3 * Authentication (and possibly Authorization in the future) system entry point
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
24 namespace MediaWiki\Auth
;
27 use Psr\Log\LoggerAwareInterface
;
28 use Psr\Log\LoggerInterface
;
35 * This serves as the entry point to the authentication system.
37 * In the future, it may also serve as the entry point to the authorization
43 class AuthManager
implements LoggerAwareInterface
{
44 /** Log in with an existing (not necessarily local) user */
45 const ACTION_LOGIN
= 'login';
46 /** Continue a login process that was interrupted by the need for user input or communication
47 * with an external provider */
48 const ACTION_LOGIN_CONTINUE
= 'login-continue';
49 /** Create a new user */
50 const ACTION_CREATE
= 'create';
51 /** Continue a user creation process that was interrupted by the need for user input or
52 * communication with an external provider */
53 const ACTION_CREATE_CONTINUE
= 'create-continue';
54 /** Link an existing user to a third-party account */
55 const ACTION_LINK
= 'link';
56 /** Continue a user linking process that was interrupted by the need for user input or
57 * communication with an external provider */
58 const ACTION_LINK_CONTINUE
= 'link-continue';
59 /** Change a user's credentials */
60 const ACTION_CHANGE
= 'change';
61 /** Remove a user's credentials */
62 const ACTION_REMOVE
= 'remove';
63 /** Like ACTION_REMOVE but for linking providers only */
64 const ACTION_UNLINK
= 'unlink';
66 /** Security-sensitive operations are ok. */
68 /** Security-sensitive operations should re-authenticate. */
69 const SEC_REAUTH
= 'reauth';
70 /** Security-sensitive should not be performed. */
71 const SEC_FAIL
= 'fail';
73 /** Auto-creation is due to SessionManager */
74 const AUTOCREATE_SOURCE_SESSION
= \MediaWiki\Session\SessionManager
::class;
76 /** @var AuthManager|null */
77 private static $instance = null;
79 /** @var WebRequest */
85 /** @var LoggerInterface */
88 /** @var AuthenticationProvider[] */
89 private $allAuthenticationProviders = [];
91 /** @var PreAuthenticationProvider[] */
92 private $preAuthenticationProviders = null;
94 /** @var PrimaryAuthenticationProvider[] */
95 private $primaryAuthenticationProviders = null;
97 /** @var SecondaryAuthenticationProvider[] */
98 private $secondaryAuthenticationProviders = null;
100 /** @var CreatedAccountAuthenticationRequest[] */
101 private $createdAccountAuthenticationRequests = [];
104 * Get the global AuthManager
105 * @return AuthManager
107 public static function singleton() {
108 global $wgDisableAuthManager;
110 if ( $wgDisableAuthManager ) {
111 throw new \
BadMethodCallException( '$wgDisableAuthManager is set' );
114 if ( self
::$instance === null ) {
115 self
::$instance = new self(
116 \RequestContext
::getMain()->getRequest(),
117 \ConfigFactory
::getDefaultInstance()->makeConfig( 'main' )
120 return self
::$instance;
124 * @param WebRequest $request
125 * @param Config $config
127 public function __construct( WebRequest
$request, Config
$config ) {
128 $this->request
= $request;
129 $this->config
= $config;
130 $this->setLogger( \MediaWiki\Logger\LoggerFactory
::getInstance( 'authentication' ) );
134 * @param LoggerInterface $logger
136 public function setLogger( LoggerInterface
$logger ) {
137 $this->logger
= $logger;
143 public function getRequest() {
144 return $this->request
;
148 * Force certain PrimaryAuthenticationProviders
149 * @deprecated For backwards compatibility only
150 * @param PrimaryAuthenticationProvider[] $providers
153 public function forcePrimaryAuthenticationProviders( array $providers, $why ) {
154 $this->logger
->warning( "Overriding AuthManager primary authn because $why" );
156 if ( $this->primaryAuthenticationProviders
!== null ) {
157 $this->logger
->warning(
158 'PrimaryAuthenticationProviders have already been accessed! I hope nothing breaks.'
161 $this->allAuthenticationProviders
= array_diff_key(
162 $this->allAuthenticationProviders
,
163 $this->primaryAuthenticationProviders
165 $session = $this->request
->getSession();
166 $session->remove( 'AuthManager::authnState' );
167 $session->remove( 'AuthManager::accountCreationState' );
168 $session->remove( 'AuthManager::accountLinkState' );
169 $this->createdAccountAuthenticationRequests
= [];
172 $this->primaryAuthenticationProviders
= [];
173 foreach ( $providers as $provider ) {
174 if ( !$provider instanceof PrimaryAuthenticationProvider
) {
175 throw new \
RuntimeException(
176 'Expected instance of MediaWiki\\Auth\\PrimaryAuthenticationProvider, got ' .
177 get_class( $provider )
180 $provider->setLogger( $this->logger
);
181 $provider->setManager( $this );
182 $provider->setConfig( $this->config
);
183 $id = $provider->getUniqueId();
184 if ( isset( $this->allAuthenticationProviders
[$id] ) ) {
185 throw new \
RuntimeException(
186 "Duplicate specifications for id $id (classes " .
187 get_class( $provider ) . ' and ' .
188 get_class( $this->allAuthenticationProviders
[$id] ) . ')'
191 $this->allAuthenticationProviders
[$id] = $provider;
192 $this->primaryAuthenticationProviders
[$id] = $provider;
197 * Call a legacy AuthPlugin method, if necessary
198 * @codeCoverageIgnore
199 * @deprecated For backwards compatibility only, should be avoided in new code
200 * @param string $method AuthPlugin method to call
201 * @param array $params Parameters to pass
202 * @param mixed $return Return value if AuthPlugin wasn't called
203 * @return mixed Return value from the AuthPlugin method, or $return
205 public static function callLegacyAuthPlugin( $method, array $params, $return = null ) {
208 if ( $wgAuth && !$wgAuth instanceof AuthManagerAuthPlugin
) {
209 return call_user_func_array( [ $wgAuth, $method ], $params );
216 * @name Authentication
221 * Indicate whether user authentication is possible
223 * It may not be if the session is provided by something like OAuth
224 * for which each individual request includes authentication data.
228 public function canAuthenticateNow() {
229 return $this->request
->getSession()->canSetUser();
233 * Start an authentication flow
234 * @param AuthenticationRequest[] $reqs
235 * @param string $returnToUrl Url that REDIRECT responses should eventually
237 * @return AuthenticationResponse See self::continueAuthentication()
239 public function beginAuthentication( array $reqs, $returnToUrl ) {
240 $session = $this->request
->getSession();
241 if ( !$session->canSetUser() ) {
242 // Caller should have called canAuthenticateNow()
243 $session->remove( 'AuthManager::authnState' );
244 throw new \
LogicException( 'Authentication is not possible now' );
247 $guessUserName = null;
248 foreach ( $reqs as $req ) {
249 $req->returnToUrl
= $returnToUrl;
250 // @codeCoverageIgnoreStart
251 if ( $req->username
!== null && $req->username
!== '' ) {
252 if ( $guessUserName === null ) {
253 $guessUserName = $req->username
;
254 } elseif ( $guessUserName !== $req->username
) {
255 $guessUserName = null;
259 // @codeCoverageIgnoreEnd
262 // Check for special-case login of a just-created account
263 $req = AuthenticationRequest
::getRequestByClass(
264 $reqs, CreatedAccountAuthenticationRequest
::class
267 if ( !in_array( $req, $this->createdAccountAuthenticationRequests
, true ) ) {
268 throw new \
LogicException(
269 'CreatedAccountAuthenticationRequests are only valid on ' .
270 'the same AuthManager that created the account'
274 $user = User
::newFromName( $req->username
);
275 // @codeCoverageIgnoreStart
277 throw new \
UnexpectedValueException(
278 "CreatedAccountAuthenticationRequest had invalid username \"{$req->username}\""
280 } elseif ( $user->getId() != $req->id
) {
281 throw new \
UnexpectedValueException(
282 "ID for \"{$req->username}\" was {$user->getId()}, expected {$req->id}"
285 // @codeCoverageIgnoreEnd
287 $this->logger
->info( 'Logging in {user} after account creation', [
288 'user' => $user->getName(),
290 $ret = AuthenticationResponse
::newPass( $user->getName() );
291 $this->setSessionDataForUser( $user );
292 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
293 $session->remove( 'AuthManager::authnState' );
294 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName() ] );
298 $this->removeAuthenticationSessionData( null );
300 foreach ( $this->getPreAuthenticationProviders() as $provider ) {
301 $status = $provider->testForAuthentication( $reqs );
302 if ( !$status->isGood() ) {
303 $this->logger
->debug( 'Login failed in pre-authentication by ' . $provider->getUniqueId() );
304 $ret = AuthenticationResponse
::newFail(
305 Status
::wrap( $status )->getMessage()
307 $this->callMethodOnProviders( 7, 'postAuthentication',
308 [ User
::newFromName( $guessUserName ) ?
: null, $ret ]
310 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, null, $guessUserName ] );
317 'returnToUrl' => $returnToUrl,
318 'guessUserName' => $guessUserName,
320 'primaryResponse' => null,
323 'continueRequests' => [],
326 // Preserve state from a previous failed login
327 $req = AuthenticationRequest
::getRequestByClass(
328 $reqs, CreateFromLoginAuthenticationRequest
::class
331 $state['maybeLink'] = $req->maybeLink
;
334 $session = $this->request
->getSession();
335 $session->setSecret( 'AuthManager::authnState', $state );
338 return $this->continueAuthentication( $reqs );
342 * Continue an authentication flow
344 * Return values are interpreted as follows:
345 * - status FAIL: Authentication failed. If $response->createRequest is
346 * set, that may be passed to self::beginAuthentication() or to
347 * self::beginAccountCreation() (after adding a username, if necessary)
349 * - status REDIRECT: The client should be redirected to the contained URL,
350 * new AuthenticationRequests should be made (if any), then
351 * AuthManager::continueAuthentication() should be called.
352 * - status UI: The client should be presented with a user interface for
353 * the fields in the specified AuthenticationRequests, then new
354 * AuthenticationRequests should be made, then
355 * AuthManager::continueAuthentication() should be called.
356 * - status RESTART: The user logged in successfully with a third-party
357 * service, but the third-party credentials aren't attached to any local
358 * account. This could be treated as a UI or a FAIL.
359 * - status PASS: Authentication was successful.
361 * @param AuthenticationRequest[] $reqs
362 * @return AuthenticationResponse
364 public function continueAuthentication( array $reqs ) {
365 $session = $this->request
->getSession();
367 if ( !$session->canSetUser() ) {
368 // Caller should have called canAuthenticateNow()
369 // @codeCoverageIgnoreStart
370 throw new \
LogicException( 'Authentication is not possible now' );
371 // @codeCoverageIgnoreEnd
374 $state = $session->getSecret( 'AuthManager::authnState' );
375 if ( !is_array( $state ) ) {
376 return AuthenticationResponse
::newFail(
377 wfMessage( 'authmanager-authn-not-in-progress' )
380 $state['continueRequests'] = [];
382 $guessUserName = $state['guessUserName'];
384 foreach ( $reqs as $req ) {
385 $req->returnToUrl
= $state['returnToUrl'];
388 // Step 1: Choose an primary authentication provider, and call it until it succeeds.
390 if ( $state['primary'] === null ) {
391 // We haven't picked a PrimaryAuthenticationProvider yet
392 // @codeCoverageIgnoreStart
393 $guessUserName = null;
394 foreach ( $reqs as $req ) {
395 if ( $req->username
!== null && $req->username
!== '' ) {
396 if ( $guessUserName === null ) {
397 $guessUserName = $req->username
;
398 } elseif ( $guessUserName !== $req->username
) {
399 $guessUserName = null;
404 $state['guessUserName'] = $guessUserName;
405 // @codeCoverageIgnoreEnd
406 $state['reqs'] = $reqs;
408 foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) {
409 $res = $provider->beginPrimaryAuthentication( $reqs );
410 switch ( $res->status
) {
411 case AuthenticationResponse
::PASS
;
412 $state['primary'] = $id;
413 $state['primaryResponse'] = $res;
414 $this->logger
->debug( "Primary login with $id succeeded" );
416 case AuthenticationResponse
::FAIL
;
417 $this->logger
->debug( "Login failed in primary authentication by $id" );
418 if ( $res->createRequest ||
$state['maybeLink'] ) {
419 $res->createRequest
= new CreateFromLoginAuthenticationRequest(
420 $res->createRequest
, $state['maybeLink']
423 $this->callMethodOnProviders( 7, 'postAuthentication',
424 [ User
::newFromName( $guessUserName ) ?
: null, $res ]
426 $session->remove( 'AuthManager::authnState' );
427 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $res, null, $guessUserName ] );
429 case AuthenticationResponse
::ABSTAIN
;
432 case AuthenticationResponse
::REDIRECT
;
433 case AuthenticationResponse
::UI
;
434 $this->logger
->debug( "Primary login with $id returned $res->status" );
435 $state['primary'] = $id;
436 $state['continueRequests'] = $res->neededRequests
;
437 $session->setSecret( 'AuthManager::authnState', $state );
440 // @codeCoverageIgnoreStart
442 throw new \
DomainException(
443 get_class( $provider ) . "::beginPrimaryAuthentication() returned $res->status"
445 // @codeCoverageIgnoreEnd
448 if ( $state['primary'] === null ) {
449 $this->logger
->debug( 'Login failed in primary authentication because no provider accepted' );
450 $ret = AuthenticationResponse
::newFail(
451 wfMessage( 'authmanager-authn-no-primary' )
453 $this->callMethodOnProviders( 7, 'postAuthentication',
454 [ User
::newFromName( $guessUserName ) ?
: null, $ret ]
456 $session->remove( 'AuthManager::authnState' );
459 } elseif ( $state['primaryResponse'] === null ) {
460 $provider = $this->getAuthenticationProvider( $state['primary'] );
461 if ( !$provider instanceof PrimaryAuthenticationProvider
) {
462 // Configuration changed? Force them to start over.
463 // @codeCoverageIgnoreStart
464 $ret = AuthenticationResponse
::newFail(
465 wfMessage( 'authmanager-authn-not-in-progress' )
467 $this->callMethodOnProviders( 7, 'postAuthentication',
468 [ User
::newFromName( $guessUserName ) ?
: null, $ret ]
470 $session->remove( 'AuthManager::authnState' );
472 // @codeCoverageIgnoreEnd
474 $id = $provider->getUniqueId();
475 $res = $provider->continuePrimaryAuthentication( $reqs );
476 switch ( $res->status
) {
477 case AuthenticationResponse
::PASS
;
478 $state['primaryResponse'] = $res;
479 $this->logger
->debug( "Primary login with $id succeeded" );
481 case AuthenticationResponse
::FAIL
;
482 $this->logger
->debug( "Login failed in primary authentication by $id" );
483 if ( $res->createRequest ||
$state['maybeLink'] ) {
484 $res->createRequest
= new CreateFromLoginAuthenticationRequest(
485 $res->createRequest
, $state['maybeLink']
488 $this->callMethodOnProviders( 7, 'postAuthentication',
489 [ User
::newFromName( $guessUserName ) ?
: null, $res ]
491 $session->remove( 'AuthManager::authnState' );
492 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $res, null, $guessUserName ] );
494 case AuthenticationResponse
::REDIRECT
;
495 case AuthenticationResponse
::UI
;
496 $this->logger
->debug( "Primary login with $id returned $res->status" );
497 $state['continueRequests'] = $res->neededRequests
;
498 $session->setSecret( 'AuthManager::authnState', $state );
501 throw new \
DomainException(
502 get_class( $provider ) . "::continuePrimaryAuthentication() returned $res->status"
507 $res = $state['primaryResponse'];
508 if ( $res->username
=== null ) {
509 $provider = $this->getAuthenticationProvider( $state['primary'] );
510 if ( !$provider instanceof PrimaryAuthenticationProvider
) {
511 // Configuration changed? Force them to start over.
512 // @codeCoverageIgnoreStart
513 $ret = AuthenticationResponse
::newFail(
514 wfMessage( 'authmanager-authn-not-in-progress' )
516 $this->callMethodOnProviders( 7, 'postAuthentication',
517 [ User
::newFromName( $guessUserName ) ?
: null, $ret ]
519 $session->remove( 'AuthManager::authnState' );
521 // @codeCoverageIgnoreEnd
524 if ( $provider->accountCreationType() === PrimaryAuthenticationProvider
::TYPE_LINK
&&
526 // don't confuse the user with an incorrect message if linking is disabled
527 $this->getAuthenticationProvider( ConfirmLinkSecondaryAuthenticationProvider
::class )
529 $state['maybeLink'][$res->linkRequest
->getUniqueId()] = $res->linkRequest
;
530 $msg = 'authmanager-authn-no-local-user-link';
532 $msg = 'authmanager-authn-no-local-user';
534 $this->logger
->debug(
535 "Primary login with {$provider->getUniqueId()} succeeded, but returned no user"
537 $ret = AuthenticationResponse
::newRestart( wfMessage( $msg ) );
538 $ret->neededRequests
= $this->getAuthenticationRequestsInternal(
541 $this->getPrimaryAuthenticationProviders() +
$this->getSecondaryAuthenticationProviders()
543 if ( $res->createRequest ||
$state['maybeLink'] ) {
544 $ret->createRequest
= new CreateFromLoginAuthenticationRequest(
545 $res->createRequest
, $state['maybeLink']
547 $ret->neededRequests
[] = $ret->createRequest
;
549 $session->setSecret( 'AuthManager::authnState', [
550 'reqs' => [], // Will be filled in later
552 'primaryResponse' => null,
554 'continueRequests' => $ret->neededRequests
,
559 // Step 2: Primary authentication succeeded, create the User object
560 // (and add the user locally if necessary)
562 $user = User
::newFromName( $res->username
, 'usable' );
564 throw new \
DomainException(
565 get_class( $provider ) . " returned an invalid username: {$res->username}"
568 if ( $user->getId() === 0 ) {
569 // User doesn't exist locally. Create it.
570 $this->logger
->info( 'Auto-creating {user} on login', [
571 'user' => $user->getName(),
573 $status = $this->autoCreateUser( $user, $state['primary'], false );
574 if ( !$status->isGood() ) {
575 $ret = AuthenticationResponse
::newFail(
576 Status
::wrap( $status )->getMessage( 'authmanager-authn-autocreate-failed' )
578 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
579 $session->remove( 'AuthManager::authnState' );
580 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName() ] );
585 // Step 3: Iterate over all the secondary authentication providers.
587 $beginReqs = $state['reqs'];
589 foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) {
590 if ( !isset( $state['secondary'][$id] ) ) {
591 // This provider isn't started yet, so we pass it the set
592 // of reqs from beginAuthentication instead of whatever
593 // might have been used by a previous provider in line.
594 $func = 'beginSecondaryAuthentication';
595 $res = $provider->beginSecondaryAuthentication( $user, $beginReqs );
596 } elseif ( !$state['secondary'][$id] ) {
597 $func = 'continueSecondaryAuthentication';
598 $res = $provider->continueSecondaryAuthentication( $user, $reqs );
602 switch ( $res->status
) {
603 case AuthenticationResponse
::PASS
;
604 $this->logger
->debug( "Secondary login with $id succeeded" );
606 case AuthenticationResponse
::ABSTAIN
;
607 $state['secondary'][$id] = true;
609 case AuthenticationResponse
::FAIL
;
610 $this->logger
->debug( "Login failed in secondary authentication by $id" );
611 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $res ] );
612 $session->remove( 'AuthManager::authnState' );
613 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $res, $user, $user->getName() ] );
615 case AuthenticationResponse
::REDIRECT
;
616 case AuthenticationResponse
::UI
;
617 $this->logger
->debug( "Secondary login with $id returned " . $res->status
);
618 $state['secondary'][$id] = false;
619 $state['continueRequests'] = $res->neededRequests
;
620 $session->setSecret( 'AuthManager::authnState', $state );
623 // @codeCoverageIgnoreStart
625 throw new \
DomainException(
626 get_class( $provider ) . "::{$func}() returned $res->status"
628 // @codeCoverageIgnoreEnd
632 // Step 4: Authentication complete! Set the user in the session and
635 $this->logger
->info( 'Login for {user} succeeded', [
636 'user' => $user->getName(),
638 $req = AuthenticationRequest
::getRequestByClass(
639 $beginReqs, RememberMeAuthenticationRequest
::class
641 $this->setSessionDataForUser( $user, $req && $req->rememberMe
);
642 $ret = AuthenticationResponse
::newPass( $user->getName() );
643 $this->callMethodOnProviders( 7, 'postAuthentication', [ $user, $ret ] );
644 $session->remove( 'AuthManager::authnState' );
645 $this->removeAuthenticationSessionData( null );
646 \Hooks
::run( 'AuthManagerLoginAuthenticateAudit', [ $ret, $user, $user->getName() ] );
648 } catch ( \Exception
$ex ) {
649 $session->remove( 'AuthManager::authnState' );
655 * Whether security-sensitive operations should proceed.
657 * A "security-sensitive operation" is something like a password or email
658 * change, that would normally have a "reenter your password to confirm"
659 * box if we only supported password-based authentication.
661 * @param string $operation Operation being checked. This should be a
662 * message-key-like string such as 'change-password' or 'change-email'.
663 * @return string One of the SEC_* constants.
665 public function securitySensitiveOperationStatus( $operation ) {
666 $status = self
::SEC_OK
;
668 $this->logger
->debug( __METHOD__
. ": Checking $operation" );
670 $session = $this->request
->getSession();
671 $aId = $session->getUser()->getId();
673 // User isn't authenticated. DWIM?
674 $status = $this->canAuthenticateNow() ? self
::SEC_REAUTH
: self
::SEC_FAIL
;
675 $this->logger
->info( __METHOD__
. ": Not logged in! $operation is $status" );
679 if ( $session->canSetUser() ) {
680 $id = $session->get( 'AuthManager:lastAuthId' );
681 $last = $session->get( 'AuthManager:lastAuthTimestamp' );
682 if ( $id !== $aId ||
$last === null ) {
683 $timeSinceLogin = PHP_INT_MAX
; // Forever ago
685 $timeSinceLogin = max( 0, time() - $last );
688 $thresholds = $this->config
->get( 'ReauthenticateTime' );
689 if ( isset( $thresholds[$operation] ) ) {
690 $threshold = $thresholds[$operation];
691 } elseif ( isset( $thresholds['default'] ) ) {
692 $threshold = $thresholds['default'];
694 throw new \
UnexpectedValueException( '$wgReauthenticateTime lacks a default' );
697 if ( $threshold >= 0 && $timeSinceLogin > $threshold ) {
698 $status = self
::SEC_REAUTH
;
701 $timeSinceLogin = -1;
703 $pass = $this->config
->get( 'AllowSecuritySensitiveOperationIfCannotReauthenticate' );
704 if ( isset( $pass[$operation] ) ) {
705 $status = $pass[$operation] ? self
::SEC_OK
: self
::SEC_FAIL
;
706 } elseif ( isset( $pass['default'] ) ) {
707 $status = $pass['default'] ? self
::SEC_OK
: self
::SEC_FAIL
;
709 throw new \
UnexpectedValueException(
710 '$wgAllowSecuritySensitiveOperationIfCannotReauthenticate lacks a default'
715 \Hooks
::run( 'SecuritySensitiveOperationStatus', [
716 &$status, $operation, $session, $timeSinceLogin
719 // If authentication is not possible, downgrade from "REAUTH" to "FAIL".
720 if ( !$this->canAuthenticateNow() && $status === self
::SEC_REAUTH
) {
721 $status = self
::SEC_FAIL
;
724 $this->logger
->info( __METHOD__
. ": $operation is $status" );
730 * Determine whether a username can authenticate
732 * @param string $username
735 public function userCanAuthenticate( $username ) {
736 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
737 if ( $provider->testUserCanAuthenticate( $username ) ) {
745 * Provide normalized versions of the username for security checks
747 * Since different providers can normalize the input in different ways,
748 * this returns an array of all the different ways the name might be
749 * normalized for authentication.
751 * The returned strings should not be revealed to the user, as that might
752 * leak private information (e.g. an email address might be normalized to a
755 * @param string $username
758 public function normalizeUsername( $username ) {
760 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
761 $normalized = $provider->providerNormalizeUsername( $username );
762 if ( $normalized !== null ) {
763 $ret[$normalized] = true;
766 return array_keys( $ret );
772 * @name Authentication data changing
777 * Revoke any authentication credentials for a user
779 * After this, the user should no longer be able to log in.
781 * @param string $username
783 public function revokeAccessForUser( $username ) {
784 $this->logger
->info( 'Revoking access for {user}', [
787 $this->callMethodOnProviders( 6, 'providerRevokeAccessForUser', [ $username ] );
791 * Validate a change of authentication data (e.g. passwords)
792 * @param AuthenticationRequest $req
793 * @param bool $checkData If false, $req hasn't been loaded from the
794 * submission so checks on user-submitted fields should be skipped. $req->username is
795 * considered user-submitted for this purpose, even if it cannot be changed via
796 * $req->loadFromSubmission.
799 public function allowsAuthenticationDataChange( AuthenticationRequest
$req, $checkData = true ) {
801 $providers = $this->getPrimaryAuthenticationProviders() +
802 $this->getSecondaryAuthenticationProviders();
803 foreach ( $providers as $provider ) {
804 $status = $provider->providerAllowsAuthenticationDataChange( $req, $checkData );
805 if ( !$status->isGood() ) {
806 return Status
::wrap( $status );
808 $any = $any ||
$status->value
!== 'ignored';
811 $status = Status
::newGood( 'ignored' );
812 $status->warning( 'authmanager-change-not-supported' );
815 return Status
::newGood();
819 * Change authentication data (e.g. passwords)
821 * If $req was returned for AuthManager::ACTION_CHANGE, using $req should
822 * result in a successful login in the future.
824 * If $req was returned for AuthManager::ACTION_REMOVE, using $req should
825 * no longer result in a successful login.
827 * @param AuthenticationRequest $req
829 public function changeAuthenticationData( AuthenticationRequest
$req ) {
830 $this->logger
->info( 'Changing authentication data for {user} class {what}', [
831 'user' => is_string( $req->username
) ?
$req->username
: '<no name>',
832 'what' => get_class( $req ),
835 $this->callMethodOnProviders( 6, 'providerChangeAuthenticationData', [ $req ] );
837 // When the main account's authentication data is changed, invalidate
838 // all BotPasswords too.
839 \BotPassword
::invalidateAllPasswordsForUser( $req->username
);
845 * @name Account creation
850 * Determine whether accounts can be created
853 public function canCreateAccounts() {
854 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
855 switch ( $provider->accountCreationType() ) {
856 case PrimaryAuthenticationProvider
::TYPE_CREATE
:
857 case PrimaryAuthenticationProvider
::TYPE_LINK
:
865 * Determine whether a particular account can be created
866 * @param string $username
867 * @param int $flags Bitfield of User:READ_* constants
870 public function canCreateAccount( $username, $flags = User
::READ_NORMAL
) {
871 if ( !$this->canCreateAccounts() ) {
872 return Status
::newFatal( 'authmanager-create-disabled' );
875 if ( $this->userExists( $username, $flags ) ) {
876 return Status
::newFatal( 'userexists' );
879 $user = User
::newFromName( $username, 'creatable' );
880 if ( !is_object( $user ) ) {
881 return Status
::newFatal( 'noname' );
883 $user->load( $flags ); // Explicitly load with $flags, auto-loading always uses READ_NORMAL
884 if ( $user->getId() !== 0 ) {
885 return Status
::newFatal( 'userexists' );
889 // Denied by providers?
890 $providers = $this->getPreAuthenticationProviders() +
891 $this->getPrimaryAuthenticationProviders() +
892 $this->getSecondaryAuthenticationProviders();
893 foreach ( $providers as $provider ) {
894 $status = $provider->testUserForCreation( $user, false );
895 if ( !$status->isGood() ) {
896 return Status
::wrap( $status );
900 return Status
::newGood();
904 * Basic permissions checks on whether a user can create accounts
905 * @param User $creator User doing the account creation
908 public function checkAccountCreatePermissions( User
$creator ) {
909 // Wiki is read-only?
910 if ( wfReadOnly() ) {
911 return Status
::newFatal( 'readonlytext', wfReadOnlyReason() );
914 // This is awful, this permission check really shouldn't go through Title.
915 $permErrors = \SpecialPage
::getTitleFor( 'CreateAccount' )
916 ->getUserPermissionsErrors( 'createaccount', $creator, 'secure' );
918 $status = Status
::newGood();
919 foreach ( $permErrors as $args ) {
920 call_user_func_array( [ $status, 'fatal' ], $args );
925 $block = $creator->isBlockedFromCreateAccount();
929 $block->mReason ?
: wfMessage( 'blockednoreason' )->text(),
933 if ( $block->getType() === \Block
::TYPE_RANGE
) {
934 $errorMessage = 'cantcreateaccount-range-text';
935 $errorParams[] = $this->getRequest()->getIP();
937 $errorMessage = 'cantcreateaccount-text';
940 return Status
::newFatal( wfMessage( $errorMessage, $errorParams ) );
943 $ip = $this->getRequest()->getIP();
944 if ( $creator->isDnsBlacklisted( $ip, true /* check $wgProxyWhitelist */ ) ) {
945 return Status
::newFatal( 'sorbs_create_account_reason' );
948 return Status
::newGood();
952 * Start an account creation flow
953 * @param User $creator User doing the account creation
954 * @param AuthenticationRequest[] $reqs
955 * @param string $returnToUrl Url that REDIRECT responses should eventually
957 * @return AuthenticationResponse
959 public function beginAccountCreation( User
$creator, array $reqs, $returnToUrl ) {
960 $session = $this->request
->getSession();
961 if ( !$this->canCreateAccounts() ) {
962 // Caller should have called canCreateAccounts()
963 $session->remove( 'AuthManager::accountCreationState' );
964 throw new \
LogicException( 'Account creation is not possible' );
968 $username = AuthenticationRequest
::getUsernameFromRequests( $reqs );
969 } catch ( \UnexpectedValueException
$ex ) {
972 if ( $username === null ) {
973 $this->logger
->debug( __METHOD__
. ': No username provided' );
974 return AuthenticationResponse
::newFail( wfMessage( 'noname' ) );
978 $status = $this->checkAccountCreatePermissions( $creator );
979 if ( !$status->isGood() ) {
980 $this->logger
->debug( __METHOD__
. ': {creator} cannot create users: {reason}', [
982 'creator' => $creator->getName(),
983 'reason' => $status->getWikiText( null, null, 'en' )
985 return AuthenticationResponse
::newFail( $status->getMessage() );
988 $status = $this->canCreateAccount( $username, User
::READ_LOCKING
);
989 if ( !$status->isGood() ) {
990 $this->logger
->debug( __METHOD__
. ': {user} cannot be created: {reason}', [
992 'creator' => $creator->getName(),
993 'reason' => $status->getWikiText( null, null, 'en' )
995 return AuthenticationResponse
::newFail( $status->getMessage() );
998 $user = User
::newFromName( $username, 'creatable' );
999 foreach ( $reqs as $req ) {
1000 $req->username
= $username;
1001 $req->returnToUrl
= $returnToUrl;
1002 if ( $req instanceof UserDataAuthenticationRequest
) {
1003 $status = $req->populateUser( $user );
1004 if ( !$status->isGood() ) {
1005 $status = Status
::wrap( $status );
1006 $session->remove( 'AuthManager::accountCreationState' );
1007 $this->logger
->debug( __METHOD__
. ': UserData is invalid: {reason}', [
1008 'user' => $user->getName(),
1009 'creator' => $creator->getName(),
1010 'reason' => $status->getWikiText( null, null, 'en' ),
1012 return AuthenticationResponse
::newFail( $status->getMessage() );
1017 $this->removeAuthenticationSessionData( null );
1020 'username' => $username,
1022 'creatorid' => $creator->getId(),
1023 'creatorname' => $creator->getName(),
1025 'returnToUrl' => $returnToUrl,
1027 'primaryResponse' => null,
1029 'continueRequests' => [],
1031 'ranPreTests' => false,
1034 // Special case: converting a login to an account creation
1035 $req = AuthenticationRequest
::getRequestByClass(
1036 $reqs, CreateFromLoginAuthenticationRequest
::class
1039 $state['maybeLink'] = $req->maybeLink
;
1041 // If we get here, the user didn't submit a form with any of the
1042 // usual AuthenticationRequests that are needed for an account
1043 // creation. So we need to determine if there are any and return a
1044 // UI response if so.
1045 if ( $req->createRequest
) {
1046 // We have a createRequest from a
1047 // PrimaryAuthenticationProvider, so don't ask.
1048 $providers = $this->getPreAuthenticationProviders() +
1049 $this->getSecondaryAuthenticationProviders();
1051 // We're only preserving maybeLink, so ask for primary fields
1053 $providers = $this->getPreAuthenticationProviders() +
1054 $this->getPrimaryAuthenticationProviders() +
1055 $this->getSecondaryAuthenticationProviders();
1057 $reqs = $this->getAuthenticationRequestsInternal(
1058 self
::ACTION_CREATE
,
1062 // See if we need any requests to begin
1063 foreach ( (array)$reqs as $r ) {
1064 if ( !$r instanceof UsernameAuthenticationRequest
&&
1065 !$r instanceof UserDataAuthenticationRequest
&&
1066 !$r instanceof CreationReasonAuthenticationRequest
1068 // Needs some reqs, so request them
1069 $reqs[] = new CreateFromLoginAuthenticationRequest( $req->createRequest
, [] );
1070 $state['continueRequests'] = $reqs;
1071 $session->setSecret( 'AuthManager::accountCreationState', $state );
1072 $session->persist();
1073 return AuthenticationResponse
::newUI( $reqs, wfMessage( 'authmanager-create-from-login' ) );
1076 // No reqs needed, so we can just continue.
1077 $req->createRequest
->returnToUrl
= $returnToUrl;
1078 $reqs = [ $req->createRequest
];
1081 $session->setSecret( 'AuthManager::accountCreationState', $state );
1082 $session->persist();
1084 return $this->continueAccountCreation( $reqs );
1088 * Continue an account creation flow
1089 * @param AuthenticationRequest[] $reqs
1090 * @return AuthenticationResponse
1092 public function continueAccountCreation( array $reqs ) {
1093 $session = $this->request
->getSession();
1095 if ( !$this->canCreateAccounts() ) {
1096 // Caller should have called canCreateAccounts()
1097 $session->remove( 'AuthManager::accountCreationState' );
1098 throw new \
LogicException( 'Account creation is not possible' );
1101 $state = $session->getSecret( 'AuthManager::accountCreationState' );
1102 if ( !is_array( $state ) ) {
1103 return AuthenticationResponse
::newFail(
1104 wfMessage( 'authmanager-create-not-in-progress' )
1107 $state['continueRequests'] = [];
1109 // Step 0: Prepare and validate the input
1111 $user = User
::newFromName( $state['username'], 'creatable' );
1112 if ( !is_object( $user ) ) {
1113 $session->remove( 'AuthManager::accountCreationState' );
1114 $this->logger
->debug( __METHOD__
. ': Invalid username', [
1115 'user' => $state['username'],
1117 return AuthenticationResponse
::newFail( wfMessage( 'noname' ) );
1120 if ( $state['creatorid'] ) {
1121 $creator = User
::newFromId( $state['creatorid'] );
1123 $creator = new User
;
1124 $creator->setName( $state['creatorname'] );
1127 // Avoid account creation races on double submissions
1128 $cache = \ObjectCache
::getLocalClusterInstance();
1129 $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $user->getName() ) ) );
1131 // Don't clear AuthManager::accountCreationState for this code
1132 // path because the process that won the race owns it.
1133 $this->logger
->debug( __METHOD__
. ': Could not acquire account creation lock', [
1134 'user' => $user->getName(),
1135 'creator' => $creator->getName(),
1137 return AuthenticationResponse
::newFail( wfMessage( 'usernameinprogress' ) );
1140 // Permissions check
1141 $status = $this->checkAccountCreatePermissions( $creator );
1142 if ( !$status->isGood() ) {
1143 $this->logger
->debug( __METHOD__
. ': {creator} cannot create users: {reason}', [
1144 'user' => $user->getName(),
1145 'creator' => $creator->getName(),
1146 'reason' => $status->getWikiText( null, null, 'en' )
1148 $ret = AuthenticationResponse
::newFail( $status->getMessage() );
1149 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1150 $session->remove( 'AuthManager::accountCreationState' );
1154 // Load from master for existence check
1155 $user->load( User
::READ_LOCKING
);
1157 if ( $state['userid'] === 0 ) {
1158 if ( $user->getId() != 0 ) {
1159 $this->logger
->debug( __METHOD__
. ': User exists locally', [
1160 'user' => $user->getName(),
1161 'creator' => $creator->getName(),
1163 $ret = AuthenticationResponse
::newFail( wfMessage( 'userexists' ) );
1164 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1165 $session->remove( 'AuthManager::accountCreationState' );
1169 if ( $user->getId() == 0 ) {
1170 $this->logger
->debug( __METHOD__
. ': User does not exist locally when it should', [
1171 'user' => $user->getName(),
1172 'creator' => $creator->getName(),
1173 'expected_id' => $state['userid'],
1175 throw new \
UnexpectedValueException(
1176 "User \"{$state['username']}\" should exist now, but doesn't!"
1179 if ( $user->getId() != $state['userid'] ) {
1180 $this->logger
->debug( __METHOD__
. ': User ID/name mismatch', [
1181 'user' => $user->getName(),
1182 'creator' => $creator->getName(),
1183 'expected_id' => $state['userid'],
1184 'actual_id' => $user->getId(),
1186 throw new \
UnexpectedValueException(
1187 "User \"{$state['username']}\" exists, but " .
1188 "ID {$user->getId()} != {$state['userid']}!"
1192 foreach ( $state['reqs'] as $req ) {
1193 if ( $req instanceof UserDataAuthenticationRequest
) {
1194 $status = $req->populateUser( $user );
1195 if ( !$status->isGood() ) {
1196 // This should never happen...
1197 $status = Status
::wrap( $status );
1198 $this->logger
->debug( __METHOD__
. ': UserData is invalid: {reason}', [
1199 'user' => $user->getName(),
1200 'creator' => $creator->getName(),
1201 'reason' => $status->getWikiText( null, null, 'en' ),
1203 $ret = AuthenticationResponse
::newFail( $status->getMessage() );
1204 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1205 $session->remove( 'AuthManager::accountCreationState' );
1211 foreach ( $reqs as $req ) {
1212 $req->returnToUrl
= $state['returnToUrl'];
1213 $req->username
= $state['username'];
1216 // If we're coming in from a create-from-login UI response, we need
1217 // to extract the createRequest (if any).
1218 $req = AuthenticationRequest
::getRequestByClass(
1219 $reqs, CreateFromLoginAuthenticationRequest
::class
1221 if ( $req && $req->createRequest
) {
1222 $reqs[] = $req->createRequest
;
1225 // Run pre-creation tests, if we haven't already
1226 if ( !$state['ranPreTests'] ) {
1227 $providers = $this->getPreAuthenticationProviders() +
1228 $this->getPrimaryAuthenticationProviders() +
1229 $this->getSecondaryAuthenticationProviders();
1230 foreach ( $providers as $id => $provider ) {
1231 $status = $provider->testForAccountCreation( $user, $creator, $reqs );
1232 if ( !$status->isGood() ) {
1233 $this->logger
->debug( __METHOD__
. ": Fail in pre-authentication by $id", [
1234 'user' => $user->getName(),
1235 'creator' => $creator->getName(),
1237 $ret = AuthenticationResponse
::newFail(
1238 Status
::wrap( $status )->getMessage()
1240 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1241 $session->remove( 'AuthManager::accountCreationState' );
1246 $state['ranPreTests'] = true;
1249 // Step 1: Choose a primary authentication provider and call it until it succeeds.
1251 if ( $state['primary'] === null ) {
1252 // We haven't picked a PrimaryAuthenticationProvider yet
1253 foreach ( $this->getPrimaryAuthenticationProviders() as $id => $provider ) {
1254 if ( $provider->accountCreationType() === PrimaryAuthenticationProvider
::TYPE_NONE
) {
1257 $res = $provider->beginPrimaryAccountCreation( $user, $creator, $reqs );
1258 switch ( $res->status
) {
1259 case AuthenticationResponse
::PASS
;
1260 $this->logger
->debug( __METHOD__
. ": Primary creation passed by $id", [
1261 'user' => $user->getName(),
1262 'creator' => $creator->getName(),
1264 $state['primary'] = $id;
1265 $state['primaryResponse'] = $res;
1267 case AuthenticationResponse
::FAIL
;
1268 $this->logger
->debug( __METHOD__
. ": Primary creation failed by $id", [
1269 'user' => $user->getName(),
1270 'creator' => $creator->getName(),
1272 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] );
1273 $session->remove( 'AuthManager::accountCreationState' );
1275 case AuthenticationResponse
::ABSTAIN
;
1278 case AuthenticationResponse
::REDIRECT
;
1279 case AuthenticationResponse
::UI
;
1280 $this->logger
->debug( __METHOD__
. ": Primary creation $res->status by $id", [
1281 'user' => $user->getName(),
1282 'creator' => $creator->getName(),
1284 $state['primary'] = $id;
1285 $state['continueRequests'] = $res->neededRequests
;
1286 $session->setSecret( 'AuthManager::accountCreationState', $state );
1289 // @codeCoverageIgnoreStart
1291 throw new \
DomainException(
1292 get_class( $provider ) . "::beginPrimaryAccountCreation() returned $res->status"
1294 // @codeCoverageIgnoreEnd
1297 if ( $state['primary'] === null ) {
1298 $this->logger
->debug( __METHOD__
. ': Primary creation failed because no provider accepted', [
1299 'user' => $user->getName(),
1300 'creator' => $creator->getName(),
1302 $ret = AuthenticationResponse
::newFail(
1303 wfMessage( 'authmanager-create-no-primary' )
1305 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1306 $session->remove( 'AuthManager::accountCreationState' );
1309 } elseif ( $state['primaryResponse'] === null ) {
1310 $provider = $this->getAuthenticationProvider( $state['primary'] );
1311 if ( !$provider instanceof PrimaryAuthenticationProvider
) {
1312 // Configuration changed? Force them to start over.
1313 // @codeCoverageIgnoreStart
1314 $ret = AuthenticationResponse
::newFail(
1315 wfMessage( 'authmanager-create-not-in-progress' )
1317 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1318 $session->remove( 'AuthManager::accountCreationState' );
1320 // @codeCoverageIgnoreEnd
1322 $id = $provider->getUniqueId();
1323 $res = $provider->continuePrimaryAccountCreation( $user, $creator, $reqs );
1324 switch ( $res->status
) {
1325 case AuthenticationResponse
::PASS
;
1326 $this->logger
->debug( __METHOD__
. ": Primary creation passed by $id", [
1327 'user' => $user->getName(),
1328 'creator' => $creator->getName(),
1330 $state['primaryResponse'] = $res;
1332 case AuthenticationResponse
::FAIL
;
1333 $this->logger
->debug( __METHOD__
. ": Primary creation failed by $id", [
1334 'user' => $user->getName(),
1335 'creator' => $creator->getName(),
1337 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $res ] );
1338 $session->remove( 'AuthManager::accountCreationState' );
1340 case AuthenticationResponse
::REDIRECT
;
1341 case AuthenticationResponse
::UI
;
1342 $this->logger
->debug( __METHOD__
. ": Primary creation $res->status by $id", [
1343 'user' => $user->getName(),
1344 'creator' => $creator->getName(),
1346 $state['continueRequests'] = $res->neededRequests
;
1347 $session->setSecret( 'AuthManager::accountCreationState', $state );
1350 throw new \
DomainException(
1351 get_class( $provider ) . "::continuePrimaryAccountCreation() returned $res->status"
1356 // Step 2: Primary authentication succeeded, create the User object
1357 // and add the user locally.
1359 if ( $state['userid'] === 0 ) {
1360 $this->logger
->info( 'Creating user {user} during account creation', [
1361 'user' => $user->getName(),
1362 'creator' => $creator->getName(),
1364 $status = $user->addToDatabase();
1365 if ( !$status->isOk() ) {
1366 // @codeCoverageIgnoreStart
1367 $ret = AuthenticationResponse
::newFail( $status->getMessage() );
1368 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1369 $session->remove( 'AuthManager::accountCreationState' );
1371 // @codeCoverageIgnoreEnd
1373 $this->setDefaultUserOptions( $user, $creator->isAnon() );
1374 \Hooks
::run( 'LocalUserCreated', [ $user, false ] );
1375 $user->saveSettings();
1376 $state['userid'] = $user->getId();
1378 // Update user count
1379 \DeferredUpdates
::addUpdate( new \
SiteStatsUpdate( 0, 0, 0, 0, 1 ) );
1381 // Watch user's userpage and talk page
1382 $user->addWatch( $user->getUserPage(), User
::IGNORE_USER_RIGHTS
);
1384 // Inform the provider
1385 $logSubtype = $provider->finishAccountCreation( $user, $creator, $state['primaryResponse'] );
1388 if ( $this->config
->get( 'NewUserLog' ) ) {
1389 $isAnon = $creator->isAnon();
1390 $logEntry = new \
ManualLogEntry(
1392 $logSubtype ?
: ( $isAnon ?
'create' : 'create2' )
1394 $logEntry->setPerformer( $isAnon ?
$user : $creator );
1395 $logEntry->setTarget( $user->getUserPage() );
1396 $req = AuthenticationRequest
::getRequestByClass(
1397 $state['reqs'], CreationReasonAuthenticationRequest
::class
1399 $logEntry->setComment( $req ?
$req->reason
: '' );
1400 $logEntry->setParameters( [
1401 '4::userid' => $user->getId(),
1403 $logid = $logEntry->insert();
1404 $logEntry->publish( $logid );
1408 // Step 3: Iterate over all the secondary authentication providers.
1410 $beginReqs = $state['reqs'];
1412 foreach ( $this->getSecondaryAuthenticationProviders() as $id => $provider ) {
1413 if ( !isset( $state['secondary'][$id] ) ) {
1414 // This provider isn't started yet, so we pass it the set
1415 // of reqs from beginAuthentication instead of whatever
1416 // might have been used by a previous provider in line.
1417 $func = 'beginSecondaryAccountCreation';
1418 $res = $provider->beginSecondaryAccountCreation( $user, $creator, $beginReqs );
1419 } elseif ( !$state['secondary'][$id] ) {
1420 $func = 'continueSecondaryAccountCreation';
1421 $res = $provider->continueSecondaryAccountCreation( $user, $creator, $reqs );
1425 switch ( $res->status
) {
1426 case AuthenticationResponse
::PASS
;
1427 $this->logger
->debug( __METHOD__
. ": Secondary creation passed by $id", [
1428 'user' => $user->getName(),
1429 'creator' => $creator->getName(),
1432 case AuthenticationResponse
::ABSTAIN
;
1433 $state['secondary'][$id] = true;
1435 case AuthenticationResponse
::REDIRECT
;
1436 case AuthenticationResponse
::UI
;
1437 $this->logger
->debug( __METHOD__
. ": Secondary creation $res->status by $id", [
1438 'user' => $user->getName(),
1439 'creator' => $creator->getName(),
1441 $state['secondary'][$id] = false;
1442 $state['continueRequests'] = $res->neededRequests
;
1443 $session->setSecret( 'AuthManager::accountCreationState', $state );
1445 case AuthenticationResponse
::FAIL
;
1446 throw new \
DomainException(
1447 get_class( $provider ) . "::{$func}() returned $res->status." .
1448 ' Secondary providers are not allowed to fail account creation, that' .
1449 ' should have been done via testForAccountCreation().'
1451 // @codeCoverageIgnoreStart
1453 throw new \
DomainException(
1454 get_class( $provider ) . "::{$func}() returned $res->status"
1456 // @codeCoverageIgnoreEnd
1460 $id = $user->getId();
1461 $name = $user->getName();
1462 $req = new CreatedAccountAuthenticationRequest( $id, $name );
1463 $ret = AuthenticationResponse
::newPass( $name );
1464 $ret->loginRequest
= $req;
1465 $this->createdAccountAuthenticationRequests
[] = $req;
1467 $this->logger
->info( __METHOD__
. ': Account creation succeeded for {user}', [
1468 'user' => $user->getName(),
1469 'creator' => $creator->getName(),
1472 $this->callMethodOnProviders( 7, 'postAccountCreation', [ $user, $creator, $ret ] );
1473 $session->remove( 'AuthManager::accountCreationState' );
1474 $this->removeAuthenticationSessionData( null );
1476 } catch ( \Exception
$ex ) {
1477 $session->remove( 'AuthManager::accountCreationState' );
1483 * Auto-create an account, and log into that account
1484 * @param User $user User to auto-create
1485 * @param string $source What caused the auto-creation? This must be the ID
1486 * of a PrimaryAuthenticationProvider or the constant self::AUTOCREATE_SOURCE_SESSION.
1487 * @param bool $login Whether to also log the user in
1488 * @return Status Good if user was created, Ok if user already existed, otherwise Fatal
1490 public function autoCreateUser( User
$user, $source, $login = true ) {
1491 if ( $source !== self
::AUTOCREATE_SOURCE_SESSION
&&
1492 !$this->getAuthenticationProvider( $source ) instanceof PrimaryAuthenticationProvider
1494 throw new \
InvalidArgumentException( "Unknown auto-creation source: $source" );
1497 $username = $user->getName();
1499 // Try the local user from the slave DB
1500 $localId = User
::idFromName( $username );
1501 $flags = User
::READ_NORMAL
;
1503 // Fetch the user ID from the master, so that we don't try to create the user
1504 // when they already exist, due to replication lag
1505 // @codeCoverageIgnoreStart
1506 if ( !$localId && wfGetLB()->getReaderIndex() != 0 ) {
1507 $localId = User
::idFromName( $username, User
::READ_LATEST
);
1508 $flags = User
::READ_LATEST
;
1510 // @codeCoverageIgnoreEnd
1513 $this->logger
->debug( __METHOD__
. ': {username} already exists locally', [
1514 'username' => $username,
1516 $user->setId( $localId );
1517 $user->loadFromId( $flags );
1519 $this->setSessionDataForUser( $user );
1521 $status = Status
::newGood();
1522 $status->warning( 'userexists' );
1526 // Wiki is read-only?
1527 if ( wfReadOnly() ) {
1528 $this->logger
->debug( __METHOD__
. ': denied by wfReadOnly(): {reason}', [
1529 'username' => $username,
1530 'reason' => wfReadOnlyReason(),
1533 $user->loadFromId();
1534 return Status
::newFatal( 'readonlytext', wfReadOnlyReason() );
1537 // Check the session, if we tried to create this user already there's
1538 // no point in retrying.
1539 $session = $this->request
->getSession();
1540 if ( $session->get( 'AuthManager::AutoCreateBlacklist' ) ) {
1541 $this->logger
->debug( __METHOD__
. ': blacklisted in session {sessionid}', [
1542 'username' => $username,
1543 'sessionid' => $session->getId(),
1546 $user->loadFromId();
1547 $reason = $session->get( 'AuthManager::AutoCreateBlacklist' );
1548 if ( $reason instanceof StatusValue
) {
1549 return Status
::wrap( $reason );
1551 return Status
::newFatal( $reason );
1555 // Is the username creatable?
1556 if ( !User
::isCreatableName( $username ) ) {
1557 $this->logger
->debug( __METHOD__
. ': name "{username}" is not creatable', [
1558 'username' => $username,
1560 $session->set( 'AuthManager::AutoCreateBlacklist', 'noname', 600 );
1562 $user->loadFromId();
1563 return Status
::newFatal( 'noname' );
1566 // Is the IP user able to create accounts?
1568 if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {
1569 $this->logger
->debug( __METHOD__
. ': IP lacks the ability to create or autocreate accounts', [
1570 'username' => $username,
1571 'ip' => $anon->getName(),
1573 $session->set( 'AuthManager::AutoCreateBlacklist', 'authmanager-autocreate-noperm', 600 );
1574 $session->persist();
1576 $user->loadFromId();
1577 return Status
::newFatal( 'authmanager-autocreate-noperm' );
1580 // Avoid account creation races on double submissions
1581 $cache = \ObjectCache
::getLocalClusterInstance();
1582 $lock = $cache->getScopedLock( $cache->makeGlobalKey( 'account', md5( $username ) ) );
1584 $this->logger
->debug( __METHOD__
. ': Could not acquire account creation lock', [
1585 'user' => $username,
1588 $user->loadFromId();
1589 return Status
::newFatal( 'usernameinprogress' );
1592 // Denied by providers?
1593 $providers = $this->getPreAuthenticationProviders() +
1594 $this->getPrimaryAuthenticationProviders() +
1595 $this->getSecondaryAuthenticationProviders();
1596 foreach ( $providers as $provider ) {
1597 $status = $provider->testUserForCreation( $user, $source );
1598 if ( !$status->isGood() ) {
1599 $ret = Status
::wrap( $status );
1600 $this->logger
->debug( __METHOD__
. ': Provider denied creation of {username}: {reason}', [
1601 'username' => $username,
1602 'reason' => $ret->getWikiText( null, null, 'en' ),
1604 $session->set( 'AuthManager::AutoCreateBlacklist', $status, 600 );
1606 $user->loadFromId();
1611 // Ignore warnings about master connections/writes...hard to avoid here
1612 \Profiler
::instance()->getTransactionProfiler()->resetExpectations();
1614 $backoffKey = wfMemcKey( 'AuthManager', 'autocreate-failed', md5( $username ) );
1615 if ( $cache->get( $backoffKey ) ) {
1616 $this->logger
->debug( __METHOD__
. ': {username} denied by prior creation attempt failures', [
1617 'username' => $username,
1620 $user->loadFromId();
1621 return Status
::newFatal( 'authmanager-autocreate-exception' );
1624 // Checks passed, create the user...
1625 $from = isset( $_SERVER['REQUEST_URI'] ) ?
$_SERVER['REQUEST_URI'] : 'CLI';
1626 $this->logger
->info( __METHOD__
. ': creating new user ({username}) - from: {from}', [
1627 'username' => $username,
1632 $status = $user->addToDatabase();
1633 if ( !$status->isOk() ) {
1634 // double-check for a race condition (T70012)
1635 $localId = User
::idFromName( $username, User
::READ_LATEST
);
1637 $this->logger
->info( __METHOD__
. ': {username} already exists locally (race)', [
1638 'username' => $username,
1640 $user->setId( $localId );
1641 $user->loadFromId( User
::READ_LATEST
);
1643 $this->setSessionDataForUser( $user );
1645 $status = Status
::newGood();
1646 $status->warning( 'userexists' );
1648 $this->logger
->error( __METHOD__
. ': {username} failed with message {message}', [
1649 'username' => $username,
1650 'message' => $status->getWikiText( null, null, 'en' )
1653 $user->loadFromId();
1657 } catch ( \Exception
$ex ) {
1658 $this->logger
->error( __METHOD__
. ': {username} failed with exception {exception}', [
1659 'username' => $username,
1662 // Do not keep throwing errors for a while
1663 $cache->set( $backoffKey, 1, 600 );
1664 // Bubble up error; which should normally trigger DB rollbacks
1668 $this->setDefaultUserOptions( $user, true );
1670 // Inform the providers
1671 $this->callMethodOnProviders( 6, 'autoCreatedAccount', [ $user, $source ] );
1673 \Hooks
::run( 'AuthPluginAutoCreate', [ $user ], '1.27' );
1674 \Hooks
::run( 'LocalUserCreated', [ $user, true ] );
1675 $user->saveSettings();
1677 // Update user count
1678 \DeferredUpdates
::addUpdate( new \
SiteStatsUpdate( 0, 0, 0, 0, 1 ) );
1680 // Watch user's userpage and talk page
1681 $user->addWatch( $user->getUserPage(), User
::IGNORE_USER_RIGHTS
);
1684 if ( $this->config
->get( 'NewUserLog' ) ) {
1685 $logEntry = new \
ManualLogEntry( 'newusers', 'autocreate' );
1686 $logEntry->setPerformer( $user );
1687 $logEntry->setTarget( $user->getUserPage() );
1688 $logEntry->setComment( '' );
1689 $logEntry->setParameters( [
1690 '4::userid' => $user->getId(),
1692 $logid = $logEntry->insert();
1696 $this->setSessionDataForUser( $user );
1699 return Status
::newGood();
1705 * @name Account linking
1710 * Determine whether accounts can be linked
1713 public function canLinkAccounts() {
1714 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
1715 if ( $provider->accountCreationType() === PrimaryAuthenticationProvider
::TYPE_LINK
) {
1723 * Start an account linking flow
1725 * @param User $user User being linked
1726 * @param AuthenticationRequest[] $reqs
1727 * @param string $returnToUrl Url that REDIRECT responses should eventually
1729 * @return AuthenticationResponse
1731 public function beginAccountLink( User
$user, array $reqs, $returnToUrl ) {
1732 $session = $this->request
->getSession();
1733 $session->remove( 'AuthManager::accountLinkState' );
1735 if ( !$this->canLinkAccounts() ) {
1736 // Caller should have called canLinkAccounts()
1737 throw new \
LogicException( 'Account linking is not possible' );
1740 if ( $user->getId() === 0 ) {
1741 if ( !User
::isUsableName( $user->getName() ) ) {
1742 $msg = wfMessage( 'noname' );
1744 $msg = wfMessage( 'authmanager-userdoesnotexist', $user->getName() );
1746 return AuthenticationResponse
::newFail( $msg );
1748 foreach ( $reqs as $req ) {
1749 $req->username
= $user->getName();
1750 $req->returnToUrl
= $returnToUrl;
1753 $this->removeAuthenticationSessionData( null );
1755 $providers = $this->getPreAuthenticationProviders();
1756 foreach ( $providers as $id => $provider ) {
1757 $status = $provider->testForAccountLink( $user );
1758 if ( !$status->isGood() ) {
1759 $this->logger
->debug( __METHOD__
. ": Account linking pre-check failed by $id", [
1760 'user' => $user->getName(),
1762 $ret = AuthenticationResponse
::newFail(
1763 Status
::wrap( $status )->getMessage()
1765 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1771 'username' => $user->getName(),
1772 'userid' => $user->getId(),
1773 'returnToUrl' => $returnToUrl,
1775 'continueRequests' => [],
1778 $providers = $this->getPrimaryAuthenticationProviders();
1779 foreach ( $providers as $id => $provider ) {
1780 if ( $provider->accountCreationType() !== PrimaryAuthenticationProvider
::TYPE_LINK
) {
1784 $res = $provider->beginPrimaryAccountLink( $user, $reqs );
1785 switch ( $res->status
) {
1786 case AuthenticationResponse
::PASS
;
1787 $this->logger
->info( "Account linked to {user} by $id", [
1788 'user' => $user->getName(),
1790 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1793 case AuthenticationResponse
::FAIL
;
1794 $this->logger
->debug( __METHOD__
. ": Account linking failed by $id", [
1795 'user' => $user->getName(),
1797 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1800 case AuthenticationResponse
::ABSTAIN
;
1804 case AuthenticationResponse
::REDIRECT
;
1805 case AuthenticationResponse
::UI
;
1806 $this->logger
->debug( __METHOD__
. ": Account linking $res->status by $id", [
1807 'user' => $user->getName(),
1809 $state['primary'] = $id;
1810 $state['continueRequests'] = $res->neededRequests
;
1811 $session->setSecret( 'AuthManager::accountLinkState', $state );
1812 $session->persist();
1815 // @codeCoverageIgnoreStart
1817 throw new \
DomainException(
1818 get_class( $provider ) . "::beginPrimaryAccountLink() returned $res->status"
1820 // @codeCoverageIgnoreEnd
1824 $this->logger
->debug( __METHOD__
. ': Account linking failed because no provider accepted', [
1825 'user' => $user->getName(),
1827 $ret = AuthenticationResponse
::newFail(
1828 wfMessage( 'authmanager-link-no-primary' )
1830 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1835 * Continue an account linking flow
1836 * @param AuthenticationRequest[] $reqs
1837 * @return AuthenticationResponse
1839 public function continueAccountLink( array $reqs ) {
1840 $session = $this->request
->getSession();
1842 if ( !$this->canLinkAccounts() ) {
1843 // Caller should have called canLinkAccounts()
1844 $session->remove( 'AuthManager::accountLinkState' );
1845 throw new \
LogicException( 'Account linking is not possible' );
1848 $state = $session->getSecret( 'AuthManager::accountLinkState' );
1849 if ( !is_array( $state ) ) {
1850 return AuthenticationResponse
::newFail(
1851 wfMessage( 'authmanager-link-not-in-progress' )
1854 $state['continueRequests'] = [];
1856 // Step 0: Prepare and validate the input
1858 $user = User
::newFromName( $state['username'], 'usable' );
1859 if ( !is_object( $user ) ) {
1860 $session->remove( 'AuthManager::accountLinkState' );
1861 return AuthenticationResponse
::newFail( wfMessage( 'noname' ) );
1863 if ( $user->getId() != $state['userid'] ) {
1864 throw new \
UnexpectedValueException(
1865 "User \"{$state['username']}\" is valid, but " .
1866 "ID {$user->getId()} != {$state['userid']}!"
1870 foreach ( $reqs as $req ) {
1871 $req->username
= $state['username'];
1872 $req->returnToUrl
= $state['returnToUrl'];
1875 // Step 1: Call the primary again until it succeeds
1877 $provider = $this->getAuthenticationProvider( $state['primary'] );
1878 if ( !$provider instanceof PrimaryAuthenticationProvider
) {
1879 // Configuration changed? Force them to start over.
1880 // @codeCoverageIgnoreStart
1881 $ret = AuthenticationResponse
::newFail(
1882 wfMessage( 'authmanager-link-not-in-progress' )
1884 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $ret ] );
1885 $session->remove( 'AuthManager::accountLinkState' );
1887 // @codeCoverageIgnoreEnd
1889 $id = $provider->getUniqueId();
1890 $res = $provider->continuePrimaryAccountLink( $user, $reqs );
1891 switch ( $res->status
) {
1892 case AuthenticationResponse
::PASS
;
1893 $this->logger
->info( "Account linked to {user} by $id", [
1894 'user' => $user->getName(),
1896 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1897 $session->remove( 'AuthManager::accountLinkState' );
1899 case AuthenticationResponse
::FAIL
;
1900 $this->logger
->debug( __METHOD__
. ": Account linking failed by $id", [
1901 'user' => $user->getName(),
1903 $this->callMethodOnProviders( 3, 'postAccountLink', [ $user, $res ] );
1904 $session->remove( 'AuthManager::accountLinkState' );
1906 case AuthenticationResponse
::REDIRECT
;
1907 case AuthenticationResponse
::UI
;
1908 $this->logger
->debug( __METHOD__
. ": Account linking $res->status by $id", [
1909 'user' => $user->getName(),
1911 $state['continueRequests'] = $res->neededRequests
;
1912 $session->setSecret( 'AuthManager::accountLinkState', $state );
1915 throw new \
DomainException(
1916 get_class( $provider ) . "::continuePrimaryAccountLink() returned $res->status"
1919 } catch ( \Exception
$ex ) {
1920 $session->remove( 'AuthManager::accountLinkState' );
1928 * @name Information methods
1933 * Return the applicable list of AuthenticationRequests
1935 * Possible values for $action:
1936 * - ACTION_LOGIN: Valid for passing to beginAuthentication
1937 * - ACTION_LOGIN_CONTINUE: Valid for passing to continueAuthentication in the current state
1938 * - ACTION_CREATE: Valid for passing to beginAccountCreation
1939 * - ACTION_CREATE_CONTINUE: Valid for passing to continueAccountCreation in the current state
1940 * - ACTION_LINK: Valid for passing to beginAccountLink
1941 * - ACTION_LINK_CONTINUE: Valid for passing to continueAccountLink in the current state
1942 * - ACTION_CHANGE: Valid for passing to changeAuthenticationData to change credentials
1943 * - ACTION_REMOVE: Valid for passing to changeAuthenticationData to remove credentials.
1944 * - ACTION_UNLINK: Same as ACTION_REMOVE, but limited to linked accounts.
1946 * @param string $action One of the AuthManager::ACTION_* constants
1947 * @param User|null $user User being acted on, instead of the current user.
1948 * @return AuthenticationRequest[]
1950 public function getAuthenticationRequests( $action, User
$user = null ) {
1952 $providerAction = $action;
1954 // Figure out which providers to query
1955 switch ( $action ) {
1956 case self
::ACTION_LOGIN
:
1957 case self
::ACTION_CREATE
:
1958 $providers = $this->getPreAuthenticationProviders() +
1959 $this->getPrimaryAuthenticationProviders() +
1960 $this->getSecondaryAuthenticationProviders();
1963 case self
::ACTION_LOGIN_CONTINUE
:
1964 $state = $this->request
->getSession()->getSecret( 'AuthManager::authnState' );
1965 return is_array( $state ) ?
$state['continueRequests'] : [];
1967 case self
::ACTION_CREATE_CONTINUE
:
1968 $state = $this->request
->getSession()->getSecret( 'AuthManager::accountCreationState' );
1969 return is_array( $state ) ?
$state['continueRequests'] : [];
1971 case self
::ACTION_LINK
:
1972 $providers = array_filter( $this->getPrimaryAuthenticationProviders(), function ( $p ) {
1973 return $p->accountCreationType() === PrimaryAuthenticationProvider
::TYPE_LINK
;
1977 case self
::ACTION_UNLINK
:
1978 $providers = array_filter( $this->getPrimaryAuthenticationProviders(), function ( $p ) {
1979 return $p->accountCreationType() === PrimaryAuthenticationProvider
::TYPE_LINK
;
1982 // To providers, unlink and remove are identical.
1983 $providerAction = self
::ACTION_REMOVE
;
1986 case self
::ACTION_LINK_CONTINUE
:
1987 $state = $this->request
->getSession()->getSecret( 'AuthManager::accountLinkState' );
1988 return is_array( $state ) ?
$state['continueRequests'] : [];
1990 case self
::ACTION_CHANGE
:
1991 case self
::ACTION_REMOVE
:
1992 $providers = $this->getPrimaryAuthenticationProviders() +
1993 $this->getSecondaryAuthenticationProviders();
1996 // @codeCoverageIgnoreStart
1998 throw new \
DomainException( __METHOD__
. ": Invalid action \"$action\"" );
2000 // @codeCoverageIgnoreEnd
2002 return $this->getAuthenticationRequestsInternal( $providerAction, $options, $providers, $user );
2006 * Internal request lookup for self::getAuthenticationRequests
2008 * @param string $providerAction Action to pass to providers
2009 * @param array $options Options to pass to providers
2010 * @param AuthenticationProvider[] $providers
2011 * @param User|null $user
2012 * @return AuthenticationRequest[]
2014 private function getAuthenticationRequestsInternal(
2015 $providerAction, array $options, array $providers, User
$user = null
2017 $user = $user ?
: \RequestContext
::getMain()->getUser();
2018 $options['username'] = $user->isAnon() ?
null : $user->getName();
2020 // Query them and merge results
2022 $allPrimaryRequired = null;
2023 foreach ( $providers as $provider ) {
2024 $isPrimary = $provider instanceof PrimaryAuthenticationProvider
;
2026 foreach ( $provider->getAuthenticationRequests( $providerAction, $options ) as $req ) {
2027 $id = $req->getUniqueId();
2029 // If it's from a Primary, mark it as "primary-required" but
2030 // track it for later.
2032 if ( $req->required
) {
2033 $thisRequired[$id] = true;
2034 $req->required
= AuthenticationRequest
::PRIMARY_REQUIRED
;
2038 if ( !isset( $reqs[$id] ) ||
$req->required
=== AuthenticationRequest
::REQUIRED
) {
2043 // Track which requests are required by all primaries
2045 $allPrimaryRequired = $allPrimaryRequired === null
2047 : array_intersect_key( $allPrimaryRequired, $thisRequired );
2050 // Any requests that were required by all primaries are required.
2051 foreach ( (array)$allPrimaryRequired as $id => $dummy ) {
2052 $reqs[$id]->required
= AuthenticationRequest
::REQUIRED
;
2055 // AuthManager has its own req for some actions
2056 switch ( $providerAction ) {
2057 case self
::ACTION_LOGIN
:
2058 $reqs[] = new RememberMeAuthenticationRequest
;
2061 case self
::ACTION_CREATE
:
2062 $reqs[] = new UsernameAuthenticationRequest
;
2063 $reqs[] = new UserDataAuthenticationRequest
;
2064 if ( $options['username'] !== null ) {
2065 $reqs[] = new CreationReasonAuthenticationRequest
;
2066 $options['username'] = null; // Don't fill in the username below
2071 // Fill in reqs data
2072 foreach ( $reqs as $req ) {
2073 $req->action
= $providerAction;
2074 if ( $req->username
=== null ) {
2075 $req->username
= $options['username'];
2079 // For self::ACTION_CHANGE, filter out any that something else *doesn't* allow changing
2080 if ( $providerAction === self
::ACTION_CHANGE ||
$providerAction === self
::ACTION_REMOVE
) {
2081 $reqs = array_filter( $reqs, function ( $req ) {
2082 return $this->allowsAuthenticationDataChange( $req, false )->isGood();
2086 return array_values( $reqs );
2090 * Determine whether a username exists
2091 * @param string $username
2092 * @param int $flags Bitfield of User:READ_* constants
2095 public function userExists( $username, $flags = User
::READ_NORMAL
) {
2096 foreach ( $this->getPrimaryAuthenticationProviders() as $provider ) {
2097 if ( $provider->testUserExists( $username, $flags ) ) {
2106 * Determine whether a user property should be allowed to be changed.
2108 * Supported properties are:
2113 * @param string $property
2116 public function allowsPropertyChange( $property ) {
2117 $providers = $this->getPrimaryAuthenticationProviders() +
2118 $this->getSecondaryAuthenticationProviders();
2119 foreach ( $providers as $provider ) {
2120 if ( !$provider->providerAllowsPropertyChange( $property ) ) {
2130 * @name Internal methods
2135 * Store authentication in the current session
2136 * @protected For use by AuthenticationProviders
2137 * @param string $key
2138 * @param mixed $data Must be serializable
2140 public function setAuthenticationSessionData( $key, $data ) {
2141 $session = $this->request
->getSession();
2142 $arr = $session->getSecret( 'authData' );
2143 if ( !is_array( $arr ) ) {
2147 $session->setSecret( 'authData', $arr );
2151 * Fetch authentication data from the current session
2152 * @protected For use by AuthenticationProviders
2153 * @param string $key
2154 * @param mixed $default
2157 public function getAuthenticationSessionData( $key, $default = null ) {
2158 $arr = $this->request
->getSession()->getSecret( 'authData' );
2159 if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) {
2167 * Remove authentication data
2168 * @protected For use by AuthenticationProviders
2169 * @param string|null $key If null, all data is removed
2171 public function removeAuthenticationSessionData( $key ) {
2172 $session = $this->request
->getSession();
2173 if ( $key === null ) {
2174 $session->remove( 'authData' );
2176 $arr = $session->getSecret( 'authData' );
2177 if ( is_array( $arr ) && array_key_exists( $key, $arr ) ) {
2178 unset( $arr[$key] );
2179 $session->setSecret( 'authData', $arr );
2185 * Create an array of AuthenticationProviders from an array of ObjectFactory specs
2186 * @param string $class
2187 * @param array[] $specs
2188 * @return AuthenticationProvider[]
2190 protected function providerArrayFromSpecs( $class, array $specs ) {
2192 foreach ( $specs as &$spec ) {
2193 $spec = [ 'sort2' => $i++
] +
$spec +
[ 'sort' => 0 ];
2196 usort( $specs, function ( $a, $b ) {
2197 return ( (int)$a['sort'] ) - ( (int)$b['sort'] )
2198 ?
: $a['sort2'] - $b['sort2'];
2202 foreach ( $specs as $spec ) {
2203 $provider = \ObjectFactory
::getObjectFromSpec( $spec );
2204 if ( !$provider instanceof $class ) {
2205 throw new \
RuntimeException(
2206 "Expected instance of $class, got " . get_class( $provider )
2209 $provider->setLogger( $this->logger
);
2210 $provider->setManager( $this );
2211 $provider->setConfig( $this->config
);
2212 $id = $provider->getUniqueId();
2213 if ( isset( $this->allAuthenticationProviders
[$id] ) ) {
2214 throw new \
RuntimeException(
2215 "Duplicate specifications for id $id (classes " .
2216 get_class( $provider ) . ' and ' .
2217 get_class( $this->allAuthenticationProviders
[$id] ) . ')'
2220 $this->allAuthenticationProviders
[$id] = $provider;
2221 $ret[$id] = $provider;
2227 * Get the configuration
2230 private function getConfiguration() {
2231 return $this->config
->get( 'AuthManagerConfig' ) ?
: $this->config
->get( 'AuthManagerAutoConfig' );
2235 * Get the list of PreAuthenticationProviders
2236 * @return PreAuthenticationProvider[]
2238 protected function getPreAuthenticationProviders() {
2239 if ( $this->preAuthenticationProviders
=== null ) {
2240 $conf = $this->getConfiguration();
2241 $this->preAuthenticationProviders
= $this->providerArrayFromSpecs(
2242 PreAuthenticationProvider
::class, $conf['preauth']
2245 return $this->preAuthenticationProviders
;
2249 * Get the list of PrimaryAuthenticationProviders
2250 * @return PrimaryAuthenticationProvider[]
2252 protected function getPrimaryAuthenticationProviders() {
2253 if ( $this->primaryAuthenticationProviders
=== null ) {
2254 $conf = $this->getConfiguration();
2255 $this->primaryAuthenticationProviders
= $this->providerArrayFromSpecs(
2256 PrimaryAuthenticationProvider
::class, $conf['primaryauth']
2259 return $this->primaryAuthenticationProviders
;
2263 * Get the list of SecondaryAuthenticationProviders
2264 * @return SecondaryAuthenticationProvider[]
2266 protected function getSecondaryAuthenticationProviders() {
2267 if ( $this->secondaryAuthenticationProviders
=== null ) {
2268 $conf = $this->getConfiguration();
2269 $this->secondaryAuthenticationProviders
= $this->providerArrayFromSpecs(
2270 SecondaryAuthenticationProvider
::class, $conf['secondaryauth']
2273 return $this->secondaryAuthenticationProviders
;
2277 * Get a provider by ID
2279 * @return AuthenticationProvider|null
2281 protected function getAuthenticationProvider( $id ) {
2283 if ( isset( $this->allAuthenticationProviders
[$id] ) ) {
2284 return $this->allAuthenticationProviders
[$id];
2287 // Slow version: instantiate each kind and check
2288 $providers = $this->getPrimaryAuthenticationProviders();
2289 if ( isset( $providers[$id] ) ) {
2290 return $providers[$id];
2292 $providers = $this->getSecondaryAuthenticationProviders();
2293 if ( isset( $providers[$id] ) ) {
2294 return $providers[$id];
2296 $providers = $this->getPreAuthenticationProviders();
2297 if ( isset( $providers[$id] ) ) {
2298 return $providers[$id];
2306 * @param bool|null $remember
2308 private function setSessionDataForUser( $user, $remember = null ) {
2309 $session = $this->request
->getSession();
2310 $delay = $session->delaySave();
2312 $session->resetId();
2313 if ( $session->canSetUser() ) {
2314 $session->setUser( $user );
2316 if ( $remember !== null ) {
2317 $session->setRememberUser( $remember );
2319 $session->set( 'AuthManager:lastAuthId', $user->getId() );
2320 $session->set( 'AuthManager:lastAuthTimestamp', time() );
2321 $session->persist();
2323 \ScopedCallback
::consume( $delay );
2325 \Hooks
::run( 'UserLoggedIn', [ $user ] );
2330 * @param bool $useContextLang Use 'uselang' to set the user's language
2332 private function setDefaultUserOptions( User
$user, $useContextLang ) {
2335 \MediaWiki\Session\SessionManager
::singleton()->invalidateSessionsForUser( $user );
2337 $lang = $useContextLang ? \RequestContext
::getMain()->getLanguage() : $wgContLang;
2338 $user->setOption( 'language', $lang->getPreferredVariant() );
2340 if ( $wgContLang->hasVariants() ) {
2341 $user->setOption( 'variant', $wgContLang->getPreferredVariant() );
2346 * @param int $which Bitmask: 1 = pre, 2 = primary, 4 = secondary
2347 * @param string $method
2348 * @param array $args
2350 private function callMethodOnProviders( $which, $method, array $args ) {
2353 $providers +
= $this->getPreAuthenticationProviders();
2356 $providers +
= $this->getPrimaryAuthenticationProviders();
2359 $providers +
= $this->getSecondaryAuthenticationProviders();
2361 foreach ( $providers as $provider ) {
2362 call_user_func_array( [ $provider, $method ], $args );
2367 * Reset the internal caching for unit testing
2369 public static function resetCache() {
2370 if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
2371 // @codeCoverageIgnoreStart
2372 throw new \
MWException( __METHOD__
. ' may only be called from unit tests!' );
2373 // @codeCoverageIgnoreEnd
2376 self
::$instance = null;
2384 * For really cool vim folding this needs to be at the end:
2385 * vim: foldmarker=@{,@} foldmethod=marker