search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Localisation updates from https://translatewiki.net.
[mediawiki.git] / includes / auth / ThrottlePreAuthenticationProvider.php
blobc84e39d8b8210839a249a90f3eacb43effb92cc8
1 <?php
2 /**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
17 *
18 * @file
19 * @ingroup Auth
20 */
21
22 namespace MediaWiki\Auth;
23
24 use MediaWiki\MainConfigNames;
25 use MediaWiki\MediaWikiServices;
26 use MediaWiki\User\User;
27 use Wikimedia\ObjectCache\BagOStuff;
28
29 /**
30 * A pre-authentication provider to throttle authentication actions.
31 *
32 * Adding this provider will throttle account creations and primary authentication attempts
33 * (more specifically, any authentication that returns FAIL on failure). Secondary authentication
34 * cannot be easily throttled on a framework level (since it would typically return UI on failure);
35 * secondary providers are expected to do their own throttling.
36 * @ingroup Auth
37 * @since 1.27
38 */
39 class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
40 /** @var array */
41 protected $throttleSettings;
42
43 protected ?Throttler $accountCreationThrottle = null;
44 protected ?Throttler $passwordAttemptThrottle = null;
45 protected BagOStuff $cache;
46
47 /**
48 * @param array $params
49 * - accountCreationThrottle: (array) Condition array for the account creation throttle; an array
50 * of arrays in a format like $wgPasswordAttemptThrottle, passed to the Throttler constructor.
51 * - passwordAttemptThrottle: (array) Condition array for the password attempt throttle, in the
52 * same format as accountCreationThrottle.
53 * - cache: (BagOStuff) Where to store the throttle, defaults to the local cluster instance.
54 */
55 public function __construct( $params = [] ) {
56 $this->throttleSettings = array_intersect_key( $params,
57 [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
58 $services = MediaWikiServices::getInstance();
59 $this->cache = $params['cache'] ?? $services->getObjectCacheFactory()
60 ->getLocalClusterInstance();
61 }
62
63 protected function postInitSetup() {
64 $accountCreationThrottle = $this->config->get( MainConfigNames::AccountCreationThrottle );
65 // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
66 if ( !is_array( $accountCreationThrottle ) ) {
67 $accountCreationThrottle = [ [
68 'count' => $accountCreationThrottle,
69 'seconds' => 86400,
70 ] ];
71 }
72
73 // @codeCoverageIgnoreStart
74 $this->throttleSettings += [
75 // @codeCoverageIgnoreEnd
76 'accountCreationThrottle' => $accountCreationThrottle,
77 'passwordAttemptThrottle' =>
78 $this->config->get( MainConfigNames::PasswordAttemptThrottle ),
79 ];
80
81 if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
82 $this->accountCreationThrottle = new Throttler(
83 $this->throttleSettings['accountCreationThrottle'], [
84 'type' => 'acctcreate',
85 'cache' => $this->cache,
86 ]
87 );
88 }
89 if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
90 $this->passwordAttemptThrottle = new Throttler(
91 $this->throttleSettings['passwordAttemptThrottle'], [
92 'type' => 'password',
93 'cache' => $this->cache,
94 ]
95 );
96 }
97 }
98
99 public function testForAccountCreation( $user, $creator, array $reqs ) {
100 if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
101 return \StatusValue::newGood();
102 }
103
104 $ip = $this->manager->getRequest()->getIP();
105
106 if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {
107 $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );
108 return \StatusValue::newGood();
109 }
110
111 $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
112 if ( $result ) {
113 $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
114 ->durationParams( $result['wait'] );
115 return \StatusValue::newFatal( $message );
116 }
117
118 return \StatusValue::newGood();
119 }
120
121 public function testForAuthentication( array $reqs ) {
122 if ( !$this->passwordAttemptThrottle ) {
123 return \StatusValue::newGood();
124 }
125
126 $ip = $this->manager->getRequest()->getIP();
127 try {
128 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
129 } catch ( \UnexpectedValueException $e ) {
130 $username = null;
131 }
132
133 // Get everything this username could normalize to, and throttle each one individually.
134 // If nothing uses usernames, just throttle by IP.
135 if ( $username !== null ) {
136 $usernames = $this->manager->normalizeUsername( $username );
137 } else {
138 $usernames = [ null ];
139 }
140 $result = false;
141 foreach ( $usernames as $name ) {
142 $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
143 if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
144 $result = $r;
145 }
146 }
147
148 if ( $result ) {
149 $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
150 return \StatusValue::newFatal( $message );
151 } else {
152 $this->manager->setAuthenticationSessionData( 'LoginThrottle',
153 [ 'users' => $usernames, 'ip' => $ip ] );
154 return \StatusValue::newGood();
155 }
156 }
157
158 /**
159 * @param null|User $user
160 * @param AuthenticationResponse $response
161 */
162 public function postAuthentication( $user, AuthenticationResponse $response ) {
163 if ( $response->status !== AuthenticationResponse::PASS ) {
164 return;
165 } elseif ( !$this->passwordAttemptThrottle ) {
166 return;
167 }
168
169 $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
170 if ( !$data ) {
171 // this can occur when login is happening via AuthenticationRequest::$loginRequest
172 // so testForAuthentication is skipped
173 $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
174 return;
175 }
176
177 foreach ( $data['users'] as $name ) {
178 $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
179 }
180 }
181 }
MediaWiki Core