public function execute() { if (!$this->getUser()->isLoggedIn()) { $this->dieUsage('Must be logged in to link accounts', 'notloggedin'); } $params = $this->extractRequestParams(); $this->requireAtLeastOneParameter($params, 'continue', 'returnurl'); if ($params['returnurl'] !== null) { $bits = wfParseUrl($params['returnurl']); if (!$bits || $bits['scheme'] === '') { $encParamName = $this->encodeParamName('returnurl'); $this->dieUsage("Invalid value '{$params['returnurl']}' for url parameter {$encParamName}", "badurl_{$encParamName}"); } } $helper = new ApiAuthManagerHelper($this); $manager = AuthManager::singleton(); // Check security-sensitive operation status $helper->securitySensitiveOperation('LinkAccounts'); // Make sure it's possible to link accounts if (!$manager->canLinkAccounts()) { $this->getResult()->addValue(null, 'linkaccount', $helper->formatAuthenticationResponse(AuthenticationResponse::newFail($this->msg('userlogin-cannot-' . AuthManager::ACTION_LINK)))); return; } // Perform the link step if ($params['continue']) { $reqs = $helper->loadAuthenticationRequests(AuthManager::ACTION_LINK_CONTINUE); $res = $manager->continueAccountLink($reqs); } else { $reqs = $helper->loadAuthenticationRequests(AuthManager::ACTION_LINK); $res = $manager->beginAccountLink($this->getUser(), $reqs, $params['returnurl']); } $this->getResult()->addValue(null, 'linkaccount', $helper->formatAuthenticationResponse($res)); }
public function execute() { $params = $this->extractRequestParams(); $this->requireAtLeastOneParameter($params, 'continue', 'returnurl'); if ($params['returnurl'] !== null) { $bits = wfParseUrl($params['returnurl']); if (!$bits || $bits['scheme'] === '') { $encParamName = $this->encodeParamName('returnurl'); $this->dieUsage("Invalid value '{$params['returnurl']}' for url parameter {$encParamName}", "badurl_{$encParamName}"); } } $helper = new ApiAuthManagerHelper($this); $manager = AuthManager::singleton(); // Make sure it's possible to log in if (!$manager->canAuthenticateNow()) { $this->getResult()->addValue(null, 'clientlogin', $helper->formatAuthenticationResponse(AuthenticationResponse::newFail($this->msg('userlogin-cannot-' . AuthManager::ACTION_LOGIN)))); return; } // Perform the login step if ($params['continue']) { $reqs = $helper->loadAuthenticationRequests(AuthManager::ACTION_LOGIN_CONTINUE); $res = $manager->continueAuthentication($reqs); } else { $reqs = $helper->loadAuthenticationRequests(AuthManager::ACTION_LOGIN); if ($params['preservestate']) { $req = $helper->getPreservedRequest(); if ($req) { $reqs[] = $req; } } $res = $manager->beginAuthentication($reqs, $params['returnurl']); } $this->getResult()->addValue(null, 'clientlogin', $helper->formatAuthenticationResponse($res)); }
/** * Return the appropriate response for failure * @param PasswordAuthenticationRequest $req * @return AuthenticationResponse */ protected function failResponse(PasswordAuthenticationRequest $req) { if ($this->authoritative) { return AuthenticationResponse::newFail(wfMessage($req->password === '' ? 'wrongpasswordempty' : 'wrongpassword')); } else { return AuthenticationResponse::newAbstain(); } }
public function beginSecondaryAccountCreation($user, $creator, array $reqs) { if ($this->sendConfirmationEmail && $user->getEmail() && !$this->manager->getAuthenticationSessionData('no-email')) { // TODO show 'confirmemail_oncreate'/'confirmemail_sendfailed' message wfGetDB(DB_MASTER)->onTransactionIdle(function () use($user) { $user = $user->getInstanceForUpdate(); $status = $user->sendConfirmationMail(); $user->saveSettings(); if (!$status->isGood()) { $this->logger->warning('Could not send confirmation email: ' . $status->getWikiText(false, false, 'en')); } }, __METHOD__); } return AuthenticationResponse::newPass(); }
public function execute() { $params = $this->extractRequestParams(); $this->requireAtLeastOneParameter($params, 'continue', 'returnurl'); if ($params['returnurl'] !== null) { $bits = wfParseUrl($params['returnurl']); if (!$bits || $bits['scheme'] === '') { $encParamName = $this->encodeParamName('returnurl'); $this->dieUsage("Invalid value '{$params['returnurl']}' for url parameter {$encParamName}", "badurl_{$encParamName}"); } } $helper = new ApiAuthManagerHelper($this); $manager = AuthManager::singleton(); // Make sure it's possible to log in if (!$manager->canAuthenticateNow()) { $this->getResult()->addValue(null, 'clientlogin', $helper->formatAuthenticationResponse(AuthenticationResponse::newFail($this->msg('userlogin-cannot-' . AuthManager::ACTION_LOGIN)))); $helper->logAuthenticationResult('login', 'userlogin-cannot-' . AuthManager::ACTION_LOGIN); return; } // Perform the login step if ($params['continue']) { $reqs = $helper->loadAuthenticationRequests(AuthManager::ACTION_LOGIN_CONTINUE); $res = $manager->continueAuthentication($reqs); } else { $reqs = $helper->loadAuthenticationRequests(AuthManager::ACTION_LOGIN); if ($params['preservestate']) { $req = $helper->getPreservedRequest(); if ($req) { $reqs[] = $req; } } $res = $manager->beginAuthentication($reqs, $params['returnurl']); } // Remove CreateFromLoginAuthenticationRequest from $res->neededRequests. // It's there so a RESTART treated as UI will work right, but showing // it to the API client is just confusing. $res->neededRequests = ApiAuthManagerHelper::blacklistAuthenticationRequests($res->neededRequests, [CreateFromLoginAuthenticationRequest::class]); $this->getResult()->addValue(null, 'clientlogin', $helper->formatAuthenticationResponse($res)); $helper->logAuthenticationResult('login', $res); }
/** * Continue the link attempt * @param User $user * @param string $key Session key to look in * @param AuthenticationRequest[] $reqs * @return AuthenticationResponse */ protected function continueLinkAttempt($user, $key, array $reqs) { $req = ButtonAuthenticationRequest::getRequestByName($reqs, 'linkOk'); if ($req) { return AuthenticationResponse::newPass(); } $req = AuthenticationRequest::getRequestByClass($reqs, ConfirmLinkAuthenticationRequest::class); if (!$req) { // WTF? Retry. return $this->beginLinkAttempt($user, $key); } $session = $this->manager->getRequest()->getSession(); $state = $session->getSecret($key); if (!is_array($state)) { return AuthenticationResponse::newAbstain(); } $maybeLink = []; foreach ($state['maybeLink'] as $linkReq) { $maybeLink[$linkReq->getUniqueId()] = $linkReq; } if (!$maybeLink) { return AuthenticationResponse::newAbstain(); } $state['maybeLink'] = []; $session->setSecret($key, $state); $statuses = []; $anyFailed = false; foreach ($req->confirmedLinkIDs as $id) { if (isset($maybeLink[$id])) { $req = $maybeLink[$id]; $req->username = $user->getName(); if (!$req->action) { // Make sure the action is set, but don't override it if // the provider filled it in. $req->action = AuthManager::ACTION_CHANGE; } $status = $this->manager->allowsAuthenticationDataChange($req); $statuses[] = [$req, $status]; if ($status->isGood()) { $this->manager->changeAuthenticationData($req); } else { $anyFailed = true; } } } if (!$anyFailed) { return AuthenticationResponse::newPass(); } $combinedStatus = \Status::newGood(); foreach ($statuses as $data) { list($req, $status) = $data; $descriptionInfo = $req->describeCredentials(); $description = wfMessage('authprovider-confirmlink-option', $descriptionInfo['provider']->text(), $descriptionInfo['account']->text())->text(); if ($status->isGood()) { $combinedStatus->error(wfMessage('authprovider-confirmlink-success-line', $description)); } else { $combinedStatus->error(wfMessage('authprovider-confirmlink-failure-line', $description, $status->getMessage()->text())); } } return AuthenticationResponse::newUI([new ButtonAuthenticationRequest('linkOk', wfMessage('ok'), wfMessage('authprovider-confirmlink-ok-help'))], $combinedStatus->getMessage('authprovider-confirmlink-failed')); }
public function beginSecondaryAccountCreation($user, $creator, array $reqs) { return AuthenticationResponse::newAbstain(); }
/** * @param string $action One of the AuthManager::ACTION_* constants * @param AuthenticationRequest[] $requests * @return AuthenticationResponse * @throws LogicException if $action is invalid */ protected function performAuthenticationStep($action, array $requests) { if (!in_array($action, static::$allowedActions, true)) { throw new InvalidArgumentException('invalid action: ' . $action); } $authManager = AuthManager::singleton(); $returnToUrl = $this->getPageTitle('return')->getFullURL($this->getPreservedParams(true), false, PROTO_HTTPS); switch ($action) { case AuthManager::ACTION_LOGIN: return $authManager->beginAuthentication($requests, $returnToUrl); case AuthManager::ACTION_LOGIN_CONTINUE: return $authManager->continueAuthentication($requests); case AuthManager::ACTION_CREATE: return $authManager->beginAccountCreation($this->getUser(), $requests, $returnToUrl); case AuthManager::ACTION_CREATE_CONTINUE: return $authManager->continueAccountCreation($requests); case AuthManager::ACTION_LINK: return $authManager->beginAccountLink($this->getUser(), $requests, $returnToUrl); case AuthManager::ACTION_LINK_CONTINUE: return $authManager->continueAccountLink($requests); case AuthManager::ACTION_CHANGE: case AuthManager::ACTION_REMOVE: case AuthManager::ACTION_UNLINK: if (count($requests) > 1) { throw new InvalidArgumentException('only one auth request can be changed at a time'); } elseif (!$requests) { throw new InvalidArgumentException('no auth request'); } $req = reset($requests); $status = $authManager->allowsAuthenticationDataChange($req); Hooks::run('ChangeAuthenticationDataAudit', [$req, $status]); if (!$status->isOK()) { return AuthenticationResponse::newFail($status->getMessage()); } $authManager->changeAuthenticationData($req); return AuthenticationResponse::newPass(); default: // should never reach here but makes static code analyzers happy throw new InvalidArgumentException('invalid action: ' . $action); } }
public function provideAccountLink() { $req = $this->getMockForAbstractClass(AuthenticationRequest::class); $good = StatusValue::newGood(); return ['Pre-link test fail in pre' => [StatusValue::newFatal('fail-from-pre'), [], [AuthenticationResponse::newFail($this->message('fail-from-pre'))]], 'Failure in primary' => [$good, $tmp = [AuthenticationResponse::newFail($this->message('fail-from-primary'))], $tmp], 'All primary abstain' => [$good, [AuthenticationResponse::newAbstain()], [AuthenticationResponse::newFail($this->message('authmanager-link-no-primary'))]], 'Primary UI, then redirect, then fail' => [$good, $tmp = [AuthenticationResponse::newUI([$req], $this->message('...')), AuthenticationResponse::newRedirect([$req], '/foo.html', ['foo' => 'bar']), AuthenticationResponse::newFail($this->message('fail-in-primary-continue'))], $tmp], 'Primary redirect, then abstain' => [$good, [$tmp = AuthenticationResponse::newRedirect([$req], '/foo.html', ['foo' => 'bar']), AuthenticationResponse::newAbstain()], [$tmp, new \DomainException('MockPrimaryAuthenticationProvider::continuePrimaryAccountLink() returned ABSTAIN')]], 'Primary UI, then pass' => [$good, [$tmp1 = AuthenticationResponse::newUI([$req], $this->message('...')), AuthenticationResponse::newPass()], [$tmp1, AuthenticationResponse::newPass('')]], 'Primary pass' => [$good, [AuthenticationResponse::newPass('')], [AuthenticationResponse::newPass('')]]]; }
public function beginPrimaryAccountCreation($user, $creator, array $reqs) { /** @var TemporaryPasswordAuthenticationRequest $req */ $req = AuthenticationRequest::getRequestByClass($reqs, TemporaryPasswordAuthenticationRequest::class); if ($req) { if ($req->username !== null && $req->password !== null) { // Nothing we can do yet, because the user isn't in the DB yet if ($req->username !== $user->getName()) { $req = clone $req; $req->username = $user->getName(); } if ($req->mailpassword) { // prevent EmailNotificationSecondaryAuthenticationProvider from sending another mail $this->manager->setAuthenticationSessionData('no-email', true); } $ret = AuthenticationResponse::newPass($req->username); $ret->createRequest = $req; return $ret; } } return AuthenticationResponse::newAbstain(); }
public function beginPrimaryAccountCreation($user, $creator, array $reqs) { if ($this->accountCreationType() === self::TYPE_NONE) { throw new \BadMethodCallException('Shouldn\'t call this when accountCreationType() is NONE'); } $req = AuthenticationRequest::getRequestByClass($reqs, PasswordAuthenticationRequest::class); if ($req) { if ($req->username !== null && $req->password !== null) { // Nothing we can do besides claim it, because the user isn't in // the DB yet if ($req->username !== $user->getName()) { $req = clone $req; $req->username = $user->getName(); } $ret = AuthenticationResponse::newPass($req->username); $ret->createRequest = $req; return $ret; } } return AuthenticationResponse::newAbstain(); }
public function testBeginSecondaryAuthentication() { $provider = new EmailNotificationSecondaryAuthenticationProvider(['sendConfirmationEmail' => true]); $this->assertEquals(AuthenticationResponse::newAbstain(), $provider->beginSecondaryAuthentication(\User::newFromName('Foo'), [])); }
/** * Continue an account linking flow * @param AuthenticationRequest[] $reqs * @return AuthenticationResponse */ public function continueAccountLink(array $reqs) { $session = $this->request->getSession(); try { if (!$this->canLinkAccounts()) { // Caller should have called canLinkAccounts() $session->remove('AuthManager::accountLinkState'); throw new \LogicException('Account linking is not possible'); } $state = $session->getSecret('AuthManager::accountLinkState'); if (!is_array($state)) { return AuthenticationResponse::newFail(wfMessage('authmanager-link-not-in-progress')); } $state['continueRequests'] = []; // Step 0: Prepare and validate the input $user = User::newFromName($state['username'], 'usable'); if (!is_object($user)) { $session->remove('AuthManager::accountLinkState'); return AuthenticationResponse::newFail(wfMessage('noname')); } if ($user->getId() != $state['userid']) { throw new \UnexpectedValueException("User \"{$state['username']}\" is valid, but " . "ID {$user->getId()} != {$state['userid']}!"); } foreach ($reqs as $req) { $req->username = $state['username']; $req->returnToUrl = $state['returnToUrl']; } // Step 1: Call the primary again until it succeeds $provider = $this->getAuthenticationProvider($state['primary']); if (!$provider instanceof PrimaryAuthenticationProvider) { // Configuration changed? Force them to start over. // @codeCoverageIgnoreStart $ret = AuthenticationResponse::newFail(wfMessage('authmanager-link-not-in-progress')); $this->callMethodOnProviders(3, 'postAccountLink', [$user, $ret]); $session->remove('AuthManager::accountLinkState'); return $ret; // @codeCoverageIgnoreEnd } $id = $provider->getUniqueId(); $res = $provider->continuePrimaryAccountLink($user, $reqs); switch ($res->status) { case AuthenticationResponse::PASS: $this->logger->info("Account linked to {user} by {$id}", ['user' => $user->getName()]); $this->callMethodOnProviders(3, 'postAccountLink', [$user, $res]); $session->remove('AuthManager::accountLinkState'); return $res; case AuthenticationResponse::FAIL: $this->logger->debug(__METHOD__ . ": Account linking failed by {$id}", ['user' => $user->getName()]); $this->callMethodOnProviders(3, 'postAccountLink', [$user, $res]); $session->remove('AuthManager::accountLinkState'); return $res; case AuthenticationResponse::REDIRECT: case AuthenticationResponse::UI: $this->logger->debug(__METHOD__ . ": Account linking {$res->status} by {$id}", ['user' => $user->getName()]); $state['continueRequests'] = $res->neededRequests; $session->setSecret('AuthManager::accountLinkState', $state); return $res; default: throw new \DomainException(get_class($provider) . "::continuePrimaryAccountLink() returned {$res->status}"); } } catch (\Exception $ex) { $session->remove('AuthManager::accountLinkState'); throw $ex; } }
public function testAccountCreationEmail() { $creator = \User::newFromName('Foo'); $user = self::getMutableTestUser()->getUser(); $user->setEmail(null); $req = TemporaryPasswordAuthenticationRequest::newRandom(); $req->username = $user->getName(); $req->mailpassword = true; $provider = $this->getProvider(['emailEnabled' => false]); $status = $provider->testForAccountCreation($user, $creator, [$req]); $this->assertEquals(\StatusValue::newFatal('emaildisabled'), $status); $req->hasBackchannel = true; $status = $provider->testForAccountCreation($user, $creator, [$req]); $this->assertFalse($status->hasMessage('emaildisabled')); $req->hasBackchannel = false; $provider = $this->getProvider(['emailEnabled' => true]); $status = $provider->testForAccountCreation($user, $creator, [$req]); $this->assertEquals(\StatusValue::newFatal('noemailcreate'), $status); $req->hasBackchannel = true; $status = $provider->testForAccountCreation($user, $creator, [$req]); $this->assertFalse($status->hasMessage('noemailcreate')); $req->hasBackchannel = false; $user->setEmail('*****@*****.**'); $status = $provider->testForAccountCreation($user, $creator, [$req]); $this->assertEquals(\StatusValue::newGood(), $status); $mailed = false; $resetMailer = $this->hookMailer(function ($headers, $to, $from, $subject, $body) use(&$mailed, $req) { $mailed = true; $this->assertSame('*****@*****.**', $to[0]->address); $this->assertContains($req->password, $body); return false; }); $expect = AuthenticationResponse::newPass($user->getName()); $expect->createRequest = clone $req; $expect->createRequest->username = $user->getName(); $res = $provider->beginPrimaryAccountCreation($user, $creator, [$req]); $this->assertEquals($expect, $res); $this->assertTrue($this->manager->getAuthenticationSessionData('no-email')); $this->assertFalse($mailed); $this->assertSame('byemail', $provider->finishAccountCreation($user, $creator, $res)); $this->assertTrue($mailed); ScopedCallback::consume($resetMailer); $this->assertTrue($mailed); }
public function beginPrimaryAccountCreation($user, $creator, array $reqs) { if ($this->accountCreationType() === self::TYPE_NONE) { throw new \BadMethodCallException('Shouldn\'t call this when accountCreationType() is NONE'); } $req = AuthenticationRequest::getRequestByClass($reqs, $this->requestType); if (!$req || $req->username === null || $req->password === null || $this->hasDomain && $req->domain === null) { return AuthenticationResponse::newAbstain(); } $username = User::getCanonicalName($req->username, 'usable'); if ($username === false) { return AuthenticationResponse::newAbstain(); } $this->setDomain($req); if ($this->auth->addUser($user, $req->password, $user->getEmail(), $user->getRealName())) { return AuthenticationResponse::newPass(); } else { return AuthenticationResponse::newFail(new \Message('authmanager-authplugin-create-fail')); } }