includes/auth/AbstractPasswordPrimaryAuthenticationProvider.php

   1 <?php
   2 /**
   3  * This program is free software; you can redistribute it and/or modify
   4  * it under the terms of the GNU General Public License as published by
   5  * the Free Software Foundation; either version 2 of the License, or
   6  * (at your option) any later version.
   7  *
   8  * This program is distributed in the hope that it will be useful,
   9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11  * GNU General Public License for more details.
  12  *
  13  * You should have received a copy of the GNU General Public License along
  14  * with this program; if not, write to the Free Software Foundation, Inc.,
  15  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  16  * http://www.gnu.org/copyleft/gpl.html
  17  *
  18  * @file
  19  * @ingroup Auth
  20  */
  21
  22 namespace MediaWiki\Auth;
  23
  24 use MediaWiki\MainConfigNames;
  25 use MediaWiki\Password\Password;
  26 use MediaWiki\Password\PasswordError;
  27 use MediaWiki\Password\PasswordFactory;
  28 use MediaWiki\SpecialPage\SpecialPage;
  29 use MediaWiki\Status\Status;
  30 use MediaWiki\User\User;
  31 use Wikimedia\Assert\Assert;
  32
  33 /**
  34  * Basic framework for a primary authentication provider that uses passwords
  35  *
  36  * @stable to extend
  37  * @ingroup Auth
  38  * @since 1.27
  39  */
  40 abstract class AbstractPasswordPrimaryAuthenticationProvider
  41         extends AbstractPrimaryAuthenticationProvider
  42 {
  43         /** @var bool Whether this provider should ABSTAIN (false) or FAIL (true) on password failure */
  44         protected $authoritative;
  45
  46         /** @var PasswordFactory|null */
  47         private $passwordFactory = null;
  48
  49         /**
  50          * @stable to call
  51          * @param array $params Settings
  52          *  - authoritative: Whether this provider should ABSTAIN (false) or FAIL
  53          *    (true) on password failure
  54          */
  55         public function __construct( array $params = [] ) {
  56                 $this->authoritative = !isset( $params['authoritative'] ) || (bool)$params['authoritative'];
  57         }
  58
  59         /**
  60          * @return PasswordFactory
  61          */
  62         protected function getPasswordFactory() {
  63                 if ( $this->passwordFactory === null ) {
  64                         $this->passwordFactory = new PasswordFactory(
  65                                 $this->config->get( MainConfigNames::PasswordConfig ),
  66                                 $this->config->get( MainConfigNames::PasswordDefault )
  67                         );
  68                 }
  69                 return $this->passwordFactory;
  70         }
  71
  72         /**
  73          * Get a Password object from the hash
  74          * @param string $hash
  75          * @return Password
  76          */
  77         protected function getPassword( $hash ) {
  78                 $passwordFactory = $this->getPasswordFactory();
  79                 try {
  80                         return $passwordFactory->newFromCiphertext( $hash );
  81                 } catch ( PasswordError $e ) {
  82                         $class = static::class;
  83                         $this->logger->debug( "Invalid password hash in {$class}::getPassword()" );
  84                         return $passwordFactory->newFromCiphertext( null );
  85                 }
  86         }
  87
  88         /**
  89          * Return the appropriate response for failure
  90          * @param PasswordAuthenticationRequest $req
  91          * @return AuthenticationResponse
  92          */
  93         protected function failResponse( PasswordAuthenticationRequest $req ) {
  94                 if ( $this->authoritative ) {
  95                         return AuthenticationResponse::newFail(
  96                                 wfMessage( $req->password === '' ? 'wrongpasswordempty' : 'wrongpassword' )
  97                         );
  98                 } else {
  99                         return AuthenticationResponse::newAbstain();
 100                 }
 101         }
 102
 103         /**
 104          * Check that the password is valid
 105          *
 106          * This should be called *before* validating the password. If the result is
 107          * not ok, login should fail immediately.
 108          *
 109          * @param string $username
 110          * @param string $password
 111          * @return Status
 112          */
 113         protected function checkPasswordValidity( $username, $password ) {
 114                 return User::newFromName( $username )->checkPasswordValidity( $password );
 115         }
 116
 117         /**
 118          * Adds user-friendly description to a fatal password validity check error.
 119          * These errors prevent login even when the password is correct, so just displaying the
 120          * description of the error would be somewhat confusing.
 121          * @param string $username
 122          * @param Status $status The status returned by checkPasswordValidity(); must be a fatal.
 123          * @return AuthenticationResponse A FAIL response with an improved description.
 124          */
 125         protected function getFatalPasswordErrorResponse(
 126                 string $username,
 127                 Status $status
 128         ): AuthenticationResponse {
 129                 Assert::precondition( !$status->isOK(), __METHOD__ . ' expects a fatal Status' );
 130                 $resetLinkUrl = SpecialPage::getTitleFor( 'PasswordReset' )
 131                         ->getFullURL( [ 'wpUsername' => $username ] );
 132                 return AuthenticationResponse::newFail( wfMessage( 'fatalpassworderror',
 133                         $status->getMessage(), $resetLinkUrl ) );
 134         }
 135
 136         /**
 137          * Check if the password should be reset
 138          *
 139          * This should be called after a successful login. It sets 'reset-pass'
 140          * authentication data if necessary, see
 141          * ResetPassSecondaryAuthenticationProvider.
 142          *
 143          * @param string $username
 144          * @param Status $status From $this->checkPasswordValidity()
 145          * @param \stdClass|null $data Passed through to $this->getPasswordResetData()
 146          */
 147         protected function setPasswordResetFlag( $username, Status $status, $data = null ) {
 148                 $reset = $this->getPasswordResetData( $username, $data );
 149
 150                 if ( !$reset && $this->config->get( MainConfigNames::InvalidPasswordReset ) &&
 151                 !$status->isGood() ) {
 152                         $hard = $status->getValue()['forceChange'] ?? false;
 153
 154                         if ( $hard || !empty( $status->getValue()['suggestChangeOnLogin'] ) ) {
 155                                 $reset = (object)[
 156                                         'msg' => $status->getMessage( $hard ? 'resetpass-validity' : 'resetpass-validity-soft' ),
 157                                         'hard' => $hard,
 158                                 ];
 159                         }
 160                 }
 161
 162                 if ( $reset ) {
 163                         $this->manager->setAuthenticationSessionData( 'reset-pass', $reset );
 164                 }
 165         }
 166
 167         /**
 168          * Get password reset data, if any
 169          *
 170          * @stable to override
 171          * @param string $username
 172          * @param \stdClass|null $data
 173          * @return \stdClass|null { 'hard' => bool, 'msg' => Message }
 174          */
 175         protected function getPasswordResetData( $username, $data ) {
 176                 return null;
 177         }
 178
 179         /**
 180          * Get expiration date for a new password, if any
 181          *
 182          * @stable to override
 183          * @param string $username
 184          * @return string|null
 185          */
 186         protected function getNewPasswordExpiry( $username ) {
 187                 $days = $this->config->get( MainConfigNames::PasswordExpirationDays );
 188                 $expires = $days ? wfTimestamp( TS_MW, time() + $days * 86400 ) : null;
 189
 190                 // Give extensions a chance to force an expiration
 191                 $this->getHookRunner()->onResetPasswordExpiration(
 192                         User::newFromName( $username ), $expires );
 193
 194                 return $expires;
 195         }
 196
 197         /**
 198          * @stable to override
 199          * @param string $action
 200          * @param array $options
 201          *
 202          * @return AuthenticationRequest[]
 203          */
 204         public function getAuthenticationRequests( $action, array $options ) {
 205                 switch ( $action ) {
 206                         case AuthManager::ACTION_LOGIN:
 207                         case AuthManager::ACTION_REMOVE:
 208                         case AuthManager::ACTION_CREATE:
 209                         case AuthManager::ACTION_CHANGE:
 210                                 return [ new PasswordAuthenticationRequest() ];
 211                         default:
 212                                 return [];
 213                 }
 214         }
 215 }