MediaWiki REL1_34
UserPasswordPolicy.php
Go to the documentation of this file.
1<?php
28class UserPasswordPolicy {
29
33 private $policies;
34
41 private $policyCheckFunctions;
42
48 public function __construct( array $policies, array $checks ) {
49 if ( !isset( $policies['default'] ) ) {
50 throw new InvalidArgumentException(
51 'Must include a \'default\' password policy'
52 );
53 }
54 $this->policies = $policies;
55
56 foreach ( $checks as $statement => $check ) {
57 if ( !is_callable( $check ) ) {
58 throw new InvalidArgumentException(
59 "Policy check functions must be callable. '$statement' isn't callable."
60 );
61 }
62 $this->policyCheckFunctions[$statement] = $check;
63 }
64 }
65
76 public function checkUserPassword( User $user, $password ) {
77 $effectivePolicy = $this->getPoliciesForUser( $user );
78 return $this->checkPolicies(
79 $user,
80 $password,
81 $effectivePolicy,
82 $this->policyCheckFunctions
83 );
84 }
85
99 public function checkUserPasswordForGroups( User $user, $password, array $groups ) {
100 $effectivePolicy = self::getPoliciesForGroups(
101 $this->policies,
102 $groups,
103 $this->policies['default']
104 );
105 return $this->checkPolicies(
106 $user,
107 $password,
108 $effectivePolicy,
109 $this->policyCheckFunctions
110 );
111 }
112
120 private function checkPolicies( User $user, $password, $policies, $policyCheckFunctions ) {
121 $status = Status::newGood( [] );
122 $forceChange = false;
123 $suggestChangeOnLogin = false;
124 foreach ( $policies as $policy => $settings ) {
125 if ( !isset( $policyCheckFunctions[$policy] ) ) {
126 throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
127 }
128 if ( !is_array( $settings ) ) {
129 // legacy format
130 $settings = [ 'value' => $settings ];
131 }
132 if ( !array_key_exists( 'value', $settings ) ) {
133 throw new DomainException( "Invalid password policy config. No value defined for '$policy'." );
134 }
135 $value = $settings['value'];
137 $policyStatus = call_user_func(
138 $policyCheckFunctions[$policy],
139 $value,
140 $user,
141 $password
142 );
143
144 if ( !$policyStatus->isGood() ) {
145 if ( !empty( $settings['forceChange'] ) ) {
146 $forceChange = true;
147 }
148
149 if ( !empty( $settings['suggestChangeOnLogin'] ) ) {
150 $suggestChangeOnLogin = true;
151 }
152 }
153 $status->merge( $policyStatus );
154 }
155
156 if ( $status->isOK() ) {
157 if ( $forceChange ) {
158 $status->value['forceChange'] = true;
159 } elseif ( $suggestChangeOnLogin ) {
160 $status->value['suggestChangeOnLogin'] = true;
161 }
162 }
163
164 return $status;
165 }
166
173 public function getPoliciesForUser( User $user ) {
174 $effectivePolicy = self::getPoliciesForGroups(
175 $this->policies,
176 $user->getEffectiveGroups(),
177 $this->policies['default']
178 );
179
180 Hooks::run( 'PasswordPoliciesForUser', [ $user, &$effectivePolicy ] );
181
182 return $effectivePolicy;
183 }
184
193 public static function getPoliciesForGroups( array $policies, array $userGroups,
194 array $defaultPolicy
195 ) {
196 $effectivePolicy = $defaultPolicy;
197 foreach ( $policies as $group => $policy ) {
198 if ( in_array( $group, $userGroups ) ) {
199 $effectivePolicy = self::maxOfPolicies(
200 $effectivePolicy,
201 $policies[$group]
202 );
203 }
204 }
205
206 return $effectivePolicy;
207 }
208
217 public static function maxOfPolicies( array $p1, array $p2 ) {
218 $ret = [];
219 $keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
220 foreach ( $keys as $key ) {
221 if ( !isset( $p1[$key] ) ) {
222 $ret[$key] = $p2[$key];
223 } elseif ( !isset( $p2[$key] ) ) {
224 $ret[$key] = $p1[$key];
225 } elseif ( !is_array( $p1[$key] ) && !is_array( $p2[$key] ) ) {
226 $ret[$key] = max( $p1[$key], $p2[$key] );
227 } else {
228 if ( !is_array( $p1[$key] ) ) {
229 $p1[$key] = [ 'value' => $p1[$key] ];
230 } elseif ( !is_array( $p2[$key] ) ) {
231 $p2[$key] = [ 'value' => $p2[$key] ];
232 }
233 $ret[$key] = self::maxOfPolicies( $p1[$key], $p2[$key] );
234 }
235 }
236 return $ret;
237 }
238
239}
UserPasswordPolicy
Check if a user's password complies with any password policies that apply to that user,...
Definition UserPasswordPolicy.php:28
UserPasswordPolicy\checkUserPassword
checkUserPassword(User $user, $password)
Check if a password meets the effective password policy for a User.
Definition UserPasswordPolicy.php:76
UserPasswordPolicy\getPoliciesForGroups
static getPoliciesForGroups(array $policies, array $userGroups, array $defaultPolicy)
Utility function to get the effective policy from a list of policies, based on a list of groups.
Definition UserPasswordPolicy.php:193
UserPasswordPolicy\__construct
__construct(array $policies, array $checks)
Definition UserPasswordPolicy.php:48
UserPasswordPolicy\checkPolicies
checkPolicies(User $user, $password, $policies, $policyCheckFunctions)
Definition UserPasswordPolicy.php:120
UserPasswordPolicy\checkUserPasswordForGroups
checkUserPasswordForGroups(User $user, $password, array $groups)
Check if a password meets the effective password policy for a User, using a set of groups they may or...
Definition UserPasswordPolicy.php:99
UserPasswordPolicy\maxOfPolicies
static maxOfPolicies(array $p1, array $p2)
Utility function to get a policy that is the most restrictive of $p1 and $p2.
Definition UserPasswordPolicy.php:217
UserPasswordPolicy\$policyCheckFunctions
array $policyCheckFunctions
Mapping of statements to the function that will test the password for compliance.
Definition UserPasswordPolicy.php:41
UserPasswordPolicy\getPoliciesForUser
getPoliciesForUser(User $user)
Get the policy for a user, based on their group membership.
Definition UserPasswordPolicy.php:173
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:51
User\getEffectiveGroups
getEffectiveGroups( $recache=false)
Get the list of implicit group memberships this user has.
Definition User.php:3442