master/php/LocalPasswordPrimaryAuthenticationProvider_8php_source.html

<?php

namespace MediaWiki\Auth;


use BadMethodCallException;

use MediaWiki\Deferred\DeferredUpdates;

use MediaWiki\MainConfigNames;

use MediaWiki\Password\InvalidPassword;

use MediaWiki\Status\Status;

use MediaWiki\User\UserRigorOptions;

use StatusValue;

use stdClass;

use Wikimedia\Rdbms\DBAccessObjectUtils;

use Wikimedia\Rdbms\IConnectionProvider;

use Wikimedia\Rdbms\IDBAccessObject;

use Wikimedia\Timestamp\TimestampFormat as TS;


class LocalPasswordPrimaryAuthenticationProvider

    extends AbstractPasswordPrimaryAuthenticationProvider

{


    protected $loginOnly = false;


    private IConnectionProvider $dbProvider;


    public function __construct( IConnectionProvider $dbProvider, $params = [] ) {

        parent::__construct( $params );

        $this->loginOnly = !empty( $params['loginOnly'] );

        $this->dbProvider = $dbProvider;

    }


    protected function getPasswordResetData( $username, $row ) {

        $now = (int)wfTimestamp();

        $expiration = wfTimestampOrNull( TS::UNIX, $row->user_password_expires );

        if ( $expiration === null || (int)$expiration >= $now ) {

            return null;

        }


        $grace = $this->config->get( MainConfigNames::PasswordExpireGrace );

        if ( (int)$expiration + $grace < $now ) {

            $data = [

                'hard' => true,

                'msg' => Status::newFatal( 'resetpass-expired' )->getMessage(),

            ];

        } else {

            $data = [

                'hard' => false,

                'msg' => Status::newFatal( 'resetpass-expired-soft' )->getMessage(),

            ];

        }


        return (object)$data;

    }


    public function beginPrimaryAuthentication( array $reqs ) {

        $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );

        if ( !$req || $req->username === null || $req->password === null ) {

            return AuthenticationResponse::newAbstain();

        }


        $username = $this->userNameUtils->getCanonical(

            $req->username, UserRigorOptions::RIGOR_USABLE );

        if ( $username === false ) {

            return AuthenticationResponse::newAbstain();

        }


        $row = $this->dbProvider->getReplicaDatabase()->newSelectQueryBuilder()

            ->select( [ 'user_id', 'user_password', 'user_password_expires' ] )

            ->from( 'user' )

            ->where( [ 'user_name' => $username ] )

            ->caller( __METHOD__ )->fetchRow();

        if ( !$row ) {

            // Do not reveal whether its bad username or

            // bad password to prevent username enumeration

            // on private wikis. (T134100)

            return $this->failResponse( $req );

        }


        $oldRow = clone $row;

        // Check for *really* old password hashes that don't even have a type

        // The old hash format was just an MD5 hex hash, with no type information

        if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {

            $row->user_password = ":B:{$row->user_id}:{$row->user_password}";

        }


        $status = $this->checkPasswordValidity( $username, $req->password );

        if ( !$status->isOK() ) {

            return $this->getFatalPasswordErrorResponse( $username, $status );

        }


        $pwhash = $this->getPassword( $row->user_password );

        if ( !$pwhash->verify( $req->password ) ) {

            if ( $this->config->get( MainConfigNames::LegacyEncoding ) ) {

                // Some wikis were converted from ISO 8859-1 to UTF-8, the passwords can't be converted

                // Check for this with iconv

                $cp1252Password = iconv( 'UTF-8', 'WINDOWS-1252//TRANSLIT', $req->password );

                if ( $cp1252Password === $req->password || !$pwhash->verify( $cp1252Password ) ) {

                    return $this->failResponse( $req );

                }

            } else {

                return $this->failResponse( $req );

            }

        }


        // @codeCoverageIgnoreStart

        if ( $this->getPasswordFactory()->needsUpdate( $pwhash ) ) {

            $newHash = $this->getPasswordFactory()->newFromPlaintext( $req->password );

            DeferredUpdates::addCallableUpdate( function ( $fname ) use ( $newHash, $oldRow ) {

                $dbw = $this->dbProvider->getPrimaryDatabase();

                $dbw->newUpdateQueryBuilder()

                    ->update( 'user' )

                    ->set( [ 'user_password' => $newHash->toString() ] )

                    ->where( [

                        'user_id' => $oldRow->user_id,

                        'user_password' => $oldRow->user_password,

                    ] )

                    ->caller( $fname )

                    ->execute();

            } );

        }

        // @codeCoverageIgnoreEnd


        $this->setPasswordResetFlag( $username, $status, $row );


        return AuthenticationResponse::newPass( $username );

    }


    public function testUserCanAuthenticate( $username ) {

        $username = $this->userNameUtils->getCanonical(

            $username,

            UserRigorOptions::RIGOR_USABLE

        );

        if ( $username === false ) {

            return false;

        }


        $password = $this->dbProvider->getReplicaDatabase()->newSelectQueryBuilder()

            ->select( [ 'user_password' ] )

            ->from( 'user' )

            ->where( [ 'user_name' => $username ] )

            ->caller( __METHOD__ )

            ->fetchField();

        if ( $password === false ) {

            return false;

        }


        // Check for *really* old password hashes that don't even have a type

        // The old hash format was just an MD5 hex hash, with no type information

        if ( preg_match( '/^[0-9a-f]{32}$/', $password ) ) {

            return true;

        }


        return !$this->getPassword( $password ) instanceof InvalidPassword;

    }


    public function testUserExists( $username, $flags = IDBAccessObject::READ_NORMAL ) {

        $username = $this->userNameUtils->getCanonical(

            $username,

            UserRigorOptions::RIGOR_USABLE

        );

        if ( $username === false ) {

            return false;

        }


        $db = DBAccessObjectUtils::getDBFromRecency( $this->dbProvider, $flags );

        return (bool)$db->newSelectQueryBuilder()

            ->select( [ 'user_id' ] )

            ->from( 'user' )

            ->where( [ 'user_name' => $username ] )

            ->caller( __METHOD__ )->fetchField();

    }


    public function providerAllowsAuthenticationDataChange(

        AuthenticationRequest $req, $checkData = true

    ) {

        // We only want to blank the password if something else will accept the

        // new authentication data, so return 'ignore' here.

        if ( $this->loginOnly ) {

            return StatusValue::newGood( 'ignored' );

        }


        if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {

            if ( !$checkData ) {

                return StatusValue::newGood();

            }


            $username = $this->userNameUtils->getCanonical( $req->username,

                UserRigorOptions::RIGOR_USABLE );

            if ( $username !== false ) {

                $row = $this->dbProvider->getPrimaryDatabase()->newSelectQueryBuilder()

                    ->select( [ 'user_id' ] )

                    ->from( 'user' )

                    ->where( [ 'user_name' => $username ] )

                    ->caller( __METHOD__ )->fetchRow();

                if ( $row ) {

                    $sv = StatusValue::newGood();

                    if ( $req->password !== null ) {

                        if ( $req->password !== $req->retype ) {

                            $sv->fatal( 'badretype' );

                        } else {

                            $sv->merge( $this->checkPasswordValidity( $username, $req->password ) );

                        }

                    }

                    return $sv;

                }

            }

        }


        return StatusValue::newGood( 'ignored' );

    }


    public function providerChangeAuthenticationData( AuthenticationRequest $req ) {

        $username = $req->username !== null

            ? $this->userNameUtils->getCanonical( $req->username, UserRigorOptions::RIGOR_USABLE )

            : false;

        if ( $username === false ) {

            return;

        }


        $pwhash = null;


        if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {

            if ( $this->loginOnly ) {

                $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );

                $expiry = null;

            } else {

                $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );

                $expiry = $this->getNewPasswordExpiry( $username );

            }

        }


        if ( $pwhash ) {

            $dbw = $this->dbProvider->getPrimaryDatabase();

            $dbw->newUpdateQueryBuilder()

                ->update( 'user' )

                ->set( [

                    'user_password' => $pwhash->toString(),

                    // @phan-suppress-next-line PhanPossiblyUndeclaredVariable expiry is set together with pwhash

                    'user_password_expires' => $dbw->timestampOrNull( $expiry ),

                ] )

                ->where( [ 'user_name' => $username ] )

                ->caller( __METHOD__ )->execute();

        }

    }


    public function accountCreationType() {

        return $this->loginOnly ? self::TYPE_NONE : self::TYPE_CREATE;

    }


    public function testForAccountCreation( $user, $creator, array $reqs ) {

        $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );


        $ret = StatusValue::newGood();

        if ( !$this->loginOnly && $req && $req->username !== null && $req->password !== null ) {

            if ( $req->password !== $req->retype ) {

                $ret->fatal( 'badretype' );

            } else {

                $ret->merge(

                    $this->checkPasswordValidity( $user->getName(), $req->password )

                );

            }

        }

        return $ret;

    }


    public function beginPrimaryAccountCreation( $user, $creator, array $reqs ) {

        if ( $this->accountCreationType() === self::TYPE_NONE ) {

            throw new BadMethodCallException( 'Shouldn\'t call this when accountCreationType() is NONE' );

        }


        $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );

        if ( $req && $req->username !== null && $req->password !== null ) {

            // Nothing we can do besides claim it, because the user isn't in

            // the DB yet

            if ( $req->username !== $user->getName() ) {

                $req = clone $req;

                $req->username = $user->getName();

            }

            $ret = AuthenticationResponse::newPass( $req->username );

            $ret->createRequest = $req;

            return $ret;

        }

        return AuthenticationResponse::newAbstain();

    }


    public function finishAccountCreation( $user, $creator, AuthenticationResponse $res ) {

        if ( $this->accountCreationType() === self::TYPE_NONE ) {

            throw new BadMethodCallException( 'Shouldn\'t call this when accountCreationType() is NONE' );

        }


        // Now that the user is in the DB, set the password on it.

        $this->providerChangeAuthenticationData( $res->createRequest );


        return null;

    }


}


wfTimestampOrNull
wfTimestampOrNull( $outputtype=TS::UNIX, $ts=null)
Return a formatted timestamp, or null if input is null.
Definition GlobalFunctions.php:1316

wfTimestamp
wfTimestamp( $outputtype=TS::UNIX, $ts=0)
Get a timestamp string in one of various formats.
Definition GlobalFunctions.php:1297

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider
Basic framework for a primary authentication provider that uses passwords.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:28

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\checkPasswordValidity
checkPasswordValidity( $username, $password)
Check that the password is valid.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:99

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\failResponse
failResponse(PasswordAuthenticationRequest $req)
Return the appropriate response for failure.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:79

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\setPasswordResetFlag
setPasswordResetFlag( $username, Status $status, $data=null)
Check if the password should be reset.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:133

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getPasswordFactory
getPasswordFactory()
Definition AbstractPasswordPrimaryAuthenticationProvider.php:48

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getNewPasswordExpiry
getNewPasswordExpiry( $username)
Get expiration date for a new password, if any.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:172

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getPassword
getPassword( $hash)
Get a Password object from the hash.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:63

MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider\getFatalPasswordErrorResponse
getFatalPasswordErrorResponse(string $username, Status $status)
Adds user-friendly description to a fatal password validity check error.
Definition AbstractPasswordPrimaryAuthenticationProvider.php:111

MediaWiki\Auth\AuthenticationRequest
This is a value object for authentication requests.
Definition AuthenticationRequest.php:28

MediaWiki\Auth\AuthenticationRequest\getRequestByClass
static getRequestByClass(array $reqs, $class, $allowSubclasses=false)
Select a request by class name.
Definition AuthenticationRequest.php:287

MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:21

MediaWiki\Auth\AuthenticationResponse\newAbstain
static newAbstain()
Definition AuthenticationResponse.php:166

MediaWiki\Auth\AuthenticationResponse\newPass
static newPass( $username=null)
Definition AuthenticationResponse.php:128

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider
A primary authentication provider that uses the password field in the 'user' table.
Definition LocalPasswordPrimaryAuthenticationProvider.php:30

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\testUserExists
testUserExists( $username, $flags=IDBAccessObject::READ_NORMAL)
Test whether the named user exists.Single-sign-on providers can use this to reserve a username for au...
Definition LocalPasswordPrimaryAuthenticationProvider.php:184

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\accountCreationType
accountCreationType()
Fetch the account-creation type.string One of the TYPE_* constants
Definition LocalPasswordPrimaryAuthenticationProvider.php:276

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\__construct
__construct(IConnectionProvider $dbProvider, $params=[])
Definition LocalPasswordPrimaryAuthenticationProvider.php:44

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\beginPrimaryAccountCreation
beginPrimaryAccountCreation( $user, $creator, array $reqs)
Start an account creation flow.AuthenticationResponse Expected responses:PASS: The user may be create...
Definition LocalPasswordPrimaryAuthenticationProvider.php:298

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\testUserCanAuthenticate
testUserCanAuthenticate( $username)
Test whether the named user can authenticate with this provider.Should return true if the provider ha...
Definition LocalPasswordPrimaryAuthenticationProvider.php:155

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\providerAllowsAuthenticationDataChange
providerAllowsAuthenticationDataChange(AuthenticationRequest $req, $checkData=true)
Validate a change of authentication data (e.g.passwords)Return StatusValue::newGood( 'ignored' ) if y...
Definition LocalPasswordPrimaryAuthenticationProvider.php:202

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\beginPrimaryAuthentication
beginPrimaryAuthentication(array $reqs)
Start an authentication flow.AuthenticationResponse Expected responses:PASS: The user is authenticate...
Definition LocalPasswordPrimaryAuthenticationProvider.php:81

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\providerChangeAuthenticationData
providerChangeAuthenticationData(AuthenticationRequest $req)
Change or remove authentication data (e.g.
Definition LocalPasswordPrimaryAuthenticationProvider.php:241

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\$loginOnly
bool $loginOnly
If true, this instance is for legacy logins only.
Definition LocalPasswordPrimaryAuthenticationProvider.php:33

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\finishAccountCreation
finishAccountCreation( $user, $creator, AuthenticationResponse $res)
Post-creation callback.Called after the user is added to the database, before secondary authenticatio...
Definition LocalPasswordPrimaryAuthenticationProvider.php:319

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
Definition LocalPasswordPrimaryAuthenticationProvider.php:281

MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider\getPasswordResetData
getPasswordResetData( $username, $row)
Check if the password has expired and needs a reset.
Definition LocalPasswordPrimaryAuthenticationProvider.php:57

MediaWiki\Deferred\DeferredUpdates
Defer callable updates to run later in the PHP process.
Definition DeferredUpdates.php:85

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22

MediaWiki\MainConfigNames\LegacyEncoding
const LegacyEncoding
Name constant for the LegacyEncoding setting, for use with Config::get()
Definition MainConfigNames.php:1868

MediaWiki\MainConfigNames\PasswordExpireGrace
const PasswordExpireGrace
Name constant for the PasswordExpireGrace setting, for use with Config::get()
Definition MainConfigNames.php:996

MediaWiki\Password\InvalidPassword
Represents an invalid password hash.
Definition InvalidPassword.php:22

MediaWiki\Status\Status
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition Status.php:44

StatusValue
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition StatusValue.php:41

Wikimedia\Rdbms\DBAccessObjectUtils
Helper class for DAO classes.
Definition DBAccessObjectUtils.php:19

MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_CREATE
const TYPE_CREATE
Provider can create accounts.
Definition PrimaryAuthenticationProvider.php:60

MediaWiki\Auth\PrimaryAuthenticationProvider\TYPE_NONE
const TYPE_NONE
Provider cannot create or link to accounts.
Definition PrimaryAuthenticationProvider.php:64

MediaWiki\User\UserRigorOptions
Shared interface for rigor levels when dealing with User methods.
Definition UserRigorOptions.php:16

Wikimedia\Rdbms\IConnectionProvider
Provide primary and replica IDatabase connections.
Definition IConnectionProvider.php:21

Wikimedia\Rdbms\IDBAccessObject
Interface for database access objects.
Definition IDBAccessObject.php:45

MediaWiki\Auth
Definition AbstractAuthenticationProvider.php:7