1 <?php
2 /**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
17 *
18 * @file
19 * @ingroup Auth
20 */
21
22 namespace MediaWiki\Auth;
23
24 use Password;
25 use PasswordFactory;
26 use Status;
27
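/**
 * Basic framework for a primary authentication provider that uses passwords
 *
 * The class provides shared helpers (hash parsing, policy checks, the
 * failure response, reset flagging, expiry calculation). Nothing in it
 * compares a submitted password with a stored hash; that is left to
 * subclasses.
 *
 * @ingroup Auth
 * @since 1.27
 */
abstract class AbstractPasswordPrimaryAuthenticationProvider
	extends AbstractPrimaryAuthenticationProvider
{
	/** @var bool Whether this provider should ABSTAIN (false) or FAIL (true) on password failure */
	protected $authoritative;

	/** @var PasswordFactory|null Created on first use by getPasswordFactory() */
	private $passwordFactory = null;

	/**
	 * @param array $params Settings
	 *  - authoritative: Whether this provider should ABSTAIN (false) or FAIL
	 *    (true) on password failure
	 */
	public function __construct( array $params = [] ) {
		// The default is the strict one: when the key is missing (or null, which
		// isset() treats as missing) the provider is authoritative and a bad
		// password produces FAIL rather than ABSTAIN. Any other value is cast
		// to bool, so e.g. the string '0' turns authoritative mode off.
		$this->authoritative = !isset( $params['authoritative'] ) || (bool)$params['authoritative'];
	}

	/**
	 * Get the PasswordFactory
	 *
	 * The factory is built once per provider instance from the
	 * 'PasswordConfig' and 'PasswordDefault' settings and then reused.
	 *
	 * @return PasswordFactory
	 */
	protected function getPasswordFactory() {
		if ( $this->passwordFactory === null ) {
			$this->passwordFactory = new PasswordFactory(
				$this->config->get( 'PasswordConfig' ),
				$this->config->get( 'PasswordDefault' )
			);
		}
		return $this->passwordFactory;
	}

	/**
	 * Get a Password object from the hash
	 *
	 * A hash the factory rejects does not abort the login attempt: the error
	 * is logged and the object built from a null ciphertext is returned.
	 *
	 * @param string $hash
	 * @return Password
	 */
	protected function getPassword( $hash ) {
		$passwordFactory = $this->getPasswordFactory();
		try {
			return $passwordFactory->newFromCiphertext( $hash );
		} catch ( \PasswordError $e ) {
			// Only the class name is logged; the stored hash is deliberately
			// kept out of the log line.
			// NOTE(review): this is logged at debug level, so a corrupted or
			// tampered hash column may go unnoticed where debug logging is
			// off - consider whether it deserves a higher level.
			$class = static::class;
			$this->logger->debug( "Invalid password hash in {$class}::getPassword()" );
			// NOTE(review): presumably a null ciphertext yields a password
			// object that matches nothing (fail closed) - confirm against
			// PasswordFactory::newFromCiphertext().
			return $passwordFactory->newFromCiphertext( null );
		}
	}

	/**
	 * Return the appropriate response for failure
	 *
	 * An authoritative provider returns FAIL with a message that depends only
	 * on whether the submitted password was the empty string; otherwise the
	 * provider returns ABSTAIN.
	 *
	 * @param PasswordAuthenticationRequest $req
	 * @return AuthenticationResponse
	 */
	protected function failResponse( PasswordAuthenticationRequest $req ) {
		if ( $this->authoritative ) {
			return AuthenticationResponse::newFail(
				wfMessage( $req->password === '' ? 'wrongpasswordempty' : 'wrongpassword' )
			);
		} else {
			// NOTE(review): ABSTAIN presumably lets another primary provider
			// handle the request, so a non-authoritative provider is only as
			// strict as the providers configured alongside it - confirm
			// against AuthManager.
			return AuthenticationResponse::newAbstain();
		}
	}

	/**
	 * Check that the password is valid
	 *
	 * This should be called *before* validating the password. If the result is
	 * not ok, login should fail immediately.
	 *
	 * A username that cannot be turned into a User object yields a fatal
	 * Status ('noname') instead of a call on a non-object, so the caller's
	 * "not ok" path is taken and the attempt fails closed.
	 *
	 * @param string $username
	 * @param string $password
	 * @return Status
	 */
	protected function checkPasswordValidity( $username, $password ) {
		// User::newFromName() returns false for a name it considers invalid.
		$user = \User::newFromName( $username );
		if ( !$user ) {
			return Status::newFatal( 'noname' );
		}

		return $user->checkPasswordValidity( $password );
	}

	/**
	 * Check if the password should be reset
	 *
	 * This should be called after a successful login. It sets 'reset-pass'
	 * authentication data if necessary, see
	 * ResetPassSecondaryAuthenticationProvider.
	 *
	 * @param string $username
	 * @param Status $status From $this->checkPasswordValidity()
	 * @param mixed|null $data Passed through to $this->getPasswordResetData()
	 */
	protected function setPasswordResetFlag( $username, Status $status, $data = null ) {
		// A reset requested by the subclass takes precedence over one derived
		// from the password policy result.
		$reset = $this->getPasswordResetData( $username, $data );

		// Policy-driven reset: only when 'InvalidPasswordReset' is enabled and
		// the validity check reported at least a warning.
		if ( !$reset && $this->config->get( 'InvalidPasswordReset' ) && !$status->isGood() ) {
			// 'forceChange' makes the reset mandatory ("hard"); without it the
			// reset is only offered when 'suggestChangeOnLogin' is set.
			$hard = $status->getValue()['forceChange'] ?? false;

			if ( $hard || !empty( $status->getValue()['suggestChangeOnLogin'] ) ) {
				$reset = (object)[
					'msg' => $status->getMessage( $hard ? 'resetpass-validity' : 'resetpass-validity-soft' ),
					'hard' => $hard,
				];
			}
		}

		if ( $reset ) {
			$this->manager->setAuthenticationSessionData( 'reset-pass', $reset );
		}
	}

	/**
	 * Get password reset data, if any
	 *
	 * This base implementation never requests a reset; subclasses override it.
	 *
	 * @param string $username
	 * @param mixed $data
	 * @return object|null { 'hard' => bool, 'msg' => Message }
	 */
	protected function getPasswordResetData( $username, $data ) {
		return null;
	}

	/**
	 * Get expiration date for a new password, if any
	 *
	 * @param string $username
	 * @return string|null TS_MW timestamp, or null when no expiry applies
	 */
	protected function getNewPasswordExpiry( $username ) {
		// A falsy 'PasswordExpirationDays' (0, null, '') means new passwords
		// do not expire by default.
		$days = $this->config->get( 'PasswordExpirationDays' );
		$expires = $days ? wfTimestamp( TS_MW, time() + $days * 86400 ) : null;

		// Give extensions a chance to force an expiration
		// $expires is passed by reference, so a handler can set, change or
		// clear the expiry.
		// NOTE(review): User::newFromName() returns false for an invalid name
		// and that value is handed to the handlers as-is - confirm callers
		// only pass validated usernames.
		\Hooks::run( 'ResetPasswordExpiration', [ \User::newFromName( $username ), &$expires ] );

		return $expires;
	}

	/**
	 * Return the request objects this provider needs for an action
	 *
	 * Login, remove, create and change each need one
	 * PasswordAuthenticationRequest; every other action needs none.
	 *
	 * @param string $action One of the AuthManager::ACTION_* constants
	 * @param array $options Not used by this implementation
	 * @return AuthenticationRequest[]
	 */
	public function getAuthenticationRequests( $action, array $options ) {
		switch ( $action ) {
			case AuthManager::ACTION_LOGIN:
			case AuthManager::ACTION_REMOVE:
			case AuthManager::ACTION_CREATE:
			case AuthManager::ACTION_CHANGE:
				return [ new PasswordAuthenticationRequest() ];
			default:
				return [];
		}
	}
}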