dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
RCFilters: Export config vars in the RL modules where possible
[lhc/web/wiklou.git] / includes / password / UserPasswordPolicy.php
1 <?php
2 /**
3 * Password policy checking for a user
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 */
22
23 /**
24 * Check if a user's password complies with any password policies that apply to that
25 * user, based on the user's group membership.
26 * @since 1.26
27 */
28 class UserPasswordPolicy {
29
30 /**
31 * @var array
32 */
33 private $policies;
34
35 /**
36 * Mapping of statements to the function that will test the password for compliance. The
37 * checking functions take the policy value, the user, and password, and return a Status
38 * object indicating compliance.
39 * @var array
40 */
41 private $policyCheckFunctions;
42
43 /**
44 * @param array $policies
45 * @param array $checks mapping statement to its checking function. Checking functions are
46 * called with the policy value for this user, the user object, and the password to check.
47 */
48 public function __construct( array $policies, array $checks ) {
49 if ( !isset( $policies['default'] ) ) {
50 throw new InvalidArgumentException(
51 'Must include a \'default\' password policy'
52 );
53 }
54 $this->policies = $policies;
55
56 foreach ( $checks as $statement => $check ) {
57 if ( !is_callable( $check ) ) {
58 throw new InvalidArgumentException(
59 "Policy check functions must be callable. '$statement' isn't callable."
60 );
61 }
62 $this->policyCheckFunctions[$statement] = $check;
63 }
64 }
65
66 /**
67 * Check if a passwords meets the effective password policy for a User.
68 * @param User $user who's policy we are checking
69 * @param string $password the password to check
70 * @return Status error to indicate the password didn't meet the policy, or fatal to
71 * indicate the user shouldn't be allowed to login. The status value will be an array,
72 * potentially with the following keys:
73 * - forceChange: do not allow the user to login without changing the password if invalid.
74 */
75 public function checkUserPassword( User $user, $password ) {
76 $effectivePolicy = $this->getPoliciesForUser( $user );
77 return $this->checkPolicies(
78 $user,
79 $password,
80 $effectivePolicy,
81 $this->policyCheckFunctions
82 );
83 }
84
85 /**
86 * Check if a passwords meets the effective password policy for a User, using a set
87 * of groups they may or may not belong to. This function does not use the DB, so can
88 * be used in the installer.
89 * @param User $user who's policy we are checking
90 * @param string $password the password to check
91 * @param array $groups list of groups to which we assume the user belongs
92 * @return Status error to indicate the password didn't meet the policy, or fatal to
93 * indicate the user shouldn't be allowed to login. The status value will be an array,
94 * potentially with the following keys:
95 * - forceChange: do not allow the user to login without changing the password if invalid.
96 */
97 public function checkUserPasswordForGroups( User $user, $password, array $groups ) {
98 $effectivePolicy = self::getPoliciesForGroups(
99 $this->policies,
100 $groups,
101 $this->policies['default']
102 );
103 return $this->checkPolicies(
104 $user,
105 $password,
106 $effectivePolicy,
107 $this->policyCheckFunctions
108 );
109 }
110
111 /**
112 * @param User $user
113 * @param string $password
114 * @param array $policies
115 * @param array $policyCheckFunctions
116 * @return Status
117 */
118 private function checkPolicies( User $user, $password, $policies, $policyCheckFunctions ) {
119 $status = Status::newGood( [] );
120 $forceChange = false;
121 foreach ( $policies as $policy => $settings ) {
122 if ( !isset( $policyCheckFunctions[$policy] ) ) {
123 throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
124 }
125 if ( !is_array( $settings ) ) {
126 // legacy format
127 $settings = [ 'value' => $settings ];
128 }
129 if ( !array_key_exists( 'value', $settings ) ) {
130 throw new DomainException( "Invalid password policy config. No value defined for '$policy'." );
131 }
132 $value = $settings['value'];
133 /** @var StatusValue $policyStatus */
134 $policyStatus = call_user_func(
135 $policyCheckFunctions[$policy],
136 $value,
137 $user,
138 $password
139 );
140 if ( !$policyStatus->isGood() && !empty( $settings['forceChange'] ) ) {
141 $forceChange = true;
142 }
143 $status->merge( $policyStatus );
144 }
145 if ( $status->isOK() && $forceChange ) {
146 $status->value['forceChange'] = true;
147 }
148 return $status;
149 }
150
151 /**
152 * Get the policy for a user, based on their group membership. Public so
153 * UI elements can access and inform the user.
154 * @param User $user
155 * @return array the effective policy for $user
156 */
157 public function getPoliciesForUser( User $user ) {
158 $effectivePolicy = self::getPoliciesForGroups(
159 $this->policies,
160 $user->getEffectiveGroups(),
161 $this->policies['default']
162 );
163
164 Hooks::run( 'PasswordPoliciesForUser', [ $user, &$effectivePolicy ] );
165
166 return $effectivePolicy;
167 }
168
169 /**
170 * Utility function to get the effective policy from a list of policies, based
171 * on a list of groups.
172 * @param array $policies list of policies to consider
173 * @param array $userGroups the groups from which we calculate the effective policy
174 * @param array $defaultPolicy the default policy to start from
175 * @return array effective policy
176 */
177 public static function getPoliciesForGroups( array $policies, array $userGroups,
178 array $defaultPolicy
179 ) {
180 $effectivePolicy = $defaultPolicy;
181 foreach ( $policies as $group => $policy ) {
182 if ( in_array( $group, $userGroups ) ) {
183 $effectivePolicy = self::maxOfPolicies(
184 $effectivePolicy,
185 $policies[$group]
186 );
187 }
188 }
189
190 return $effectivePolicy;
191 }
192
193 /**
194 * Utility function to get a policy that is the most restrictive of $p1 and $p2. For
195 * simplicity, we setup the policy values so the maximum value is always more restrictive.
196 * It is also used recursively to merge settings within the same policy.
197 * @param array $p1
198 * @param array $p2
199 * @return array containing the more restrictive values of $p1 and $p2
200 */
201 public static function maxOfPolicies( array $p1, array $p2 ) {
202 $ret = [];
203 $keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
204 foreach ( $keys as $key ) {
205 if ( !isset( $p1[$key] ) ) {
206 $ret[$key] = $p2[$key];
207 } elseif ( !isset( $p2[$key] ) ) {
208 $ret[$key] = $p1[$key];
209 } elseif ( !is_array( $p1[$key] ) && !is_array( $p2[$key] ) ) {
210 $ret[$key] = max( $p1[$key], $p2[$key] );
211 } else {
212 if ( !is_array( $p1[$key] ) ) {
213 $p1[$key] = [ 'value' => $p1[$key] ];
214 } elseif ( !is_array( $p2[$key] ) ) {
215 $p2[$key] = [ 'value' => $p2[$key] ];
216 }
217 $ret[$key] = self::maxOfPolicies( $p1[$key], $p2[$key] );
218 }
219 }
220 return $ret;
221 }
222
223 }
Wiklou, le Wiki du Wiklou