| blob | 0f4e585136812fe52f88f3c265f6da012c571939 |
1 <?php
2 /**
3 * Primary authentication provider interface
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 * @ingroup Auth
22 */
30 /**
31 * A primary authentication provider is responsible for associating the submitted
32 * authentication data with a MediaWiki account.
33 *
34 * When multiple primary authentication providers are configured for a site, they
35 * act as alternatives; the first one that recognizes the data will handle it,
36 * and further primary providers are not called (although they all get a chance
37 * to prevent actions).
38 *
39 * For login, the PrimaryAuthenticationProvider takes form data and determines
40 * which authenticated user (if any) corresponds to that form data. It might
41 * do this on the basis of a username and password in that data, or by
42 * interacting with an external authentication service (e.g. using OpenID),
43 * or by some other mechanism.
44 *
45 * (A PrimaryAuthenticationProvider would not be appropriate for something like
46 * HTTP authentication, OAuth, or SSL client certificates where each HTTP
47 * request contains all the information needed to identify the user. In that
48 * case you'll want to be looking at a \MediaWiki\Session\SessionProvider
49 * instead.)
50 *
51 * For account creation, the PrimaryAuthenticationProvider takes form data and
52 * stores some authentication details which will allow it to verify a login by
53 * that user in the future. This might for example involve saving it in the
54 * database in a table that can be joined to the user table, or sending it to
55 * some external service for account creation, or authenticating the user with
56 * some remote service and then recording that the remote identity is linked to
57 * the local account.
58 * The creation of the local user (i.e. calling User::addToDatabase()) is handled
59 * by AuthManager once the primary authentication provider returns a PASS
60 * from begin/continueAccountCreation; do not try to do it yourself.
61 *
62 * For account linking, the PrimaryAuthenticationProvider verifies the user's
63 * identity at some external service (typically by redirecting the user and
64 * asking the external service to verify) and then records which local account
65 * is linked to which remote accounts. It should keep track of this and be able
66 * to enumerate linked accounts via getAuthenticationRequests(ACTION_REMOVE).
67 *
68 * This interface also provides methods for changing authentication data such
69 * as passwords, and callbacks that are invoked after login / account creation
70 * / account linking succeeded or failed.
71 *
72 * @ingroup Auth
73 * @since 1.27
74 * @see https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager
75 */
77 /** Provider can create accounts */
79 /** Provider can link to existing accounts elsewhere */
81 /** Provider cannot create or link to accounts */
84 /**
85 * @inheritDoc
86 *
87 * Of the requests returned by this method, exactly one should have
88 * {@link AuthenticationRequest::$required} set to REQUIRED.
89 */
92 /**
93 * Start an authentication flow
94 *
95 * @param AuthenticationRequest[] $reqs
96 * @return AuthenticationResponse Expected responses:
97 * - PASS: The user is authenticated. Secondary providers will now run.
98 * - FAIL: The user is not authenticated. Fail the authentication process.
99 * - ABSTAIN: These $reqs are not handled. Some other primary provider may handle it.
100 * - UI: The $reqs are accepted, no other primary provider will run.
101 * Additional AuthenticationRequests are needed to complete the process.
102 * - REDIRECT: The $reqs are accepted, no other primary provider will run.
103 * Redirection to a third party is needed to complete the process.
104 */
107 /**
108 * Continue an authentication flow
109 * @param AuthenticationRequest[] $reqs
110 * @return AuthenticationResponse Expected responses:
111 * - PASS: The user is authenticated. Secondary providers will now run.
112 * - FAIL: The user is not authenticated. Fail the authentication process.
113 * - UI: Additional AuthenticationRequests are needed to complete the process.
114 * - REDIRECT: Redirection to a third party is needed to complete the process.
115 */
118 /**
119 * Post-login callback
120 *
121 * This will be called at the end of any login attempt, regardless of whether this provider was
122 * the one that handled it. It will not be called for unfinished login attempts that fail by
123 * the session timing out.
124 *
125 * @param User|null $user User that was attempted to be logged in, if known.
126 * This may become a "UserValue" in the future, or User may be refactored
127 * into such.
128 * @param AuthenticationResponse $response Authentication response that will be returned
129 * (PASS or FAIL)
130 */
133 /**
134 * Test whether the named user exists
135 *
136 * Single-sign-on providers can use this to reserve a username for autocreation.
137 *
138 * @param string $username MediaWiki username
139 * @param int $flags Bitfield of IDBAccessObject::READ_* constants
140 * @return bool
141 */
144 /**
145 * Test whether the named user can authenticate with this provider
146 *
147 * Should return true if the provider has any data for this user which can be used to
148 * authenticate it, even if the user is temporarily prevented from authentication somehow.
149 *
150 * @param string $username MediaWiki username
151 * @return bool
152 */
155 /**
156 * Normalize the username for authentication
157 *
158 * Any two inputs that would result in the same user being authenticated
159 * should return the same string here, while inputs that would result in
160 * different users should return different strings.
161 *
162 * If possible, the best thing to do here is to return the canonicalized
163 * name of the local user account that would be used. If not, return
164 * something that would be invalid as a local username (e.g. wrap an email
165 * address in "<>", or append "#servicename" to the username passed to a
166 * third-party service).
167 *
168 * If the provider doesn't use a username at all in its
169 * AuthenticationRequests, return null. If the name is syntactically
170 * invalid, it's probably best to return null.
171 *
172 * @param string $username
173 * @return string|null
174 */
177 /**
178 * Revoke the user's credentials
179 *
180 * This may cause the user to no longer exist for the provider, or the user
181 * may continue to exist in a "disabled" state.
182 *
183 * The intention is that the named account will never again be usable for
184 * normal login (i.e. there is no way to undo the revocation of access).
185 *
186 * @param string $username
187 */
190 /**
191 * Determine whether a property can change
192 * @see AuthManager::allowsPropertyChange()
193 * @param string $property
194 * @return bool
195 */
198 /**
199 * Validate a change of authentication data (e.g. passwords)
200 *
201 * Return StatusValue::newGood( 'ignored' ) if you don't support this
202 * AuthenticationRequest type.
203 *
204 * @param AuthenticationRequest $req
205 * @param bool $checkData If false, $req hasn't been loaded from the
206 * submission so checks on user-submitted fields should be skipped.
207 * $req->username is considered user-submitted for this purpose, even
208 * if it cannot be changed via $req->loadFromSubmission.
209 * @return StatusValue
210 */
213 );
215 /**
216 * Change or remove authentication data (e.g. passwords)
217 *
218 * If $req was returned for AuthManager::ACTION_CHANGE, the corresponding
219 * credentials should result in a successful login in the future.
220 *
221 * If $req was returned for AuthManager::ACTION_REMOVE, the corresponding
222 * credentials should no longer result in a successful login.
223 *
224 * It can be assumed that providerAllowsAuthenticationDataChange with $checkData === true
225 * was called before this, and passed. This method should never fail (other than throwing an
226 * exception).
227 *
228 * @param AuthenticationRequest $req
229 */
232 /**
233 * Fetch the account-creation type
234 * @return string One of the TYPE_* constants
235 */
238 /**
239 * Determine whether an account creation may begin
240 *
241 * Called from AuthManager::beginAccountCreation()
242 *
243 * @note No need to test if the account exists, AuthManager checks that
244 * @param User $user User being created (not added to the database yet).
245 * This may become a "UserValue" in the future, or User may be refactored
246 * into such.
247 * @param User $creator User doing the creation. This may become a
248 * "UserValue" in the future, or User may be refactored into such.
249 * @param AuthenticationRequest[] $reqs
250 * @return StatusValue
251 */
254 /**
255 * Start an account creation flow
256 * @param User $user User being created (not added to the database yet).
257 * This may become a "UserValue" in the future, or User may be refactored
258 * into such.
259 * @param User $creator User doing the creation. This may become a
260 * "UserValue" in the future, or User may be refactored into such.
261 * @param AuthenticationRequest[] $reqs
262 * @return AuthenticationResponse Expected responses:
263 * - PASS: The user may be created. Secondary providers will now run.
264 * - FAIL: The user may not be created. Fail the creation process.
265 * - ABSTAIN: These $reqs are not handled. Some other primary provider may handle it.
266 * - UI: The $reqs are accepted, no other primary provider will run.
267 * Additional AuthenticationRequests are needed to complete the process.
268 * - REDIRECT: The $reqs are accepted, no other primary provider will run.
269 * Redirection to a third party is needed to complete the process.
270 */
273 /**
274 * Continue an account creation flow
275 * @param User $user User being created (not added to the database yet).
276 * This may become a "UserValue" in the future, or User may be refactored
277 * into such.
278 * @param User $creator User doing the creation. This may become a
279 * "UserValue" in the future, or User may be refactored into such.
280 * @param AuthenticationRequest[] $reqs
281 * @return AuthenticationResponse Expected responses:
282 * - PASS: The user may be created. Secondary providers will now run.
283 * - FAIL: The user may not be created. Fail the creation process.
284 * - UI: Additional AuthenticationRequests are needed to complete the process.
285 * - REDIRECT: Redirection to a third party is needed to complete the process.
286 */
289 /**
290 * Post-creation callback
291 *
292 * Called after the user is added to the database, before secondary
293 * authentication providers are run. Only called if this provider was the one that issued
294 * a PASS.
295 *
296 * @param User $user User being created (has been added to the database now).
297 * This may become a "UserValue" in the future, or User may be refactored
298 * into such.
299 * @param User $creator User doing the creation. This may become a
300 * "UserValue" in the future, or User may be refactored into such.
301 * @param AuthenticationResponse $response PASS response returned earlier
302 * @return string|null 'newusers' log subtype to use for logging the
303 * account creation. If null, either 'create' or 'create2' will be used
304 * depending on $creator.
305 */
308 /**
309 * Post-creation callback
310 *
311 * This will be called at the end of any account creation attempt, regardless of whether this
312 * provider was the one that handled it. It will not be called if the account creation process
313 * results in a session timeout (possibly after a successful user creation, while a secondary
314 * provider is waiting for a response).
315 *
316 * @param User $user User that was attempted to be created.
317 * This may become a "UserValue" in the future, or User may be refactored
318 * into such.
319 * @param User $creator User doing the creation. This may become a
320 * "UserValue" in the future, or User may be refactored into such.
321 * @param AuthenticationResponse $response Authentication response that will be returned
322 * (PASS or FAIL)
323 */
326 /**
327 * Determine whether an account may be created
328 *
329 * @param User $user User being created (not added to the database yet).
330 * This may become a "UserValue" in the future, or User may be refactored
331 * into such.
332 * @param bool|string $autocreate False if this is not an auto-creation, or
333 * the source of the auto-creation passed to AuthManager::autoCreateUser().
334 * @param array $options
335 * - flags: (int) Bitfield of IDBAccessObject::READ_* constants, default IDBAccessObject::READ_NORMAL
336 * - creating: (bool) If false (or missing), this call is only testing if
337 * a user could be created. If set, this is for actually creating an account.
338 * If set and $autocreate is false, it's guaranteed to be followed by a call to
339 * testForAccountCreation(). In this case, the provider might return
340 * StatusValue::newGood() here and let the later call to
341 * testForAccountCreation() do a more thorough test.
342 * - canAlwaysAutocreate: (bool) If true the session provider is exempt from
343 * autocreate user permissions checks.
344 * @return StatusValue
345 */
348 /**
349 * Post-auto-creation callback
350 * @param User $user User being created (has been added to the database now).
351 * This may become a "UserValue" in the future, or User may be refactored
352 * into such.
353 * @param string $source The source of the auto-creation passed to
354 * AuthManager::autoCreateUser().
355 */
358 /**
359 * Start linking an account to an existing user
360 * @param User $user User being linked.
361 * This may become a "UserValue" in the future, or User may be refactored
362 * into such.
363 * @param AuthenticationRequest[] $reqs
364 * @return AuthenticationResponse Expected responses:
365 * - PASS: The user is linked.
366 * - FAIL: The user is not linked. Fail the linking process.
367 * - ABSTAIN: These $reqs are not handled. Some other primary provider may handle it.
368 * - UI: The $reqs are accepted, no other primary provider will run.
369 * Additional AuthenticationRequests are needed to complete the process.
370 * - REDIRECT: The $reqs are accepted, no other primary provider will run.
371 * Redirection to a third party is needed to complete the process.
372 */
375 /**
376 * Continue linking an account to an existing user
377 * @param User $user User being linked.
378 * This may become a "UserValue" in the future, or User may be refactored
379 * into such.
380 * @param AuthenticationRequest[] $reqs
381 * @return AuthenticationResponse Expected responses:
382 * - PASS: The user is linked.
383 * - FAIL: The user is not linked. Fail the linking process.
384 * - UI: Additional AuthenticationRequests are needed to complete the process.
385 * - REDIRECT: Redirection to a third party is needed to complete the process.
386 */
389 /**
390 * Post-link callback
391 *
392 * This will be called at the end of any account linking attempt, regardless of whether this
393 * provider was the one that handled it.
394 *
395 * @param User $user User that was attempted to be linked.
396 * This may become a "UserValue" in the future, or User may be refactored
397 * into such.
398 * @param AuthenticationResponse $response Authentication response that will be returned
399 * (PASS or FAIL)
400 */
403 }