticationProviders();
2203 foreach ( $providers as $provider ) {
2204 if ( !$provider->providerAllowsPropertyChange( $property ) ) {
2205 return false;
2206 }
2207 }
2208 return true;
2209 }
2210
2219 public function getAuthenticationProvider( $id ) {
2220 // Fast version
2221 if ( isset( $this->allAuthenticationProviders[$id] ) ) {
2222 return $this->allAuthenticationProviders[$id];
2223 }
2224
2225 // Slow version: instantiate each kind and check
2226 $providers = $this->getPrimaryAuthenticationProviders();
2227 if ( isset( $providers[$id] ) ) {
2228 return $providers[$id];
2229 }
2230 $providers = $this->getSecondaryAuthenticationProviders();
2231 if ( isset( $providers[$id] ) ) {
2232 return $providers[$id];
2233 }
2234 $providers = $this->getPreAuthenticationProviders();
2235 if ( isset( $providers[$id] ) ) {
2236 return $providers[$id];
2237 }
2238
2239 return null;
2240 }
2241
2255 public function setAuthenticationSessionData( $key, $data ) {
2256 $session = $this->request->getSession();
2257 $arr = $session->getSecret( 'authData' );
2258 if ( !is_array( $arr ) ) {
2259 $arr = [];
2260 }
2261 $arr[$key] = $data;
2262 $session->setSecret( 'authData', $arr );
2263 }
2264
2272 public function getAuthenticationSessionData( $key, $default = null ) {
2273 $arr = $this->request->getSession()->getSecret( 'authData' );
2274 if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) {
2275 return $arr[$key];
2276 } else {
2277 return $default;
2278 }
2279 }
2280
2286 public function removeAuthenticationSessionData( $key ) {
2287 $session = $this->request->getSession();
2288 if ( $key === null ) {
2289 $session->remove( 'authData' );
2290 } else {
2291 $arr = $session->getSecret( 'authData' );
2292 if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) {
2293 unset( $arr[$key] );
2294 $session->setSecret( 'authData', $arr );
2295 }
2296 }
2297 }
2298
2305 protected function providerArrayFromSpecs( $class, array $specs ) {
2306 $i = 0;
2307 foreach ( $specs as &$spec ) {
2308 $spec = [ 'sort2' => $i++ ] + $spec + [ 'sort' => 0 ];
2309 }
2310 unset( $spec );
2311 // Sort according to the 'sort' field, and if they are equal, according to 'sort2'
2312 usort( $specs, function ( $a, $b ) {
2313 return $a['sort'] <=> $b['sort']
2314 ?: $a['sort2'] <=> $b['sort2'];
2315 } );
2316
2317 $ret = [];
2318 foreach ( $specs as $spec ) {
2319 $provider = ObjectFactory::getObjectFromSpec( $spec );
2320 if ( !$provider instanceof $class ) {
2321 throw new \RuntimeException(
2322 "Expected instance of $class, got " . get_class( $provider )
2323 );
2324 }
2325 $provider->setLogger( $this->logger );
2326 $provider->setManager( $this );
2327 $provider->setConfig( $this->config );
2328 $id = $provider->getUniqueId();
2329 if ( isset( $this->allAuthenticationProviders[$id] ) ) {
2330 throw new \RuntimeException(
2331 "Duplicate specifications for id $id (classes " .
2332 get_class( $provider ) . ' and ' .
2333 get_class( $this->allAuthenticationProviders[$id] ) . ')'
2334 );
2335 }
2336 $this->allAuthenticationProviders[$id] = $provider;
2337 $ret[$id] = $provider;
2338 }
2339 return $ret;
2340 }
2341
2346 private function getConfiguration() {
2347 return $this->config->get( 'AuthManagerConfig' ) ?: $this->config->get( 'AuthManagerAutoConfig' );
2348 }
2349
2354 protected function getPreAuthenticationProviders() {
2355 if ( $this->preAuthenticationProviders === null ) {
2356 $conf = $this->getConfiguration();
2357 $this->preAuthenticationProviders = $this->providerArrayFromSpecs(
2358 PreAuthenticationProvider::class, $conf['preauth']
2359 );
2360 }
2361 return $this->preAuthenticationProviders;
2362 }
2363
2368 protected function getPrimaryAuthenticationProviders() {
2369 if ( $this->primaryAuthenticationProviders === null ) {
2370 $conf = $this->getConfiguration();
2371 $this->primaryAuthenticationProviders = $this->providerArrayFromSpecs(
2372 PrimaryAuthenticationProvider::class, $conf['primaryauth']
2373 );
2374 }
2375 return $this->primaryAuthenticationProviders;
2376 }
2377
2382 protected function getSecondaryAuthenticationProviders() {
2383 if ( $this->secondaryAuthenticationProviders === null ) {
2384 $conf = $this->getConfiguration();
2385 $this->secondaryAuthenticationProviders = $this->providerArrayFromSpecs(
2386 SecondaryAuthenticationProvider::class, $conf['secondaryauth']
2387 );
2388 }
2389 return $this->secondaryAuthenticationProviders;
2390 }
2391
2397 private function setSessionDataForUser( $user, $remember = null ) {
2398 $session = $this->request->getSession();
2399 $delay = $session->delaySave();
2400
2401 $session->resetId();
2402 $session->resetAllTokens();
2403 if ( $session->canSetUser() ) {
2404 $session->setUser( $user );
2405 }
2406 if ( $remember !== null ) {
2407 $session->setRememberUser( $remember );
2408 }
2409 $session->set( 'AuthManager:lastAuthId', $user->getId() );
2410 $session->set( 'AuthManager:lastAuthTimestamp', time() );
2411 $session->persist();
2412
2413 \Wikimedia\ScopedCallback::consume( $delay );
2414
2415 \Hooks::run( 'UserLoggedIn', [ $user ] );
2416 }
2417
2422 private function setDefaultUserOptions( User $user, $useContextLang ) {
2423 $user->setToken();
2424
2425 $contLang = MediaWikiServices::getInstance()->getContentLanguage();
2426
2427 $lang = $useContextLang ? \RequestContext::getMain()->getLanguage() : $contLang;
2428 $user->setOption( 'language', $lang->getPreferredVariant() );
2429
2430 if ( $contLang->hasVariants() ) {
2431 $user->setOption( 'variant', $contLang->getPreferredVariant() );
2432 }
2433 }
2434
2440 private function callMethodOnProviders( $which, $method, array $args ) {
2441 $providers = [];
2442 if ( $which & 1 ) {
2443 $providers += $this->getPreAuthenticationProviders();
2444 }
2445 if ( $which & 2 ) {
2446 $providers += $this->getPrimaryAuthenticationProviders();
2447 }
2448 if ( $which & 4 ) {
2449 $providers += $this->getSecondaryAuthenticationProviders();
2450 }
2451 foreach ( $providers as $provider ) {
2452 $provider->$method( ...$args );
2453 }
2454 }
2455
2460 public static function resetCache() {
2461 if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
2462 // @codeCoverageIgnoreStart
2463 throw new \MWException( __METHOD__ . ' may only be called from unit tests!' );
2464 // @codeCoverageIgnoreEnd
2465 }
2466
2467 self::$instance = null;
2468 }
2469
2472}
2473
getPermissionManager
getPermissionManager()
wfReadOnly
wfReadOnly()
Check whether the wiki is in read-only mode.
Definition GlobalFunctions.php:1170
wfReadOnlyReason
wfReadOnlyReason()
Check if the site is in read-only mode and return the message if so.
Definition GlobalFunctions.php:1183
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:1263
wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Throws a warning that $function is deprecated.
Definition GlobalFunctions.php:1044
$args
if( $line===false) $args
Definition cdb.php:64
MediaWiki\Auth\AuthManager
This serves as the entry point to the authentication system.
Definition AuthManager.php:85
MediaWiki\Auth\AuthManager\resetCache
static resetCache()
Reset the internal caching for unit testing.
Definition AuthManager.php:2460
MediaWiki\Auth\AuthManager\canLinkAccounts
canLinkAccounts()
Determine whether accounts can be linked.
Definition AuthManager.php:1795
MediaWiki\Auth\AuthManager\ACTION_UNLINK
const ACTION_UNLINK
Like ACTION_REMOVE but for linking providers only.
Definition AuthManager.php:109
MediaWiki\Auth\AuthManager\SEC_FAIL
const SEC_FAIL
Security-sensitive should not be performed.
Definition AuthManager.php:116
MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders
getPrimaryAuthenticationProviders()
Get the list of PrimaryAuthenticationProviders.
Definition AuthManager.php:2368
MediaWiki\Auth\AuthManager\ACTION_LOGIN_CONTINUE
const ACTION_LOGIN_CONTINUE
Continue a login process that was interrupted by the need for user input or communication with an ext...
Definition AuthManager.php:91
MediaWiki\Auth\AuthManager\setAuthenticationSessionData
setAuthenticationSessionData( $key, $data)
Store authentication in the current session.
Definition AuthManager.php:2255
MediaWiki\Auth\AuthManager\beginAccountCreation
beginAccountCreation(User $creator, array $reqs, $returnToUrl)
Start an account creation flow.
Definition AuthManager.php:1057
MediaWiki\Auth\AuthManager\callMethodOnProviders
callMethodOnProviders( $which, $method, array $args)
Definition AuthManager.php:2440
MediaWiki\Auth\AuthManager\getAuthenticationProvider
getAuthenticationProvider( $id)
Get a provider by ID.
Definition AuthManager.php:2219
MediaWiki\Auth\AuthManager\setSessionDataForUser
setSessionDataForUser( $user, $remember=null)
Log the user in.
Definition AuthManager.php:2397
MediaWiki\Auth\AuthManager\securitySensitiveOperationStatus
securitySensitiveOperationStatus( $operation)
Whether security-sensitive operations should proceed.
Definition AuthManager.php:721
MediaWiki\Auth\AuthManager\$secondaryAuthenticationProviders
SecondaryAuthenticationProvider[] $secondaryAuthenticationProviders
Definition AuthManager.php:146
MediaWiki\Auth\AuthManager\revokeAccessForUser
revokeAccessForUser( $username)
Revoke any authentication credentials for a user.
Definition AuthManager.php:847
MediaWiki\Auth\AuthManager\beginAccountLink
beginAccountLink(User $user, array $reqs, $returnToUrl)
Start an account linking flow.
Definition AuthManager.php:1813
MediaWiki\Auth\AuthManager\SEC_REAUTH
const SEC_REAUTH
Security-sensitive operations should re-authenticate.
Definition AuthManager.php:114
MediaWiki\Auth\AuthManager\getSecondaryAuthenticationProviders
getSecondaryAuthenticationProviders()
Get the list of SecondaryAuthenticationProviders.
Definition AuthManager.php:2382
MediaWiki\Auth\AuthManager\allowsPropertyChange
allowsPropertyChange( $property)
Determine whether a user property should be allowed to be changed.
Definition AuthManager.php:2200
MediaWiki\Auth\AuthManager\ACTION_CREATE_CONTINUE
const ACTION_CREATE_CONTINUE
Continue a user creation process that was interrupted by the need for user input or communication wit...
Definition AuthManager.php:97
MediaWiki\Auth\AuthManager\continueAccountLink
continueAccountLink(array $reqs)
Continue an account linking flow.
Definition AuthManager.php:1922
MediaWiki\Auth\AuthManager\setLogger
setLogger(LoggerInterface $logger)
Definition AuthManager.php:178
MediaWiki\Auth\AuthManager\allowsAuthenticationDataChange
allowsAuthenticationDataChange(AuthenticationRequest $req, $checkData=true)
Validate a change of authentication data (e.g.
Definition AuthManager.php:863
MediaWiki\Auth\AuthManager\beginAuthentication
beginAuthentication(array $reqs, $returnToUrl)
Start an authentication flow.
Definition AuthManager.php:289
MediaWiki\Auth\AuthManager\getAuthenticationSessionData
getAuthenticationSessionData( $key, $default=null)
Fetch authentication data from the current session.
Definition AuthManager.php:2272
MediaWiki\Auth\AuthManager\canCreateAccounts
canCreateAccounts()
Determine whether accounts can be created.
Definition AuthManager.php:925
MediaWiki\Auth\AuthManager\canCreateAccount
canCreateAccount( $username, $options=[])
Determine whether a particular account can be created.
Definition AuthManager.php:944
MediaWiki\Auth\AuthManager\changeAuthenticationData
changeAuthenticationData(AuthenticationRequest $req, $isAddition=false)
Change authentication data (e.g.
Definition AuthManager.php:899
MediaWiki\Auth\AuthManager\userCanAuthenticate
userCanAuthenticate( $username)
Determine whether a username can authenticate.
Definition AuthManager.php:799
MediaWiki\Auth\AuthManager\removeAuthenticationSessionData
removeAuthenticationSessionData( $key)
Remove authentication data.
Definition AuthManager.php:2286
MediaWiki\Auth\AuthManager\providerArrayFromSpecs
providerArrayFromSpecs( $class, array $specs)
Create an array of AuthenticationProviders from an array of ObjectFactory specs.
Definition AuthManager.php:2305
MediaWiki\Auth\AuthManager\forcePrimaryAuthenticationProviders
forcePrimaryAuthenticationProviders(array $providers, $why)
Force certain PrimaryAuthenticationProviders.
Definition AuthManager.php:195
MediaWiki\Auth\AuthManager\AUTOCREATE_SOURCE_MAINT
const AUTOCREATE_SOURCE_MAINT
Auto-creation is due to a Maintenance script.
Definition AuthManager.php:122
MediaWiki\Auth\AuthManager\setDefaultUserOptions
setDefaultUserOptions(User $user, $useContextLang)
Definition AuthManager.php:2422
MediaWiki\Auth\AuthManager\checkAccountCreatePermissions
checkAccountCreatePermissions(User $creator)
Basic permissions checks on whether a user can create accounts.
Definition AuthManager.php:992
MediaWiki\Auth\AuthManager\singleton
static singleton()
Get the global AuthManager.
Definition AuthManager.php:155
MediaWiki\Auth\AuthManager\$createdAccountAuthenticationRequests
CreatedAccountAuthenticationRequest[] $createdAccountAuthenticationRequests
Definition AuthManager.php:149
MediaWiki\Auth\AuthManager\$allAuthenticationProviders
AuthenticationProvider[] $allAuthenticationProviders
Definition AuthManager.php:137
MediaWiki\Auth\AuthManager\continueAuthentication
continueAuthentication(array $reqs)
Continue an authentication flow.
Definition AuthManager.php:413
MediaWiki\Auth\AuthManager\SEC_OK
const SEC_OK
Security-sensitive operations are ok.
Definition AuthManager.php:112
MediaWiki\Auth\AuthManager\getAuthenticationRequestsInternal
getAuthenticationRequestsInternal( $providerAction, array $options, array $providers, User $user=null)
Internal request lookup for self::getAuthenticationRequests.
Definition AuthManager.php:2098
MediaWiki\Auth\AuthManager\autoCreateUser
autoCreateUser(User $user, $source, $login=true)
Auto-create an account, and log into that account.
Definition AuthManager.php:1560
MediaWiki\Auth\AuthManager\ACTION_LINK_CONTINUE
const ACTION_LINK_CONTINUE
Continue a user linking process that was interrupted by the need for user input or communication with...
Definition AuthManager.php:103
MediaWiki\Auth\AuthManager\ACTION_CHANGE
const ACTION_CHANGE
Change a user's credentials.
Definition AuthManager.php:105
MediaWiki\Auth\AuthManager\canAuthenticateNow
canAuthenticateNow()
Indicate whether user authentication is possible.
Definition AuthManager.php:267
MediaWiki\Auth\AuthManager\callLegacyAuthPlugin
static callLegacyAuthPlugin( $method, array $params, $return=null)
This used to call a legacy AuthPlugin method, if necessary.
Definition AuthManager.php:249
MediaWiki\Auth\AuthManager\ACTION_REMOVE
const ACTION_REMOVE
Remove a user's credentials.
Definition AuthManager.php:107
MediaWiki\Auth\AuthManager\ACTION_LINK
const ACTION_LINK
Link an existing user to a third-party account.
Definition AuthManager.php:99
MediaWiki\Auth\AuthManager\$preAuthenticationProviders
PreAuthenticationProvider[] $preAuthenticationProviders
Definition AuthManager.php:140
MediaWiki\Auth\AuthManager\$primaryAuthenticationProviders
PrimaryAuthenticationProvider[] $primaryAuthenticationProviders
Definition AuthManager.php:143
MediaWiki\Auth\AuthManager\getConfiguration
getConfiguration()
Get the configuration.
Definition AuthManager.php:2346
MediaWiki\Auth\AuthManager\AUTOCREATE_SOURCE_SESSION
const AUTOCREATE_SOURCE_SESSION
Auto-creation is due to SessionManager.
Definition AuthManager.php:119
MediaWiki\Auth\AuthManager\getPreAuthenticationProviders
getPreAuthenticationProviders()
Get the list of PreAuthenticationProviders.
Definition AuthManager.php:2354
MediaWiki\Auth\AuthManager\getAuthenticationRequests
getAuthenticationRequests( $action, User $user=null)
Return the applicable list of AuthenticationRequests.
Definition AuthManager.php:2034
MediaWiki\Auth\AuthManager\fillRequests
fillRequests(array &$reqs, $action, $username, $forceAction=false)
Set values in an array of requests.
Definition AuthManager.php:2162
MediaWiki\Auth\AuthManager\userExists
userExists( $username, $flags=User::READ_NORMAL)
Determine whether a username exists.
Definition AuthManager.php:2179
MediaWiki\Auth\AuthManager\ACTION_LOGIN
const ACTION_LOGIN
Log in with an existing (not necessarily local) user.
Definition AuthManager.php:87
MediaWiki\Auth\AuthManager\__construct
__construct(WebRequest $request, Config $config)
Definition AuthManager.php:169
MediaWiki\Auth\AuthManager\normalizeUsername
normalizeUsername( $username)
Provide normalized versions of the username for security checks.
Definition AuthManager.php:822
MediaWiki\Auth\AuthManager\$instance
static AuthManager null $instance
Definition AuthManager.php:125
MediaWiki\Auth\AuthManager\continueAccountCreation
continueAccountCreation(array $reqs)
Continue an account creation flow.
Definition AuthManager.php:1158
MediaWiki\Auth\AuthManager\ACTION_CREATE
const ACTION_CREATE
Create a new user.
Definition AuthManager.php:93
MediaWiki\Auth\AuthenticationRequest
This is a value object for authentication requests.
Definition AuthenticationRequest.php:37
MediaWiki\Auth\AuthenticationRequest\OPTIONAL
const OPTIONAL
Indicates that the request is not required for authentication to proceed.
Definition AuthenticationRequest.php:40
MediaWiki\Auth\AuthenticationRequest\PRIMARY_REQUIRED
const PRIMARY_REQUIRED
Indicates that the request is required by a primary authentication provider.
Definition AuthenticationRequest.php:52
MediaWiki\Auth\AuthenticationRequest\REQUIRED
const REQUIRED
Indicates that the request is required for authentication to proceed.
Definition AuthenticationRequest.php:46
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition AuthenticationRequest.php:283
MediaWiki\Auth\AuthenticationRequest\getRequestByClass
static getRequestByClass(array $reqs, $class, $allowSubclasses=false)
Select a request by class name.
Definition AuthenticationRequest.php:263
MediaWiki\Auth\AuthenticationResponse\FAIL
const FAIL
Indicates that the authentication failed.
Definition AuthenticationResponse.php:42
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition AuthenticationResponse.php:39
MediaWiki\Auth\AuthenticationResponse\UI
const UI
Indicates that the authentication needs further user input of some sort.
Definition AuthenticationResponse.php:55
MediaWiki\Auth\AuthenticationResponse\REDIRECT
const REDIRECT
Indicates that the authentication needs to be redirected to a third party to proceed.
Definition AuthenticationResponse.php:58
MediaWiki\Auth\AuthenticationResponse\ABSTAIN
const ABSTAIN
Indicates that the authentication provider does not handle this request.
Definition AuthenticationResponse.php:52
MediaWiki\Auth\CreateFromLoginAuthenticationRequest
This transfers state between the login and account creation flows.
Definition CreateFromLoginAuthenticationRequest.php:34
MediaWiki\Auth\CreatedAccountAuthenticationRequest
Returned from account creation to allow for logging into the created account.
Definition CreatedAccountAuthenticationRequest.php:29
MediaWiki\Auth\CreationReasonAuthenticationRequest
Authentication request for the reason given for account creation.
Definition CreationReasonAuthenticationRequest.php:9
MediaWiki\Auth\RememberMeAuthenticationRequest
This is an authentication request added by AuthManager to show a "remember me" checkbox.
Definition RememberMeAuthenticationRequest.php:33
MediaWiki\Auth\UserDataAuthenticationRequest
This represents additional user data requested on the account creation form.
Definition UserDataAuthenticationRequest.php:34
MediaWiki\Auth\UsernameAuthenticationRequest
AuthenticationRequest to ensure something with a username is present.
Definition UsernameAuthenticationRequest.php:29
MediaWiki\Block\DatabaseBlock
A DatabaseBlock (unlike a SystemBlock) is stored in the database, may give rise to autoblocks and may...
Definition DatabaseBlock.php:54
MediaWiki\MediaWikiServices
MediaWikiServices is the service locator for the application scope of MediaWiki.
Definition MediaWikiServices.php:117
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:138
StatusValue
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition StatusValue.php:42
Status
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition Status.php:40
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:51
User\addWatch
addWatch( $title, $checkRights=self::CHECK_USER_RIGHTS)
Watch an article.
Definition User.php:3768
User\getName
getName()
Get the user name, or the IP of an anonymous user.
Definition User.php:2364
User\addToDatabase
addToDatabase()
Add this existing user object to the database.
Definition User.php:4212
User\newFromName
static newFromName( $name, $validate='valid')
Static factory method for creation from username.
Definition User.php:518
User\isCreatableName
static isCreatableName( $name)
Usernames which fail to pass this function will be blocked from new account registrations,...
Definition User.php:1082
User\loadFromId
loadFromId( $flags=self::READ_NORMAL)
Load user table data, given mId has already been set.
Definition User.php:391
User\setName
setName( $str)
Set the user name.
Definition User.php:2392
User\getId
getId()
Get the user's ID.
Definition User.php:2335
User\newFromId
static newFromId( $id)
Static factory method for creation from a given user ID.
Definition User.php:542
User\setId
setId( $v)
Set the user and reload all fields according to a given ID.
Definition User.php:2355
User\isUsableName
static isUsableName( $name)
Usernames which fail to pass this function will be blocked from user login and new account registrati...
Definition User.php:1008
User\IGNORE_USER_RIGHTS
const IGNORE_USER_RIGHTS
Definition User.php:83
User\setOption
setOption( $oname, $val)
Set the given option for a user.
Definition User.php:3109
User\isBlockedFromCreateAccount
isBlockedFromCreateAccount()
Get whether the user is explicitly blocked from account creation.
Definition User.php:4328
User\getUserPage
getUserPage()
Get this user's personal page title.
Definition User.php:4381
User\idFromName
static idFromName( $name, $flags=self::READ_NORMAL)
Get database id given a user name.
Definition User.php:871
User\saveSettings
saveSettings()
Save this user's settings into the database.
Definition User.php:4027
User\setToken
setToken( $token=false)
Set the random token (used for persistent authentication) Called from loadDefaults() among other plac...
Definition User.php:2889
WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition WebRequest.php:42
Config
Interface for configuration instances.
Definition Config.php:28
IDBAccessObject\READ_LOCKING
const READ_LOCKING
Constants for object loading bitfield flags (higher => higher QoS)
Definition IDBAccessObject.php:64
MediaWiki\Auth\AuthenticationProvider
An AuthenticationProvider is used by AuthManager when authenticating users.
Definition AuthenticationProvider.php:39
MediaWiki\Auth\AuthenticationProvider\getUniqueId
getUniqueId()
Return a unique identifier for this instance.
MediaWiki\Auth\PreAuthenticationProvider
A pre-authentication provider can prevent authentication early on.
Definition PreAuthenticationProvider.php:44
MediaWiki\Auth\PrimaryAuthenticationProvider
A primary authentication provider is responsible for associating the submitted authentication data wi...
Definition PrimaryAuthenticationProvider.php:75
MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_LINK
const TYPE_LINK
Provider can link to existing accounts elsewhere.
Definition PrimaryAuthenticationProvider.php:79
MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_NONE
const TYPE_NONE
Provider cannot create or link to accounts.
Definition PrimaryAuthenticationProvider.php:81
MediaWiki\Auth\SecondaryAuthenticationProvider
A secondary provider mostly acts when the submitted authentication data has already been associated t...
Definition SecondaryAuthenticationProvider.php:52
$cache
$cache
Definition mcc.php:33
$source
$source
Definition mwdoc-filter.php:34
MediaWiki
A helper class for throttling authentication attempts.
$last
$last
Definition profileinfo.php:419
$lang
if(!isset( $args[0])) $lang
Definition testCompression.php:33