MediaWiki  master
PasswordPolicyChecks.php
Go to the documentation of this file.
1 <?php
23 use MediaWiki\Status\Status;
24 use MediaWiki\User\UserIdentity;
25 use Wikimedia\CommonPasswords\CommonPasswords;
26 
38 class PasswordPolicyChecks {
39 
47  public static function checkMinimalPasswordLength( $policyVal, UserIdentity $user, $password ) {
48  $status = Status::newGood();
49  if ( $policyVal > strlen( $password ) ) {
50  $status->error( 'passwordtooshort', $policyVal );
51  }
52  return $status;
53  }
54 
64  public static function checkMinimumPasswordLengthToLogin( $policyVal, UserIdentity $user, $password ) {
65  $status = Status::newGood();
66  if ( $policyVal > strlen( $password ) ) {
67  $status->fatal( 'passwordtooshort', $policyVal );
68  }
69  return $status;
70  }
71 
80  public static function checkMaximalPasswordLength( $policyVal, UserIdentity $user, $password ) {
81  $status = Status::newGood();
82  if ( $policyVal < strlen( $password ) ) {
83  $status->fatal( 'passwordtoolong', $policyVal );
84  }
85  return $status;
86  }
87 
95  public static function checkPasswordCannotBeSubstringInUsername(
96  $policyVal,
97  UserIdentity $user,
98  $password
99  ) {
100  $status = Status::newGood();
101  $username = $user->getName();
102  if ( $policyVal && stripos( $username, $password ) !== false ) {
103  $status->error( 'password-substring-username-match' );
104  }
105  return $status;
106  }
107 
115  public static function checkPasswordCannotMatchDefaults( $policyVal, UserIdentity $user, $password ) {
116  static $blockedLogins = [
117  // r75589
118  'Useruser' => 'Passpass',
119  'Useruser1' => 'Passpass1',
120  // r75605
121  'Apitestsysop' => 'testpass',
122  'Apitestuser' => 'testpass',
123  ];
124 
125  $status = Status::newGood();
126  $username = $user->getName();
127  if ( $policyVal ) {
128  if (
129  isset( $blockedLogins[$username] ) &&
130  hash_equals( $blockedLogins[$username], $password )
131  ) {
132  $status->error( 'password-login-forbidden' );
133  }
134 
135  // Example from ApiChangeAuthenticationRequest
136  if ( hash_equals( 'ExamplePassword', $password ) ) {
137  $status->error( 'password-login-forbidden' );
138  }
139  }
140  return $status;
141  }
142 
157  public static function checkPasswordNotInCommonList( $policyVal, UserIdentity $user, $password ) {
158  $status = Status::newGood();
159  if ( $policyVal && CommonPasswords::isCommon( $password ) ) {
160  $status->error( 'passwordincommonlist' );
161  }
162 
163  return $status;
164  }
165 
166 }
MediaWiki\Status\Status
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition: Status.php:58
PasswordPolicyChecks
Functions to check passwords against a policy requirement.
Definition: PasswordPolicyChecks.php:38
PasswordPolicyChecks\checkMinimumPasswordLengthToLogin
static checkMinimumPasswordLengthToLogin( $policyVal, UserIdentity $user, $password)
Check password is longer than minimum, fatal.
Definition: PasswordPolicyChecks.php:64
PasswordPolicyChecks\checkPasswordNotInCommonList
static checkPasswordNotInCommonList( $policyVal, UserIdentity $user, $password)
Ensure the password isn't in the list of common passwords by the wikimedia/common-passwords library,...
Definition: PasswordPolicyChecks.php:157
PasswordPolicyChecks\checkMaximalPasswordLength
static checkMaximalPasswordLength( $policyVal, UserIdentity $user, $password)
Check password is shorter than maximum, fatal.
Definition: PasswordPolicyChecks.php:80
PasswordPolicyChecks\checkPasswordCannotBeSubstringInUsername
static checkPasswordCannotBeSubstringInUsername( $policyVal, UserIdentity $user, $password)
Check if password is a (case-insensitive) substring within the username.
Definition: PasswordPolicyChecks.php:95
PasswordPolicyChecks\checkMinimalPasswordLength
static checkMinimalPasswordLength( $policyVal, UserIdentity $user, $password)
Check password is longer than minimum, not fatal.
Definition: PasswordPolicyChecks.php:47
PasswordPolicyChecks\checkPasswordCannotMatchDefaults
static checkPasswordCannotMatchDefaults( $policyVal, UserIdentity $user, $password)
Check if username and password are on a list of past MediaWiki default passwords.
Definition: PasswordPolicyChecks.php:115
MediaWiki\User\UserIdentity
Interface for objects representing user identity.
Definition: UserIdentity.php:39