| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Change-Id: I4270e66ae19755953f248938665b1e7b2b38484f
|
| |
|
|
|
|
|
|
|
| |
In MediaWiki/Exception, to follow PSR-4 per plural vs. singular (this can be
changed later if people really care). Also, move the couple of exceptions in
here that were already namespaced in the MW-top-level into the new space.
Bug: T353458
Change-Id: I12ed850ae99effb699a6d7ada173f54e72f0570e
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Avoids profiler warnings for autocreation-related writes.
Follows up I66e54b00a7a0485d7d5e4d8d61d74e6fb6619ccb which only
did it for deferreds, but at least CheckUser uses an idle
transaction callback for recording autocreation PII, which was
stil emitting warnings.
Bug: T388165
Change-Id: Idb18fdebb76c17c88fa36d42f7317c4c6151baee
|
| |
|
|
|
| |
Bug: T353458
Change-Id: Ibe1810f1c71316a9124e1dc6ae405097dafd5267
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User autocreation involves various extension callback mechanisms
(like the LocalUserCreated hook), and it's common in the extensions
using those to defer related DB writes, which means scoped
silencing doesn't affect them. Set POST expectations for the
deferreds instead.
We use similar logic in
RollbackAction::enableTransactionalTimelimit() and in
AuthManagerSpecialPage::setPostTransactionProfilerExpectations()
except those also set POST expectations for the entire request.
But those are requests made with the purpose of writing data, that
can't be POST requests due to browser limitations; while
autocreation can happen on any request, so GET expectations make
more sense for the main request, outside the autocreation scope.
This wouldn't help with presend deferreds / idle transaction
callbacks, but it seems unlikely that those would be used during
autocreation.
Bug: T388165
Change-Id: I66e54b00a7a0485d7d5e4d8d61d74e6fb6619ccb
|
| |
|
|
| |
Change-Id: I697661fcfd8fd5225d56b9d4ebfb5cae2df6974e
|
| |
|
|
| |
Change-Id: I0f8a8cac36015bba52aea3ee2affd92f83d3574a
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Same as Ia294bf4 did for 1-line comments. This patch removes slightly
more complex 2-line PHPDoc comments that don't add any new information
to the code, but literally repeat what the code already says.
They say "don't document the code, code the documentation", and we
are doing this more and more. We just tend to forget to remove the
obsolete comments.
Note I'm also removing a line of text in a few cases when it's very
short and literally says the same as the method name. Again, such
comments add zero new information.
Change-Id: I01535404bab458c6c47e48e5456403b7a64198ed
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| | |
The whole merging process probably doesn't make a lot of sense
anyway, but one of the comparisons was an obvious typo.
Change-Id: Ic7f9454d7e4880435029a599fec55b65ae0ccfa8
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
* clarify what's the practical impact of $required
* clarify that some fields are typically not set by client code
* some other small clarifications
* fix the weird comment formatting
Change-Id: Ifaa7291e661ce7ad6ed819c674c8392d3b823ed5
|
| |/
|
|
|
| |
Bug: T381068
Change-Id: I779f2f995df1c330ce049daef2702f1af8569c33
|
| |
|
|
|
|
|
| |
The documentation made it sound like the 'creating' flage is never
true for autocreation, which would be incorrect.
Change-Id: I2bc6086ece88bb796386222fe64494f45d432d46
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Mostly used find-and-replace:
Find:
/\*[\*\s]+@var (I?[A-Z](\w+)(?:Interface)?)[\s\*]+/\s*(private|protected|public) (\$[a-z]\w+;\n)((?=\s*/\*[\*\s]+@var (I?[A-Z](\w+)(?:Interface)?))\n|)
Replace with:
\3 \1 \4
More could be done, but to keep this patch reasonably sized, I only
changed the most obvious and unambiguously correct cases.
In some cases, I also removed redundant doc comments on the
constructor, and re-ordered the properties to match the constructor.
Bonus: Fix some todos in AuthManagerTest.
Change-Id: Ife5313b821cf537984f6de364bfe1d9b4b992a07
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Most notably:
* The "bit depth" of an image is measures in – literally – bits,
not bytes. And it's not a "size". This is apparently a very old
copy-paste mistake.
* Add missing null in some very obvious places.
Change-Id: I9aa851cc8895410b95859377bd10f4659f2eed1e
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
== 1. testUserExists ==
Remove "LOCK IN SHARE MODE" from testUserExists(). Currently:
```
/* TemporaryPasswordPrimaryAuthenticationProvider::testUserExists */
SELECT user_id FROM `user` WHERE user_name = 'Test'
LIMIT 1
LOCK IN SHARE MODE
/* LocalPasswordPrimaryAuthenticationProvider::testUserExists */
SELECT user_id FROM `user` WHERE user_name = 'Test'
LIMIT 1
LOCK IN SHARE MODE
```
Unfortunately, this is abstracted and generalised more than seems
helpful. The code ultimately controlling `$flags` is
`AuthManager::canCreateAccount`, which creates $flags and passes it
to AuthManager::userExists, which in turn delegates by iterating all
providers, including LocalPasswordPrimaryAuthenticationProvider and
TemporaryPasswordPrimaryAuthenticationProvider, to then
call their `testUserExists(,$flags)` methods.
This structure implies that all queries relating in service of
answering "user exists", regardless of implementation or which table
being queries should use $flags, which is improbable for AuthManager
to know. And indeed, per the task analysis is turning out to be the
wrong approach for this query. Except, it is now encoded through
several layers of public and stable interfaces.
It was added in 2015 (I8385526a19, 08698e48e8, T104615) because:
> * This helps […] multiple account creation attempts [when] the
> slave selected was lagged.
> * The locking better handles concurrent [account creation],
> especially with CentralAuth […]. This [contention] is low enough
> […] to avoid gap locking issues.
NOTE: The above patch added a "FOR UPDATE" lock, this changed a few
days later to the current "LOCK IN SHARE MODE" with Ib8713938e0
(939dbec87a).
Before the account creation code begins, there is an early check
for whether the user already exists on a replica. This declines the
majority of attempts where a user clearly already exists. In the case
of a lagged replica, this could return a false positive for a recently
created account indeed. It's not clear why there would be many
concurrent attempts for the exact same username or why optimising
latency (by part of a second?) is important in those cases.
My understanding is that:
* Adding "LOCK IN SHARE MODE" (READ_LOCKING) to a query that's already
going to the primary doesn't make is significantly fresher in
relation to the lagged replica.
* Adding "LOCK IN SHARE MODE", once one web request made it past that,
does not prevent the second from going past this checkpoint as well.
It isn't blocking and doesn't make the account appear to exist
sooner.
* Later on, when the "INSERT" query happens, that's where the first
will succeed, and the second will wait for any previous ones,
until it fails either way (either with a deadlock today, with
READ_LOCKING; or one line later with "insert affected no rows", if
the first query used READ_LATEST).
As such, READ_LATEST seems just as good, but without the nasty
deadlock.
== Further more ==
AuthManager::continueAccountCreation has its own logic for denying
concurrent duplicate attempts as well, by way of BagOStuff::lock,
with the error "usernameinprogress".
At this point:
* user doesn't exist on replica.
* user doesn't exist on primary at start of request.
* best-effort memcached lock says we're the only one trying.
AuthManager::continueAccountCreation then proceeds:
* User::load(READ_LOCKING), which once again checks the primary.
* User::addToDatabase(), where the INSERT query tolerates conflicts
through "IGNORE", and checks affectedRows().
As such, we don't need to avoid conflicts with pre-emptive locking,
we tolerate such conflicts.
== 2. User::load ==
```
/* User::load */
SELECT actor_id,actor_user,actor_name FROM `actor`
WHERE actor_name = 'Test' LIMIT 1 LOCK IN SHARE MODE
```
For the same reason above, change this to READ_LATEST likewise.
Bug: T199393
Change-Id: Ib7c6023dceaffdae9c9cff939815cbd1dc850720
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
AuthManager::autoCreateUser() should be responsible of
logging to authevents stream. Caller (Setup) shouldn't
log those.
Bug: T341650
Bug: T375510
Bug: T375505
Change-Id: I5be3713ff0db62eb93bd721aba04031a8490a30d
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
* A hook is needed to allow extensions to run code when an
authentication throttle causes throttling.
** This is so that we (T&S product) can monitor how many users are
hitting the rate limits for temporary account creation on WMF
wikis.
What:
* Add the AuthenticationAttemptThrottled hook, which is called
from Throttle::increase when the method returns that the action
should be throttled.
* Update the tests for the class to verify the hook is called
when it should be.
Bug: T375500
Change-Id: I614ff6178d4a4f02b5c76d4b8818cb917c4d75aa
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
- Calls to callMethodOnProviders() specify bitmasks as decimal literals,
so it is not clear which authentication providers are being called
without referring to the doc comment and converting to binary.
What:
- Add four new private constants: three that match the values specified
in the doc comment, and one that is the bitwise OR of all the others.
- Use them throughout the class.
Change-Id: Ib67e5174f00a080e79f0b6f35c0eeec4b95b8d8e
|
| |
|
|
|
|
|
|
|
|
|
| |
Implicitly marking parameter $... as nullable is deprecated in php8.4,
the explicit nullable type must be used instead
Created with autofix from Ide15839e98a6229c22584d1c1c88c690982e1d7a
Break one long line in SpecialPage.php
Bug: T376276
Change-Id: I807257b2ba1ab2744ab74d9572c9c3d3ac2a968e
|
| |
|
|
|
| |
Bug: T353458
Change-Id: I23cf7991f8792d4d000d1780463d8ce76dc0aee0
|
| |
|
|
|
| |
Bug: T149003
Change-Id: I38c0de0ed52f4e35db443bc22d4ed110eafac97b
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Why:
- When signing up for an account, temporary users are currently forced
to provide a reason for creating an account, and also have the option
to send a temporary password to an email address.
- Neither of these options are useful for temporary users wanting to
create a full user account.
What:
- Don't show these two form fields on Special:CreateAccount for temporary users.
- Add a functional test for the temporary user account creation flow.
Bug: T328718
Change-Id: Ie545857f7647be89d9462ec2b0def48690f0a2bf
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows a primary auth providers to update the "remember me" status
of another primary provider in the same login request flow. If authentication
that happened elsewhere and a "remember me" / "keep me logged in" (extended
login period is selected), the value of this action applied by the remote
primary provider should be applied to the local wiki when the user is
redirected back to continue authentication there.
This is useful because:
In the case of Wikimedia's central domain wiki in SUL3 mode, we want to
apply the remember me (keep me logged in) flag value from the central domain
to the local domain.
Bug: T369668
Change-Id: I6e2e2d892d2b777cb4757c7c0d222afad9da506c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Session providers can provide a `canAlwaysAutocreate` flag which
indicates account creation is exempt from autocreate permission
checks. This is used, for example, for providers that provide
users for supporting applications in a wiki farm.
Pass that information along to pre-authentication providers so
they can respect the intent of the flag. We cannot simply skip
pre-authentication, it's used for non-permission-related things
like preventing CentralAuth username conflicts.
Bug: T373778
Change-Id: Ie3aeaf48e615e2fb85b2069203ab91ca0127ae05
|
| |
|
|
|
|
|
|
|
|
| |
Add doc-typehints to class properties found by the PropertyDocumentation
sniff to improve the documentation.
Once the sniff is enabled it avoids that new code is missing type
declarations. This is focused on documentation and does not change code.
Change-Id: Ib6081f5519d2294bb14f81bf399f9c45315f2b69
|
| |\
| |
| |
| | |
deployed""
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 9c62cd1af55b954ac5084d2215dca0dafcfb6a2a.
Temporary fix, not needed anymore.
Change-Id: I64211d50433f9b66c2599e5acca8e7ff5923b36f
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Update a few tests that relied on the feature flag to ignore
the 'requireemail' preference on "User1" to instead use "User2",
who doesn't have the preference set.
Bug: T242406
Change-Id: I996d3996272d704a071d1d2094c3568247b80f98
|
| |\ \ \
| |/ /
|/| /
| |/ |
|
| | |
| |
| |
| |
| |
| |
| | |
Follows up If5435b54a4fc08f685c04fc10eb44c6d72cd78fa.
Bug: T373504
Change-Id: I7cf157f04028a69f5893c9524c1d9a277033ad38
|
| |/
|
|
|
|
| |
Follows up I835b2fe2f43e6e81f23348165cbb9c93832e6583.
Change-Id: Ie7e8b57bfb3e7a0caf038446ece21d3cfa6df9e9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new hook that can be used to prevent authentication just
before AuthManager takes the main action (writing the session
for login, creating the local user account for account creation).
The driving use case is a wiki which supports both a local and
a central (wiki-farm-level) login or signup flow - various
security options (such as 2FA) are needed during local login
but unnecessary during central login (which will have those
security features centrally), so we need to skip much of the
security when the user is taking the central route, and a bug
in how that's done could result in circumvention of security
features during local login. The hook makes it easy to inspect
and potentially interrupt login near the end, when we know for
sure what route it took. (Specifically, we know which primary
provider was used. The hook doesn't expose other details,
such as the list of preauth or secondary provders that were
invoked, because they were not needed for the immediate use
case, but they are easy to add in the future.)
The hook is called after the secondary providers for login
and before them for account creation, since secondaries can
interrupt login but cannot interrupt account creation.
A shortcoming is that since the hook is called after a primary
provider succeeded, it cannot prevent the primary provider from
doing work, ie. it cannot prevent creation of the remote account
during account creation (although it will prevent the creation
of the local account). This is not great but acceptable, since
creating a new account isn't very security-sensitive.
This also means the hook would not be useful during account
linking, as AuthManager does not do anything there, all the work
happens in the primary provider. This is even less great but
few authentication extensions implement account linking.
The hook is not called for authentication happening via
CreatedAccountAuthenticationRequest, which is a weird internal
hack hook handlers should not have to know about.
Also rename a confusingly named variable.
Change-Id: I835b2fe2f43e6e81f23348165cbb9c93832e6583
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow disabling authentication providers. This allows for
extensions to replace core providers with their own.
This is using the $wgAuthManagerAutoConfig keys instead of
AuthenticationProvider::getUniqueId() as the keys to filter.
This makes it more useful for site administrators, and also
it's probably the better known of the two identifiers so
more intuitive.
No effort is made to prevent the hook from filtering
differently in different steps of the same authentication
process.
Bug: T369180
Change-Id: If5435b54a4fc08f685c04fc10eb44c6d72cd78fa
|
| |
|
|
|
|
|
| |
$flags is not used anymore.
Bug: T369372
Change-Id: I5456f88ebb78d2fcac685efd4a1f7a9f60d2bc0e
|
| |
|
|
|
| |
Bug: T353458
Change-Id: Id3202c0c4f4a2043bf97b7caee081acab684155c
|
| |
|
|
|
|
|
|
|
|
| |
This is more convenient for callers since they can avoid the pattern
of setting $fname to __METHOD__ and needing $fname in the "use" clause.
This is also more consistent with AutoCommitUpdate/AtomicSectionUpdate.
Remove @since tags from @internal MWCallableUpdate class.
Change-Id: I67c58897dc366a55f43e0a61d56064b26d520c17
|
| |
|
|
|
|
|
|
|
| |
And deprecated aliases for the the no namespaced classes.
ReplicatedBagOStuff that already is deprecated isn't moved.
Bug: T353458
Change-Id: Ie01962517e5b53e59b9721e9996d4f1ea95abb51
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
- User::loadFromId must avoid doing a replica read when the newly
autocreated user record isn't replicated yet; that would turn $user
into an anonymous user object, and eventually log the user out.
The old code tried to avoid this by using the same recency flag
for which UserIdentityLookup::getUserIdentityByName() returned a
non-anonymous user identity, but that's not actually a guarantee
that the user is in the database, because getUserIdentityByName()
has an internal in-process cache.
- For a specific example of this, Icf6be65a91437aa32684769c2858 broke
temp account autocreation because inserting the log entry triggered
ActorNormalization::acquireActorId() which set the in-process cache.
With this patch applied, temp account autocreation will work again
on wikis with database replication setup.
What:
- Use READ_LATEST flag when loading a user in an account
autocreation context
- See also I5456f88ebb78d2fcac685efd4a1f7a9f60d2bc0e for a proposed
follow-up to this patch
Bug: T369372
Change-Id: I04932d84aa0b0b5939706f3905f0fe7700d81327
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This hook enables extensions such as CentralAuth to preserve and
use query parameters needed for an authentication flow. Since there
is a provider that handles logins in a different wiki (central login
wiki), and movement to a different URL, this hook preserves query
parameters that can be used between these requests.
Bug: T363483
Bug: T362713
Change-Id: I86e629b07e6e4a0f1d1a4c78a6c77d41b4d68e18
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
* When a temporary account creates a named account, the 'newusers'
log currently links the temporary account username and the new
named account.
* This is an issue because temporary accounts are intended to be
anonymous and there is no path for a temporary account to
link their contributions to their new account. As such, there
should be no link between them.
What:
* Update AuthManager::continueAccountCreation to only mark the
performer of the 'newusers' log entry as the creator account
if the creator is named.
Bug: T364716
Change-Id: Ib95374949c5c72c9f7ee665943c16d177f2e31c0
|
| |
|
|
|
|
|
| |
Changes to the use statements done automatically via script
Addition of missing use statement done manually
Change-Id: Id9f3e775e143d1a17b6b96812a8230cfba14d9d3
|
| |
|
|
|
| |
Bug: T363770
Change-Id: I2335b315bec6a540409492df4891c518640966d5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was asked in a patch review to apply fully import
InvalidArgumentException where possible. I was guessing some
of my other already merged patches have but turned out such
thing exists other places style so for the sake of consistency
I've turned rest of inline import of the specific exception at
top of the file.
There are instances of source files that aren't in any namespace but
have fully qualified import which this patch doesn't touch.
Change-Id: I4071fc698b65746d9594cf4d5f45bae82843d436
|
| |
|
|
|
| |
Bug: T353458
Change-Id: I1a701b5b7ff65356692abb0efde9a2207b6135b6
|
