authorReedy <reedy@wikimedia.org>2020-06-11 15:32:31 +0100
committerReedy <reedy@wikimedia.org>2020-06-15 21:57:25 +0000
commita26c1c8e59cc9e5686e3c54e2c861cfeac3fb822 (patch)
tree7fc3e96c14869106a9c5e8ef7098811eb90d8a8e
parente862341ce0e592ead850c71e03a84b27cea3a429 (diff)
Remove deprecated PasswordCannotBePopular
Change-Id: I77432ef0257c0dc8aa7c26e075616592e639bfec
-rw-r--r--RELEASE-NOTES-1.352
-rw-r--r--includes/DefaultSettings.php20
-rw-r--r--includes/password/PasswordPolicyChecks.php50
-rw-r--r--includes/password/commonpasswords.cdbbin351624 -> 0 bytes
-rw-r--r--languages/i18n/en.json2
-rw-r--r--languages/i18n/qqq.json12
-rw-r--r--tests/phpunit/includes/password/PasswordPolicyChecksTest.php24
7 files changed, 7 insertions, 103 deletions
diff --git a/RELEASE-NOTES-1.35 b/RELEASE-NOTES-1.35
index fa0a62fda1a5..75044ffb6c02 100644
--- a/RELEASE-NOTES-1.35
+++ b/RELEASE-NOTES-1.35
@@ -163,6 +163,8 @@ For notes on 1.34.x and older releases, see HISTORY.
completely in 1.36.
* $wgObjectCaches – The 'slaveOnly' option for SqlBagOStuff, deprecated in 1.34,
was removed. Use 'replicaOnly' instead.
+* The deprecated PasswordPolicy 'PasswordCannotBePopular' has been removed.
+ Use PasswordNotInCommonList instead which covers many more passwords.
* …
=== New user-facing features in 1.35 ===
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index dc5afc399165..ea86f1484d7e 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4826,11 +4826,6 @@ $wgCentralIdLookupProvider = 'local';
* (contained within) the username.
* - PasswordCannotMatchBlacklist - Username/password combination cannot
* match a blacklist of default passwords used by MediaWiki in the past.
- * - PasswordCannotBePopular - Blacklist passwords which are known to be
- * commonly chosen. Set to integer n to ban the top n passwords.
- * If you want to ban all common passwords on file, use the
- * PHP_INT_MAX constant.
- * Deprecated since 1.33. Use PasswordNotInCommonList instead.
* - PasswordNotInLargeBlacklist - Password not in best practices list of
* 100,000 commonly used passwords. Due to the size of the list this
* is a probabilistic test.
@@ -4888,7 +4883,6 @@ $wgPasswordPolicy = [
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',
'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
- 'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist',
'PasswordNotInLargeBlacklist' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',
'PasswordNotInCommonList' => 'PasswordPolicyChecks::checkPasswordNotInCommonList',
],
@@ -9182,20 +9176,6 @@ $wgVirtualRestConfig = [
*/
$wgSearchRunSuggestedQuery = true;
-/**
- * Where popular password file is located.
- *
- * Default in core contains 10,000 most popular. This config
- * allows you to change which file, in case you want to generate
- * a password file with > 10000 entries in it.
- *
- * @see maintenance/createCommonPasswordCdb.php
- * @since 1.27
- * @deprecated since 1.33
- * @var string path to file
- */
-$wgPopularPasswordFile = __DIR__ . '/password/commonpasswords.cdb';
-
/*
* Max time (in seconds) a user-generated transaction can spend in writes.
* If exceeded, the transaction is rolled back with an error instead of being committed.
diff --git a/includes/password/PasswordPolicyChecks.php b/includes/password/PasswordPolicyChecks.php
index a563b7d6d4c8..b11c38c445dd 100644
--- a/includes/password/PasswordPolicyChecks.php
+++ b/includes/password/PasswordPolicyChecks.php
@@ -20,7 +20,6 @@
* @file
*/
-use Cdb\Reader as CdbReader;
use MediaWiki\MediaWikiServices;
use Wikimedia\CommonPasswords\CommonPasswords;
@@ -156,55 +155,6 @@ class PasswordPolicyChecks {
}
/**
- * Ensure that password isn't in top X most popular passwords, as defined by
- * $wgPopularPasswordFile.
- *
- * @param int $policyVal Cut off to use. Will automatically shrink to the max
- * supported for error messages if set to more than max number of passwords on file,
- * so you can use the PHP_INT_MAX constant here safely.
- * @param User $user
- * @param string $password
- * @since 1.27
- * @deprecated since 1.33
- * @return Status
- * @see $wgPopularPasswordFile
- */
- public static function checkPopularPasswordBlacklist( $policyVal, User $user, $password ) {
- global $wgPopularPasswordFile, $wgSitename;
- $status = Status::newGood();
- if ( $policyVal > 0 ) {
- $langEn = MediaWikiServices::getInstance()->getLanguageFactory()->getLanguage( 'en' );
- $passwordKey = $langEn->lc( trim( $password ) );
-
- // People often use the name of the current site, which won't be
- // in the common password file. Also check '' for people who use
- // just whitespace.
- $sitename = $langEn->lc( trim( $wgSitename ) );
- $hardcodedCommonPasswords = [ '', 'wiki', 'mediawiki', $sitename ];
- if ( in_array( $passwordKey, $hardcodedCommonPasswords ) ) {
- $status->error( 'passwordtoopopular' );
- return $status;
- }
-
- // This could throw an exception, but there's not a good way
- // of failing gracefully, if say the file is missing, so just
- // let the exception fall through.
- // Format of cdb file is mapping password => popularity rank.
- // See maintenance/createCommonPasswordCdb.php
- $db = CdbReader::open( $wgPopularPasswordFile );
-
- $res = $db->get( $passwordKey );
- if ( $res && (int)$res <= $policyVal ) {
- // Note: If you want to find the true number of common
- // passwords stored (for reporting the error), you have to take
- // the max of the policyVal and $db->get( '_TOTALENTRIES' ).
- $status->error( 'passwordtoopopular' );
- }
- }
- return $status;
- }
-
- /**
* Ensure the password isn't in the list of common passwords by the
* wikimedia/common-passwords library, which contains (as of 0.2.0) the
* 100,000 top passwords from SecLists (as a Bloom filter, with an
diff --git a/includes/password/commonpasswords.cdb b/includes/password/commonpasswords.cdb
deleted file mode 100644
index 7b7b043171d9..000000000000
--- a/includes/password/commonpasswords.cdb
+++ /dev/null
Binary files differ
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index b14fea10f5f3..9b89170ebe6b 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -489,7 +489,6 @@
"wrongpasswordempty": "Password entered was blank.\nPlease try again.",
"passwordtooshort": "Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.",
"passwordtoolong": "Passwords cannot be longer than {{PLURAL:$1|1 character|$1 characters}}.",
- "passwordtoopopular": "Commonly chosen passwords cannot be used. Please choose a password that is more difficult to guess.",
"passwordincommonlist": "The password entered is in a list of very commonly used passwords. Please choose a more unique password.",
"password-name-match": "Your password must be different from your username.",
"password-substring-username-match": "Your password must not appear within your username.",
@@ -4287,7 +4286,6 @@
"passwordpolicies-policy-passwordcannotbesubstringinusername": "Password cannot be a substring within the username",
"passwordpolicies-policy-passwordcannotmatchblacklist": "Password cannot match specifically blacklisted passwords",
"passwordpolicies-policy-maximalpasswordlength": "Password must be less than $1 {{PLURAL:$1|character|characters}} long",
- "passwordpolicies-policy-passwordcannotbepopular": "Password cannot be {{PLURAL:$1|the popular password|in the list of $1 popular passwords}}",
"passwordpolicies-policy-passwordnotinlargeblacklist": "Password cannot be in the list of 100,000 most commonly used passwords.",
"passwordpolicies-policy-passwordnotincommonlist": "Password cannot be in the list of 100,000 most commonly used passwords.",
"passwordpolicies-policyflag-forcechange": "must change on login",
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 59ed889a3407..6cee94d03e8a 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -704,7 +704,6 @@
"wrongpasswordempty": "Error message displayed when entering a blank password.\n{{Identical|Please try again}}",
"passwordtooshort": "This message is shown in [[Special:Preferences]] and [[Special:CreateAccount]].\n\nParameters:\n* $1 - the minimum number of characters in the password",
"passwordtoolong": "This message is shown in [[Special:Preferences]], [[Special:CreateAccount]], and [[Special:Userlogin]].\n\nParameters:\n* $1 - the maximum number of characters in the password",
- "passwordtoopopular": "Shown if the user chooses a really popular password.",
"passwordincommonlist": "Shown if the user chooses a very common password.",
"password-name-match": "Used as error message when password validity check failed.",
"password-substring-username-match": "Used as error message when password validity check failed.",
@@ -867,13 +866,13 @@
"preview": "The title of the Preview page shown after clicking the \"Show preview\" button in the edit page. Since this is a heading, it should probably be translated as a noun and not as a verb.\n\n{{Identical|Preview}}",
"showpreview": "The text of the button to preview the page you are editing. See also {{msg-mw|showdiff}} and {{msg-mw|savearticle}} for the other buttons.\n\nSee also:\n* {{msg-mw|Showpreview}}\n* {{msg-mw|Accesskey-preview}}\n* {{msg-mw|Tooltip-preview}}\n{{Identical|Show preview}}",
"showdiff": "Button below the edit page. See also {{msg-mw|Showpreview}} and {{msg-mw|Savearticle}} for the other buttons.\n\nSee also:\n* {{msg-mw|Showdiff}}\n* {{msg-mw|Accesskey-diff}}\n* {{msg-mw|Tooltip-diff}}\n{{Identical|Show change}}",
- "blankarticle": "Notice displayed once after the user tries to save an empty page.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.",
+ "blankarticle": "Notice displayed once after the user tries to save an empty page.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.",
"anoneditwarning": "Shown when editing a page anonymously.\n\nParameters:\n* $1 – A link to log in, <nowiki>{{fullurl:Special:UserLogin|returnto={{FULLPAGENAMEE}}}}</nowiki>\n* $2 – A link to sign up, <nowiki>{{fullurl:Special:CreateAccount|returnto={{FULLPAGENAMEE}}}}</nowiki>\n\nSee also:\n* {{msg-mw|Mobile-frontend-editor-anonwarning}}",
"anonpreviewwarning": "See also:\n* {{msg-mw|Anoneditwarning}}",
- "missingsummary": "The text \"edit summary\" is in {{msg-mw|Summary}}.\n\nSee also:\n* {{msg-mw|Missingcommentheader}}\n* {{msg-mw|Savearticle}}\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.",
- "selfredirect": "Notice displayed once after the user tries to create a redirect to the same article.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.",
+ "missingsummary": "The text \"edit summary\" is in {{msg-mw|Summary}}.\n\nSee also:\n* {{msg-mw|Missingcommentheader}}\n* {{msg-mw|Savearticle}}\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.",
+ "selfredirect": "Notice displayed once after the user tries to create a redirect to the same article.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.",
"missingcommenttext": "This message is shown when the user tries to save a textbox created by the new section links, and the textbox is empty. \"Comment\" refers to the content that is supposed to be posted in the new section, usually a talk page comment.",
- "missingcommentheader": "Edit summary that is shown if you enable \"Prompt me when entering a blank summary\" and add a new section without headline to a talk page.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.\n\n\"Subject\" is {{msg-mw|subject}}.\n\nSee also:\n* {{msg-mw|Missingsummary}}\n* {{msg-mw|Savearticle}}",
+ "missingcommentheader": "Edit summary that is shown if you enable \"Prompt me when entering a blank summary\" and add a new section without headline to a talk page.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.\n\n\"Subject\" is {{msg-mw|subject}}.\n\nSee also:\n* {{msg-mw|Missingsummary}}\n* {{msg-mw|Savearticle}}",
"summary-preview": "Preview of the edit summary, shown under the edit summary itself.\nShould match: {{msg-mw|summary}}.",
"subject-preview": "Used as label for preview of the section title when adding a new section on a talk page.\n\nShould match {{msg-mw|subject}}.\n\nSee also:\n* {{msg-mw|Summary-preview}}\n\n{{Identical|Subject}}",
"previewerrortext": "When a user has the editing preference LivePreview enabled, clicked the Preview or Show Changes button in the edit page and the action did not succeed.",
@@ -936,7 +935,7 @@
"editingcomment": "This message displays at the top of the page when a user is creating a new section. Parameters:\n* $1 - page name\n{{Related|Editing}}",
"editconflict": "Alert message when saving a page causes an edit conflict. Parameters:\n* $1 - page name\n{{Related|Editing}}",
"editnotice-notext": "{{ignored}}\nCustom message on top of the edit page if no edit notices apply to this page.",
- "explainconflict": "Appears at the top of a page when there is an edit conflict.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.\n\nSee also:\n* {{msg-mw|Savearticle}}",
+ "explainconflict": "Appears at the top of a page when there is an edit conflict.\n\nParameters:\n* $1 – The label of the save button – one of {{msg-mw|savearticle}} or {{msg-mw|savechanges}} on save-labelled wiki, or {{msg-mw|publishpage}} or {{msg-mw|publishchanges}} on publish-labelled wikis.\n\nSee also:\n* {{msg-mw|Savearticle}}",
"yourtext": "Used in Diff Preview page. The diff is between {{msg-mw|currentrev}} and {{msg-mw|yourtext}}.\n\nAlso used in Edit Conflict page; the diff between {{msg-mw|yourtext}} and {{msg-mw|storedversion}}.",
"storedversion": "This is used in an edit conflict as the label for the top revision that has been stored, as opposed to your version {{msg-mw|yourtext}} that has not been stored which is shown at the bottom of the page.",
"editingold": "Used as warning when editing an old revision of a page.",
@@ -4502,7 +4501,6 @@
"passwordpolicies-policy-passwordcannotbesubstringinusername": "Password policy that enforces that the password of the account cannot be a substring within the username",
"passwordpolicies-policy-passwordcannotmatchblacklist": "Password policy that enforces that passwords are not on a list of blacklisted passwords (often previously used during MediaWiki automated testing)",
"passwordpolicies-policy-maximalpasswordlength": "Password policy that enforces a maximum number of characters a password must be. $1 - maximum number of characters that a password can be",
- "passwordpolicies-policy-passwordcannotbepopular": "Password policy that enforces that a password is not in a list of $1 number of \"popular\" passwords. $1 - number of popular passwords the password will be checked against",
"passwordpolicies-policy-passwordnotinlargeblacklist": "Password policy that enforces that a password is not in a list of 100,000 number of \"popular\" passwords.",
"passwordpolicies-policy-passwordnotincommonlist": "Password policy that enforces that a password is not in a list of 100,000 number of \"popular\" passwords.",
"passwordpolicies-policyflag-forcechange": "Password policy flag that enforces changing invalid passwords on login.",
diff --git a/tests/phpunit/includes/password/PasswordPolicyChecksTest.php b/tests/phpunit/includes/password/PasswordPolicyChecksTest.php
index 72e261355b38..9b941d0b0c96 100644
--- a/tests/phpunit/includes/password/PasswordPolicyChecksTest.php
+++ b/tests/phpunit/includes/password/PasswordPolicyChecksTest.php
@@ -173,30 +173,6 @@ class PasswordPolicyChecksTest extends MediaWikiTestCase {
];
}
- public static function providePopularBlacklist() {
- return [
- [ false, 'sitename' ],
- [ false, 'password' ],
- [ false, '12345' ],
- [ true, 'hqY98gCZ6qM8s8' ],
- ];
- }
-
- /**
- * @covers PasswordPolicyChecks::checkPopularPasswordBlacklist
- * @dataProvider providePopularBlacklist
- */
- public function testCheckPopularPasswordBlacklist( $expected, $password ) {
- global $IP;
- $this->setMwGlobals( [
- 'wgSitename' => 'sitename',
- 'wgPopularPasswordFile' => "$IP/includes/password/commonpasswords.cdb"
- ] );
- $user = User::newFromName( 'username' );
- $status = PasswordPolicyChecks::checkPopularPasswordBlacklist( PHP_INT_MAX, $user, $password );
- $this->assertSame( $expected, $status->isGood() );
- }
-
public static function provideCommonList() {
return [
[ false, 'testpass' ],