From ed5cc1b5fc7c9800d058648dc5cc01ec6ef8103a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <gtisza@wikimedia.org>
Date: Sun, 15 May 2016 15:35:33 +0000
Subject: [PATCH] Update for AuthManager

Repeats I61e4327ef3c7a31b19feef727de7d683f69e260b (which had to be
reverted due to a problem with an ancestor patch) without any
significant change.

Bug: T110448
Bug: T135360
Change-Id: I1688cf9fbcb04bb56d075c9f0876bd0ffeced4f6
---
 AbuseFilter.class.php                    |  9 +++--
 AbuseFilter.hooks.php                    | 18 +++++++++-
 AbuseFilterPreAuthenticationProvider.php | 45 ++++++++++++++++++++++++
 extension.json                           |  3 +-
 4 files changed, 70 insertions(+), 5 deletions(-)
 create mode 100644 AbuseFilterPreAuthenticationProvider.php

diff --git a/AbuseFilter.class.php b/AbuseFilter.class.php
index 4d5759abd..663610d28 100644
--- a/AbuseFilter.class.php
+++ b/AbuseFilter.class.php
@@ -864,9 +864,10 @@ class AbuseFilter {
 	 * @param $vars AbuseFilterVariableHolder
 	 * @param $title Title
 	 * @param string $group The filter's group (as defined in $wgAbuseFilterValidGroups)
+	 * @param User $user The user performing the action; defaults to $wgUser
 	 * @return Status
 	 */
-	public static function filterAction( $vars, $title, $group = 'default' ) {
+	public static function filterAction( $vars, $title, $group = 'default', $user = null ) {
 		global $wgUser, $wgTitle, $wgRequest;
 
 		$context = RequestContext::getMain();
@@ -877,6 +878,10 @@ class AbuseFilter {
 			$wgTitle = SpecialPage::getTitleFor( 'AbuseFilter' );
 		}
 
+		if ( !$user ) {
+			$user = $wgUser;
+		}
+
 		// Add vars from extensions
 		Hooks::run( 'AbuseFilter-filterAction', array( &$vars, $title ) );
 
@@ -904,7 +909,7 @@ class AbuseFilter {
 
 			// If $wgUser isn't safe to load (e.g. a failure during
 			// AbortAutoAccount), create a dummy anonymous user instead.
-			$user = $wgUser->isSafeToLoad() ? $wgUser : new User;
+			$user = $user->isSafeToLoad() ? $user : new User;
 
 			// Create a template
 			$log_template = array(
diff --git a/AbuseFilter.hooks.php b/AbuseFilter.hooks.php
index c65a6f480..13dd8baef 100644
--- a/AbuseFilter.hooks.php
+++ b/AbuseFilter.hooks.php
@@ -1,5 +1,7 @@
 <?php
 
+use MediaWiki\Auth\AuthManager;
+
 class AbuseFilterHooks {
 	public static $successful_action_vars = false;
 	/** @var WikiPage|Article|bool */
@@ -11,7 +13,8 @@ class AbuseFilterHooks {
 	 * Called right after configuration has been loaded.
 	 */
 	public static function onRegistration() {
-		global $wgAbuseFilterAvailableActions, $wgAbuseFilterRestrictedActions;
+		global $wgAbuseFilterAvailableActions, $wgAbuseFilterRestrictedActions,
+			$wgDisableAuthManager, $wgAuthManagerAutoConfig;
 
 		if ( isset( $wgAbuseFilterAvailableActions ) || isset( $wgAbuseFilterRestrictedActions ) ) {
 			wfWarn( '$wgAbuseFilterAvailableActions and $wgAbuseFilterRestrictedActions have been'
@@ -19,6 +22,16 @@ class AbuseFilterHooks {
 				. 'instead. The format is the same except the action names are the keys of the'
 				. 'array and the values are booleans.' );
 		}
+
+		if ( class_exists( AuthManager::class ) && !$wgDisableAuthManager ) {
+			$wgAuthManagerAutoConfig['preauth'][AbuseFilterPreAuthenticationProvider::class] = [
+				'class' => AbuseFilterPreAuthenticationProvider::class,
+				'sort' => 5, // run after normal preauth providers to keep the log cleaner
+			];
+		} else {
+			Hooks::register( 'AbortNewAccount', 'AbuseFilterHooks::onAbortNewAccount' );
+			Hooks::register( 'AbortAutoAccount', 'AbuseFilterHooks::onAbortAutoAccount' );
+		}
 	}
 
 	/**
@@ -387,6 +400,7 @@ class AbuseFilterHooks {
 	 * @param $message
 	 * @param $autocreate bool Indicates whether the account is created automatically.
 	 * @return bool
+	 * @deprecated AbuseFilterPreAuthenticationProvider will take over this functionality
 	 */
 	private static function checkNewAccount( $user, &$message, $autocreate ) {
 		if ( $user->getName() == wfMessage( 'abusefilter-blocker' )->inContentLanguage()->text() ) {
@@ -419,6 +433,7 @@ class AbuseFilterHooks {
 	 * @param $user User
 	 * @param $message
 	 * @return bool
+	 * @deprecated AbuseFilterPreAuthenticationProvider will take over this functionality
 	 */
 	public static function onAbortNewAccount( $user, &$message ) {
 		return self::checkNewAccount( $user, $message, false );
@@ -428,6 +443,7 @@ class AbuseFilterHooks {
 	 * @param $user User
 	 * @param $message
 	 * @return bool
+	 * @deprecated AbuseFilterPreAuthenticationProvider will take over this functionality
 	 */
 	public static function onAbortAutoAccount( $user, &$message ) {
 		// FIXME: ERROR MESSAGE IS SHOWN IN A WEIRD WAY, BEACUSE $message
diff --git a/AbuseFilterPreAuthenticationProvider.php b/AbuseFilterPreAuthenticationProvider.php
new file mode 100644
index 000000000..d1e2f4f20
--- /dev/null
+++ b/AbuseFilterPreAuthenticationProvider.php
@@ -0,0 +1,45 @@
+<?php
+
+use MediaWiki\Auth\AbstractPreAuthenticationProvider;
+
+class AbuseFilterPreAuthenticationProvider extends AbstractPreAuthenticationProvider {
+	public function testForAccountCreation( $user, $creator, array $reqs ) {
+		return $this->testUser( $user, $creator, false );
+	}
+
+	public function testUserForCreation( $user, $autocreate ) {
+		// if this is not an autocreation, testForAccountCreation already handled it
+		if ( $autocreate ) {
+			return $this->testUser( $user, $user, true );
+		}
+		return StatusValue::newGood();
+	}
+
+	/**
+	 * @param User $user The user being created or autocreated
+	 * @param User $creator The user who caused $user to be created (or $user itself on autocreation)
+	 * @param bool $autocreate Is this an autocreation?
+	 * @return StatusValue
+	 */
+	protected function testUser( $user, $creator, $autocreate ) {
+		if ( $user->getName() == wfMessage( 'abusefilter-blocker' )->inContentLanguage()->text() ) {
+			return StatusValue::newFatal( 'abusefilter-accountreserved' );
+		}
+
+		$vars = new AbuseFilterVariableHolder;
+
+		// generateUserVars records $creator->getName() which would be the IP for unregistered users
+		if ( $creator->isLoggedIn() ) {
+			$vars->addHolders( AbuseFilter::generateUserVars( $creator ) );
+		}
+
+		$vars->setVar( 'ACTION', $autocreate ? 'autocreateaccount' : 'createaccount' );
+		$vars->setVar( 'ACCOUNTNAME', $user->getName() );
+
+		// pass creator in explicitly to prevent recording the current user on autocreation - T135360
+		$status = AbuseFilter::filterAction( $vars, SpecialPage::getTitleFor( 'Userlogin' ),
+			'default', $creator );
+
+		return $status->getStatusValue();
+	}
+}
diff --git a/extension.json b/extension.json
index 9b7c76a29..444bea88e 100644
--- a/extension.json
+++ b/extension.json
@@ -74,6 +74,7 @@
 		"AbuseFilterParser": "AbuseFilter.parser.php",
 		"AbuseFilterTokenizer": "AbuseFilterTokenizer.php",
 		"AbuseFilterHooks": "AbuseFilter.hooks.php",
+		"AbuseFilterPreAuthenticationProvider": "AbuseFilterPreAuthenticationProvider.php",
 		"SpecialAbuseLog": "special/SpecialAbuseLog.php",
 		"AbuseLogPager": "special/SpecialAbuseLog.php",
 		"SpecialAbuseFilter": "special/SpecialAbuseFilter.php",
@@ -171,8 +172,6 @@
 		"GetAutoPromoteGroups": "AbuseFilterHooks::onGetAutoPromoteGroups",
 		"AbortMove": "AbuseFilterHooks::onAbortMove",
 		"MovePageCheckPermissions": "AbuseFilterHooks::onMovePageCheckPermissions",
-		"AbortNewAccount": "AbuseFilterHooks::onAbortNewAccount",
-		"AbortAutoAccount": "AbuseFilterHooks::onAbortAutoAccount",
 		"ArticleDelete": "AbuseFilterHooks::onArticleDelete",
 		"RecentChange_save": "AbuseFilterHooks::onRecentChangeSave",
 		"ListDefinedTags": "AbuseFilterHooks::onListDefinedTags",