From a1789ddde42033f1b05cc4929491214ee6e79383 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz <pierre@archlinux.de>
Date: Thu, 17 Dec 2015 09:15:42 +0100
Subject: Update to MediaWiki 1.26.0

---
 includes/password/EncryptedPassword.php    |   2 +-
 includes/password/PasswordPolicyChecks.php | 115 +++++++++++++++++
 includes/password/UserPasswordPolicy.php   | 201 +++++++++++++++++++++++++++++
 3 files changed, 317 insertions(+), 1 deletion(-)
 create mode 100644 includes/password/PasswordPolicyChecks.php
 create mode 100644 includes/password/UserPasswordPolicy.php

(limited to 'includes/password')

diff --git a/includes/password/EncryptedPassword.php b/includes/password/EncryptedPassword.php
index 39da32d1..6723793c 100644
--- a/includes/password/EncryptedPassword.php
+++ b/includes/password/EncryptedPassword.php
@@ -47,7 +47,7 @@ class EncryptedPassword extends ParameterizedPassword {
 					$secret, 0, base64_decode( $this->args[0] )
 				) );
 		} else {
-			$underlyingPassword = $this->factory->newFromType( $this->config['underlying'], $this->config );
+			$underlyingPassword = $this->factory->newFromType( $this->config['underlying'] );
 		}
 
 		$underlyingPassword->crypt( $password );
diff --git a/includes/password/PasswordPolicyChecks.php b/includes/password/PasswordPolicyChecks.php
new file mode 100644
index 00000000..eb4a9582
--- /dev/null
+++ b/includes/password/PasswordPolicyChecks.php
@@ -0,0 +1,115 @@
+<?php
+/**
+ * Password policy checks
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+/**
+ * Functions to check passwords against a policy requirement
+ * @since 1.26
+ */
+class PasswordPolicyChecks {
+
+	/**
+	 * Check password is longer than minimum, not fatal
+	 * @param int $policyVal minimal length
+	 * @param User $user
+	 * @param string $password
+	 * @return Status error if $password is shorter than $policyVal
+	 */
+	public static function checkMinimalPasswordLength( $policyVal, User $user, $password ) {
+		$status = Status::newGood();
+		if ( $policyVal > strlen( $password ) ) {
+			$status->error( 'passwordtooshort', $policyVal );
+		}
+		return $status;
+	}
+
+	/**
+	 * Check password is longer than minimum, fatal
+	 * @param int $policyVal minimal length
+	 * @param User $user
+	 * @param string $password
+	 * @return Status fatal if $password is shorter than $policyVal
+	 */
+	public static function checkMinimumPasswordLengthToLogin( $policyVal, User $user, $password ) {
+		$status = Status::newGood();
+		if ( $policyVal > strlen( $password ) ) {
+			$status->fatal( 'passwordtooshort', $policyVal );
+		}
+		return $status;
+	}
+
+	/**
+	 * Check password is shorter than maximum, fatal
+	 * @param int $policyVal maximum length
+	 * @param User $user
+	 * @param string $password
+	 * @return Status fatal if $password is shorter than $policyVal
+	 */
+	public static function checkMaximalPasswordLength( $policyVal, User $user, $password ) {
+		$status = Status::newGood();
+		if ( $policyVal < strlen( $password ) ) {
+			$status->fatal( 'passwordtoolong', $policyVal );
+		}
+		return $status;
+	}
+
+	/**
+	 * Check if username and password match
+	 * @param bool $policyVal true to force compliance.
+	 * @param User $user
+	 * @param string $password
+	 * @return Status error if username and password match, and policy is true
+	 */
+	public static function checkPasswordCannotMatchUsername( $policyVal, User $user, $password ) {
+		global $wgContLang;
+		$status = Status::newGood();
+		$username = $user->getName();
+		if ( $policyVal && $wgContLang->lc( $password ) === $wgContLang->lc( $username ) ) {
+			$status->error( 'password-name-match' );
+		}
+		return $status;
+	}
+
+	/**
+	 * Check if username and password are on a blacklist
+	 * @param bool $policyVal true to force compliance.
+	 * @param User $user
+	 * @param string $password
+	 * @return Status error if username and password match, and policy is true
+	 */
+	public static function checkPasswordCannotMatchBlacklist( $policyVal, User $user, $password ) {
+		static $blockedLogins = array(
+			'Useruser' => 'Passpass', 'Useruser1' => 'Passpass1', # r75589
+			'Apitestsysop' => 'testpass', 'Apitestuser' => 'testpass' # r75605
+		);
+
+		$status = Status::newGood();
+		$username = $user->getName();
+		if ( $policyVal
+			&& isset( $blockedLogins[$username] )
+			&& $password == $blockedLogins[$username]
+		) {
+			$status->error( 'password-login-forbidden' );
+		}
+		return $status;
+	}
+
+}
diff --git a/includes/password/UserPasswordPolicy.php b/includes/password/UserPasswordPolicy.php
new file mode 100644
index 00000000..d57adb8e
--- /dev/null
+++ b/includes/password/UserPasswordPolicy.php
@@ -0,0 +1,201 @@
+<?php
+/**
+ * Password policy checking for a user
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+/**
+ * Check if a user's password complies with any password policies that apply to that
+ * user, based on the user's group membership.
+ * @since 1.26
+ */
+class UserPasswordPolicy {
+
+	/**
+	 * @var array
+	 */
+	private $policies;
+
+	/**
+	 * Mapping of statements to the function that will test the password for compliance. The
+	 * checking functions take the policy value, the user, and password, and return a Status
+	 * object indicating compliance.
+	 * @var array
+	 */
+	private $policyCheckFunctions;
+
+	/**
+	 * @param array $policies
+	 * @param array $checks mapping statement to its checking function. Checking functions are
+	 * called with the policy value for this user, the user object, and the password to check.
+	 */
+	public function __construct( array $policies, array $checks ) {
+		if ( !isset( $policies['default'] ) ) {
+			throw new InvalidArgumentException(
+				'Must include a \'default\' password policy'
+			);
+		}
+		$this->policies = $policies;
+
+		foreach ( $checks as $statement => $check ) {
+			if ( !is_callable( $check ) ) {
+				throw new InvalidArgumentException(
+					"Policy check functions must be callable. '$statement' isn't callable."
+				);
+			}
+			$this->policyCheckFunctions[$statement] = $check;
+		}
+	}
+
+	/**
+	 * Check if a passwords meets the effective password policy for a User.
+	 * @param User $user who's policy we are checking
+	 * @param string $password the password to check
+	 * @param string $purpose one of 'login', 'create', 'reset'
+	 * @return Status error to indicate the password didn't meet the policy, or fatal to
+	 *	indicate the user shouldn't be allowed to login.
+	 */
+	public function checkUserPassword( User $user, $password, $purpose = 'login' ) {
+		$effectivePolicy = $this->getPoliciesForUser( $user, $purpose );
+		return $this->checkPolicies(
+			$user,
+			$password,
+			$effectivePolicy,
+			$this->policyCheckFunctions
+		);
+	}
+
+	/**
+	 * Check if a passwords meets the effective password policy for a User, using a set
+	 * of groups they may or may not belong to. This function does not use the DB, so can
+	 * be used in the installer.
+	 * @param User $user who's policy we are checking
+	 * @param string $password the password to check
+	 * @param array $groups list of groups to which we assume the user belongs
+	 * @return Status error to indicate the password didn't meet the policy, or fatal to
+	 *	indicate the user shouldn't be allowed to login.
+	 */
+	public function checkUserPasswordForGroups( User $user, $password, array $groups ) {
+		$effectivePolicy = self::getPoliciesForGroups(
+			$this->policies,
+			$groups,
+			$this->policies['default']
+		);
+		return $this->checkPolicies(
+			$user,
+			$password,
+			$effectivePolicy,
+			$this->policyCheckFunctions
+		);
+	}
+
+	/**
+	 * @param User $user
+	 * @param string $password
+	 * @param array $policies
+	 * @param array $policyCheckFunctions
+	 * @return Status
+	 */
+	private function checkPolicies( User $user, $password, $policies, $policyCheckFunctions ) {
+		$status = Status::newGood();
+		foreach ( $policies as $policy => $value ) {
+			if ( !isset( $policyCheckFunctions[$policy] ) ) {
+				throw new DomainException( "Invalid password policy config. No check defined for '$policy'." );
+			}
+			$status->merge(
+				call_user_func(
+					$policyCheckFunctions[$policy],
+					$value,
+					$user,
+					$password
+				)
+			);
+		}
+		return $status;
+	}
+
+	/**
+	 * Get the policy for a user, based on their group membership. Public so
+	 * UI elements can access and inform the user.
+	 * @param User $user
+	 * @param string $purpose one of 'login', 'create', 'reset'
+	 * @return array the effective policy for $user
+	 */
+	public function getPoliciesForUser( User $user, $purpose = 'login' ) {
+		$effectivePolicy = $this->policies['default'];
+		if ( $purpose !== 'create' ) {
+			$effectivePolicy = self::getPoliciesForGroups(
+				$this->policies,
+				$user->getEffectiveGroups(),
+				$this->policies['default']
+			);
+		}
+
+		Hooks::run( 'PasswordPoliciesForUser', array( $user, &$effectivePolicy, $purpose ) );
+
+		return $effectivePolicy;
+	}
+
+	/**
+	 * Utility function to get the effective policy from a list of policies, based
+	 * on a list of groups.
+	 * @param array $policies list of policies to consider
+	 * @param array $userGroups the groups from which we calculate the effective policy
+	 * @param array $defaultPolicy the default policy to start from
+	 * @return array effective policy
+	 */
+	public static function getPoliciesForGroups( array $policies, array $userGroups,
+		array $defaultPolicy
+	) {
+		$effectivePolicy = $defaultPolicy;
+		foreach ( $policies as $group => $policy ) {
+			if ( in_array( $group, $userGroups ) ) {
+				$effectivePolicy = self::maxOfPolicies(
+					$effectivePolicy,
+					$policies[$group]
+				);
+			}
+		}
+
+		return $effectivePolicy;
+	}
+
+	/**
+	 * Utility function to get a policy that is the most restrictive of $p1 and $p2. For
+	 * simplicity, we setup the policy values so the maximum value is always more restrictive.
+	 * @param array $p1
+	 * @param array $p2
+	 * @return array containing the more restrictive values of $p1 and $p2
+	 */
+	public static function maxOfPolicies( array $p1, array $p2 ) {
+		$ret = array();
+		$keys = array_merge( array_keys( $p1 ), array_keys( $p2 ) );
+		foreach ( $keys as $key ) {
+			if ( !isset( $p1[$key] ) ) {
+				$ret[$key] = $p2[$key];
+			} elseif ( !isset( $p2[$key] ) ) {
+				$ret[$key] = $p1[$key];
+			} else {
+				$ret[$key] = max( $p1[$key], $p2[$key] );
+			}
+		}
+		return $ret;
+	}
+
+}
-- 
cgit v1.2.2