master/php/PasswordPolicyChecks_8php_source.html

<?php

declare( strict_types = 1 );


namespace MediaWiki\Password;


use MediaWiki\Status\Status;

use MediaWiki\User\UserIdentity;

use Wikimedia\CommonPasswords\CommonPasswords;


class PasswordPolicyChecks {


    public static function checkMinimalPasswordLength( int $policyVal, UserIdentity $user, string $password ): Status {

        $status = Status::newGood();

        if ( $policyVal > strlen( $password ) ) {

            $status->error( 'passwordtooshort', $policyVal );

        }

        return $status;

    }


    public static function checkMinimumPasswordLengthToLogin(

        int $policyVal,

        UserIdentity $user,

        string $password

    ): Status {

        $status = Status::newGood();

        if ( $policyVal > strlen( $password ) ) {

            $status->fatal( 'passwordtooshort', $policyVal );

        }

        return $status;

    }


    public static function checkMaximalPasswordLength(

        int $policyVal,

        UserIdentity $user,

        string $password

    ): Status {

        $status = Status::newGood();

        if ( $policyVal < strlen( $password ) ) {

            $status->fatal( 'passwordtoolong', $policyVal );

        }

        return $status;

    }


    public static function checkPasswordCannotBeSubstringInUsername(

        bool $policyVal,

        UserIdentity $user,

        string $password

    ): Status {

        $status = Status::newGood();

        $username = $user->getName();

        if ( $policyVal && stripos( $username, $password ) !== false ) {

            $status->error( 'password-substring-username-match' );

        }

        return $status;

    }


    public static function checkPasswordCannotMatchDefaults(

        bool $policyVal,

        UserIdentity $user,

        string $password

    ): Status {

        static $blockedLogins = [

            // r75589

            'Useruser' => 'Passpass',

            'Useruser1' => 'Passpass1',

            // r75605

            'Apitestsysop' => 'testpass',

            'Apitestuser' => 'testpass',

        ];


        $status = Status::newGood();

        $username = $user->getName();

        if ( $policyVal ) {

            if (

                isset( $blockedLogins[$username] ) &&

                hash_equals( $blockedLogins[$username], $password )

            ) {

                $status->error( 'password-login-forbidden' );

            }


            // Example from ApiChangeAuthenticationRequest

            if ( hash_equals( 'ExamplePassword', $password ) ) {

                $status->error( 'password-login-forbidden' );

            }

        }

        return $status;

    }


    public static function checkPasswordNotInCommonList(

        bool $policyVal,

        UserIdentity $user,

        string $password

    ): Status {

        $status = Status::newGood();

        if ( $policyVal && CommonPasswords::isCommon( $password ) ) {

            $status->error( 'passwordincommonlist' );

        }


        return $status;

    }


}


MediaWiki\Password\PasswordPolicyChecks
Functions to check passwords against a policy requirement.
Definition PasswordPolicyChecks.php:28

MediaWiki\Password\PasswordPolicyChecks\checkPasswordCannotMatchDefaults
static checkPasswordCannotMatchDefaults(bool $policyVal, UserIdentity $user, string $password)
Check if username and password are on a list of past MediaWiki default passwords.
Definition PasswordPolicyChecks.php:113

MediaWiki\Password\PasswordPolicyChecks\checkPasswordNotInCommonList
static checkPasswordNotInCommonList(bool $policyVal, UserIdentity $user, string $password)
Ensure the password isn't in the list of common passwords by the wikimedia/common-passwords library,...
Definition PasswordPolicyChecks.php:159

MediaWiki\Password\PasswordPolicyChecks\checkMinimumPasswordLengthToLogin
static checkMinimumPasswordLengthToLogin(int $policyVal, UserIdentity $user, string $password)
Check password is longer than the minimum, fatal.
Definition PasswordPolicyChecks.php:54

MediaWiki\Password\PasswordPolicyChecks\checkMaximalPasswordLength
static checkMaximalPasswordLength(int $policyVal, UserIdentity $user, string $password)
Check password is shorter than the maximum, fatal.
Definition PasswordPolicyChecks.php:74

MediaWiki\Password\PasswordPolicyChecks\checkMinimalPasswordLength
static checkMinimalPasswordLength(int $policyVal, UserIdentity $user, string $password)
Check password is longer than the minimum, not fatal.
Definition PasswordPolicyChecks.php:37

MediaWiki\Password\PasswordPolicyChecks\checkPasswordCannotBeSubstringInUsername
static checkPasswordCannotBeSubstringInUsername(bool $policyVal, UserIdentity $user, string $password)
Check if a password is a (case-insensitive) substring within the username.
Definition PasswordPolicyChecks.php:93

MediaWiki\Status\Status
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition Status.php:44

StatusValue\fatal
fatal( $message,... $parameters)
Add an error and set OK to false, indicating that the operation as a whole was fatal.
Definition StatusValue.php:335

StatusValue\error
error( $message,... $parameters)
Add an error, do not set fatal flag This can be used for non-fatal errors.
Definition StatusValue.php:317

MediaWiki\User\UserIdentity
Interface for objects representing user identity.
Definition UserIdentity.php:24

MediaWiki\User\UserIdentity\getName
getName()

MediaWiki\Password
Definition AbstractPbkdf2Password.php:11