UserPasswordPolicy.php

Go to the documentation of this file.

<?php
declare( strict_types = 1 );
 
namespace MediaWiki\Password;
 
use DomainException;
use InvalidArgumentException;
use MediaWiki\HookContainer\HookRunner;
use MediaWiki\MediaWikiServices;
use MediaWiki\Status\Status;
use MediaWiki\User\UserIdentity;
use StatusValue;
 
class UserPasswordPolicy {
 
    private array $policies;
 
    private array $policyCheckFunctions = [];
 
    public function __construct( array $policies, array $checks ) {
        if ( !isset( $policies['default'] ) ) {
            throw new InvalidArgumentException(
                'Must include a \'default\' password policy'
            );
        }
        $this->policies = $policies;
 
        foreach ( $checks as $statement => $check ) {
            if ( !is_callable( $check ) ) {
                throw new InvalidArgumentException(
                    "Policy check functions must be callable. '$statement' isn't callable."
                );
            }
            $this->policyCheckFunctions[$statement] = $check;
        }
    }
 
    public function checkUserPassword( UserIdentity $user, string $password ): Status {
        $effectivePolicy = $this->getPoliciesForUser( $user );
        return $this->checkPolicies(
            $user,
            $password,
            $effectivePolicy,
            $this->policyCheckFunctions
        );
    }
 
    public function checkUserPasswordForGroups( UserIdentity $user, string $password, array $groups ): Status {
        $effectivePolicy = self::getPoliciesForGroups(
            $this->policies,
            $groups,
            $this->policies['default']
        );
        return $this->checkPolicies(
            $user,
            $password,
            $effectivePolicy,
            $this->policyCheckFunctions
        );
    }
 
    private function checkPolicies(
        UserIdentity $user,
        string $password,
        array $policies,
        array $policyCheckFunctions
    ): Status {
        $status = Status::newGood( [] );
        $forceChange = false;
        $suggestChangeOnLogin = false;
        $legacyUser = MediaWikiServices::getInstance()
            ->getUserFactory()
            ->newFromUserIdentity( $user );
        foreach ( $policies as $policy => $settings ) {
            if ( !isset( $policyCheckFunctions[$policy] ) ) {
                throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
            }
            if ( !is_array( $settings ) ) {
                // legacy format
                $settings = [ 'value' => $settings ];
            }
            if ( !array_key_exists( 'value', $settings ) ) {
                throw new DomainException( "Invalid password policy config. No value defined for '$policy'." );
            }
            $value = $settings['value'];
            $policyStatus = $policyCheckFunctions[$policy](
                $value,
                $legacyUser,
                $password
            );
 
            if ( !$policyStatus->isGood() ) {
                if ( !empty( $settings['forceChange'] ) ) {
                    $forceChange = true;
                }
 
                if ( !empty( $settings['suggestChangeOnLogin'] ) ) {
                    $suggestChangeOnLogin = true;
                }
            }
            $status->merge( $policyStatus );
        }
 
        if ( $status->isOK() ) {
            if ( $forceChange ) {
                $status->value['forceChange'] = true;
            } elseif ( $suggestChangeOnLogin ) {
                $status->value['suggestChangeOnLogin'] = true;
            }
        }
 
        return $status;
    }
 
    public function getPoliciesForUser( UserIdentity $user ): array {
        $services = MediaWikiServices::getInstance();
        $effectivePolicy = self::getPoliciesForGroups(
            $this->policies,
            $services->getUserGroupManager()
                ->getUserEffectiveGroups( $user ),
            $this->policies['default']
        );
 
        $legacyUser = $services->getUserFactory()
            ->newFromUserIdentity( $user );
        ( new HookRunner( $services->getHookContainer() ) )->onPasswordPoliciesForUser( $legacyUser, $effectivePolicy );
 
        return $effectivePolicy;
    }
 
    public static function getPoliciesForGroups( array $policies, array $userGroups,
        array $defaultPolicy
    ): array {
        $effectivePolicy = $defaultPolicy;
        foreach ( $policies as $group => $policy ) {
            if ( in_array( $group, $userGroups ) ) {
                $effectivePolicy = self::maxOfPolicies(
                    $effectivePolicy,
                    $policy
                );
            }
        }
 
        return $effectivePolicy;
    }
 
    public static function maxOfPolicies( array $p1, array $p2 ): array {
        $ret = [];
        $keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
        foreach ( $keys as $key ) {
            if ( !isset( $p1[$key] ) ) {
                $ret[$key] = $p2[$key];
            } elseif ( !isset( $p2[$key] ) ) {
                $ret[$key] = $p1[$key];
            } elseif ( !is_array( $p1[$key] ) && !is_array( $p2[$key] ) ) {
                $ret[$key] = max( $p1[$key], $p2[$key] );
            } else {
                if ( !is_array( $p1[$key] ) ) {
                    $p1[$key] = [ 'value' => $p1[$key] ];
                } elseif ( !is_array( $p2[$key] ) ) {
                    $p2[$key] = [ 'value' => $p2[$key] ];
                }
                $ret[$key] = self::maxOfPolicies( $p1[$key], $p2[$key] );
            }
        }
        return $ret;
    }
 
}
 
class_alias( UserPasswordPolicy::class, 'UserPasswordPolicy' );