includes/password/PasswordPolicyChecks.php

   1 <?php
   2 /**
   3  * Password policy checks
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 use \Cdb\Reader as CdbReader;
  24
  25 /**
  26  * Functions to check passwords against a policy requirement
  27  * @since 1.26
  28  */
  29 class PasswordPolicyChecks {
  30
  31         /**
  32          * Check password is longer than minimum, not fatal
  33          * @param int $policyVal minimal length
  34          * @param User $user
  35          * @param string $password
  36          * @return Status error if $password is shorter than $policyVal
  37          */
  38         public static function checkMinimalPasswordLength( $policyVal, User $user, $password ) {
  39                 $status = Status::newGood();
  40                 if ( $policyVal > strlen( $password ) ) {
  41                         $status->error( 'passwordtooshort', $policyVal );
  42                 }
  43                 return $status;
  44         }
  45
  46         /**
  47          * Check password is longer than minimum, fatal
  48          * @param int $policyVal minimal length
  49          * @param User $user
  50          * @param string $password
  51          * @return Status fatal if $password is shorter than $policyVal
  52          */
  53         public static function checkMinimumPasswordLengthToLogin( $policyVal, User $user, $password ) {
  54                 $status = Status::newGood();
  55                 if ( $policyVal > strlen( $password ) ) {
  56                         $status->fatal( 'passwordtooshort', $policyVal );
  57                 }
  58                 return $status;
  59         }
  60
  61         /**
  62          * Check password is shorter than maximum, fatal
  63          * @param int $policyVal maximum length
  64          * @param User $user
  65          * @param string $password
  66          * @return Status fatal if $password is shorter than $policyVal
  67          */
  68         public static function checkMaximalPasswordLength( $policyVal, User $user, $password ) {
  69                 $status = Status::newGood();
  70                 if ( $policyVal < strlen( $password ) ) {
  71                         $status->fatal( 'passwordtoolong', $policyVal );
  72                 }
  73                 return $status;
  74         }
  75
  76         /**
  77          * Check if username and password match
  78          * @param bool $policyVal true to force compliance.
  79          * @param User $user
  80          * @param string $password
  81          * @return Status error if username and password match, and policy is true
  82          */
  83         public static function checkPasswordCannotMatchUsername( $policyVal, User $user, $password ) {
  84                 global $wgContLang;
  85                 $status = Status::newGood();
  86                 $username = $user->getName();
  87                 if ( $policyVal && $wgContLang->lc( $password ) === $wgContLang->lc( $username ) ) {
  88                         $status->error( 'password-name-match' );
  89                 }
  90                 return $status;
  91         }
  92
  93         /**
  94          * Check if username and password are on a blacklist
  95          * @param bool $policyVal true to force compliance.
  96          * @param User $user
  97          * @param string $password
  98          * @return Status error if username and password match, and policy is true
  99          */
 100         public static function checkPasswordCannotMatchBlacklist( $policyVal, User $user, $password ) {
 101                 static $blockedLogins = [
 102                         'Useruser' => 'Passpass', 'Useruser1' => 'Passpass1', # r75589
 103                         'Apitestsysop' => 'testpass', 'Apitestuser' => 'testpass' # r75605
 104                 ];
 105
 106                 $status = Status::newGood();
 107                 $username = $user->getName();
 108                 if ( $policyVal ) {
 109                         if ( isset( $blockedLogins[$username] ) && $password == $blockedLogins[$username] ) {
 110                                 $status->error( 'password-login-forbidden' );
 111                         }
 112
 113                         // Example from ApiChangeAuthenticationRequest
 114                         if ( $password === 'ExamplePassword' ) {
 115                                 $status->error( 'password-login-forbidden' );
 116                         }
 117                 }
 118                 return $status;
 119         }
 120
 121         /**
 122          * Ensure that password isn't in top X most popular passwords
 123          *
 124          * @param int $policyVal Cut off to use. Will automatically shrink to the max
 125          *   supported for error messages if set to more than max number of passwords on file,
 126          *   so you can use the PHP_INT_MAX constant here safely.
 127          * @param User $user
 128          * @param string $password
 129          * @since 1.27
 130          * @return Status
 131          */
 132         public static function checkPopularPasswordBlacklist( $policyVal, User $user, $password ) {
 133                 global $wgPopularPasswordFile, $wgSitename;
 134                 $status = Status::newGood();
 135                 if ( $policyVal > 0 ) {
 136                         $langEn = Language::factory( 'en' );
 137                         $passwordKey = $langEn->lc( trim( $password ) );
 138
 139                         // People often use the name of the current site, which won't be
 140                         // in the common password file. Also check '' for people who use
 141                         // just whitespace.
 142                         $sitename = $langEn->lc( trim( $wgSitename ) );
 143                         $hardcodedCommonPasswords = [ '', 'wiki', 'mediawiki', $sitename ];
 144                         if ( in_array( $passwordKey, $hardcodedCommonPasswords ) ) {
 145                                 $status->error( 'passwordtoopopular' );
 146                                 return $status;
 147                         }
 148
 149                         // This could throw an exception, but there's not a good way
 150                         // of failing gracefully, if say the file is missing, so just
 151                         // let the exception fall through.
 152                         // Format of cdb file is mapping password => popularity rank.
 153                         // See maintenance/createCommonPasswordCdb.php
 154                         $db = CdbReader::open( $wgPopularPasswordFile );
 155
 156                         $res = $db->get( $passwordKey );
 157                         if ( $res && (int)$res <= $policyVal ) {
 158                                 // Note: If you want to find the true number of common
 159                                 // passwords stored (for reporting the error), you have to take
 160                                 // the max of the policyVal and $db->get( '_TOTALENTRIES' ).
 161                                 $status->error( 'passwordtoopopular' );
 162                         }
 163                 }
 164                 return $status;
 165         }
 166
 167 }