Added release notes for 'ContentHandler::runLegacyHooks' removal
[mediawiki.git] / includes / auth / LocalPasswordPrimaryAuthenticationProvider.php
blobfd36887c0620aee1abe322366720b3fda8abc22d
1 <?php
2 /**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
18 * @file
19 * @ingroup Auth
22 namespace MediaWiki\Auth;
24 use User;
26 /**
27 * A primary authentication provider that uses the password field in the 'user' table.
28 * @ingroup Auth
29 * @since 1.27
31 class LocalPasswordPrimaryAuthenticationProvider
32 extends AbstractPasswordPrimaryAuthenticationProvider
35 /** @var bool If true, this instance is for legacy logins only. */
36 protected $loginOnly = false;
38 /**
39 * @param array $params Settings
40 * - loginOnly: If true, the local passwords are for legacy logins only:
41 * the local password will be invalidated when authentication is changed
42 * and new users will not have a valid local password set.
44 public function __construct( $params = [] ) {
45 parent::__construct( $params );
46 $this->loginOnly = !empty( $params['loginOnly'] );
49 protected function getPasswordResetData( $username, $row ) {
50 $now = wfTimestamp();
51 $expiration = wfTimestampOrNull( TS_UNIX, $row->user_password_expires );
52 if ( $expiration === null || $expiration >= $now ) {
53 return null;
56 $grace = $this->config->get( 'PasswordExpireGrace' );
57 if ( $expiration + $grace < $now ) {
58 $data = [
59 'hard' => true,
60 'msg' => \Status::newFatal( 'resetpass-expired' )->getMessage(),
62 } else {
63 $data = [
64 'hard' => false,
65 'msg' => \Status::newFatal( 'resetpass-expired-soft' )->getMessage(),
69 return (object)$data;
72 public function beginPrimaryAuthentication( array $reqs ) {
73 $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
74 if ( !$req ) {
75 return AuthenticationResponse::newAbstain();
78 if ( $req->username === null || $req->password === null ) {
79 return AuthenticationResponse::newAbstain();
82 $username = User::getCanonicalName( $req->username, 'usable' );
83 if ( $username === false ) {
84 return AuthenticationResponse::newAbstain();
87 $fields = [
88 'user_id', 'user_password', 'user_password_expires',
91 $dbr = wfGetDB( DB_REPLICA );
92 $row = $dbr->selectRow(
93 'user',
94 $fields,
95 [ 'user_name' => $username ],
96 __METHOD__
98 if ( !$row ) {
99 return AuthenticationResponse::newAbstain();
102 $oldRow = clone $row;
103 // Check for *really* old password hashes that don't even have a type
104 // The old hash format was just an md5 hex hash, with no type information
105 if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
106 if ( $this->config->get( 'PasswordSalt' ) ) {
107 $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
108 } else {
109 $row->user_password = ":A:{$row->user_password}";
113 $status = $this->checkPasswordValidity( $username, $req->password );
114 if ( !$status->isOK() ) {
115 // Fatal, can't log in
116 return AuthenticationResponse::newFail( $status->getMessage() );
119 $pwhash = $this->getPassword( $row->user_password );
120 if ( !$pwhash->equals( $req->password ) ) {
121 if ( $this->config->get( 'LegacyEncoding' ) ) {
122 // Some wikis were converted from ISO 8859-1 to UTF-8, the passwords can't be converted
123 // Check for this with iconv
124 $cp1252Password = iconv( 'UTF-8', 'WINDOWS-1252//TRANSLIT', $req->password );
125 if ( $cp1252Password === $req->password || !$pwhash->equals( $cp1252Password ) ) {
126 return $this->failResponse( $req );
128 } else {
129 return $this->failResponse( $req );
133 // @codeCoverageIgnoreStart
134 if ( $this->getPasswordFactory()->needsUpdate( $pwhash ) ) {
135 $newHash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
136 \DeferredUpdates::addCallableUpdate( function () use ( $newHash, $oldRow ) {
137 $dbw = wfGetDB( DB_MASTER );
138 $dbw->update(
139 'user',
140 [ 'user_password' => $newHash->toString() ],
142 'user_id' => $oldRow->user_id,
143 'user_password' => $oldRow->user_password
145 __METHOD__
147 } );
149 // @codeCoverageIgnoreEnd
151 $this->setPasswordResetFlag( $username, $status, $row );
153 return AuthenticationResponse::newPass( $username );
156 public function testUserCanAuthenticate( $username ) {
157 $username = User::getCanonicalName( $username, 'usable' );
158 if ( $username === false ) {
159 return false;
162 $dbr = wfGetDB( DB_REPLICA );
163 $row = $dbr->selectRow(
164 'user',
165 [ 'user_password' ],
166 [ 'user_name' => $username ],
167 __METHOD__
169 if ( !$row ) {
170 return false;
173 // Check for *really* old password hashes that don't even have a type
174 // The old hash format was just an md5 hex hash, with no type information
175 if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
176 return true;
179 return !$this->getPassword( $row->user_password ) instanceof \InvalidPassword;
182 public function testUserExists( $username, $flags = User::READ_NORMAL ) {
183 $username = User::getCanonicalName( $username, 'usable' );
184 if ( $username === false ) {
185 return false;
188 list( $db, $options ) = \DBAccessObjectUtils::getDBOptions( $flags );
189 return (bool)wfGetDB( $db )->selectField(
190 [ 'user' ],
191 [ 'user_id' ],
192 [ 'user_name' => $username ],
193 __METHOD__,
194 $options
198 public function providerAllowsAuthenticationDataChange(
199 AuthenticationRequest $req, $checkData = true
201 // We only want to blank the password if something else will accept the
202 // new authentication data, so return 'ignore' here.
203 if ( $this->loginOnly ) {
204 return \StatusValue::newGood( 'ignored' );
207 if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
208 if ( !$checkData ) {
209 return \StatusValue::newGood();
212 $username = User::getCanonicalName( $req->username, 'usable' );
213 if ( $username !== false ) {
214 $row = wfGetDB( DB_MASTER )->selectRow(
215 'user',
216 [ 'user_id' ],
217 [ 'user_name' => $username ],
218 __METHOD__
220 if ( $row ) {
221 $sv = \StatusValue::newGood();
222 if ( $req->password !== null ) {
223 if ( $req->password !== $req->retype ) {
224 $sv->fatal( 'badretype' );
225 } else {
226 $sv->merge( $this->checkPasswordValidity( $username, $req->password ) );
229 return $sv;
234 return \StatusValue::newGood( 'ignored' );
237 public function providerChangeAuthenticationData( AuthenticationRequest $req ) {
238 $username = $req->username !== null ? User::getCanonicalName( $req->username, 'usable' ) : false;
239 if ( $username === false ) {
240 return;
243 $pwhash = null;
245 if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
246 if ( $this->loginOnly ) {
247 $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
248 $expiry = null;
249 } else {
250 $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
251 $expiry = $this->getNewPasswordExpiry( $username );
255 if ( $pwhash ) {
256 $dbw = wfGetDB( DB_MASTER );
257 $dbw->update(
258 'user',
260 'user_password' => $pwhash->toString(),
261 'user_password_expires' => $dbw->timestampOrNull( $expiry ),
263 [ 'user_name' => $username ],
264 __METHOD__
269 public function accountCreationType() {
270 return $this->loginOnly ? self::TYPE_NONE : self::TYPE_CREATE;
273 public function testForAccountCreation( $user, $creator, array $reqs ) {
274 $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
276 $ret = \StatusValue::newGood();
277 if ( !$this->loginOnly && $req && $req->username !== null && $req->password !== null ) {
278 if ( $req->password !== $req->retype ) {
279 $ret->fatal( 'badretype' );
280 } else {
281 $ret->merge(
282 $this->checkPasswordValidity( $user->getName(), $req->password )
286 return $ret;
289 public function beginPrimaryAccountCreation( $user, $creator, array $reqs ) {
290 if ( $this->accountCreationType() === self::TYPE_NONE ) {
291 throw new \BadMethodCallException( 'Shouldn\'t call this when accountCreationType() is NONE' );
294 $req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
295 if ( $req ) {
296 if ( $req->username !== null && $req->password !== null ) {
297 // Nothing we can do besides claim it, because the user isn't in
298 // the DB yet
299 if ( $req->username !== $user->getName() ) {
300 $req = clone( $req );
301 $req->username = $user->getName();
303 $ret = AuthenticationResponse::newPass( $req->username );
304 $ret->createRequest = $req;
305 return $ret;
308 return AuthenticationResponse::newAbstain();
311 public function finishAccountCreation( $user, $creator, AuthenticationResponse $res ) {
312 if ( $this->accountCreationType() === self::TYPE_NONE ) {
313 throw new \BadMethodCallException( 'Shouldn\'t call this when accountCreationType() is NONE' );
316 // Now that the user is in the DB, set the password on it.
317 $this->providerChangeAuthenticationData( $res->createRequest );
319 return null;