includes/password/PasswordPolicyChecks.php

   1 <?php
   2 /**
   3  * Password policy checks
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 use Cdb\Reader as CdbReader;
  24 use MediaWiki\MediaWikiServices;
  25
  26 /**
  27  * Functions to check passwords against a policy requirement
  28  * @since 1.26
  29  */
  30 class PasswordPolicyChecks {
  31
  32         /**
  33          * Check password is longer than minimum, not fatal
  34          * @param int $policyVal minimal length
  35          * @param User $user
  36          * @param string $password
  37          * @return Status error if $password is shorter than $policyVal
  38          */
  39         public static function checkMinimalPasswordLength( $policyVal, User $user, $password ) {
  40                 $status = Status::newGood();
  41                 if ( $policyVal > strlen( $password ) ) {
  42                         $status->error( 'passwordtooshort', $policyVal );
  43                 }
  44                 return $status;
  45         }
  46
  47         /**
  48          * Check password is longer than minimum, fatal
  49          * @param int $policyVal minimal length
  50          * @param User $user
  51          * @param string $password
  52          * @return Status fatal if $password is shorter than $policyVal
  53          */
  54         public static function checkMinimumPasswordLengthToLogin( $policyVal, User $user, $password ) {
  55                 $status = Status::newGood();
  56                 if ( $policyVal > strlen( $password ) ) {
  57                         $status->fatal( 'passwordtooshort', $policyVal );
  58                 }
  59                 return $status;
  60         }
  61
  62         /**
  63          * Check password is shorter than maximum, fatal
  64          * @param int $policyVal maximum length
  65          * @param User $user
  66          * @param string $password
  67          * @return Status fatal if $password is shorter than $policyVal
  68          */
  69         public static function checkMaximalPasswordLength( $policyVal, User $user, $password ) {
  70                 $status = Status::newGood();
  71                 if ( $policyVal < strlen( $password ) ) {
  72                         $status->fatal( 'passwordtoolong', $policyVal );
  73                 }
  74                 return $status;
  75         }
  76
  77         /**
  78          * Check if username and password match
  79          * @param bool $policyVal true to force compliance.
  80          * @param User $user
  81          * @param string $password
  82          * @return Status error if username and password match, and policy is true
  83          */
  84         public static function checkPasswordCannotMatchUsername( $policyVal, User $user, $password ) {
  85                 $status = Status::newGood();
  86                 $username = $user->getName();
  87                 $contLang = MediaWikiServices::getInstance()->getContentLanguage();
  88                 if (
  89                         $policyVal && $contLang->lc( $password ) === $contLang->lc( $username )
  90                 ) {
  91                         $status->error( 'password-name-match' );
  92                 }
  93                 return $status;
  94         }
  95
  96         /**
  97          * Check if username and password are on a blacklist
  98          * @param bool $policyVal true to force compliance.
  99          * @param User $user
 100          * @param string $password
 101          * @return Status error if username and password match, and policy is true
 102          */
 103         public static function checkPasswordCannotMatchBlacklist( $policyVal, User $user, $password ) {
 104                 static $blockedLogins = [
 105                         'Useruser' => 'Passpass', 'Useruser1' => 'Passpass1', # r75589
 106                         'Apitestsysop' => 'testpass', 'Apitestuser' => 'testpass' # r75605
 107                 ];
 108
 109                 $status = Status::newGood();
 110                 $username = $user->getName();
 111                 if ( $policyVal ) {
 112                         if ( isset( $blockedLogins[$username] ) && $password == $blockedLogins[$username] ) {
 113                                 $status->error( 'password-login-forbidden' );
 114                         }
 115
 116                         // Example from ApiChangeAuthenticationRequest
 117                         if ( $password === 'ExamplePassword' ) {
 118                                 $status->error( 'password-login-forbidden' );
 119                         }
 120                 }
 121                 return $status;
 122         }
 123
 124         /**
 125          * Ensure that password isn't in top X most popular passwords
 126          *
 127          * @param int $policyVal Cut off to use. Will automatically shrink to the max
 128          *   supported for error messages if set to more than max number of passwords on file,
 129          *   so you can use the PHP_INT_MAX constant here safely.
 130          * @param User $user
 131          * @param string $password
 132          * @since 1.27
 133          * @return Status
 134          */
 135         public static function checkPopularPasswordBlacklist( $policyVal, User $user, $password ) {
 136                 global $wgPopularPasswordFile, $wgSitename;
 137                 $status = Status::newGood();
 138                 if ( $policyVal > 0 ) {
 139                         $langEn = Language::factory( 'en' );
 140                         $passwordKey = $langEn->lc( trim( $password ) );
 141
 142                         // People often use the name of the current site, which won't be
 143                         // in the common password file. Also check '' for people who use
 144                         // just whitespace.
 145                         $sitename = $langEn->lc( trim( $wgSitename ) );
 146                         $hardcodedCommonPasswords = [ '', 'wiki', 'mediawiki', $sitename ];
 147                         if ( in_array( $passwordKey, $hardcodedCommonPasswords ) ) {
 148                                 $status->error( 'passwordtoopopular' );
 149                                 return $status;
 150                         }
 151
 152                         // This could throw an exception, but there's not a good way
 153                         // of failing gracefully, if say the file is missing, so just
 154                         // let the exception fall through.
 155                         // Format of cdb file is mapping password => popularity rank.
 156                         // See maintenance/createCommonPasswordCdb.php
 157                         $db = CdbReader::open( $wgPopularPasswordFile );
 158
 159                         $res = $db->get( $passwordKey );
 160                         if ( $res && (int)$res <= $policyVal ) {
 161                                 // Note: If you want to find the true number of common
 162                                 // passwords stored (for reporting the error), you have to take
 163                                 // the max of the policyVal and $db->get( '_TOTALENTRIES' ).
 164                                 $status->error( 'passwordtoopopular' );
 165                         }
 166                 }
 167                 return $status;
 168         }
 169
 170 }