public function provideAccountLink() { $req = $this->getMockForAbstractClass(AuthenticationRequest::class); $good = StatusValue::newGood(); return ['Pre-link test fail in pre' => [StatusValue::newFatal('fail-from-pre'), [], [AuthenticationResponse::newFail($this->message('fail-from-pre'))]], 'Failure in primary' => [$good, $tmp = [AuthenticationResponse::newFail($this->message('fail-from-primary'))], $tmp], 'All primary abstain' => [$good, [AuthenticationResponse::newAbstain()], [AuthenticationResponse::newFail($this->message('authmanager-link-no-primary'))]], 'Primary UI, then redirect, then fail' => [$good, $tmp = [AuthenticationResponse::newUI([$req], $this->message('...')), AuthenticationResponse::newRedirect([$req], '/foo.html', ['foo' => 'bar']), AuthenticationResponse::newFail($this->message('fail-in-primary-continue'))], $tmp], 'Primary redirect, then abstain' => [$good, [$tmp = AuthenticationResponse::newRedirect([$req], '/foo.html', ['foo' => 'bar']), AuthenticationResponse::newAbstain()], [$tmp, new \DomainException('MockPrimaryAuthenticationProvider::continuePrimaryAccountLink() returned ABSTAIN')]], 'Primary UI, then pass' => [$good, [$tmp1 = AuthenticationResponse::newUI([$req], $this->message('...')), AuthenticationResponse::newPass()], [$tmp1, AuthenticationResponse::newPass('')]], 'Primary pass' => [$good, [AuthenticationResponse::newPass('')], [AuthenticationResponse::newPass('')]]]; }
/** * Continue the link attempt * @param User $user * @param string $key Session key to look in * @param AuthenticationRequest[] $reqs * @return AuthenticationResponse */ protected function continueLinkAttempt($user, $key, array $reqs) { $req = ButtonAuthenticationRequest::getRequestByName($reqs, 'linkOk'); if ($req) { return AuthenticationResponse::newPass(); } $req = AuthenticationRequest::getRequestByClass($reqs, ConfirmLinkAuthenticationRequest::class); if (!$req) { // WTF? Retry. return $this->beginLinkAttempt($user, $key); } $session = $this->manager->getRequest()->getSession(); $state = $session->getSecret($key); if (!is_array($state)) { return AuthenticationResponse::newAbstain(); } $maybeLink = []; foreach ($state['maybeLink'] as $linkReq) { $maybeLink[$linkReq->getUniqueId()] = $linkReq; } if (!$maybeLink) { return AuthenticationResponse::newAbstain(); } $state['maybeLink'] = []; $session->setSecret($key, $state); $statuses = []; $anyFailed = false; foreach ($req->confirmedLinkIDs as $id) { if (isset($maybeLink[$id])) { $req = $maybeLink[$id]; $req->username = $user->getName(); if (!$req->action) { // Make sure the action is set, but don't override it if // the provider filled it in. $req->action = AuthManager::ACTION_CHANGE; } $status = $this->manager->allowsAuthenticationDataChange($req); $statuses[] = [$req, $status]; if ($status->isGood()) { $this->manager->changeAuthenticationData($req); } else { $anyFailed = true; } } } if (!$anyFailed) { return AuthenticationResponse::newPass(); } $combinedStatus = \Status::newGood(); foreach ($statuses as $data) { list($req, $status) = $data; $descriptionInfo = $req->describeCredentials(); $description = wfMessage('authprovider-confirmlink-option', $descriptionInfo['provider']->text(), $descriptionInfo['account']->text())->text(); if ($status->isGood()) { $combinedStatus->error(wfMessage('authprovider-confirmlink-success-line', $description)); } else { $combinedStatus->error(wfMessage('authprovider-confirmlink-failure-line', $description, $status->getMessage()->text())); } } return AuthenticationResponse::newUI([new ButtonAuthenticationRequest('linkOk', wfMessage('ok'), wfMessage('authprovider-confirmlink-ok-help'))], $combinedStatus->getMessage('authprovider-confirmlink-failed')); }
/** * Start an account creation flow * @param User $creator User doing the account creation * @param AuthenticationRequest[] $reqs * @param string $returnToUrl Url that REDIRECT responses should eventually * return to. * @return AuthenticationResponse */ public function beginAccountCreation(User $creator, array $reqs, $returnToUrl) { $session = $this->request->getSession(); if (!$this->canCreateAccounts()) { // Caller should have called canCreateAccounts() $session->remove('AuthManager::accountCreationState'); throw new \LogicException('Account creation is not possible'); } try { $username = AuthenticationRequest::getUsernameFromRequests($reqs); } catch (\UnexpectedValueException $ex) { $username = null; } if ($username === null) { $this->logger->debug(__METHOD__ . ': No username provided'); return AuthenticationResponse::newFail(wfMessage('noname')); } // Permissions check $status = $this->checkAccountCreatePermissions($creator); if (!$status->isGood()) { $this->logger->debug(__METHOD__ . ': {creator} cannot create users: {reason}', ['user' => $username, 'creator' => $creator->getName(), 'reason' => $status->getWikiText(null, null, 'en')]); return AuthenticationResponse::newFail($status->getMessage()); } $status = $this->canCreateAccount($username, User::READ_LOCKING); if (!$status->isGood()) { $this->logger->debug(__METHOD__ . ': {user} cannot be created: {reason}', ['user' => $username, 'creator' => $creator->getName(), 'reason' => $status->getWikiText(null, null, 'en')]); return AuthenticationResponse::newFail($status->getMessage()); } $user = User::newFromName($username, 'creatable'); foreach ($reqs as $req) { $req->username = $username; $req->returnToUrl = $returnToUrl; if ($req instanceof UserDataAuthenticationRequest) { $status = $req->populateUser($user); if (!$status->isGood()) { $status = Status::wrap($status); $session->remove('AuthManager::accountCreationState'); $this->logger->debug(__METHOD__ . ': UserData is invalid: {reason}', ['user' => $user->getName(), 'creator' => $creator->getName(), 'reason' => $status->getWikiText(null, null, 'en')]); return AuthenticationResponse::newFail($status->getMessage()); } } } $this->removeAuthenticationSessionData(null); $state = ['username' => $username, 'userid' => 0, 'creatorid' => $creator->getId(), 'creatorname' => $creator->getName(), 'reqs' => $reqs, 'returnToUrl' => $returnToUrl, 'primary' => null, 'primaryResponse' => null, 'secondary' => [], 'continueRequests' => [], 'maybeLink' => [], 'ranPreTests' => false]; // Special case: converting a login to an account creation $req = AuthenticationRequest::getRequestByClass($reqs, CreateFromLoginAuthenticationRequest::class); if ($req) { $state['maybeLink'] = $req->maybeLink; // If we get here, the user didn't submit a form with any of the // usual AuthenticationRequests that are needed for an account // creation. So we need to determine if there are any and return a // UI response if so. if ($req->createRequest) { // We have a createRequest from a // PrimaryAuthenticationProvider, so don't ask. $providers = $this->getPreAuthenticationProviders() + $this->getSecondaryAuthenticationProviders(); } else { // We're only preserving maybeLink, so ask for primary fields // too. $providers = $this->getPreAuthenticationProviders() + $this->getPrimaryAuthenticationProviders() + $this->getSecondaryAuthenticationProviders(); } $reqs = $this->getAuthenticationRequestsInternal(self::ACTION_CREATE, [], $providers); // See if we need any requests to begin foreach ((array) $reqs as $r) { if (!$r instanceof UsernameAuthenticationRequest && !$r instanceof UserDataAuthenticationRequest && !$r instanceof CreationReasonAuthenticationRequest) { // Needs some reqs, so request them $reqs[] = new CreateFromLoginAuthenticationRequest($req->createRequest, []); $state['continueRequests'] = $reqs; $session->setSecret('AuthManager::accountCreationState', $state); $session->persist(); return AuthenticationResponse::newUI($reqs, wfMessage('authmanager-create-from-login')); } } // No reqs needed, so we can just continue. $req->createRequest->returnToUrl = $returnToUrl; $reqs = [$req->createRequest]; } $session->setSecret('AuthManager::accountCreationState', $state); $session->persist(); return $this->continueAccountCreation($reqs); }