MediaWiki  master
AuthManager.php
Go to the documentation of this file.
1 <?php
24 namespace MediaWiki\Auth;
25 
26 use Config;
27 use MediaWiki\Block\DatabaseBlock;
28 use MediaWiki\MediaWikiServices;
29 use Psr\Log\LoggerAwareInterface;
30 use Psr\Log\LoggerInterface;
31 use Status;
32 use StatusValue;
33 use User;
34 use WebRequest;
35 use Wikimedia\ObjectFactory;
36 
85 class AuthManager implements LoggerAwareInterface {
87  const ACTION_LOGIN = 'login';
91  const ACTION_LOGIN_CONTINUE = 'login-continue';
93  const ACTION_CREATE = 'create';
97  const ACTION_CREATE_CONTINUE = 'create-continue';
99  const ACTION_LINK = 'link';
103  const ACTION_LINK_CONTINUE = 'link-continue';
105  const ACTION_CHANGE = 'change';
107  const ACTION_REMOVE = 'remove';
109  const ACTION_UNLINK = 'unlink';
110 
112  const SEC_OK = 'ok';
114  const SEC_REAUTH = 'reauth';
116  const SEC_FAIL = 'fail';
117 
119  const AUTOCREATE_SOURCE_SESSION = \MediaWiki\Session\SessionManager::class;
120 
122  const AUTOCREATE_SOURCE_MAINT = '::Maintenance::';
123 
125  private static $instance = null;
126 
128  private $request;
129 
131  private $config;
132 
134  private $logger;
135 
137  private $allAuthenticationProviders = [];
138 
140  private $preAuthenticationProviders = null;
141 
143  private $primaryAuthenticationProviders = null;
144 
146  private $secondaryAuthenticationProviders = null;
147 
149  private $createdAccountAuthenticationRequests = [];
150 
155  public static function singleton() {
156  if ( self::$instance === null ) {
157  self::$instance = new self(
158  \RequestContext::getMain()->getRequest(),
159  MediaWikiServices::getInstance()->getMainConfig()
160  );
161  }
162  return self::$instance;
163  }
164 
169  public function __construct( WebRequest $request, Config $config ) {
170  $this->request = $request;
171  $this->config = $config;
172  $this->setLogger( \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' ) );
173  }
174 
178  public function setLogger( LoggerInterface $logger ) {
179  $this->logger = $logger;
180  }
181 
185  public function getRequest() {
186  return $this->request;
187  }
188 
195  public function forcePrimaryAuthenticationProviders( array $providers, $why ) {
196  $this->logger->warning( "Overriding AuthManager primary authn because $why" );
197 
198  if ( $this->primaryAuthenticationProviders !== null ) {
199  $this->logger->warning(
200  'PrimaryAuthenticationProviders have already been accessed! I hope nothing breaks.'
201  );
202 
203  $this->allAuthenticationProviders = array_diff_key(
204  $this->allAuthenticationProviders,
205  $this->primaryAuthenticationProviders
206  );
207  $session = $this->request->getSession();
208  $session->remove( 'AuthManager::authnState' );
209  $session->remove( 'AuthManager::accountCreationState' );
210  $session->remove( 'AuthManager::accountLinkState' );
211  $this->createdAccountAuthenticationRequests = [];
212  }
213 
214  $this->primaryAuthenticationProviders = [];
215  foreach ( $providers as $provider ) {
216  if ( !$provider instanceof PrimaryAuthenticationProvider ) {
217  throw new \RuntimeException(
218  'Expected instance of MediaWiki\\Auth\\PrimaryAuthenticationProvider, got ' .
219  get_class( $provider )
220  );
221  }
222  $provider->setLogger( $this->logger );
223  $provider->setManager( $this );
224  $provider->setConfig( $this->config );
225  $id = $provider->getUniqueId();
226  if ( isset( $this->allAuthenticationProviders[$id] ) ) {
227  throw new \RuntimeException(
228  "Duplicate specifications for id $id (classes " .
229  get_class( $provider ) . ' and ' .
230  get_class( $this->allAuthenticationProviders[$id] ) . ')'
231  );
232  }
233  $this->allAuthenticationProviders[$id] = $provider;
234  $this->primaryAuthenticationProviders[$id] = $provider;
235  }
236  }
237 
249  public static function callLegacyAuthPlugin( $method, array $params, $return = null ) {
250  wfDeprecated( __METHOD__, '1.33' );
251  return $return;
252  }
253 
267  public function canAuthenticateNow() {
268  return $this->request->getSession()->canSetUser();
269  }
270 
289  public function beginAuthentication( array $reqs, $returnToUrl ) {
290  $session = $this->request->getSession();
291  if ( !$session->canSetUser() ) {
292  // Caller should have called canAuthenticateNow()
293  $session->remove( 'AuthManager::authnState' );
294  throw new \LogicException( 'Authentication is not possible now' );
295  }
296 
297  $guessUserName = null;
298  foreach ( $reqs as $req ) {
299  $req->returnToUrl = $returnToUrl;
300  // @codeCoverageIgnoreStart
301  if ( $req->username !== null && $req->username !== '' ) {
302  if ( $guessUserName === null ) {
303  $guessUserName = $req->username;
304  } elseif ( $guessUserName !== $req->username ) {
305  $guessUserName = null;
306  break;
307  }
308  }
309  // @codeCoverageIgnoreEnd
310  }
311 
312  // Check for special-case login of a just-created account
313  $req = AuthenticationRequest::getRequestByClass(
314  $reqs, CreatedAccountAuthenticationRequest::class
315  );
316  if ( $req ) {
317  if ( !in_array( $req, $this->createdAccountAuthenticationRequests, true ) ) {
318  throw new \LogicException(
319  'CreatedAccountAuthenticationRequests are only valid on ' .
320  'the same AuthManager that created the account'
321  );
322  }
323 
324  $user = User::newFromName( $req->username );
325  // @codeCoverageIgnoreStart
326  if ( !$user ) {
327  throw new \UnexpectedValueException(
328  "CreatedAccountAuthenticationRequest had invalid username \"{$req->username}\""
329  );
330  } elseif ( $user->getId() != $req->id ) {
331  throw new \UnexpectedValueException(
332  "ID for \"{$req->username}\" was {$user->getId()}, expected {$req->id}"
333  );
334  }
335  // @codeCoverageIgnoreEnd
336 
337  $this->logger->info( 'Logging in {user} after account creation', [
338  'user' => $user->getName(),
339  ] );
340  $ret = AuthenticationResponse::newPass( $user->getName() );
341  $this->setSessionDataForUser( $user );
342  $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
343  $session->remove( 'AuthManager::authnState' );
344  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName(), [] ] );
345  return $ret;
346  }
347 
348  $this->removeAuthenticationSessionData( null );
349 
350  foreach ( $this->getPreAuthenticationProviders() as $provider ) {
351  $status = $provider->testForAuthentication( $reqs );
352  if ( !$status->isGood() ) {
353  $this->logger->debug( 'Login failed in pre-authentication by ' . $provider->getUniqueId() );
354  $ret = AuthenticationResponse::newFail(
355  Status::wrap( $status )->getMessage()
356  );
357  $this->callMethodOnProviders( 7, 'postAuthentication',
358  [ User::newFromName( $guessUserName ) ?: null, $ret ]
359  );
360  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, null, $guessUserName, [] ] );
361  return $ret;
362  }
363  }
364 
365  $state = [
366  'reqs' => $reqs,
367  'returnToUrl' => $returnToUrl,
368  'guessUserName' => $guessUserName,
369  'primary' => null,
370  'primaryResponse' => null,
371  'secondary' => [],
372  'maybeLink' => [],
373  'continueRequests' => [],
374  ];
375 
376  // Preserve state from a previous failed login
377  $req = AuthenticationRequest::getRequestByClass(
378  $reqs, CreateFromLoginAuthenticationRequest::class
379  );
380  if ( $req ) {
381  $state['maybeLink'] = $req->maybeLink;
382  }
383 
384  $session = $this->request->getSession();
385  $session->setSecret( 'AuthManager::authnState', $state );
386  $session->persist();
387 
388  return $this->continueAuthentication( $reqs );
389  }
390 
413  public function continueAuthentication( array $reqs ) {
414  $session = $this->request->getSession();
415  try {
416  if ( !$session->canSetUser() ) {
417  // Caller should have called canAuthenticateNow()
418  // @codeCoverageIgnoreStart
419  throw new \LogicException( 'Authentication is not possible now' );
420  // @codeCoverageIgnoreEnd
421  }
422 
423  $state = $session->getSecret( 'AuthManager::authnState' );
424  if ( !is_array( $state ) ) {
425  return AuthenticationResponse::newFail(
426  wfMessage( 'authmanager-authn-not-in-progress' )
427  );
428  }
429  $state['continueRequests'] = [];
430 
431  $guessUserName = $state['guessUserName'];
432 
433  foreach ( $reqs as $req ) {
434  $req->returnToUrl = $state['returnToUrl'];
435  }
436 
437  // Step 1: Choose an primary authentication provider, and call it until it succeeds.
438 
439  if ( $state['primary'] === null ) {
440  // We haven't picked a PrimaryAuthenticationProvider yet
441  // @codeCoverageIgnoreStart
442  $guessUserName = null;
443  foreach ( $reqs as $req ) {
444  if ( $req->username !== null && $req->username !== '' ) {
445  if ( $guessUserName === null ) {
446  $guessUserName = $req->username;
447  } elseif ( $guessUserName !== $req->username ) {
448  $guessUserName = null;
449  break;
450  }
451  }
452  }
453  $state['guessUserName'] = $guessUserName;
454  // @codeCoverageIgnoreEnd
455  $state['reqs'] = $reqs;
456 
457  foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) {
458  $res = $provider->beginPrimaryAuthentication( $reqs );
459  switch ( $res->status ) {
460  case AuthenticationResponse::PASS;
461  $state['primary'] = $id;
462  $state['primaryResponse'] = $res;
463  $this->logger->debug( "Primary login with $id succeeded" );
464  break 2;
465  case AuthenticationResponse::FAIL;
466  $this->logger->debug( "Login failed in primary authentication by $id" );
467  if ( $res->createRequest || $state['maybeLink'] ) {
468  $res->createRequest = new CreateFromLoginAuthenticationRequest(
469  $res->createRequest, $state['maybeLink']
470  );
471  }
472  $this->callMethodOnProviders( 7, 'postAuthentication',
473  [ User::newFromName( $guessUserName ) ?: null, $res ]
474  );
475  $session->remove( 'AuthManager::authnState' );
476  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $res, null, $guessUserName, [] ] );
477  return $res;
478  case AuthenticationResponse::ABSTAIN;
479  // Continue loop
480  break;
481  case AuthenticationResponse::REDIRECT;
482  case AuthenticationResponse::UI;
483  $this->logger->debug( "Primary login with $id returned $res->status" );
484  $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $guessUserName );
485  $state['primary'] = $id;
486  $state['continueRequests'] = $res->neededRequests;
487  $session->setSecret( 'AuthManager::authnState', $state );
488  return $res;
489 
490  // @codeCoverageIgnoreStart
491  default:
492  throw new \DomainException(
493  get_class( $provider ) . "::beginPrimaryAuthentication() returned $res->status"
494  );
495  // @codeCoverageIgnoreEnd
496  }
497  }
498  if ( $state['primary'] === null ) {
499  $this->logger->debug( 'Login failed in primary authentication because no provider accepted' );
500  $ret = AuthenticationResponse::newFail(
501  wfMessage( 'authmanager-authn-no-primary' )
502  );
503  $this->callMethodOnProviders( 7, 'postAuthentication',
504  [ User::newFromName( $guessUserName ) ?: null, $ret ]
505  );
506  $session->remove( 'AuthManager::authnState' );
507  return $ret;
508  }
509  } elseif ( $state['primaryResponse'] === null ) {
510  $provider = $this->getAuthenticationProvider( $state['primary'] );
511  if ( !$provider instanceof PrimaryAuthenticationProvider ) {
512  // Configuration changed? Force them to start over.
513  // @codeCoverageIgnoreStart
514  $ret = AuthenticationResponse::newFail(
515  wfMessage( 'authmanager-authn-not-in-progress' )
516  );
517  $this->callMethodOnProviders( 7, 'postAuthentication',
518  [ User::newFromName( $guessUserName ) ?: null, $ret ]
519  );
520  $session->remove( 'AuthManager::authnState' );
521  return $ret;
522  // @codeCoverageIgnoreEnd
523  }
524  $id = $provider->getUniqueId();
525  $res = $provider->continuePrimaryAuthentication( $reqs );
526  switch ( $res->status ) {
527  case AuthenticationResponse::PASS;
528  $state['primaryResponse'] = $res;
529  $this->logger->debug( "Primary login with $id succeeded" );
530  break;
531  case AuthenticationResponse::FAIL;
532  $this->logger->debug( "Login failed in primary authentication by $id" );
533  if ( $res->createRequest || $state['maybeLink'] ) {
534  $res->createRequest = new CreateFromLoginAuthenticationRequest(
535  $res->createRequest, $state['maybeLink']
536  );
537  }
538  $this->callMethodOnProviders( 7, 'postAuthentication',
539  [ User::newFromName( $guessUserName ) ?: null, $res ]
540  );
541  $session->remove( 'AuthManager::authnState' );
542  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $res, null, $guessUserName, [] ] );
543  return $res;
544  case AuthenticationResponse::REDIRECT;
545  case AuthenticationResponse::UI;
546  $this->logger->debug( "Primary login with $id returned $res->status" );
547  $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $guessUserName );
548  $state['continueRequests'] = $res->neededRequests;
549  $session->setSecret( 'AuthManager::authnState', $state );
550  return $res;
551  default:
552  throw new \DomainException(
553  get_class( $provider ) . "::continuePrimaryAuthentication() returned $res->status"
554  );
555  }
556  }
557 
558  $res = $state['primaryResponse'];
559  if ( $res->username === null ) {
560  $provider = $this->getAuthenticationProvider( $state['primary'] );
561  if ( !$provider instanceof PrimaryAuthenticationProvider ) {
562  // Configuration changed? Force them to start over.
563  // @codeCoverageIgnoreStart
564  $ret = AuthenticationResponse::newFail(
565  wfMessage( 'authmanager-authn-not-in-progress' )
566  );
567  $this->callMethodOnProviders( 7, 'postAuthentication',
568  [ User::newFromName( $guessUserName ) ?: null, $ret ]
569  );
570  $session->remove( 'AuthManager::authnState' );
571  return $ret;
572  // @codeCoverageIgnoreEnd
573  }
574 
575  if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK &&
576  $res->linkRequest &&
577  // don't confuse the user with an incorrect message if linking is disabled
578  $this->getAuthenticationProvider( ConfirmLinkSecondaryAuthenticationProvider::class )
579  ) {
580  $state['maybeLink'][$res->linkRequest->getUniqueId()] = $res->linkRequest;
581  $msg = 'authmanager-authn-no-local-user-link';
582  } else {
583  $msg = 'authmanager-authn-no-local-user';
584  }
585  $this->logger->debug(
586  "Primary login with {$provider->getUniqueId()} succeeded, but returned no user"
587  );
588  $ret = AuthenticationResponse::newRestart( wfMessage( $msg ) );
589  $ret->neededRequests = $this->getAuthenticationRequestsInternal(
590  self::ACTION_LOGIN,
591  [],
592  $this->getPrimaryAuthenticationProviders() + $this->getSecondaryAuthenticationProviders()
593  );
594  if ( $res->createRequest || $state['maybeLink'] ) {
595  $ret->createRequest = new CreateFromLoginAuthenticationRequest(
596  $res->createRequest, $state['maybeLink']
597  );
598  $ret->neededRequests[] = $ret->createRequest;
599  }
600  $this->fillRequests( $ret->neededRequests, self::ACTION_LOGIN, null, true );
601  $session->setSecret( 'AuthManager::authnState', [
602  'reqs' => [], // Will be filled in later
603  'primary' => null,
604  'primaryResponse' => null,
605  'secondary' => [],
606  'continueRequests' => $ret->neededRequests,
607  ] + $state );
608  return $ret;
609  }
610 
611  // Step 2: Primary authentication succeeded, create the User object
612  // (and add the user locally if necessary)
613 
614  $user = User::newFromName( $res->username, 'usable' );
615  if ( !$user ) {
616  $provider = $this->getAuthenticationProvider( $state['primary'] );
617  throw new \DomainException(
618  get_class( $provider ) . " returned an invalid username: {$res->username}"
619  );
620  }
621  if ( $user->getId() === 0 ) {
622  // User doesn't exist locally. Create it.
623  $this->logger->info( 'Auto-creating {user} on login', [
624  'user' => $user->getName(),
625  ] );
626  $status = $this->autoCreateUser( $user, $state['primary'], false );
627  if ( !$status->isGood() ) {
628  $ret = AuthenticationResponse::newFail(
629  Status::wrap( $status )->getMessage( 'authmanager-authn-autocreate-failed' )
630  );
631  $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
632  $session->remove( 'AuthManager::authnState' );
633  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName(), [] ] );
634  return $ret;
635  }
636  }
637 
638  // Step 3: Iterate over all the secondary authentication providers.
639 
640  $beginReqs = $state['reqs'];
641 
642  foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) {
643  if ( !isset( $state['secondary'][$id] ) ) {
644  // This provider isn't started yet, so we pass it the set
645  // of reqs from beginAuthentication instead of whatever
646  // might have been used by a previous provider in line.
647  $func = 'beginSecondaryAuthentication';
648  $res = $provider->beginSecondaryAuthentication( $user, $beginReqs );
649  } elseif ( !$state['secondary'][$id] ) {
650  $func = 'continueSecondaryAuthentication';
651  $res = $provider->continueSecondaryAuthentication( $user, $reqs );
652  } else {
653  continue;
654  }
655  switch ( $res->status ) {
656  case AuthenticationResponse::PASS;
657  $this->logger->debug( "Secondary login with $id succeeded" );
658  // fall through
659  case AuthenticationResponse::ABSTAIN;
660  $state['secondary'][$id] = true;
661  break;
662  case AuthenticationResponse::FAIL;
663  $this->logger->debug( "Login failed in secondary authentication by $id" );
664  $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $res ] );
665  $session->remove( 'AuthManager::authnState' );
666  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $res, $user, $user->getName(), [] ] );
667  return $res;
668  case AuthenticationResponse::REDIRECT;
669  case AuthenticationResponse::UI;
670  $this->logger->debug( "Secondary login with $id returned " . $res->status );
671  $this->fillRequests( $res->neededRequests, self::ACTION_LOGIN, $user->getName() );
672  $state['secondary'][$id] = false;
673  $state['continueRequests'] = $res->neededRequests;
674  $session->setSecret( 'AuthManager::authnState', $state );
675  return $res;
676 
677  // @codeCoverageIgnoreStart
678  default:
679  throw new \DomainException(
680  get_class( $provider ) . "::{$func}() returned $res->status"
681  );
682  // @codeCoverageIgnoreEnd
683  }
684  }
685 
686  // Step 4: Authentication complete! Set the user in the session and
687  // clean up.
688 
689  $this->logger->info( 'Login for {user} succeeded from {clientip}', [
690  'user' => $user->getName(),
691  'clientip' => $this->request->getIP(),
692  ] );
694  $req = AuthenticationRequest::getRequestByClass(
695  $beginReqs, RememberMeAuthenticationRequest::class
696  );
697  $this->setSessionDataForUser( $user, $req && $req->rememberMe );
698  $ret = AuthenticationResponse::newPass( $user->getName() );
699  $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
700  $session->remove( 'AuthManager::authnState' );
701  $this->removeAuthenticationSessionData( null );
702  \Hooks::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName(), [] ] );
703  return $ret;
704  } catch ( \Exception $ex ) {
705  $session->remove( 'AuthManager::authnState' );
706  throw $ex;
707  }
708  }
709 
721  public function securitySensitiveOperationStatus( $operation ) {
722  $status = self::SEC_OK;
723 
724  $this->logger->debug( __METHOD__ . ": Checking $operation" );
725 
726  $session = $this->request->getSession();
727  $aId = $session->getUser()->getId();
728  if ( $aId === 0 ) {
729  // User isn't authenticated. DWIM?
730  $status = $this->canAuthenticateNow() ? self::SEC_REAUTH : self::SEC_FAIL;
731  $this->logger->info( __METHOD__ . ": Not logged in! $operation is $status" );
732  return $status;
733  }
734 
735  if ( $session->canSetUser() ) {
736  $id = $session->get( 'AuthManager:lastAuthId' );
737  $last = $session->get( 'AuthManager:lastAuthTimestamp' );
738  if ( $id !== $aId || $last === null ) {
739  $timeSinceLogin = PHP_INT_MAX; // Forever ago
740  } else {
741  $timeSinceLogin = max( 0, time() - $last );
742  }
743 
744  $thresholds = $this->config->get( 'ReauthenticateTime' );
745  if ( isset( $thresholds[$operation] ) ) {
746  $threshold = $thresholds[$operation];
747  } elseif ( isset( $thresholds['default'] ) ) {
748  $threshold = $thresholds['default'];
749  } else {
750  throw new \UnexpectedValueException( '$wgReauthenticateTime lacks a default' );
751  }
752 
753  if ( $threshold >= 0 && $timeSinceLogin > $threshold ) {
754  $status = self::SEC_REAUTH;
755  }
756  } else {
757  $timeSinceLogin = -1;
758 
759  $pass = $this->config->get( 'AllowSecuritySensitiveOperationIfCannotReauthenticate' );
760  if ( isset( $pass[$operation] ) ) {
761  $status = $pass[$operation] ? self::SEC_OK : self::SEC_FAIL;
762  } elseif ( isset( $pass['default'] ) ) {
763  $status = $pass['default'] ? self::SEC_OK : self::SEC_FAIL;
764  } else {
765  throw new \UnexpectedValueException(
766  '$wgAllowSecuritySensitiveOperationIfCannotReauthenticate lacks a default'
767  );
768  }
769  }
770 
771  \Hooks::run( 'SecuritySensitiveOperationStatus', [
772  &$status, $operation, $session, $timeSinceLogin
773  ] );
774 
775  // If authentication is not possible, downgrade from "REAUTH" to "FAIL".
776  if ( !$this->canAuthenticateNow() && $status === self::SEC_REAUTH ) {
777  $status = self::SEC_FAIL;
778  }
779 
780  $this->logger->info( __METHOD__ . ": $operation is $status for '{user}'",
781  [
782  'user' => $session->getUser()->getName(),
783  'clientip' => $this->getRequest()->getIP(),
784  ]
785  );
786 
787  return $status;
788  }
789 
799  public function userCanAuthenticate( $username ) {
800  foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
801  if ( $provider->testUserCanAuthenticate( $username ) ) {
802  return true;
803  }
804  }
805  return false;
806  }
807 
822  public function normalizeUsername( $username ) {
823  $ret = [];
824  foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
825  $normalized = $provider->providerNormalizeUsername( $username );
826  if ( $normalized !== null ) {
827  $ret[$normalized] = true;
828  }
829  }
830  return array_keys( $ret );
831  }
832 
847  public function revokeAccessForUser( $username ) {
848  $this->logger->info( 'Revoking access for {user}', [
849  'user' => $username,
850  ] );
851  $this->callMethodOnProviders( 6, 'providerRevokeAccessForUser', [ $username ] );
852  }
853 
863  public function allowsAuthenticationDataChange( AuthenticationRequest $req, $checkData = true ) {
864  $any = false;
865  $providers = $this->getPrimaryAuthenticationProviders() +
866  $this->getSecondaryAuthenticationProviders();
867  foreach ( $providers as $provider ) {
868  $status = $provider->providerAllowsAuthenticationDataChange( $req, $checkData );
869  if ( !$status->isGood() ) {
870  return Status::wrap( $status );
871  }
872  $any = $any || $status->value !== 'ignored';
873  }
874  if ( !$any ) {
875  $status = Status::newGood( 'ignored' );
876  $status->warning( 'authmanager-change-not-supported' );
877  return $status;
878  }
879  return Status::newGood();
880  }
881 
899  public function changeAuthenticationData( AuthenticationRequest $req, $isAddition = false ) {
900  $this->logger->info( 'Changing authentication data for {user} class {what}', [
901  'user' => is_string( $req->username ) ? $req->username : '<no name>',
902  'what' => get_class( $req ),
903  ] );
904 
905  $this->callMethodOnProviders( 6, 'providerChangeAuthenticationData', [ $req ] );
906 
907  // When the main account's authentication data is changed, invalidate
908  // all BotPasswords too.
909  if ( !$isAddition ) {
910  \BotPassword::invalidateAllPasswordsForUser( $req->username );
911  }
912  }
913 
925  public function canCreateAccounts() {
926  foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
927  switch ( $provider->accountCreationType() ) {
928  case PrimaryAuthenticationProvider::TYPE_CREATE:
929  case PrimaryAuthenticationProvider::TYPE_LINK:
930  return true;
931  }
932  }
933  return false;
934  }
935 
944  public function canCreateAccount( $username, $options = [] ) {
945  // Back compat
946  if ( is_int( $options ) ) {
947  $options = [ 'flags' => $options ];
948  }
949  $options += [
950  'flags' => User::READ_NORMAL,
951  'creating' => false,
952  ];
953  $flags = $options['flags'];
954 
955  if ( !$this->canCreateAccounts() ) {
956  return Status::newFatal( 'authmanager-create-disabled' );
957  }
958 
959  if ( $this->userExists( $username, $flags ) ) {
960  return Status::newFatal( 'userexists' );
961  }
962 
963  $user = User::newFromName( $username, 'creatable' );
964  if ( !is_object( $user ) ) {
965  return Status::newFatal( 'noname' );
966  } else {
967  $user->load( $flags ); // Explicitly load with $flags, auto-loading always uses READ_NORMAL
968  if ( $user->getId() !== 0 ) {
969  return Status::newFatal( 'userexists' );
970  }
971  }
972 
973  // Denied by providers?
974  $providers = $this->getPreAuthenticationProviders() +
975  $this->getPrimaryAuthenticationProviders() +
976  $this->getSecondaryAuthenticationProviders();
977  foreach ( $providers as $provider ) {
978  $status = $provider->testUserForCreation( $user, false, $options );
979  if ( !$status->isGood() ) {
980  return Status::wrap( $status );
981  }
982  }
983 
984  return Status::newGood();
985  }
986 
992  public function checkAccountCreatePermissions( User $creator ) {
993  // Wiki is read-only?
994  if ( wfReadOnly() ) {
995  return Status::newFatal( wfMessage( 'readonlytext', wfReadOnlyReason() ) );
996  }
997 
998  // This is awful, this permission check really shouldn't go through Title.
999  $permErrors = \SpecialPage::getTitleFor( 'CreateAccount' )
1000  ->getUserPermissionsErrors( 'createaccount', $creator, 'secure' );
1001  if ( $permErrors ) {
1002  $status = Status::newGood();
1003  foreach ( $permErrors as $args ) {
1004  $status->fatal( ...$args );
1005  }
1006  return $status;
1007  }
1008 
1009  $block = $creator->isBlockedFromCreateAccount();
1010  if ( $block ) {
1011  $errorParams = [
1012  $block->getTarget(),
1013  $block->getReason() ?: wfMessage( 'blockednoreason' )->text(),
1014  $block->getByName()
1015  ];
1016 
1017  if ( $block->getType() === DatabaseBlock::TYPE_RANGE ) {
1018  $errorMessage = 'cantcreateaccount-range-text';
1019  $errorParams[] = $this->getRequest()->getIP();
1020  } else {
1021  $errorMessage = 'cantcreateaccount-text';
1022  }
1023 
1024  return Status::newFatal( wfMessage( $errorMessage, $errorParams ) );
1025  }
1026 
1027  $ip = $this->getRequest()->getIP();
1028  if (
1029  MediaWikiServices::getInstance()->getBlockManager()
1030  ->isDnsBlacklisted( $ip, true /* check $wgProxyWhitelist */ )
1031  ) {
1032  return Status::newFatal( 'sorbs_create_account_reason' );
1033  }
1034 
1035  return Status::newGood();
1036  }
1037 
1057  public function beginAccountCreation( User $creator, array $reqs, $returnToUrl ) {
1058  $session = $this->request->getSession();
1059  if ( !$this->canCreateAccounts() ) {
1060  // Caller should have called canCreateAccounts()
1061  $session->remove( 'AuthManager::accountCreationState' );
1062  throw new \LogicException( 'Account creation is not possible' );
1063  }
1064 
1065  try {
1066  $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
1067  } catch ( \UnexpectedValueException $ex ) {
1068  $username = null;
1069  }
1070  if ( $username === null ) {
1071  $this->logger->debug( __METHOD__ . ': No username provided' );
1072  return AuthenticationResponse::newFail( wfMessage( 'noname' ) );
1073  }
1074 
1075  // Permissions check
1076  $status = $this->checkAccountCreatePermissions( $creator );
1077  if ( !$status->isGood() ) {
1078  $this->logger->debug( __METHOD__ . ': {creator} cannot create users: {reason}', [
1079  'user' => $username,
1080  'creator' => $creator->getName(),
1081  'reason' => $status->getWikiText( null, null, 'en' )
1082  ] );
1083  return AuthenticationResponse::newFail( $status->getMessage() );
1084  }
1085 
1086  $status = $this->canCreateAccount(
1087  $username, [ 'flags' => User::READ_LOCKING, 'creating' => true ]
1088  );
1089  if ( !$status->isGood() ) {
1090  $this->logger->debug( __METHOD__ . ': {user} cannot be created: {reason}', [
1091  'user' => $username,
1092  'creator' => $creator->getName(),
1093  'reason' => $status->getWikiText( null, null, 'en' )
1094  ] );
1095  return AuthenticationResponse::newFail( $status->getMessage() );
1096  }
1097 
1098  $user = User::newFromName( $username, 'creatable' );
1099  foreach ( $reqs as $req ) {
1100  $req->username = $username;
1101  $req->returnToUrl = $returnToUrl;
1102  if ( $req instanceof UserDataAuthenticationRequest ) {
1103  $status = $req->populateUser( $user );
1104  if ( !$status->isGood() ) {
1105  $status = Status::wrap( $status );
1106  $session->remove( 'AuthManager::accountCreationState' );
1107  $this->logger->debug( __METHOD__ . ': UserData is invalid: {reason}', [
1108  'user' => $user->getName(),
1109  'creator' => $creator->getName(),
1110  'reason' => $status->getWikiText( null, null, 'en' ),
1111  ] );
1112  return AuthenticationResponse::newFail( $status->getMessage() );
1113  }
1114  }
1115  }
1116 
1117  $this->removeAuthenticationSessionData( null );
1118 
1119  $state = [
1120  'username' => $username,
1121  'userid' => 0,
1122  'creatorid' => $creator->getId(),
1123  'creatorname' => $creator->getName(),
1124  'reqs' => $reqs,
1125  'returnToUrl' => $returnToUrl,
1126  'primary' => null,
1127  'primaryResponse' => null,
1128  'secondary' => [],
1129  'continueRequests' => [],
1130  'maybeLink' => [],
1131  'ranPreTests' => false,
1132  ];
1133 
1134  // Special case: converting a login to an account creation
1135  $req = AuthenticationRequest::getRequestByClass(
1136  $reqs, CreateFromLoginAuthenticationRequest::class
1137  );
1138  if ( $req ) {
1139  $state['maybeLink'] = $req->maybeLink;
1140 
1141  if ( $req->createRequest ) {
1142  $reqs[] = $req->createRequest;
1143  $state['reqs'][] = $req->createRequest;
1144  }
1145  }
1146 
1147  $session->setSecret( 'AuthManager::accountCreationState', $state );
1148  $session->persist();
1149 
1150  return $this->continueAccountCreation( $reqs );
1151  }
1152 
1158  public function continueAccountCreation( array $reqs ) {
1159  $session = $this->request->getSession();
1160  try {
1161  if ( !$this->canCreateAccounts() ) {
1162  // Caller should have called canCreateAccounts()
1163  $session->remove( 'AuthManager::accountCreationState' );
1164  throw new \LogicException( 'Account creation is not possible' );
1165  }
1166 
1167  $state = $session->getSecret( 'AuthManager::accountCreationState' );
1168  if ( !is_array( $state ) ) {
1169  return AuthenticationResponse::newFail(
1170  wfMessage( 'authmanager-create-not-in-progress' )
1171  );
1172  }
1173  $state['continueRequests'] = [];
1174 
1175  // Step 0: Prepare and validate the input
1176 
1177  $user = User::newFromName( $state['username'], 'creatable' );
1178  if ( !is_object( $user ) ) {
1179  $session->remove( 'AuthManager::accountCreationState' );
1180  $this->logger->debug( __METHOD__ . ': Invalid username', [
1181  'user' => $state['username'],
1182  ] );
1183  return AuthenticationResponse::newFail( wfMessage( 'noname' ) );
1184  }
1185 
1186  if ( $state['creatorid'] ) {
1187  $creator = User::newFromId( $state['creatorid'] );
1188  } else {
1189  $creator = new User;
1190  $creator->setName( $state['creatorname'] );
1191  }
1192 
1193  // Avoid account creation races on double submissions
1194  $cache = \ObjectCache::getLocalClusterInstance();
1195  $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $user->getName() ) ) );
1196  if ( !$lock ) {
1197  // Don't clear AuthManager::accountCreationState for this code
1198  // path because the process that won the race owns it.
1199  $this->logger->debug( __METHOD__ . ': Could not acquire account creation lock', [
1200  'user' => $user->getName(),
1201  'creator' => $creator->getName(),
1202  ] );
1203  return AuthenticationResponse::newFail( wfMessage( 'usernameinprogress' ) );
1204  }
1205 
1206  // Permissions check
1207  $status = $this->checkAccountCreatePermissions( $creator );
1208  if ( !$status->isGood() ) {
1209  $this->logger->debug( __METHOD__ . ': {creator} cannot create users: {reason}', [
1210  'user' => $user->getName(),
1211  'creator' => $creator->getName(),
1212  'reason' => $status->getWikiText( null, null, 'en' )
1213  ] );
1214  $ret = AuthenticationResponse::newFail( $status->getMessage() );
1215  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1216  $session->remove( 'AuthManager::accountCreationState' );
1217  return $ret;
1218  }
1219 
1220  // Load from master for existence check
1221  $user->load( User::READ_LOCKING );
1222 
1223  if ( $state['userid'] === 0 ) {
1224  if ( $user->getId() !== 0 ) {
1225  $this->logger->debug( __METHOD__ . ': User exists locally', [
1226  'user' => $user->getName(),
1227  'creator' => $creator->getName(),
1228  ] );
1229  $ret = AuthenticationResponse::newFail( wfMessage( 'userexists' ) );
1230  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1231  $session->remove( 'AuthManager::accountCreationState' );
1232  return $ret;
1233  }
1234  } else {
1235  if ( $user->getId() === 0 ) {
1236  $this->logger->debug( __METHOD__ . ': User does not exist locally when it should', [
1237  'user' => $user->getName(),
1238  'creator' => $creator->getName(),
1239  'expected_id' => $state['userid'],
1240  ] );
1241  throw new \UnexpectedValueException(
1242  "User \"{$state['username']}\" should exist now, but doesn't!"
1243  );
1244  }
1245  if ( $user->getId() !== $state['userid'] ) {
1246  $this->logger->debug( __METHOD__ . ': User ID/name mismatch', [
1247  'user' => $user->getName(),
1248  'creator' => $creator->getName(),
1249  'expected_id' => $state['userid'],
1250  'actual_id' => $user->getId(),
1251  ] );
1252  throw new \UnexpectedValueException(
1253  "User \"{$state['username']}\" exists, but " .
1254  "ID {$user->getId()} !== {$state['userid']}!"
1255  );
1256  }
1257  }
1258  foreach ( $state['reqs'] as $req ) {
1259  if ( $req instanceof UserDataAuthenticationRequest ) {
1260  $status = $req->populateUser( $user );
1261  if ( !$status->isGood() ) {
1262  // This should never happen...
1263  $status = Status::wrap( $status );
1264  $this->logger->debug( __METHOD__ . ': UserData is invalid: {reason}', [
1265  'user' => $user->getName(),
1266  'creator' => $creator->getName(),
1267  'reason' => $status->getWikiText( null, null, 'en' ),
1268  ] );
1269  $ret = AuthenticationResponse::newFail( $status->getMessage() );
1270  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1271  $session->remove( 'AuthManager::accountCreationState' );
1272  return $ret;
1273  }
1274  }
1275  }
1276 
1277  foreach ( $reqs as $req ) {
1278  $req->returnToUrl = $state['returnToUrl'];
1279  $req->username = $state['username'];
1280  }
1281 
1282  // Run pre-creation tests, if we haven't already
1283  if ( !$state['ranPreTests'] ) {
1284  $providers = $this->getPreAuthenticationProviders() +
1285  $this->getPrimaryAuthenticationProviders() +
1286  $this->getSecondaryAuthenticationProviders();
1287  foreach ( $providers as $id => $provider ) {
1288  $status = $provider->testForAccountCreation( $user, $creator, $reqs );
1289  if ( !$status->isGood() ) {
1290  $this->logger->debug( __METHOD__ . ": Fail in pre-authentication by $id", [
1291  'user' => $user->getName(),
1292  'creator' => $creator->getName(),
1293  ] );
1294  $ret = AuthenticationResponse::newFail(
1295  Status::wrap( $status )->getMessage()
1296  );
1297  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1298  $session->remove( 'AuthManager::accountCreationState' );
1299  return $ret;
1300  }
1301  }
1302 
1303  $state['ranPreTests'] = true;
1304  }
1305 
1306  // Step 1: Choose a primary authentication provider and call it until it succeeds.
1307 
1308  if ( $state['primary'] === null ) {
1309  // We haven't picked a PrimaryAuthenticationProvider yet
1310  foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) {
1311  if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_NONE ) {
1312  continue;
1313  }
1314  $res = $provider->beginPrimaryAccountCreation( $user, $creator, $reqs );
1315  switch ( $res->status ) {
1316  case AuthenticationResponse::PASS;
1317  $this->logger->debug( __METHOD__ . ": Primary creation passed by $id", [
1318  'user' => $user->getName(),
1319  'creator' => $creator->getName(),
1320  ] );
1321  $state['primary'] = $id;
1322  $state['primaryResponse'] = $res;
1323  break 2;
1324  case AuthenticationResponse::FAIL;
1325  $this->logger->debug( __METHOD__ . ": Primary creation failed by $id", [
1326  'user' => $user->getName(),
1327  'creator' => $creator->getName(),
1328  ] );
1329  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] );
1330  $session->remove( 'AuthManager::accountCreationState' );
1331  return $res;
1332  case AuthenticationResponse::ABSTAIN;
1333  // Continue loop
1334  break;
1335  case AuthenticationResponse::REDIRECT;
1336  case AuthenticationResponse::UI;
1337  $this->logger->debug( __METHOD__ . ": Primary creation $res->status by $id", [
1338  'user' => $user->getName(),
1339  'creator' => $creator->getName(),
1340  ] );
1341  $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null );
1342  $state['primary'] = $id;
1343  $state['continueRequests'] = $res->neededRequests;
1344  $session->setSecret( 'AuthManager::accountCreationState', $state );
1345  return $res;
1346 
1347  // @codeCoverageIgnoreStart
1348  default:
1349  throw new \DomainException(
1350  get_class( $provider ) . "::beginPrimaryAccountCreation() returned $res->status"
1351  );
1352  // @codeCoverageIgnoreEnd
1353  }
1354  }
1355  if ( $state['primary'] === null ) {
1356  $this->logger->debug( __METHOD__ . ': Primary creation failed because no provider accepted', [
1357  'user' => $user->getName(),
1358  'creator' => $creator->getName(),
1359  ] );
1360  $ret = AuthenticationResponse::newFail(
1361  wfMessage( 'authmanager-create-no-primary' )
1362  );
1363  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1364  $session->remove( 'AuthManager::accountCreationState' );
1365  return $ret;
1366  }
1367  } elseif ( $state['primaryResponse'] === null ) {
1368  $provider = $this->getAuthenticationProvider( $state['primary'] );
1369  if ( !$provider instanceof PrimaryAuthenticationProvider ) {
1370  // Configuration changed? Force them to start over.
1371  // @codeCoverageIgnoreStart
1372  $ret = AuthenticationResponse::newFail(
1373  wfMessage( 'authmanager-create-not-in-progress' )
1374  );
1375  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1376  $session->remove( 'AuthManager::accountCreationState' );
1377  return $ret;
1378  // @codeCoverageIgnoreEnd
1379  }
1380  $id = $provider->getUniqueId();
1381  $res = $provider->continuePrimaryAccountCreation( $user, $creator, $reqs );
1382  switch ( $res->status ) {
1383  case AuthenticationResponse::PASS;
1384  $this->logger->debug( __METHOD__ . ": Primary creation passed by $id", [
1385  'user' => $user->getName(),
1386  'creator' => $creator->getName(),
1387  ] );
1388  $state['primaryResponse'] = $res;
1389  break;
1390  case AuthenticationResponse::FAIL;
1391  $this->logger->debug( __METHOD__ . ": Primary creation failed by $id", [
1392  'user' => $user->getName(),
1393  'creator' => $creator->getName(),
1394  ] );
1395  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] );
1396  $session->remove( 'AuthManager::accountCreationState' );
1397  return $res;
1398  case AuthenticationResponse::REDIRECT;
1399  case AuthenticationResponse::UI;
1400  $this->logger->debug( __METHOD__ . ": Primary creation $res->status by $id", [
1401  'user' => $user->getName(),
1402  'creator' => $creator->getName(),
1403  ] );
1404  $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null );
1405  $state['continueRequests'] = $res->neededRequests;
1406  $session->setSecret( 'AuthManager::accountCreationState', $state );
1407  return $res;
1408  default:
1409  throw new \DomainException(
1410  get_class( $provider ) . "::continuePrimaryAccountCreation() returned $res->status"
1411  );
1412  }
1413  }
1414 
1415  // Step 2: Primary authentication succeeded, create the User object
1416  // and add the user locally.
1417 
1418  if ( $state['userid'] === 0 ) {
1419  $this->logger->info( 'Creating user {user} during account creation', [
1420  'user' => $user->getName(),
1421  'creator' => $creator->getName(),
1422  ] );
1423  $status = $user->addToDatabase();
1424  if ( !$status->isOK() ) {
1425  // @codeCoverageIgnoreStart
1426  $ret = AuthenticationResponse::newFail( $status->getMessage() );
1427  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1428  $session->remove( 'AuthManager::accountCreationState' );
1429  return $ret;
1430  // @codeCoverageIgnoreEnd
1431  }
1432  $this->setDefaultUserOptions( $user, $creator->isAnon() );
1433  \Hooks::runWithoutAbort( 'LocalUserCreated', [ $user, false ] );
1434  $user->saveSettings();
1435  $state['userid'] = $user->getId();
1436 
1437  // Update user count
1438  \DeferredUpdates::addUpdate( \SiteStatsUpdate::factory( [ 'users' => 1 ] ) );
1439 
1440  // Watch user's userpage and talk page
1441  $user->addWatch( $user->getUserPage(), User::IGNORE_USER_RIGHTS );
1442 
1443  // Inform the provider
1444  $logSubtype = $provider->finishAccountCreation( $user, $creator, $state['primaryResponse'] );
1445 
1446  // Log the creation
1447  if ( $this->config->get( 'NewUserLog' ) ) {
1448  $isAnon = $creator->isAnon();
1449  $logEntry = new \ManualLogEntry(
1450  'newusers',
1451  $logSubtype ?: ( $isAnon ? 'create' : 'create2' )
1452  );
1453  $logEntry->setPerformer( $isAnon ? $user : $creator );
1454  $logEntry->setTarget( $user->getUserPage() );
1456  $req = AuthenticationRequest::getRequestByClass(
1457  $state['reqs'], CreationReasonAuthenticationRequest::class
1458  );
1459  $logEntry->setComment( $req ? $req->reason : '' );
1460  $logEntry->setParameters( [
1461  '4::userid' => $user->getId(),
1462  ] );
1463  $logid = $logEntry->insert();
1464  $logEntry->publish( $logid );
1465  }
1466  }
1467 
1468  // Step 3: Iterate over all the secondary authentication providers.
1469 
1470  $beginReqs = $state['reqs'];
1471 
1472  foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) {
1473  if ( !isset( $state['secondary'][$id] ) ) {
1474  // This provider isn't started yet, so we pass it the set
1475  // of reqs from beginAuthentication instead of whatever
1476  // might have been used by a previous provider in line.
1477  $func = 'beginSecondaryAccountCreation';
1478  $res = $provider->beginSecondaryAccountCreation( $user, $creator, $beginReqs );
1479  } elseif ( !$state['secondary'][$id] ) {
1480  $func = 'continueSecondaryAccountCreation';
1481  $res = $provider->continueSecondaryAccountCreation( $user, $creator, $reqs );
1482  } else {
1483  continue;
1484  }
1485  switch ( $res->status ) {
1486  case AuthenticationResponse::PASS;
1487  $this->logger->debug( __METHOD__ . ": Secondary creation passed by $id", [
1488  'user' => $user->getName(),
1489  'creator' => $creator->getName(),
1490  ] );
1491  // fall through
1492  case AuthenticationResponse::ABSTAIN;
1493  $state['secondary'][$id] = true;
1494  break;
1495  case AuthenticationResponse::REDIRECT;
1496  case AuthenticationResponse::UI;
1497  $this->logger->debug( __METHOD__ . ": Secondary creation $res->status by $id", [
1498  'user' => $user->getName(),
1499  'creator' => $creator->getName(),
1500  ] );
1501  $this->fillRequests( $res->neededRequests, self::ACTION_CREATE, null );
1502  $state['secondary'][$id] = false;
1503  $state['continueRequests'] = $res->neededRequests;
1504  $session->setSecret( 'AuthManager::accountCreationState', $state );
1505  return $res;
1506  case AuthenticationResponse::FAIL;
1507  throw new \DomainException(
1508  get_class( $provider ) . "::{$func}() returned $res->status." .
1509  ' Secondary providers are not allowed to fail account creation, that' .
1510  ' should have been done via testForAccountCreation().'
1511  );
1512  // @codeCoverageIgnoreStart
1513  default:
1514  throw new \DomainException(
1515  get_class( $provider ) . "::{$func}() returned $res->status"
1516  );
1517  // @codeCoverageIgnoreEnd
1518  }
1519  }
1520 
1521  $id = $user->getId();
1522  $name = $user->getName();
1523  $req = new CreatedAccountAuthenticationRequest( $id, $name );
1524  $ret = AuthenticationResponse::newPass( $name );
1525  $ret->loginRequest = $req;
1526  $this->createdAccountAuthenticationRequests[] = $req;
1527 
1528  $this->logger->info( __METHOD__ . ': Account creation succeeded for {user}', [
1529  'user' => $user->getName(),
1530  'creator' => $creator->getName(),
1531  ] );
1532 
1533  $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1534  $session->remove( 'AuthManager::accountCreationState' );
1535  $this->removeAuthenticationSessionData( null );
1536  return $ret;
1537  } catch ( \Exception $ex ) {
1538  $session->remove( 'AuthManager::accountCreationState' );
1539  throw $ex;
1540  }
1541  }
1542 
1560  public function autoCreateUser( User $user, $source, $login = true ) {
1561  if ( $source !== self::AUTOCREATE_SOURCE_SESSION &&
1562  $source !== self::AUTOCREATE_SOURCE_MAINT &&
1563  !$this->getAuthenticationProvider( $source ) instanceof PrimaryAuthenticationProvider
1564  ) {
1565  throw new \InvalidArgumentException( "Unknown auto-creation source: $source" );
1566  }
1567 
1568  $username = $user->getName();
1569 
1570  // Try the local user from the replica DB
1571  $localId = User::idFromName( $username );
1572  $flags = User::READ_NORMAL;
1573 
1574  // Fetch the user ID from the master, so that we don't try to create the user
1575  // when they already exist, due to replication lag
1576  // @codeCoverageIgnoreStart
1577  if (
1578  !$localId &&
1579  MediaWikiServices::getInstance()->getDBLoadBalancer()->getReaderIndex() !== 0
1580  ) {
1581  $localId = User::idFromName( $username, User::READ_LATEST );
1582  $flags = User::READ_LATEST;
1583  }
1584  // @codeCoverageIgnoreEnd
1585 
1586  if ( $localId ) {
1587  $this->logger->debug( __METHOD__ . ': {username} already exists locally', [
1588  'username' => $username,
1589  ] );
1590  $user->setId( $localId );
1591  $user->loadFromId( $flags );
1592  if ( $login ) {
1593  $this->setSessionDataForUser( $user );
1594  }
1595  $status = Status::newGood();
1596  $status->warning( 'userexists' );
1597  return $status;
1598  }
1599 
1600  // Wiki is read-only?
1601  if ( wfReadOnly() ) {
1602  $this->logger->debug( __METHOD__ . ': denied by wfReadOnly(): {reason}', [
1603  'username' => $username,
1604  'reason' => wfReadOnlyReason(),
1605  ] );
1606  $user->setId( 0 );
1607  $user->loadFromId();
1608  return Status::newFatal( wfMessage( 'readonlytext', wfReadOnlyReason() ) );
1609  }
1610 
1611  // Check the session, if we tried to create this user already there's
1612  // no point in retrying.
1613  $session = $this->request->getSession();
1614  if ( $session->get( 'AuthManager::AutoCreateBlacklist' ) ) {
1615  $this->logger->debug( __METHOD__ . ': blacklisted in session {sessionid}', [
1616  'username' => $username,
1617  'sessionid' => $session->getId(),
1618  ] );
1619  $user->setId( 0 );
1620  $user->loadFromId();
1621  $reason = $session->get( 'AuthManager::AutoCreateBlacklist' );
1622  if ( $reason instanceof StatusValue ) {
1623  return Status::wrap( $reason );
1624  } else {
1625  return Status::newFatal( $reason );
1626  }
1627  }
1628 
1629  // Is the username creatable?
1630  if ( !User::isCreatableName( $username ) ) {
1631  $this->logger->debug( __METHOD__ . ': name "{username}" is not creatable', [
1632  'username' => $username,
1633  ] );
1634  $session->set( 'AuthManager::AutoCreateBlacklist', 'noname' );
1635  $user->setId( 0 );
1636  $user->loadFromId();
1637  return Status::newFatal( 'noname' );
1638  }
1639 
1640  // Is the IP user able to create accounts?
1641  $anon = new User;
1642  if ( $source !== self::AUTOCREATE_SOURCE_MAINT && !MediaWikiServices::getInstance()
1643  ->getPermissionManager()
1644  ->userHasAnyRight( $anon, 'createaccount', 'autocreateaccount' )
1645  ) {
1646  $this->logger->debug( __METHOD__ . ': IP lacks the ability to create or autocreate accounts', [
1647  'username' => $username,
1648  'ip' => $anon->getName(),
1649  ] );
1650  $session->set( 'AuthManager::AutoCreateBlacklist', 'authmanager-autocreate-noperm' );
1651  $session->persist();
1652  $user->setId( 0 );
1653  $user->loadFromId();
1654  return Status::newFatal( 'authmanager-autocreate-noperm' );
1655  }
1656 
1657  // Avoid account creation races on double submissions
1658  $cache = \ObjectCache::getLocalClusterInstance();
1659  $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $username ) ) );
1660  if ( !$lock ) {
1661  $this->logger->debug( __METHOD__ . ': Could not acquire account creation lock', [
1662  'user' => $username,
1663  ] );
1664  $user->setId( 0 );
1665  $user->loadFromId();
1666  return Status::newFatal( 'usernameinprogress' );
1667  }
1668 
1669  // Denied by providers?
1670  $options = [
1671  'flags' => User::READ_LATEST,
1672  'creating' => true,
1673  ];
1674  $providers = $this->getPreAuthenticationProviders() +
1675  $this->getPrimaryAuthenticationProviders() +
1676  $this->getSecondaryAuthenticationProviders();
1677  foreach ( $providers as $provider ) {
1678  $status = $provider->testUserForCreation( $user, $source, $options );
1679  if ( !$status->isGood() ) {
1680  $ret = Status::wrap( $status );
1681  $this->logger->debug( __METHOD__ . ': Provider denied creation of {username}: {reason}', [
1682  'username' => $username,
1683  'reason' => $ret->getWikiText( null, null, 'en' ),
1684  ] );
1685  $session->set( 'AuthManager::AutoCreateBlacklist', $status );
1686  $user->setId( 0 );
1687  $user->loadFromId();
1688  return $ret;
1689  }
1690  }
1691 
1692  $backoffKey = $cache->makeKey( 'AuthManager', 'autocreate-failed', md5( $username ) );
1693  if ( $cache->get( $backoffKey ) ) {
1694  $this->logger->debug( __METHOD__ . ': {username} denied by prior creation attempt failures', [
1695  'username' => $username,
1696  ] );
1697  $user->setId( 0 );
1698  $user->loadFromId();
1699  return Status::newFatal( 'authmanager-autocreate-exception' );
1700  }
1701 
1702  // Checks passed, create the user...
1703  $from = $_SERVER['REQUEST_URI'] ?? 'CLI';
1704  $this->logger->info( __METHOD__ . ': creating new user ({username}) - from: {from}', [
1705  'username' => $username,
1706  'from' => $from,
1707  ] );
1708 
1709  // Ignore warnings about master connections/writes...hard to avoid here
1710  $trxProfiler = \Profiler::instance()->getTransactionProfiler();
1711  $old = $trxProfiler->setSilenced( true );
1712  try {
1713  $status = $user->addToDatabase();
1714  if ( !$status->isOK() ) {
1715  // Double-check for a race condition (T70012). We make use of the fact that when
1716  // addToDatabase fails due to the user already existing, the user object gets loaded.
1717  if ( $user->getId() ) {
1718  $this->logger->info( __METHOD__ . ': {username} already exists locally (race)', [
1719  'username' => $username,
1720  ] );
1721  if ( $login ) {
1722  $this->setSessionDataForUser( $user );
1723  }
1724  $status = Status::newGood();
1725  $status->warning( 'userexists' );
1726  } else {
1727  $this->logger->error( __METHOD__ . ': {username} failed with message {msg}', [
1728  'username' => $username,
1729  'msg' => $status->getWikiText( null, null, 'en' )
1730  ] );
1731  $user->setId( 0 );
1732  $user->loadFromId();
1733  }
1734  return $status;
1735  }
1736  } catch ( \Exception $ex ) {
1737  $trxProfiler->setSilenced( $old );
1738  $this->logger->error( __METHOD__ . ': {username} failed with exception {exception}', [
1739  'username' => $username,
1740  'exception' => $ex,
1741  ] );
1742  // Do not keep throwing errors for a while
1743  $cache->set( $backoffKey, 1, 600 );
1744  // Bubble up error; which should normally trigger DB rollbacks
1745  throw $ex;
1746  }
1747 
1748  $this->setDefaultUserOptions( $user, false );
1749 
1750  // Inform the providers
1751  $this->callMethodOnProviders( 6, 'autoCreatedAccount', [ $user, $source ] );
1752 
1753  \Hooks::run( 'LocalUserCreated', [ $user, true ] );
1754  $user->saveSettings();
1755 
1756  // Update user count
1757  \DeferredUpdates::addUpdate( \SiteStatsUpdate::factory( [ 'users' => 1 ] ) );
1758  // Watch user's userpage and talk page
1759  \DeferredUpdates::addCallableUpdate( function () use ( $user ) {
1760  $user->addWatch( $user->getUserPage(), User::IGNORE_USER_RIGHTS );
1761  } );
1762 
1763  // Log the creation
1764  if ( $this->config->get( 'NewUserLog' ) ) {
1765  $logEntry = new \ManualLogEntry( 'newusers', 'autocreate' );
1766  $logEntry->setPerformer( $user );
1767  $logEntry->setTarget( $user->getUserPage() );
1768  $logEntry->setComment( '' );
1769  $logEntry->setParameters( [
1770  '4::userid' => $user->getId(),
1771  ] );
1772  $logEntry->insert();
1773  }
1774 
1775  $trxProfiler->setSilenced( $old );
1776 
1777  if ( $login ) {
1778  $this->setSessionDataForUser( $user );
1779  }
1780 
1781  return Status::newGood();
1782  }
1783 
1795  public function canLinkAccounts() {
1796  foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
1797  if ( $provider->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK ) {
1798  return true;
1799  }
1800  }
1801  return false;
1802  }
1803 
1813  public function beginAccountLink( User $user, array $reqs, $returnToUrl ) {
1814  $session = $this->request->getSession();
1815  $session->remove( 'AuthManager::accountLinkState' );
1816 
1817  if ( !$this->canLinkAccounts() ) {
1818  // Caller should have called canLinkAccounts()
1819  throw new \LogicException( 'Account linking is not possible' );
1820  }
1821 
1822  if ( $user->getId() === 0 ) {
1823  if ( !User::isUsableName( $user->getName() ) ) {
1824  $msg = wfMessage( 'noname' );
1825  } else {
1826  $msg = wfMessage( 'authmanager-userdoesnotexist', $user->getName() );
1827  }
1828  return AuthenticationResponse::newFail( $msg );
1829  }
1830  foreach ( $reqs as $req ) {
1831  $req->username = $user->getName();
1832  $req->returnToUrl = $returnToUrl;
1833  }
1834 
1835  $this->removeAuthenticationSessionData( null );
1836 
1837  $providers = $this->getPreAuthenticationProviders();
1838  foreach ( $providers as $id => $provider ) {
1839  $status = $provider->testForAccountLink( $user );
1840  if ( !$status->isGood() ) {
1841  $this->logger->debug( __METHOD__ . ": Account linking pre-check failed by $id", [
1842  'user' => $user->getName(),
1843  ] );
1844  $ret = AuthenticationResponse::newFail(
1845  Status::wrap( $status )->getMessage()
1846  );
1847  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1848  return $ret;
1849  }
1850  }
1851 
1852  $state = [
1853  'username' => $user->getName(),
1854  'userid' => $user->getId(),
1855  'returnToUrl' => $returnToUrl,
1856  'primary' => null,
1857  'continueRequests' => [],
1858  ];
1859 
1860  $providers = $this->getPrimaryAuthenticationProviders();
1861  foreach ( $providers as $id => $provider ) {
1862  if ( $provider->accountCreationType() !== PrimaryAuthenticationProvider::TYPE_LINK ) {
1863  continue;
1864  }
1865 
1866  $res = $provider->beginPrimaryAccountLink( $user, $reqs );
1867  switch ( $res->status ) {
1868  case AuthenticationResponse::PASS;
1869  $this->logger->info( "Account linked to {user} by $id", [
1870  'user' => $user->getName(),
1871  ] );
1872  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1873  return $res;
1874 
1875  case AuthenticationResponse::FAIL;
1876  $this->logger->debug( __METHOD__ . ": Account linking failed by $id", [
1877  'user' => $user->getName(),
1878  ] );
1879  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1880  return $res;
1881 
1882  case AuthenticationResponse::ABSTAIN;
1883  // Continue loop
1884  break;
1885 
1886  case AuthenticationResponse::REDIRECT;
1887  case AuthenticationResponse::UI;
1888  $this->logger->debug( __METHOD__ . ": Account linking $res->status by $id", [
1889  'user' => $user->getName(),
1890  ] );
1891  $this->fillRequests( $res->neededRequests, self::ACTION_LINK, $user->getName() );
1892  $state['primary'] = $id;
1893  $state['continueRequests'] = $res->neededRequests;
1894  $session->setSecret( 'AuthManager::accountLinkState', $state );
1895  $session->persist();
1896  return $res;
1897 
1898  // @codeCoverageIgnoreStart
1899  default:
1900  throw new \DomainException(
1901  get_class( $provider ) . "::beginPrimaryAccountLink() returned $res->status"
1902  );
1903  // @codeCoverageIgnoreEnd
1904  }
1905  }
1906 
1907  $this->logger->debug( __METHOD__ . ': Account linking failed because no provider accepted', [
1908  'user' => $user->getName(),
1909  ] );
1910  $ret = AuthenticationResponse::newFail(
1911  wfMessage( 'authmanager-link-no-primary' )
1912  );
1913  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1914  return $ret;
1915  }
1916 
1922  public function continueAccountLink( array $reqs ) {
1923  $session = $this->request->getSession();
1924  try {
1925  if ( !$this->canLinkAccounts() ) {
1926  // Caller should have called canLinkAccounts()
1927  $session->remove( 'AuthManager::accountLinkState' );
1928  throw new \LogicException( 'Account linking is not possible' );
1929  }
1930 
1931  $state = $session->getSecret( 'AuthManager::accountLinkState' );
1932  if ( !is_array( $state ) ) {
1933  return AuthenticationResponse::newFail(
1934  wfMessage( 'authmanager-link-not-in-progress' )
1935  );
1936  }
1937  $state['continueRequests'] = [];
1938 
1939  // Step 0: Prepare and validate the input
1940 
1941  $user = User::newFromName( $state['username'], 'usable' );
1942  if ( !is_object( $user ) ) {
1943  $session->remove( 'AuthManager::accountLinkState' );
1944  return AuthenticationResponse::newFail( wfMessage( 'noname' ) );
1945  }
1946  if ( $user->getId() !== $state['userid'] ) {
1947  throw new \UnexpectedValueException(
1948  "User \"{$state['username']}\" is valid, but " .
1949  "ID {$user->getId()} !== {$state['userid']}!"
1950  );
1951  }
1952 
1953  foreach ( $reqs as $req ) {
1954  $req->username = $state['username'];
1955  $req->returnToUrl = $state['returnToUrl'];
1956  }
1957 
1958  // Step 1: Call the primary again until it succeeds
1959 
1960  $provider = $this->getAuthenticationProvider( $state['primary'] );
1961  if ( !$provider instanceof PrimaryAuthenticationProvider ) {
1962  // Configuration changed? Force them to start over.
1963  // @codeCoverageIgnoreStart
1964  $ret = AuthenticationResponse::newFail(
1965  wfMessage( 'authmanager-link-not-in-progress' )
1966  );
1967  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1968  $session->remove( 'AuthManager::accountLinkState' );
1969  return $ret;
1970  // @codeCoverageIgnoreEnd
1971  }
1972  $id = $provider->getUniqueId();
1973  $res = $provider->continuePrimaryAccountLink( $user, $reqs );
1974  switch ( $res->status ) {
1975  case AuthenticationResponse::PASS;
1976  $this->logger->info( "Account linked to {user} by $id", [
1977  'user' => $user->getName(),
1978  ] );
1979  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1980  $session->remove( 'AuthManager::accountLinkState' );
1981  return $res;
1982  case AuthenticationResponse::FAIL;
1983  $this->logger->debug( __METHOD__ . ": Account linking failed by $id", [
1984  'user' => $user->getName(),
1985  ] );
1986  $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1987  $session->remove( 'AuthManager::accountLinkState' );
1988  return $res;
1989  case AuthenticationResponse::REDIRECT;
1990  case AuthenticationResponse::UI;
1991  $this->logger->debug( __METHOD__ . ": Account linking $res->status by $id", [
1992  'user' => $user->getName(),
1993  ] );
1994  $this->fillRequests( $res->neededRequests, self::ACTION_LINK, $user->getName() );
1995  $state['continueRequests'] = $res->neededRequests;
1996  $session->setSecret( 'AuthManager::accountLinkState', $state );
1997  return $res;
1998  default:
1999  throw new \DomainException(
2000  get_class( $provider ) . "::continuePrimaryAccountLink() returned $res->status"
2001  );
2002  }
2003  } catch ( \Exception $ex ) {
2004  $session->remove( 'AuthManager::accountLinkState' );
2005  throw $ex;
2006  }
2007  }
2008 
2034  public function getAuthenticationRequests( $action, User $user = null ) {
2035  $options = [];
2036  $providerAction = $action;
2037 
2038  // Figure out which providers to query
2039  switch ( $action ) {
2040  case self::ACTION_LOGIN:
2041  case self::ACTION_CREATE:
2042  $providers = $this->getPreAuthenticationProviders() +
2043  $this->getPrimaryAuthenticationProviders() +
2044  $this->getSecondaryAuthenticationProviders();
2045  break;
2046 
2047  case self::ACTION_LOGIN_CONTINUE:
2048  $state = $this->request->getSession()->getSecret( 'AuthManager::authnState' );
2049  return is_array( $state ) ? $state['continueRequests'] : [];
2050 
2051  case self::ACTION_CREATE_CONTINUE:
2052  $state = $this->request->getSession()->getSecret( 'AuthManager::accountCreationState' );
2053  return is_array( $state ) ? $state['continueRequests'] : [];
2054 
2055  case self::ACTION_LINK:
2056  $providers = array_filter( $this->getPrimaryAuthenticationProviders(), function ( $p ) {
2057  return $p->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK;
2058  } );
2059  break;
2060 
2061  case self::ACTION_UNLINK:
2062  $providers = array_filter( $this->getPrimaryAuthenticationProviders(), function ( $p ) {
2063  return $p->accountCreationType() === PrimaryAuthenticationProvider::TYPE_LINK;
2064  } );
2065 
2066  // To providers, unlink and remove are identical.
2067  $providerAction = self::ACTION_REMOVE;
2068  break;
2069 
2070  case self::ACTION_LINK_CONTINUE:
2071  $state = $this->request->getSession()->getSecret( 'AuthManager::accountLinkState' );
2072  return is_array( $state ) ? $state['continueRequests'] : [];
2073 
2074  case self::ACTION_CHANGE:
2075  case self::ACTION_REMOVE:
2076  $providers = $this->getPrimaryAuthenticationProviders() +
2077  $this->getSecondaryAuthenticationProviders();
2078  break;
2079 
2080  // @codeCoverageIgnoreStart
2081  default:
2082  throw new \DomainException( __METHOD__ . ": Invalid action \"$action\"" );
2083  }
2084  // @codeCoverageIgnoreEnd
2085 
2086  return $this->getAuthenticationRequestsInternal( $providerAction, $options, $providers, $user );
2087  }
2088 
2098  private function getAuthenticationRequestsInternal(
2099  $providerAction, array $options, array $providers, User $user = null
2100  ) {
2101  $user = $user ?: \RequestContext::getMain()->getUser();
2102  $options['username'] = $user->isAnon() ? null : $user->getName();
2103 
2104  // Query them and merge results
2105  $reqs = [];
2106  foreach ( $providers as $provider ) {
2107  $isPrimary = $provider instanceof PrimaryAuthenticationProvider;
2108  foreach ( $provider->getAuthenticationRequests( $providerAction, $options ) as $req ) {
2109  $id = $req->getUniqueId();
2110 
2111  // If a required request if from a Primary, mark it as "primary-required" instead
2112  if ( $isPrimary && $req->required ) {
2113  $req->required = AuthenticationRequest::PRIMARY_REQUIRED;
2114  }
2115 
2116  if (
2117  !isset( $reqs[$id] )
2118  || $req->required === AuthenticationRequest::REQUIRED
2119  || $reqs[$id] === AuthenticationRequest::OPTIONAL
2120  ) {
2121  $reqs[$id] = $req;
2122  }
2123  }
2124  }
2125 
2126  // AuthManager has its own req for some actions
2127  switch ( $providerAction ) {
2128  case self::ACTION_LOGIN:
2129  $reqs[] = new RememberMeAuthenticationRequest;
2130  break;
2131 
2132  case self::ACTION_CREATE:
2133  $reqs[] = new UsernameAuthenticationRequest;
2134  $reqs[] = new UserDataAuthenticationRequest;
2135  if ( $options['username'] !== null ) {
2136  $reqs[] = new CreationReasonAuthenticationRequest;
2137  $options['username'] = null; // Don't fill in the username below
2138  }
2139  break;
2140  }
2141 
2142  // Fill in reqs data
2143  $this->fillRequests( $reqs, $providerAction, $options['username'], true );
2144 
2145  // For self::ACTION_CHANGE, filter out any that something else *doesn't* allow changing
2146  if ( $providerAction === self::ACTION_CHANGE || $providerAction === self::ACTION_REMOVE ) {
2147  $reqs = array_filter( $reqs, function ( $req ) {
2148  return $this->allowsAuthenticationDataChange( $req, false )->isGood();
2149  } );
2150  }
2151 
2152  return array_values( $reqs );
2153  }
2154 
2162  private function fillRequests( array &$reqs, $action, $username, $forceAction = false ) {
2163  foreach ( $reqs as $req ) {
2164  if ( !$req->action || $forceAction ) {
2165  $req->action = $action;
2166  }
2167  if ( $req->username === null ) {
2168  $req->username = $username;
2169  }
2170  }
2171  }
2172 
2179  public function userExists( $username, $flags = User::READ_NORMAL ) {
2180  foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
2181  if ( $provider->testUserExists( $username, $flags ) ) {
2182  return true;
2183  }
2184  }
2185 
2186  return false;
2187  }
2188 
2200  public function allowsPropertyChange( $property ) {
2201  $providers = $this->getPrimaryAuthenticationProviders() +
2202  $this->getSecondaryAuthenticationProviders();
2203  foreach ( $providers as $provider ) {
2204  if ( !$provider->providerAllowsPropertyChange( $property ) ) {
2205  return false;
2206  }
2207  }
2208  return true;
2209  }
2210 
2219  public function getAuthenticationProvider( $id ) {
2220  // Fast version
2221  if ( isset( $this->allAuthenticationProviders[$id] ) ) {
2222  return $this->allAuthenticationProviders[$id];
2223  }
2224 
2225  // Slow version: instantiate each kind and check
2226  $providers = $this->getPrimaryAuthenticationProviders();
2227  if ( isset( $providers[$id] ) ) {
2228  return $providers[$id];
2229  }
2230  $providers = $this->getSecondaryAuthenticationProviders();
2231  if ( isset( $providers[$id] ) ) {
2232  return $providers[$id];
2233  }
2234  $providers = $this->getPreAuthenticationProviders();
2235  if ( isset( $providers[$id] ) ) {
2236  return $providers[$id];
2237  }
2238 
2239  return null;
2240  }
2241 
2255  public function setAuthenticationSessionData( $key, $data ) {
2256  $session = $this->request->getSession();
2257  $arr = $session->getSecret( 'authData' );
2258  if ( !is_array( $arr ) ) {
2259  $arr = [];
2260  }
2261  $arr[$key] = $data;
2262  $session->setSecret( 'authData', $arr );
2263  }
2264 
2272  public function getAuthenticationSessionData( $key, $default = null ) {
2273  $arr = $this->request->getSession()->getSecret( 'authData' );
2274  if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) {
2275  return $arr[$key];
2276  } else {
2277  return $default;
2278  }
2279  }
2280 
2286  public function removeAuthenticationSessionData( $key ) {
2287  $session = $this->request->getSession();
2288  if ( $key === null ) {
2289  $session->remove( 'authData' );
2290  } else {
2291  $arr = $session->getSecret( 'authData' );
2292  if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) {
2293  unset( $arr[$key] );
2294  $session->setSecret( 'authData', $arr );
2295  }
2296  }
2297  }
2298 
2305  protected function providerArrayFromSpecs( $class, array $specs ) {
2306  $i = 0;
2307  foreach ( $specs as &$spec ) {
2308  $spec = [ 'sort2' => $i++ ] + $spec + [ 'sort' => 0 ];
2309  }
2310  unset( $spec );
2311  // Sort according to the 'sort' field, and if they are equal, according to 'sort2'
2312  usort( $specs, function ( $a, $b ) {
2313  return $a['sort'] <=> $b['sort']
2314  ?: $a['sort2'] <=> $b['sort2'];
2315  } );
2316 
2317  $ret = [];
2318  foreach ( $specs as $spec ) {
2319  $provider = ObjectFactory::getObjectFromSpec( $spec );
2320  if ( !$provider instanceof $class ) {
2321  throw new \RuntimeException(
2322  "Expected instance of $class, got " . get_class( $provider )
2323  );
2324  }
2325  $provider->setLogger( $this->logger );
2326  $provider->setManager( $this );
2327  $provider->setConfig( $this->config );
2328  $id = $provider->getUniqueId();
2329  if ( isset( $this->allAuthenticationProviders[$id] ) ) {
2330  throw new \RuntimeException(
2331  "Duplicate specifications for id $id (classes " .
2332  get_class( $provider ) . ' and ' .
2333  get_class( $this->allAuthenticationProviders[$id] ) . ')'
2334  );
2335  }
2336  $this->allAuthenticationProviders[$id] = $provider;
2337  $ret[$id] = $provider;
2338  }
2339  return $ret;
2340  }
2341 
2346  private function getConfiguration() {
2347  return $this->config->get( 'AuthManagerConfig' ) ?: $this->config->get( 'AuthManagerAutoConfig' );
2348  }
2349 
2354  protected function getPreAuthenticationProviders() {
2355  if ( $this->preAuthenticationProviders === null ) {
2356  $conf = $this->getConfiguration();
2357  $this->preAuthenticationProviders = $this->providerArrayFromSpecs(
2358  PreAuthenticationProvider::class, $conf['preauth']
2359  );
2360  }
2361  return $this->preAuthenticationProviders;
2362  }
2363 
2368  protected function getPrimaryAuthenticationProviders() {
2369  if ( $this->primaryAuthenticationProviders === null ) {
2370  $conf = $this->getConfiguration();
2371  $this->primaryAuthenticationProviders = $this->providerArrayFromSpecs(
2372  PrimaryAuthenticationProvider::class, $conf['primaryauth']
2373  );
2374  }
2375  return $this->primaryAuthenticationProviders;
2376  }
2377 
2382  protected function getSecondaryAuthenticationProviders() {
2383  if ( $this->secondaryAuthenticationProviders === null ) {
2384  $conf = $this->getConfiguration();
2385  $this->secondaryAuthenticationProviders = $this->providerArrayFromSpecs(
2386  SecondaryAuthenticationProvider::class, $conf['secondaryauth']
2387  );
2388  }
2389  return $this->secondaryAuthenticationProviders;
2390  }
2391 
2397  private function setSessionDataForUser( $user, $remember = null ) {
2398  $session = $this->request->getSession();
2399  $delay = $session->delaySave();
2400 
2401  $session->resetId();
2402  $session->resetAllTokens();
2403  if ( $session->canSetUser() ) {
2404  $session->setUser( $user );
2405  }
2406  if ( $remember !== null ) {
2407  $session->setRememberUser( $remember );
2408  }
2409  $session->set( 'AuthManager:lastAuthId', $user->getId() );
2410  $session->set( 'AuthManager:lastAuthTimestamp', time() );
2411  $session->persist();
2412 
2413  \Wikimedia\ScopedCallback::consume( $delay );
2414 
2415  \Hooks::run( 'UserLoggedIn', [ $user ] );
2416  }
2417 
2422  private function setDefaultUserOptions( User $user, $useContextLang ) {
2423  $user->setToken();
2424 
2425  $contLang = MediaWikiServices::getInstance()->getContentLanguage();
2426 
2427  $lang = $useContextLang ? \RequestContext::getMain()->getLanguage() : $contLang;
2428  $user->setOption( 'language', $lang->getPreferredVariant() );
2429 
2430  if ( $contLang->hasVariants() ) {
2431  $user->setOption( 'variant', $contLang->getPreferredVariant() );
2432  }
2433  }
2434 
2440  private function callMethodOnProviders( $which, $method, array $args ) {
2441  $providers = [];
2442  if ( $which & 1 ) {
2443  $providers += $this->getPreAuthenticationProviders();
2444  }
2445  if ( $which & 2 ) {
2446  $providers += $this->getPrimaryAuthenticationProviders();
2447  }
2448  if ( $which & 4 ) {
2449  $providers += $this->getSecondaryAuthenticationProviders();
2450  }
2451  foreach ( $providers as $provider ) {
2452  $provider->$method( ...$args );
2453  }
2454  }
2455 
2460  public static function resetCache() {
2461  if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
2462  // @codeCoverageIgnoreStart
2463  throw new \MWException( __METHOD__ . ' may only be called from unit tests!' );
2464  // @codeCoverageIgnoreEnd
2465  }
2466 
2467  self::$instance = null;
2468  }
2469 
2472 }
2473 
StatusValue\newFatal
static newFatal( $message,... $parameters)
Factory function for fatal errors.
Definition: StatusValue.php:69
MediaWiki\Auth\CreateFromLoginAuthenticationRequest
This transfers state between the login and account creation flows.
Definition: CreateFromLoginAuthenticationRequest.php:34
MediaWiki\Auth\AuthenticationRequest\PRIMARY_REQUIRED
const PRIMARY_REQUIRED
Indicates that the request is required by a primary authentication provider.
Definition: AuthenticationRequest.php:52
MediaWiki\Auth\AuthManager\changeAuthenticationData
changeAuthenticationData(AuthenticationRequest $req, $isAddition=false)
Change authentication data (e.g.
Definition: AuthManager.php:899
User\addWatch
addWatch( $title, $checkRights=self::CHECK_USER_RIGHTS)
Watch an article.
Definition: User.php:3659
MediaWiki\Auth\AuthManager\securitySensitiveOperationStatus
securitySensitiveOperationStatus( $operation)
Whether security-sensitive operations should proceed.
Definition: AuthManager.php:721
MediaWiki\Auth\AuthenticationResponse\ABSTAIN
const ABSTAIN
Indicates that the authentication provider does not handle this request.
Definition: AuthenticationResponse.php:52
MediaWiki\Auth\AuthManager\beginAuthentication
beginAuthentication(array $reqs, $returnToUrl)
Start an authentication flow.
Definition: AuthManager.php:289
MediaWiki\Auth\AuthManager\continueAuthentication
continueAuthentication(array $reqs)
Continue an authentication flow.
Definition: AuthManager.php:413
MediaWiki\Auth\AuthManager\canCreateAccounts
canCreateAccounts()
Determine whether accounts can be created.
Definition: AuthManager.php:925
User\saveSettings
saveSettings()
Save this user&#39;s settings into the database.
Definition: User.php:3918
User\setId
setId( $v)
Set the user and reload all fields according to a given ID.
Definition: User.php:2220
Profiler\instance
static instance()
Singleton.
Definition: Profiler.php:63
$lang
if(!isset( $args[0])) $lang
Definition: testCompression.php:33
User\setName
setName( $str)
Set the user name.
Definition: User.php:2257
MediaWiki\Auth\AuthManager\ACTION_UNLINK
const ACTION_UNLINK
Like ACTION_REMOVE but for linking providers only.
Definition: AuthManager.php:109
MediaWiki\Auth\AuthManager\removeAuthenticationSessionData
removeAuthenticationSessionData( $key)
Remove authentication data.
Definition: AuthManager.php:2286
IDBAccessObject\READ_LOCKING
const READ_LOCKING
Constants for object loading bitfield flags (higher => higher QoS)
Definition: IDBAccessObject.php:64
$source
$source
Definition: mwdoc-filter.php:34
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition: AuthenticationRequest.php:283
MediaWiki\Auth\AuthManager\allowsPropertyChange
allowsPropertyChange( $property)
Determine whether a user property should be allowed to be changed.
Definition: AuthManager.php:2200
MediaWiki\Auth\AuthenticationProvider\getUniqueId
getUniqueId()
Return a unique identifier for this instance.
ObjectCache\getLocalClusterInstance
static getLocalClusterInstance()
Get the main cluster-local cache object.
Definition: ObjectCache.php:267
MediaWiki\Logger\LoggerFactory\getInstance
static getInstance( $channel)
Get a named logger instance from the currently configured logger factory.
Definition: LoggerFactory.php:92
MediaWiki\$action
string $action
Cache what action this request is.
Definition: MediaWiki.php:42
User\setToken
setToken( $token=false)
Set the random token (used for persistent authentication) Called from loadDefaults() among other plac...
Definition: User.php:2782
User\idFromName
static idFromName( $name, $flags=self::READ_NORMAL)
Get database id given a user name.
Definition: User.php:829
MediaWiki\Auth\AuthManager\continueAccountCreation
continueAccountCreation(array $reqs)
Continue an account creation flow.
Definition: AuthManager.php:1158
MediaWiki\Auth\CreationReasonAuthenticationRequest
Authentication request for the reason given for account creation.
Definition: CreationReasonAuthenticationRequest.php:9
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition: MediaWikiServices.php:140
MediaWiki
A helper class for throttling authentication attempts.
User\setOption
setOption( $oname, $val)
Set the given option for a user.
Definition: User.php:3002
MediaWiki\Auth\AuthManager\getAuthenticationRequests
getAuthenticationRequests( $action, User $user=null)
Return the applicable list of AuthenticationRequests.
Definition: AuthManager.php:2034
User\getName
getName()
Get the user name, or the IP of an anonymous user.
Definition: User.php:2229
MediaWiki\Auth\AuthManager\$preAuthenticationProviders
PreAuthenticationProvider [] $preAuthenticationProviders
Definition: AuthManager.php:140
MediaWiki\Auth\AuthManager\$createdAccountAuthenticationRequests
CreatedAccountAuthenticationRequest [] $createdAccountAuthenticationRequests
Definition: AuthManager.php:149
MediaWiki\Auth\PrimaryAuthenticationProvider
A primary authentication provider is responsible for associating the submitted authentication data wi...
Definition: PrimaryAuthenticationProvider.php:75
$args
if( $line===false) $args
Definition: cdb.php:64
MediaWiki\Auth\AuthManager\beginAccountLink
beginAccountLink(User $user, array $reqs, $returnToUrl)
Start an account linking flow.
Definition: AuthManager.php:1813
User
The User object encapsulates all of the user-specific settings (user_id, name, rights, email address, options, last login time).
Definition: User.php:51
MediaWiki\Auth\AuthManager\canCreateAccount
canCreateAccount( $username, $options=[])
Determine whether a particular account can be created.
Definition: AuthManager.php:944
$last
$last
Definition: profileinfo.php:419
getPermissionManager
getPermissionManager()
User\loadFromId
loadFromId( $flags=self::READ_NORMAL)
Load user table data, given mId has already been set.
Definition: User.php:388
User\isBlockedFromCreateAccount
isBlockedFromCreateAccount()
Get whether the user is explicitly blocked from account creation.
Definition: User.php:4219
DeferredUpdates\addCallableUpdate
static addCallableUpdate( $callable, $stage=self::POSTSEND, $dbw=null)
Add a callable update.
Definition: DeferredUpdates.php:124
MediaWiki\Auth\AuthManager\$allAuthenticationProviders
AuthenticationProvider [] $allAuthenticationProviders
Definition: AuthManager.php:137
wfReadOnly
wfReadOnly()
Check whether the wiki is in read-only mode.
Definition: GlobalFunctions.php:1171
MediaWiki\Auth\AuthManager\resetCache
static resetCache()
Reset the internal caching for unit testing.
Definition: AuthManager.php:2460
RequestContext\getMain
static getMain()
Get the RequestContext object associated with the main request.
Definition: RequestContext.php:431
User\isCreatableName
static isCreatableName( $name)
Usernames which fail to pass this function will be blocked from new account registrations, but may be used internally either by batch processes or by user accounts which have already been created.
Definition: User.php:1041
MediaWiki\Auth\AuthManager\canLinkAccounts
canLinkAccounts()
Determine whether accounts can be linked.
Definition: AuthManager.php:1795
Config
Interface for configuration instances.
Definition: Config.php:28
MediaWiki\Auth\UserDataAuthenticationRequest
This represents additional user data requested on the account creation form.
Definition: UserDataAuthenticationRequest.php:34
MediaWiki\Auth\AuthenticationResponse\FAIL
const FAIL
Indicates that the authentication failed.
Definition: AuthenticationResponse.php:42
MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_LINK
const TYPE_LINK
Provider can link to existing accounts elsewhere.
Definition: PrimaryAuthenticationProvider.php:79
MediaWiki\Auth\AuthManager\callLegacyAuthPlugin
static callLegacyAuthPlugin( $method, array $params, $return=null)
This used to call a legacy AuthPlugin method, if necessary.
Definition: AuthManager.php:249
SiteStatsUpdate\factory
static factory(array $deltas)
Definition: SiteStatsUpdate.php:71
MediaWiki\Auth\AuthManager\$instance
static AuthManager null $instance
Definition: AuthManager.php:125
MediaWiki\Auth\AuthManager\$primaryAuthenticationProviders
PrimaryAuthenticationProvider [] $primaryAuthenticationProviders
Definition: AuthManager.php:143
MediaWiki\Auth\AuthManager\getAuthenticationProvider
getAuthenticationProvider( $id)
Get a provider by ID.
Definition: AuthManager.php:2219
MediaWiki\Auth\AuthManager\singleton
static singleton()
Get the global AuthManager.
Definition: AuthManager.php:155
MediaWiki\Auth\AuthManager\getAuthenticationRequestsInternal
getAuthenticationRequestsInternal( $providerAction, array $options, array $providers, User $user=null)
Internal request lookup for self::getAuthenticationRequests.
Definition: AuthManager.php:2098
StatusValue\newGood
static newGood( $value=null)
Factory function for good results.
Definition: StatusValue.php:81
MediaWiki\Auth\AuthManager\userExists
userExists( $username, $flags=User::READ_NORMAL)
Determine whether a username exists.
Definition: AuthManager.php:2179
MediaWiki\Auth\AuthManager\ACTION_CHANGE
const ACTION_CHANGE
Change a user&#39;s credentials.
Definition: AuthManager.php:105
MediaWiki\Auth\AuthManager\SEC_FAIL
const SEC_FAIL
Security-sensitive should not be performed.
Definition: AuthManager.php:116
MediaWiki\Auth\AuthManager\AUTOCREATE_SOURCE_MAINT
const AUTOCREATE_SOURCE_MAINT
Auto-creation is due to a Maintenance script.
Definition: AuthManager.php:122
MediaWiki\Auth\AuthManager\SEC_REAUTH
const SEC_REAUTH
Security-sensitive operations should re-authenticate.
Definition: AuthManager.php:114
MediaWiki\Auth\AuthManager\AUTOCREATE_SOURCE_SESSION
const AUTOCREATE_SOURCE_SESSION
Auto-creation is due to SessionManager.
Definition: AuthManager.php:119
MediaWiki\Auth\AuthenticationRequest\OPTIONAL
const OPTIONAL
Indicates that the request is not required for authentication to proceed.
Definition: AuthenticationRequest.php:40
$cache
$cache
Definition: mcc.php:33
User\IGNORE_USER_RIGHTS
const IGNORE_USER_RIGHTS
Definition: User.php:83
MediaWiki\Auth\AuthManager\getConfiguration
getConfiguration()
Get the configuration.
Definition: AuthManager.php:2346
MediaWiki\Auth\AuthenticationRequest\REQUIRED
const REQUIRED
Indicates that the request is required for authentication to proceed.
Definition: AuthenticationRequest.php:46
User\isUsableName
static isUsableName( $name)
Usernames which fail to pass this function will be blocked from user login and new account registrati...
Definition: User.php:966
Hooks\runWithoutAbort
static runWithoutAbort( $event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
Definition: Hooks.php:231
MediaWiki\Auth\CreatedAccountAuthenticationRequest
Returned from account creation to allow for logging into the created account.
Definition: CreatedAccountAuthenticationRequest.php:29
MediaWiki\Auth\RememberMeAuthenticationRequest
This is an authentication request added by AuthManager to show a "remember me" checkbox.
Definition: RememberMeAuthenticationRequest.php:33
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition: AuthenticationResponse.php:39
MediaWiki\Auth\AuthManager
This serves as the entry point to the authentication system.
Definition: AuthManager.php:85
MediaWiki\Auth\AuthManager\canAuthenticateNow
canAuthenticateNow()
Indicate whether user authentication is possible.
Definition: AuthManager.php:267
SpecialPage\getTitleFor
static getTitleFor( $name, $subpage=false, $fragment='')
Get a localised Title object for a specified special page name If you don&#39;t need a full Title object...
Definition: SpecialPage.php:83
MediaWiki\Auth\AuthManager\setLogger
setLogger(LoggerInterface $logger)
Definition: AuthManager.php:178
MediaWiki\Auth\UsernameAuthenticationRequest
AuthenticationRequest to ensure something with a username is present.
Definition: UsernameAuthenticationRequest.php:29
MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_NONE
const TYPE_NONE
Provider cannot create or link to accounts.
Definition: PrimaryAuthenticationProvider.php:81
MediaWiki\Auth\AuthManager\ACTION_LINK
const ACTION_LINK
Link an existing user to a third-party account.
Definition: AuthManager.php:99
MediaWiki\Auth\AuthManager\checkAccountCreatePermissions
checkAccountCreatePermissions(User $creator)
Basic permissions checks on whether a user can create accounts.
Definition: AuthManager.php:992
MediaWiki\Auth\AuthManager\allowsAuthenticationDataChange
allowsAuthenticationDataChange(AuthenticationRequest $req, $checkData=true)
Validate a change of authentication data (e.g.
Definition: AuthManager.php:863
MediaWiki\Auth\AuthenticationResponse\REDIRECT
const REDIRECT
Indicates that the authentication needs to be redirected to a third party to proceed.
Definition: AuthenticationResponse.php:58
MediaWiki\Auth\AuthManager\forcePrimaryAuthenticationProviders
forcePrimaryAuthenticationProviders(array $providers, $why)
Force certain PrimaryAuthenticationProviders.
Definition: AuthManager.php:195
Status\wrap
static wrap( $sv)
Succinct helper method to wrap a StatusValue.
Definition: Status.php:55
MediaWiki\Auth\AuthManager\setAuthenticationSessionData
setAuthenticationSessionData( $key, $data)
Store authentication in the current session.
Definition: AuthManager.php:2255
MediaWiki\Auth\AuthManager\beginAccountCreation
beginAccountCreation(User $creator, array $reqs, $returnToUrl)
Start an account creation flow.
Definition: AuthManager.php:1057
User\newFromId
static newFromId( $id)
Static factory method for creation from a given user ID.
Definition: User.php:539
DeferredUpdates\addUpdate
static addUpdate(DeferrableUpdate $update, $stage=self::POSTSEND)
Add an update to the deferred list to be run later by execute()
Definition: DeferredUpdates.php:85
wfReadOnlyReason
wfReadOnlyReason()
Check if the site is in read-only mode and return the message if so.
Definition: GlobalFunctions.php:1184
MediaWiki\Auth\AuthManager\callMethodOnProviders
callMethodOnProviders( $which, $method, array $args)
Definition: AuthManager.php:2440
User\getId
getId()
Get the user&#39;s ID.
Definition: User.php:2200
User\addToDatabase
addToDatabase()
Add this existing user object to the database.
Definition: User.php:4103
MediaWiki\Auth\AuthManager\revokeAccessForUser
revokeAccessForUser( $username)
Revoke any authentication credentials for a user.
Definition: AuthManager.php:847
MediaWiki\Auth\AuthManager\getPrimaryAuthenticationProviders
getPrimaryAuthenticationProviders()
Get the list of PrimaryAuthenticationProviders.
Definition: AuthManager.php:2368
MediaWiki\Auth\AuthManager\ACTION_LOGIN_CONTINUE
const ACTION_LOGIN_CONTINUE
Continue a login process that was interrupted by the need for user input or communication with an ext...
Definition: AuthManager.php:91
MediaWiki\Auth\AuthManager\ACTION_REMOVE
const ACTION_REMOVE
Remove a user&#39;s credentials.
Definition: AuthManager.php:107
wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Throws a warning that $function is deprecated.
Definition: GlobalFunctions.php:1044
MediaWiki\Auth\AuthManager\autoCreateUser
autoCreateUser(User $user, $source, $login=true)
Auto-create an account, and log into that account.
Definition: AuthManager.php:1560
User\getUserPage
getUserPage()
Get this user&#39;s personal page title.
Definition: User.php:4272
BotPassword\invalidateAllPasswordsForUser
static invalidateAllPasswordsForUser( $username)
Invalidate all passwords for a user, by name.
Definition: BotPassword.php:339
MediaWiki\Auth\AuthenticationRequest\getRequestByClass
static getRequestByClass(array $reqs, $class, $allowSubclasses=false)
Select a request by class name.
Definition: AuthenticationRequest.php:263
MediaWiki\Auth\AuthManager\ACTION_CREATE_CONTINUE
const ACTION_CREATE_CONTINUE
Continue a user creation process that was interrupted by the need for user input or communication wit...
Definition: AuthManager.php:97
MediaWiki\Auth\AuthManager\continueAccountLink
continueAccountLink(array $reqs)
Continue an account linking flow.
Definition: AuthManager.php:1922
MediaWiki\Auth\AuthManager\setSessionDataForUser
setSessionDataForUser( $user, $remember=null)
Log the user in.
Definition: AuthManager.php:2397
MediaWiki\Auth\AuthManager\__construct
__construct(WebRequest $request, Config $config)
Definition: AuthManager.php:169
MediaWiki\Auth\AuthManager\setDefaultUserOptions
setDefaultUserOptions(User $user, $useContextLang)
Definition: AuthManager.php:2422
MediaWiki\Auth\AuthManager\ACTION_CREATE
const ACTION_CREATE
Create a new user.
Definition: AuthManager.php:93
MediaWiki\Auth\AuthManager\providerArrayFromSpecs
providerArrayFromSpecs( $class, array $specs)
Create an array of AuthenticationProviders from an array of ObjectFactory specs.
Definition: AuthManager.php:2305
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition: GlobalFunctions.php:1264
MediaWiki\Auth\AuthManager\SEC_OK
const SEC_OK
Security-sensitive operations are ok.
Definition: AuthManager.php:112
User\newFromName
static newFromName( $name, $validate='valid')
Static factory method for creation from username.
Definition: User.php:515
MediaWiki\Auth\AuthManager\ACTION_LOGIN
const ACTION_LOGIN
Log in with an existing (not necessarily local) user.
Definition: AuthManager.php:87
MediaWiki\Auth\AuthManager\ACTION_LINK_CONTINUE
const ACTION_LINK_CONTINUE
Continue a user linking process that was interrupted by the need for user input or communication with...
Definition: AuthManager.php:103
MediaWiki\Auth\AuthManager\getAuthenticationSessionData
getAuthenticationSessionData( $key, $default=null)
Fetch authentication data from the current session.
Definition: AuthManager.php:2272
MediaWiki\Auth\AuthManager\fillRequests
fillRequests(array &$reqs, $action, $username, $forceAction=false)
Set values in an array of requests.
Definition: AuthManager.php:2162
MediaWiki\Auth\AuthManager\getPreAuthenticationProviders
getPreAuthenticationProviders()
Get the list of PreAuthenticationProviders.
Definition: AuthManager.php:2354
MediaWiki\Auth\AuthManager\userCanAuthenticate
userCanAuthenticate( $username)
Determine whether a username can authenticate.
Definition: AuthManager.php:799
MediaWiki\Auth\AuthManager\$secondaryAuthenticationProviders
SecondaryAuthenticationProvider [] $secondaryAuthenticationProviders
Definition: AuthManager.php:146
MediaWiki\Auth\AuthenticationRequest
This is a value object for authentication requests.
Definition: AuthenticationRequest.php:37
Hooks\run
static run( $event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
Definition: Hooks.php:200
MediaWiki\Auth\AuthManager\normalizeUsername
normalizeUsername( $username)
Provide normalized versions of the username for security checks.
Definition: AuthManager.php:822
MediaWiki\Auth\AuthManager\getSecondaryAuthenticationProviders
getSecondaryAuthenticationProviders()
Get the list of SecondaryAuthenticationProviders.
Definition: AuthManager.php:2382
MediaWiki\Auth\AuthenticationResponse\UI
const UI
Indicates that the authentication needs further user input of some sort.
Definition: AuthenticationResponse.php:55