summaryrefslogtreecommitdiff
path: root/includes/password/UserPasswordPolicy.php
diff options
context:
space:
mode:
Diffstat (limited to 'includes/password/UserPasswordPolicy.php')
-rw-r--r--includes/password/UserPasswordPolicy.php201
1 files changed, 201 insertions, 0 deletions
diff --git a/includes/password/UserPasswordPolicy.php b/includes/password/UserPasswordPolicy.php
new file mode 100644
index 00000000..d57adb8e
--- /dev/null
+++ b/includes/password/UserPasswordPolicy.php
@@ -0,0 +1,201 @@
+<?php
+/**
+ * Password policy checking for a user
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+/**
+ * Check if a user's password complies with any password policies that apply to that
+ * user, based on the user's group membership.
+ * @since 1.26
+ */
+class UserPasswordPolicy {
+
+ /**
+ * @var array
+ */
+ private $policies;
+
+ /**
+ * Mapping of statements to the function that will test the password for compliance. The
+ * checking functions take the policy value, the user, and password, and return a Status
+ * object indicating compliance.
+ * @var array
+ */
+ private $policyCheckFunctions;
+
+ /**
+ * @param array $policies
+ * @param array $checks mapping statement to its checking function. Checking functions are
+ * called with the policy value for this user, the user object, and the password to check.
+ */
+ public function __construct( array $policies, array $checks ) {
+ if ( !isset( $policies['default'] ) ) {
+ throw new InvalidArgumentException(
+ 'Must include a \'default\' password policy'
+ );
+ }
+ $this->policies = $policies;
+
+ foreach ( $checks as $statement => $check ) {
+ if ( !is_callable( $check ) ) {
+ throw new InvalidArgumentException(
+ "Policy check functions must be callable. '$statement' isn't callable."
+ );
+ }
+ $this->policyCheckFunctions[$statement] = $check;
+ }
+ }
+
+ /**
+ * Check if a passwords meets the effective password policy for a User.
+ * @param User $user who's policy we are checking
+ * @param string $password the password to check
+ * @param string $purpose one of 'login', 'create', 'reset'
+ * @return Status error to indicate the password didn't meet the policy, or fatal to
+ * indicate the user shouldn't be allowed to login.
+ */
+ public function checkUserPassword( User $user, $password, $purpose = 'login' ) {
+ $effectivePolicy = $this->getPoliciesForUser( $user, $purpose );
+ return $this->checkPolicies(
+ $user,
+ $password,
+ $effectivePolicy,
+ $this->policyCheckFunctions
+ );
+ }
+
+ /**
+ * Check if a passwords meets the effective password policy for a User, using a set
+ * of groups they may or may not belong to. This function does not use the DB, so can
+ * be used in the installer.
+ * @param User $user who's policy we are checking
+ * @param string $password the password to check
+ * @param array $groups list of groups to which we assume the user belongs
+ * @return Status error to indicate the password didn't meet the policy, or fatal to
+ * indicate the user shouldn't be allowed to login.
+ */
+ public function checkUserPasswordForGroups( User $user, $password, array $groups ) {
+ $effectivePolicy = self::getPoliciesForGroups(
+ $this->policies,
+ $groups,
+ $this->policies['default']
+ );
+ return $this->checkPolicies(
+ $user,
+ $password,
+ $effectivePolicy,
+ $this->policyCheckFunctions
+ );
+ }
+
+ /**
+ * @param User $user
+ * @param string $password
+ * @param array $policies
+ * @param array $policyCheckFunctions
+ * @return Status
+ */
+ private function checkPolicies( User $user, $password, $policies, $policyCheckFunctions ) {
+ $status = Status::newGood();
+ foreach ( $policies as $policy => $value ) {
+ if ( !isset( $policyCheckFunctions[$policy] ) ) {
+ throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
+ }
+ $status->merge(
+ call_user_func(
+ $policyCheckFunctions[$policy],
+ $value,
+ $user,
+ $password
+ )
+ );
+ }
+ return $status;
+ }
+
+ /**
+ * Get the policy for a user, based on their group membership. Public so
+ * UI elements can access and inform the user.
+ * @param User $user
+ * @param string $purpose one of 'login', 'create', 'reset'
+ * @return array the effective policy for $user
+ */
+ public function getPoliciesForUser( User $user, $purpose = 'login' ) {
+ $effectivePolicy = $this->policies['default'];
+ if ( $purpose !== 'create' ) {
+ $effectivePolicy = self::getPoliciesForGroups(
+ $this->policies,
+ $user->getEffectiveGroups(),
+ $this->policies['default']
+ );
+ }
+
+ Hooks::run( 'PasswordPoliciesForUser', array( $user, &$effectivePolicy, $purpose ) );
+
+ return $effectivePolicy;
+ }
+
+ /**
+ * Utility function to get the effective policy from a list of policies, based
+ * on a list of groups.
+ * @param array $policies list of policies to consider
+ * @param array $userGroups the groups from which we calculate the effective policy
+ * @param array $defaultPolicy the default policy to start from
+ * @return array effective policy
+ */
+ public static function getPoliciesForGroups( array $policies, array $userGroups,
+ array $defaultPolicy
+ ) {
+ $effectivePolicy = $defaultPolicy;
+ foreach ( $policies as $group => $policy ) {
+ if ( in_array( $group, $userGroups ) ) {
+ $effectivePolicy = self::maxOfPolicies(
+ $effectivePolicy,
+ $policies[$group]
+ );
+ }
+ }
+
+ return $effectivePolicy;
+ }
+
+ /**
+ * Utility function to get a policy that is the most restrictive of $p1 and $p2. For
+ * simplicity, we setup the policy values so the maximum value is always more restrictive.
+ * @param array $p1
+ * @param array $p2
+ * @return array containing the more restrictive values of $p1 and $p2
+ */
+ public static function maxOfPolicies( array $p1, array $p2 ) {
+ $ret = array();
+ $keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
+ foreach ( $keys as $key ) {
+ if ( !isset( $p1[$key] ) ) {
+ $ret[$key] = $p2[$key];
+ } elseif ( !isset( $p2[$key] ) ) {
+ $ret[$key] = $p1[$key];
+ } else {
+ $ret[$key] = max( $p1[$key], $p2[$key] );
+ }
+ }
+ return $ret;
+ }
+
+}