2017-06-16 21:21:18 +00:00
|
|
|
<?php
|
|
|
|
|
2023-10-10 21:10:48 +00:00
|
|
|
use MediaWiki\Extension\OATHAuth\OATHAuthServices;
|
2024-10-20 08:59:39 +00:00
|
|
|
use MediaWiki\Maintenance\Maintenance;
|
2020-01-14 08:27:29 +00:00
|
|
|
use MediaWiki\MediaWikiServices;
|
|
|
|
use MediaWiki\Session\SessionManager;
|
2018-11-21 03:55:17 +00:00
|
|
|
|
2017-06-16 21:21:18 +00:00
|
|
|
if ( getenv( 'MW_INSTALL_PATH' ) ) {
|
|
|
|
$IP = getenv( 'MW_INSTALL_PATH' );
|
|
|
|
} else {
|
2017-08-11 04:08:50 +00:00
|
|
|
$IP = __DIR__ . '/../../..';
|
2017-06-16 21:21:18 +00:00
|
|
|
}
|
|
|
|
require_once "$IP/maintenance/Maintenance.php";
|
|
|
|
|
|
|
|
class DisableOATHAuthForUser extends Maintenance {
|
2018-11-02 10:26:41 +00:00
|
|
|
public function __construct() {
|
2017-06-16 21:21:18 +00:00
|
|
|
parent::__construct();
|
2023-01-31 09:42:52 +00:00
|
|
|
$this->addDescription( 'Remove all two-factor authentication devices from a specific user' );
|
|
|
|
$this->addArg( 'user', 'The username to remove 2FA devices from.' );
|
2017-06-16 21:21:18 +00:00
|
|
|
$this->requireExtension( 'OATHAuth' );
|
|
|
|
}
|
|
|
|
|
|
|
|
public function execute() {
|
|
|
|
$username = $this->getArg( 0 );
|
|
|
|
|
2023-10-10 21:42:36 +00:00
|
|
|
$user = MediaWikiServices::getInstance()->getUserFactory()
|
|
|
|
->newFromName( $username );
|
|
|
|
if ( $user === null || $user->getId() === 0 ) {
|
2020-11-20 02:40:17 +00:00
|
|
|
$this->fatalError( "User $username doesn't exist!" );
|
2017-06-16 21:21:18 +00:00
|
|
|
}
|
|
|
|
|
2023-10-10 21:10:48 +00:00
|
|
|
$repo = OATHAuthServices::getInstance()->getUserRepository();
|
2017-06-16 21:21:18 +00:00
|
|
|
$oathUser = $repo->findByUser( $user );
|
2023-10-10 21:10:48 +00:00
|
|
|
if ( !$oathUser->isTwoFactorAuthEnabled() ) {
|
2023-01-31 09:42:52 +00:00
|
|
|
$this->fatalError( "User $username does not have two-factor authentication enabled!" );
|
2017-06-16 21:21:18 +00:00
|
|
|
}
|
|
|
|
|
2023-01-31 09:42:52 +00:00
|
|
|
$repo->removeAll( $oathUser, 'Maintenance script', false );
|
2023-10-10 21:42:36 +00:00
|
|
|
// Kill all existing sessions.
|
|
|
|
// If this request to disable 2FA was social-engineered by an attacker,
|
|
|
|
// the legitimate user will hopefully log in again to the wiki, and notice that the second factor
|
2018-11-21 03:55:17 +00:00
|
|
|
// is missing or different, and alert the operators.
|
|
|
|
SessionManager::singleton()->invalidateSessionsForUser( $user );
|
|
|
|
|
2023-01-31 09:42:52 +00:00
|
|
|
$this->output( "Two-factor authentication disabled for $username.\n" );
|
2017-06-16 21:21:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-03-03 01:05:56 +00:00
|
|
|
$maintClass = DisableOATHAuthForUser::class;
|
2017-06-16 21:21:18 +00:00
|
|
|
require_once RUN_MAINTENANCE_IF_MAIN;
|