Add AuthManager

This implements the AuthManager class and its needed interfaces and
subclasses, and integrates them into the backend portion of MediaWiki.
Integration with frontend portions of MediaWiki (e.g. ApiLogin,
Special:Login) is left for a followup.

Bug: T91699
Bug: T71589
Bug: T111299
Co-Authored-By: Gergő Tisza <gtisza@wikimedia.org>
Change-Id: If89d24838e326fe25fe867d02181eebcfbb0e196

1 files changed, 251 insertions, 0 deletions

diff --git a/includes/auth/AuthManagerAuthPlugin.php b/includes/auth/AuthManagerAuthPlugin.php
new file mode 100644
index 000000000000..bf1e0215bc8e
--- /dev/null
+++ b/includes/auth/AuthManagerAuthPlugin.php
@@ -0,0 +1,251 @@
+<?php
+/**
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+namespace MediaWiki\Auth;
+
+use User;
+
+/**
+ * Backwards-compatibility wrapper for AuthManager via $wgAuth
+ * @since 1.27
+ * @deprecated since 1.27
+ */
+class AuthManagerAuthPlugin extends \AuthPlugin {
+	/** @var string|null */
+	protected $domain = null;
+
+	/** @var \\Psr\\Log\\LoggerInterface */
+	protected $logger = null;
+
+	public function __construct() {
+		$this->logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' );
+	}
+
+	public function userExists( $name ) {
+		return AuthManager::singleton()->userExists( $name );
+	}
+
+	public function authenticate( $username, $password ) {
+		$data = [
+			'username' => $username,
+			'password' => $password,
+		];
+		if ( $this->domain !== null && $this->domain !== '' ) {
+			$data['domain'] = $this->domain;
+		}
+		$reqs = AuthManager::singleton()->getAuthenticationRequests( AuthManager::ACTION_LOGIN );
+		$reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
+
+		$res = AuthManager::singleton()->beginAuthentication( $reqs, 'null:' );
+		switch ( $res->status ) {
+			case AuthenticationResponse::PASS:
+				return true;
+			case AuthenticationResponse::FAIL:
+				// Hope it's not a PreAuthenticationProvider that failed...
+				$msg = $res->message instanceof \Message ? $res->message : new \Message( $res->message );
+				$this->logger->info( __METHOD__ . ': Authentication failed: ' . $msg->plain() );
+				return false;
+			default:
+				throw new \BadMethodCallException(
+					'AuthManager does not support such simplified authentication'
+				);
+		}
+	}
+
+	public function modifyUITemplate( &$template, &$type ) {
+		// AuthManager does not support direct UI screwing-around-with
+	}
+
+	public function setDomain( $domain ) {
+		$this->domain = $domain;
+	}
+
+	public function getDomain() {
+		if ( isset( $this->domain ) ) {
+			return $this->domain;
+		} else {
+			return 'invaliddomain';
+		}
+	}
+
+	public function validDomain( $domain ) {
+		$domainList = $this->domainList();
+		return $domainList ? in_array( $domain, $domainList, true ) : $domain === '';
+	}
+
+	public function updateUser( &$user ) {
+		\Hooks::run( 'UserLoggedIn', [ $user ] );
+		return true;
+	}
+
+	public function autoCreate() {
+		return true;
+	}
+
+	public function allowPropChange( $prop = '' ) {
+		return AuthManager::singleton()->allowsPropertyChange( $prop );
+	}
+
+	public function allowPasswordChange() {
+		$reqs = AuthManager::singleton()->getAuthenticationRequests( AuthManager::ACTION_CHANGE );
+		foreach ( $reqs as $req ) {
+			if ( $req instanceof PasswordAuthenticationRequest ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	public function allowSetLocalPassword() {
+		// There should be a PrimaryAuthenticationProvider that does this, if necessary
+		return false;
+	}
+
+	public function setPassword( $user, $password ) {
+		$data = [
+			'username' => $user->getName(),
+			'password' => $password,
+		];
+		if ( $this->domain !== null && $this->domain !== '' ) {
+			$data['domain'] = $this->domain;
+		}
+		$reqs = AuthManager::singleton()->getAuthenticationRequests( AuthManager::ACTION_CHANGE );
+		$reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
+		foreach ( $reqs as $req ) {
+			$status = AuthManager::singleton()->allowsAuthenticationDataChange( $req );
+			if ( !$status->isOk() ) {
+				$this->logger->info( __METHOD__ . ': Password change rejected: {reason}', [
+					'username' => $data['username'],
+					'reason' => $status->getWikiText( null, null, 'en' ),
+				] );
+				return false;
+			}
+		}
+		foreach ( $reqs as $req ) {
+			AuthManager::singleton()->changeAuthenticationData( $req );
+		}
+		return true;
+	}
+
+	public function updateExternalDB( $user ) {
+		// This fires the necessary hook
+		$user->saveSettings();
+		return true;
+	}
+
+	public function updateExternalDBGroups( $user, $addgroups, $delgroups = [] ) {
+		\Hooks::run( 'UserGroupsChanged', [ $user, $addgroups, $delgroups ] );
+		return true;
+	}
+
+	public function canCreateAccounts() {
+		return AuthManager::singleton()->canCreateAccounts();
+	}
+
+	public function addUser( $user, $password, $email = '', $realname = '' ) {
+		global $wgUser;
+
+		$data = [
+			'username' => $user->getName(),
+			'password' => $password,
+			'retype' => $password,
+			'email' => $email,
+			'realname' => $realname,
+		];
+		if ( $this->domain !== null && $this->domain !== '' ) {
+			$data['domain'] = $this->domain;
+		}
+		$reqs = AuthManager::singleton()->getAuthenticationRequests( AuthManager::ACTION_CREATE );
+		$reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
+
+		$res = AuthManager::singleton()->beginAccountCreation( $wgUser, $reqs, 'null:' );
+		switch ( $res->status ) {
+			case AuthenticationResponse::PASS:
+				return true;
+			case AuthenticationResponse::FAIL:
+				// Hope it's not a PreAuthenticationProvider that failed...
+				$msg = $res->message instanceof \Message ? $res->message : new \Message( $res->message );
+				$this->logger->info( __METHOD__ . ': Authentication failed: ' . $msg->plain() );
+				return false;
+			default:
+				throw new \BadMethodCallException(
+					'AuthManager does not support such simplified account creation'
+				);
+		}
+	}
+
+	public function strict() {
+		// There should be a PrimaryAuthenticationProvider that does this, if necessary
+		return true;
+	}
+
+	public function strictUserAuth( $username ) {
+		// There should be a PrimaryAuthenticationProvider that does this, if necessary
+		return true;
+	}
+
+	public function initUser( &$user, $autocreate = false ) {
+		\Hooks::run( 'LocalUserCreated', [ $user, $autocreate ] );
+	}
+
+	public function getCanonicalName( $username ) {
+		// AuthManager doesn't support restrictions beyond MediaWiki's
+		return $username;
+	}
+
+	public function getUserInstance( User &$user ) {
+		return new AuthManagerAuthPluginUser( $user );
+	}
+
+	public function domainList() {
+		return [];
+	}
+}
+
+/**
+ * @since 1.27
+ * @deprecated since 1.27
+ */
+class AuthManagerAuthPluginUser extends \AuthPluginUser {
+	/** @var User */
+	private $user;
+
+	function __construct( $user ) {
+		$this->user = $user;
+	}
+
+	public function getId() {
+		return $this->user->getId();
+	}
+
+	public function isLocked() {
+		return $this->user->isLocked();
+	}
+
+	public function isHidden() {
+		return $this->user->isHidden();
+	}
+
+	public function resetAuthToken() {
+		\MediaWiki\Session\SessionManager::singleton()->invalidateSessionsForUser( $this->user );
+		return true;
+	}
+}