MediaWiki  master
UserPasswordPolicy.php
Go to the documentation of this file.
1 <?php
28 class UserPasswordPolicy {
29 
33  private $policies;
34 
41  private $policyCheckFunctions;
42 
48  public function __construct( array $policies, array $checks ) {
49  if ( !isset( $policies['default'] ) ) {
50  throw new InvalidArgumentException(
51  'Must include a \'default\' password policy'
52  );
53  }
54  $this->policies = $policies;
55 
56  foreach ( $checks as $statement => $check ) {
57  if ( !is_callable( $check ) ) {
58  throw new InvalidArgumentException(
59  "Policy check functions must be callable. '$statement' isn't callable."
60  );
61  }
62  $this->policyCheckFunctions[$statement] = $check;
63  }
64  }
65 
76  public function checkUserPassword( User $user, $password ) {
77  $effectivePolicy = $this->getPoliciesForUser( $user );
78  return $this->checkPolicies(
79  $user,
80  $password,
81  $effectivePolicy,
82  $this->policyCheckFunctions
83  );
84  }
85 
99  public function checkUserPasswordForGroups( User $user, $password, array $groups ) {
100  $effectivePolicy = self::getPoliciesForGroups(
101  $this->policies,
102  $groups,
103  $this->policies['default']
104  );
105  return $this->checkPolicies(
106  $user,
107  $password,
108  $effectivePolicy,
109  $this->policyCheckFunctions
110  );
111  }
112 
120  private function checkPolicies( User $user, $password, $policies, $policyCheckFunctions ) {
121  $status = Status::newGood( [] );
122  $forceChange = false;
123  $suggestChangeOnLogin = false;
124  foreach ( $policies as $policy => $settings ) {
125  if ( !isset( $policyCheckFunctions[$policy] ) ) {
126  throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
127  }
128  if ( !is_array( $settings ) ) {
129  // legacy format
130  $settings = [ 'value' => $settings ];
131  }
132  if ( !array_key_exists( 'value', $settings ) ) {
133  throw new DomainException( "Invalid password policy config. No value defined for '$policy'." );
134  }
135  $value = $settings['value'];
137  $policyStatus = call_user_func(
138  $policyCheckFunctions[$policy],
139  $value,
140  $user,
141  $password
142  );
143 
144  if ( !$policyStatus->isGood() ) {
145  if ( !empty( $settings['forceChange'] ) ) {
146  $forceChange = true;
147  }
148 
149  if ( !empty( $settings['suggestChangeOnLogin'] ) ) {
150  $suggestChangeOnLogin = true;
151  }
152  }
153  $status->merge( $policyStatus );
154  }
155 
156  if ( $status->isOK() ) {
157  if ( $forceChange ) {
158  $status->value['forceChange'] = true;
159  } elseif ( $suggestChangeOnLogin ) {
160  $status->value['suggestChangeOnLogin'] = true;
161  }
162  }
163 
164  return $status;
165  }
166 
173  public function getPoliciesForUser( User $user ) {
174  $effectivePolicy = self::getPoliciesForGroups(
175  $this->policies,
176  $user->getEffectiveGroups(),
177  $this->policies['default']
178  );
179 
180  Hooks::runner()->onPasswordPoliciesForUser( $user, $effectivePolicy );
181 
182  return $effectivePolicy;
183  }
184 
193  public static function getPoliciesForGroups( array $policies, array $userGroups,
194  array $defaultPolicy
195  ) {
196  $effectivePolicy = $defaultPolicy;
197  foreach ( $policies as $group => $policy ) {
198  if ( in_array( $group, $userGroups ) ) {
199  $effectivePolicy = self::maxOfPolicies(
200  $effectivePolicy,
201  $policy
202  );
203  }
204  }
205 
206  return $effectivePolicy;
207  }
208 
217  public static function maxOfPolicies( array $p1, array $p2 ) {
218  $ret = [];
219  $keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
220  foreach ( $keys as $key ) {
221  if ( !isset( $p1[$key] ) ) {
222  $ret[$key] = $p2[$key];
223  } elseif ( !isset( $p2[$key] ) ) {
224  $ret[$key] = $p1[$key];
225  } elseif ( !is_array( $p1[$key] ) && !is_array( $p2[$key] ) ) {
226  $ret[$key] = max( $p1[$key], $p2[$key] );
227  } else {
228  if ( !is_array( $p1[$key] ) ) {
229  $p1[$key] = [ 'value' => $p1[$key] ];
230  } elseif ( !is_array( $p2[$key] ) ) {
231  $p2[$key] = [ 'value' => $p2[$key] ];
232  }
233  $ret[$key] = self::maxOfPolicies( $p1[$key], $p2[$key] );
234  }
235  }
236  return $ret;
237  }
238 
239 }
UserPasswordPolicy\maxOfPolicies
static maxOfPolicies(array $p1, array $p2)
Utility function to get a policy that is the most restrictive of $p1 and $p2.
Definition: UserPasswordPolicy.php:217
UserPasswordPolicy\getPoliciesForUser
getPoliciesForUser(User $user)
Get the policy for a user, based on their group membership.
Definition: UserPasswordPolicy.php:173
UserPasswordPolicy\getPoliciesForGroups
static getPoliciesForGroups(array $policies, array $userGroups, array $defaultPolicy)
Utility function to get the effective policy from a list of policies, based on a list of groups.
Definition: UserPasswordPolicy.php:193
UserPasswordPolicy\checkUserPassword
checkUserPassword(User $user, $password)
Check if a password meets the effective password policy for a User.
Definition: UserPasswordPolicy.php:76
UserPasswordPolicy\checkPolicies
checkPolicies(User $user, $password, $policies, $policyCheckFunctions)
Definition: UserPasswordPolicy.php:120
UserPasswordPolicy\__construct
__construct(array $policies, array $checks)
Definition: UserPasswordPolicy.php:48
User\getEffectiveGroups
getEffectiveGroups( $recache=false)
Get the list of implicit group memberships this user has.
Definition: User.php:2966
UserPasswordPolicy
Check if a user's password complies with any password policies that apply to that user,...
Definition: UserPasswordPolicy.php:28
StatusValue\newGood
static newGood( $value=null)
Factory function for good results.
Definition: StatusValue.php:82
UserPasswordPolicy\checkUserPasswordForGroups
checkUserPasswordForGroups(User $user, $password, array $groups)
Check if a password meets the effective password policy for a User, using a set of groups they may or...
Definition: UserPasswordPolicy.php:99
Hooks\runner
static runner()
Get a HookRunner instance for calling hooks using the new interfaces.
Definition: Hooks.php:172
$keys
$keys
Definition: testCompression.php:72
UserPasswordPolicy\$policies
array $policies
Definition: UserPasswordPolicy.php:33
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition: User.php:66
UserPasswordPolicy\$policyCheckFunctions
array $policyCheckFunctions
Mapping of statements to the function that will test the password for compliance.
Definition: UserPasswordPolicy.php:41