mediawiki-extensions-OATHAuth/OATHAuth.hooks.php

<?php

/**
 * Hooks for Extension:OATHAuth
 *
 * @ingroup Extensions
 */
class OATHAuthHooks {
	/**
	 * @param $template UserloginTemplate
	 * @return bool
	 */
	static function ModifyUITemplate( &$template ) {
		$input = '<div><label for="wpOATHToken">'
			. wfMessage( 'oathauth-token' )->escaped()
			. '</label>'
			. Html::input( 'wpOATHToken', null, 'text', array(
					'class' => 'loginText', 'id' => 'wpOATHToken', 'tabindex' => '3', 'size' => '20'
				) ) . '</div>';

		$template->set( 'extrafields', $template->get( 'extrafields', '' ) . $input );

		return true;
	}

	/**
	 * Get the singleton OATH user repository
	 *
	 * @return OATHUserRepository
	 */
	public static function getOATHUserRepository() {
		global $wgOATHAuthDatabase;

		static $service = null;

		if ( $service == null ) {
			$service = new OATHUserRepository( wfGetLB( $wgOATHAuthDatabase ) );
		}

		return $service;
	}

	/**
	 * @param $extraFields array
	 * @return bool
	 */
	static function ChangePasswordForm( &$extraFields ) {
		$tokenField = array( 'wpOATHToken', 'oathauth-token', 'password', '' );
		array_push( $extraFields, $tokenField );

		return true;
	}

	/**
	 * @param $user User
	 * @param $password string
	 * @param $newpassword string
	 * @param &$errorMsg string
	 * @return bool
	 */
	static function AbortChangePassword( $user, $password, $newpassword, &$errorMsg ) {
		$result = self::authenticate( $user );

		if ( $result ) {
			return true;
		} else {
			$errorMsg = 'oathauth-abortlogin';

			return false;
		}
	}

	/**
	 * @param $user User
	 * @param $password string
	 * @param &$abort int
	 * @param &$errorMsg string
	 * @return bool
	 */
	static function AbortLogin( $user, $password, &$abort, &$errorMsg ) {
		$result = self::authenticate( $user );
		if ( $result ) {
			return true;
		} else {
			$abort = LoginForm::ABORTED;
			$errorMsg = 'oathauth-abortlogin';
			return false;
		}
	}

	/**
	 * @param $user User
	 * @return bool
	 */
	static function authenticate( $user ) {
		global $wgRequest;

		$token = $wgRequest->getText( 'wpOATHToken' );
		$oathuser = self::getOATHUserRepository()->findByUser( $user );
		# Though it's weird to default to true, we only want to deny
		# users who have two-factor enabled and have validated their
		# token.
		$result = true;

		if ( $oathuser->getKey() !== null ) {
			$result = $oathuser->getKey()->verifyToken( $token, $oathuser );
		}

		return $result;
	}

	/**
	 * Determine if two-factor authentication is enabled for $wgUser
	 *
	 * @param bool &$isEnabled Will be set to true if enabled, false otherwise
	 *
	 * @return bool False if enabled, true otherwise
	 */
	static function TwoFactorIsEnabled( &$isEnabled ) {
		global $wgUser;

		$user = self::getOATHUserRepository()->findByUser( $wgUser );
		if ( $user && $user->getKey() !== null ) {
			$isEnabled = true;
			# This two-factor extension is enabled by the user,
			# we don't need to check others.
			return false;
		} else {
			$isEnabled = false;
			# This two-factor extension isn't enabled by the user,
			# but others may be.
			return true;
		}
	}

	/**
	 * Add the necessary user preferences for OATHAuth
	 *
	 * @param User $user
	 * @param array $preferences
	 *
	 * @return bool
	 */
	public static function manageOATH( User $user, array &$preferences ) {
		if ( !$user->isAllowed( 'oathauth-enable' ) ) {
			return true;
		}

		$oathUser = self::getOATHUserRepository()->findByUser( $user );

		$title = SpecialPage::getTitleFor( 'OATH' );
		$msg = $oathUser->getKey() !== null ? 'oathauth-disable' : 'oathauth-enable';

		$preferences[$msg] = array(
			'type' => 'info',
			'raw' => 'true',
			'default' => Linker::link(
				$title,
				wfMessage( $msg )->escaped(),
				array(),
				array( 'returnto' => SpecialPage::getTitleFor( 'Preferences' )->getPrefixedText() )
			),
			'label-message' => 'oathauth-prefs-label',
			'section' => 'personal/info',
		);

		return true;
	}

	/**
	 * @param DatabaseUpdater $updater
	 * @return bool
	 */
	public static function OATHAuthSchemaUpdates( $updater ) {
		$base = dirname( __FILE__ );
		switch ( $updater->getDB()->getType() ) {
			case 'mysql':
			case 'sqlite':
				$updater->addExtensionTable( 'oathauth_users', "$base/sql/mysql/tables.sql" );
				$updater->addExtensionUpdate( array( array( __CLASS__, 'schemaUpdateOldUsersFromInstaller' ) ) );
				$updater->dropExtensionField( 'oathauth_users', 'secret_reset',
					"$base/sql/mysql/patch-remove_reset.sql" );
				break;
		}

		return true;
	}

	/**
	 * Helper function for converting old users to the new schema
	 * @see OATHAuthHooks::OATHAuthSchemaUpdates
	 *
	 * @param DatabaseUpdater $updater
	 *
	 * @return bool
	 */
	public static function schemaUpdateOldUsersFromInstaller( DatabaseUpdater $updater ) {
		return self::schemaUpdateOldUsers($updater->getDB());
	}

	/**
	 * Helper function for converting old users to the new schema
	 * @see OATHAuthHooks::OATHAuthSchemaUpdates
	 *
	 * @param DatabaseUpdater $updater
	 *
	 * @return bool
	 */
	public static function schemaUpdateOldUsers( DatabaseBase $db ) {
		if ( !$db->fieldExists( 'oathauth_users', 'secret_reset' ) ) {
			return true;
		}

		$res = $db->select( 'oathauth_users', array( 'id', 'scratch_tokens' ), '', __METHOD__ );

		foreach ( $res as $row ) {
			$scratchTokens = unserialize( base64_decode( $row->scratch_tokens ) );
			if ( $scratchTokens ) {
				$db->update(
					'oathauth_users',
					array( 'scratch_tokens' => implode( ',', $scratchTokens ) ),
					array( 'id' => $row->id ),
					__METHOD__
				);
			}
		}

		return true;
	}
}
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`<?php`

			`/**`
			`* Hooks for Extension:OATHAuth`
Refactored special pages into HTMLForm and proxy Made new class ProxySpecialPage, which acts as a proxy object to another SpecialPage object that is determined based on context information other than the title. Then Special:OATH has been split into two separate special page classes (both FormSpecialPages using HTMLForm) that are routed to by a ProxySpecialPage object. In addition, the form for enabling two-factor auth has been refactored into vform style, with some better instructions on how to enable two-factor authentication. Change-Id: Ib9117cbc9d7f044de9607db81a157e1b472b5ec0 2014-05-22 07:33:40 +00:00			`*`
			`* @ingroup Extensions`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`*/`
			`class OATHAuthHooks {`
			`/**`
			`* @param $template UserloginTemplate`
			`* @return bool`
			`*/`
			`static function ModifyUITemplate( &$template ) {`
			`$input = '<div><label for="wpOATHToken">'`
			`. wfMessage( 'oathauth-token' )->escaped()`
			`. '</label>'`
			`. Html::input( 'wpOATHToken', null, 'text', array(`
			`'class' => 'loginText', 'id' => 'wpOATHToken', 'tabindex' => '3', 'size' => '20'`
			`) ) . '</div>';`
Make OAUTHAuth more friendly with other authnz extensions When setting QuickTemplate fields, query to see what is already there, and append to it. That way if another extension adds more fields, it won't be overridden. Bug: 53198 Change-Id: Ib0d67e450e8de372f875536abf82653ede2cdfda 2014-05-11 08:27:11 +00:00
			`$template->set( 'extrafields', $template->get( 'extrafields', '' ) . $input );`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00
			`return true;`
			`}`

Allow for using separate database for OATH creds Add configuration variable for specifying what database the OATH credentials are stored in, that way wikis that use CentralAuth can centralize their two-factor authentication data as well. Bug: T100374 Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6 2015-05-25 23:47:03 +00:00			`/**`
			`* Get the singleton OATH user repository`
			`*`
			`* @return OATHUserRepository`
			`*/`
			`public static function getOATHUserRepository() {`
			`global $wgOATHAuthDatabase;`

			`static $service = null;`

			`if ( $service == null ) {`
			`$service = new OATHUserRepository( wfGetLB( $wgOATHAuthDatabase ) );`
			`}`

			`return $service;`
			`}`

Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`/**`
			`* @param $extraFields array`
			`* @return bool`
			`*/`
			`static function ChangePasswordForm( &$extraFields ) {`
			`$tokenField = array( 'wpOATHToken', 'oathauth-token', 'password', '' );`
			`array_push( $extraFields, $tokenField );`
Make OAUTHAuth more friendly with other authnz extensions When setting QuickTemplate fields, query to see what is already there, and append to it. That way if another extension adds more fields, it won't be overridden. Bug: 53198 Change-Id: Ib0d67e450e8de372f875536abf82653ede2cdfda 2014-05-11 08:27:11 +00:00
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`return true;`
			`}`

			`/**`
			`* @param $user User`
			`* @param $password string`
			`* @param $newpassword string`
			`* @param &$errorMsg string`
			`* @return bool`
			`*/`
			`static function AbortChangePassword( $user, $password, $newpassword, &$errorMsg ) {`
			`$result = self::authenticate( $user );`
Allow for using separate database for OATH creds Add configuration variable for specifying what database the OATH credentials are stored in, that way wikis that use CentralAuth can centralize their two-factor authentication data as well. Bug: T100374 Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6 2015-05-25 23:47:03 +00:00
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`if ( $result ) {`
			`return true;`
			`} else {`
			`$errorMsg = 'oathauth-abortlogin';`
Make OAUTHAuth more friendly with other authnz extensions When setting QuickTemplate fields, query to see what is already there, and append to it. That way if another extension adds more fields, it won't be overridden. Bug: 53198 Change-Id: Ib0d67e450e8de372f875536abf82653ede2cdfda 2014-05-11 08:27:11 +00:00
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`return false;`
			`}`
			`}`

			`/**`
			`* @param $user User`
			`* @param $password string`
			`* @param &$abort int`
			`* @param &$errorMsg string`
			`* @return bool`
			`*/`
			`static function AbortLogin( $user, $password, &$abort, &$errorMsg ) {`
			`$result = self::authenticate( $user );`
			`if ( $result ) {`
			`return true;`
			`} else {`
			`$abort = LoginForm::ABORTED;`
			`$errorMsg = 'oathauth-abortlogin';`
			`return false;`
			`}`
			`}`

			`/**`
			`* @param $user User`
			`* @return bool`
			`*/`
			`static function authenticate( $user ) {`
			`global $wgRequest;`
Make OAUTHAuth more friendly with other authnz extensions When setting QuickTemplate fields, query to see what is already there, and append to it. That way if another extension adds more fields, it won't be overridden. Bug: 53198 Change-Id: Ib0d67e450e8de372f875536abf82653ede2cdfda 2014-05-11 08:27:11 +00:00
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`$token = $wgRequest->getText( 'wpOATHToken' );`
Allow for using separate database for OATH creds Add configuration variable for specifying what database the OATH credentials are stored in, that way wikis that use CentralAuth can centralize their two-factor authentication data as well. Bug: T100374 Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6 2015-05-25 23:47:03 +00:00			`$oathuser = self::getOATHUserRepository()->findByUser( $user );`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`# Though it's weird to default to true, we only want to deny`
			`# users who have two-factor enabled and have validated their`
			`# token.`
			`$result = true;`
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19 2014-05-19 00:05:59 +00:00
			`if ( $oathuser->getKey() !== null ) {`
			`$result = $oathuser->getKey()->verifyToken( $token, $oathuser );`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`}`
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19 2014-05-19 00:05:59 +00:00
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`return $result;`
			`}`

			`/**`
			`* Determine if two-factor authentication is enabled for $wgUser`
			`*`
			`* @param bool &$isEnabled Will be set to true if enabled, false otherwise`
			`*`
			`* @return bool False if enabled, true otherwise`
			`*/`
			`static function TwoFactorIsEnabled( &$isEnabled ) {`
			`global $wgUser;`

Allow for using separate database for OATH creds Add configuration variable for specifying what database the OATH credentials are stored in, that way wikis that use CentralAuth can centralize their two-factor authentication data as well. Bug: T100374 Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6 2015-05-25 23:47:03 +00:00			`$user = self::getOATHUserRepository()->findByUser( $wgUser );`
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19 2014-05-19 00:05:59 +00:00			`if ( $user && $user->getKey() !== null ) {`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`$isEnabled = true;`
			`# This two-factor extension is enabled by the user,`
			`# we don't need to check others.`
			`return false;`
			`} else {`
			`$isEnabled = false;`
			`# This two-factor extension isn't enabled by the user,`
			`# but others may be.`
			`return true;`
			`}`
			`}`

			`/**`
			`* Add the necessary user preferences for OATHAuth`
			`*`
			`* @param User $user`
			`* @param array $preferences`
			`*`
			`* @return bool`
			`*/`
			`public static function manageOATH( User $user, array &$preferences ) {`
Add user right for enabling two-factor auth Make new right oathauth-enable that the user must have to enable two factor authentication (disabling and logging in, of course, are still allowed). Bug: T100376 Change-Id: I18d43f8b2cf2c2ce9c2309a43961686498b5c999 2015-05-26 00:08:47 +00:00			`if ( !$user->isAllowed( 'oathauth-enable' ) ) {`
			`return true;`
			`}`

Allow for using separate database for OATH creds Add configuration variable for specifying what database the OATH credentials are stored in, that way wikis that use CentralAuth can centralize their two-factor authentication data as well. Bug: T100374 Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6 2015-05-25 23:47:03 +00:00			`$oathUser = self::getOATHUserRepository()->findByUser( $user );`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00
			`$title = SpecialPage::getTitleFor( 'OATH' );`
Refactored special pages into HTMLForm and proxy Made new class ProxySpecialPage, which acts as a proxy object to another SpecialPage object that is determined based on context information other than the title. Then Special:OATH has been split into two separate special page classes (both FormSpecialPages using HTMLForm) that are routed to by a ProxySpecialPage object. In addition, the form for enabling two-factor auth has been refactored into vform style, with some better instructions on how to enable two-factor authentication. Change-Id: Ib9117cbc9d7f044de9607db81a157e1b472b5ec0 2014-05-22 07:33:40 +00:00			`$msg = $oathUser->getKey() !== null ? 'oathauth-disable' : 'oathauth-enable';`

			`$preferences[$msg] = array(`
			`'type' => 'info',`
			`'raw' => 'true',`
			`'default' => Linker::link(`
			`$title,`
			`wfMessage( $msg )->escaped(),`
			`array(),`
			`array( 'returnto' => SpecialPage::getTitleFor( 'Preferences' )->getPrefixedText() )`
			`),`
			`'label-message' => 'oathauth-prefs-label',`
			`'section' => 'personal/info',`
			`);`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00
			`return true;`
			`}`

			`/**`
			`* @param DatabaseUpdater $updater`
			`* @return bool`
			`*/`
			`public static function OATHAuthSchemaUpdates( $updater ) {`
			`$base = dirname( __FILE__ );`
			`switch ( $updater->getDB()->getType() ) {`
			`case 'mysql':`
Supports sqlite The updater did not run with a sqlite database backend. It was simply not registered and the MySQL schema is translated just fine by MediaWiki. Bug: 67297 Change-Id: Ic869c2c1f0d3b77f62bb950b8585cd731a414698 2014-06-30 13:20:39 +00:00			`case 'sqlite':`
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19 2014-05-19 00:05:59 +00:00			`$updater->addExtensionTable( 'oathauth_users', "$base/sql/mysql/tables.sql" );`
			`$updater->addExtensionUpdate( array( array( __CLASS__, 'schemaUpdateOldUsersFromInstaller' ) ) );`
			`$updater->dropExtensionField( 'oathauth_users', 'secret_reset',`
			`"$base/sql/mysql/patch-remove_reset.sql" );`
Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`break;`
			`}`
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19 2014-05-19 00:05:59 +00:00
			`return true;`
			`}`

			`/**`
			`* Helper function for converting old users to the new schema`
			`* @see OATHAuthHooks::OATHAuthSchemaUpdates`
			`*`
			`* @param DatabaseUpdater $updater`
			`*`
			`* @return bool`
			`*/`
			`public static function schemaUpdateOldUsersFromInstaller( DatabaseUpdater $updater ) {`
			`return self::schemaUpdateOldUsers($updater->getDB());`
			`}`

			`/**`
			`* Helper function for converting old users to the new schema`
			`* @see OATHAuthHooks::OATHAuthSchemaUpdates`
			`*`
			`* @param DatabaseUpdater $updater`
			`*`
			`* @return bool`
			`*/`
			`public static function schemaUpdateOldUsers( DatabaseBase $db ) {`
			`if ( !$db->fieldExists( 'oathauth_users', 'secret_reset' ) ) {`
			`return true;`
			`}`

			`$res = $db->select( 'oathauth_users', array( 'id', 'scratch_tokens' ), '', __METHOD__ );`

			`foreach ( $res as $row ) {`
			`$scratchTokens = unserialize( base64_decode( $row->scratch_tokens ) );`
			`if ( $scratchTokens ) {`
			`$db->update(`
			`'oathauth_users',`
			`array( 'scratch_tokens' => implode( ',', $scratchTokens ) ),`
			`array( 'id' => $row->id ),`
			`__METHOD__`
			`);`
			`}`
			`}`

Code-base cleanup * Removed use of deprecated core features * Made code style fixes * Made pass phpcs-strict * Fixed special page aliases Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6 2014-05-11 08:16:03 +00:00			`return true;`
			`}`
			`}`