Add sslCAFile option to DatabaseMysqli
[mediawiki.git] / includes / password / UserPasswordPolicy.php
blobbf1f8acfb7d3aa48757cb39e47864d4b2f91486d
1 <?php
2 /**
3 * Password policy checking for a user
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
20 * @file
23 /**
24 * Check if a user's password complies with any password policies that apply to that
25 * user, based on the user's group membership.
26 * @since 1.26
28 class UserPasswordPolicy {
30 /**
31 * @var array
33 private $policies;
35 /**
36 * Mapping of statements to the function that will test the password for compliance. The
37 * checking functions take the policy value, the user, and password, and return a Status
38 * object indicating compliance.
39 * @var array
41 private $policyCheckFunctions;
43 /**
44 * @param array $policies
45 * @param array $checks mapping statement to its checking function. Checking functions are
46 * called with the policy value for this user, the user object, and the password to check.
48 public function __construct( array $policies, array $checks ) {
49 if ( !isset( $policies['default'] ) ) {
50 throw new InvalidArgumentException(
51 'Must include a \'default\' password policy'
54 $this->policies = $policies;
56 foreach ( $checks as $statement => $check ) {
57 if ( !is_callable( $check ) ) {
58 throw new InvalidArgumentException(
59 "Policy check functions must be callable. '$statement' isn't callable."
62 $this->policyCheckFunctions[$statement] = $check;
66 /**
67 * Check if a passwords meets the effective password policy for a User.
68 * @param User $user who's policy we are checking
69 * @param string $password the password to check
70 * @return Status error to indicate the password didn't meet the policy, or fatal to
71 * indicate the user shouldn't be allowed to login.
73 public function checkUserPassword( User $user, $password ) {
74 $effectivePolicy = $this->getPoliciesForUser( $user );
75 return $this->checkPolicies(
76 $user,
77 $password,
78 $effectivePolicy,
79 $this->policyCheckFunctions
83 /**
84 * Check if a passwords meets the effective password policy for a User, using a set
85 * of groups they may or may not belong to. This function does not use the DB, so can
86 * be used in the installer.
87 * @param User $user who's policy we are checking
88 * @param string $password the password to check
89 * @param array $groups list of groups to which we assume the user belongs
90 * @return Status error to indicate the password didn't meet the policy, or fatal to
91 * indicate the user shouldn't be allowed to login.
93 public function checkUserPasswordForGroups( User $user, $password, array $groups ) {
94 $effectivePolicy = self::getPoliciesForGroups(
95 $this->policies,
96 $groups,
97 $this->policies['default']
99 return $this->checkPolicies(
100 $user,
101 $password,
102 $effectivePolicy,
103 $this->policyCheckFunctions
108 * @param User $user
109 * @param string $password
110 * @param array $policies
111 * @param array $policyCheckFunctions
112 * @return Status
114 private function checkPolicies( User $user, $password, $policies, $policyCheckFunctions ) {
115 $status = Status::newGood();
116 foreach ( $policies as $policy => $value ) {
117 if ( !isset( $policyCheckFunctions[$policy] ) ) {
118 throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
120 $status->merge(
121 call_user_func(
122 $policyCheckFunctions[$policy],
123 $value,
124 $user,
125 $password
129 return $status;
133 * Get the policy for a user, based on their group membership. Public so
134 * UI elements can access and inform the user.
135 * @param User $user
136 * @return array the effective policy for $user
138 public function getPoliciesForUser( User $user ) {
139 $effectivePolicy = self::getPoliciesForGroups(
140 $this->policies,
141 $user->getEffectiveGroups(),
142 $this->policies['default']
145 Hooks::run( 'PasswordPoliciesForUser', [ $user, &$effectivePolicy ] );
147 return $effectivePolicy;
151 * Utility function to get the effective policy from a list of policies, based
152 * on a list of groups.
153 * @param array $policies list of policies to consider
154 * @param array $userGroups the groups from which we calculate the effective policy
155 * @param array $defaultPolicy the default policy to start from
156 * @return array effective policy
158 public static function getPoliciesForGroups( array $policies, array $userGroups,
159 array $defaultPolicy
161 $effectivePolicy = $defaultPolicy;
162 foreach ( $policies as $group => $policy ) {
163 if ( in_array( $group, $userGroups ) ) {
164 $effectivePolicy = self::maxOfPolicies(
165 $effectivePolicy,
166 $policies[$group]
171 return $effectivePolicy;
175 * Utility function to get a policy that is the most restrictive of $p1 and $p2. For
176 * simplicity, we setup the policy values so the maximum value is always more restrictive.
177 * @param array $p1
178 * @param array $p2
179 * @return array containing the more restrictive values of $p1 and $p2
181 public static function maxOfPolicies( array $p1, array $p2 ) {
182 $ret = [];
183 $keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
184 foreach ( $keys as $key ) {
185 if ( !isset( $p1[$key] ) ) {
186 $ret[$key] = $p2[$key];
187 } elseif ( !isset( $p2[$key] ) ) {
188 $ret[$key] = $p1[$key];
189 } else {
190 $ret[$key] = max( $p1[$key], $p2[$key] );
193 return $ret;