wikimedia/mediawiki-extensions-OATHAuth
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth synced 2024-12-13 08:58:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
mediawiki-extensions-OATHAuth/src/OATHUserRepository.php

201 lines
5.6 KiB
PHP
Raw Normal View History

Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
<?php
Make licensing explicit, add missing GPL file headers Since this repository has multi-licensed code, add GPL v2+ file headers to code that had no licensing blocks to make it obvious which files carry which license. And add "AND GPL-3.0-or-later" to extension.json's license-name property to make it clear that this extension does have code that isn't redistributable under GPL v2. Change-Id: Id3059fb9596527ef054bec9d89a28f1ccbe2113d
2018-04-11 01:29:26 +00:00
/**
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*/
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
Refactor the extension to support multiple auth modules Please note, this patch requires a schema change before merging Change-Id: I71286534d21d95083436d64d79811943c1a1d032 ERM: #14484 Bug: T218210
2019-03-14 14:39:10 +00:00
namespace MediaWiki\Extension\OATHAuth;
use BagOStuff;
use ConfigException;
build: Updating mediawiki/mediawiki-codesniffer to 29.0.0 The following sniffs are failing and were disabled: * MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate * MediaWiki.Commenting.FunctionComment.MissingParamName * MediaWiki.Commenting.FunctionComment.MissingParamTag * MediaWiki.Commenting.FunctionComment.MissingReturn Additional changes: * Also sorted "composer fix" command to run phpcbf last. Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9
2020-01-14 08:27:29 +00:00
use FormatJson;
Various minor cleanup Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6
2023-10-10 21:42:36 +00:00
use MediaWiki\Extension\OATHAuth\Notifications\Manager;
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
use MediaWiki\User\CentralId\CentralIdLookupFactory;
build: Updating mediawiki/mediawiki-codesniffer to 29.0.0 The following sniffs are failing and were disabled: * MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate * MediaWiki.Commenting.FunctionComment.MissingParamName * MediaWiki.Commenting.FunctionComment.MissingParamTag * MediaWiki.Commenting.FunctionComment.MissingReturn Additional changes: * Also sorted "composer fix" command to run phpcbf last. Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9
2020-01-14 08:27:29 +00:00
use MWException;
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
use Psr\Log\LoggerAwareInterface;
build: Updating mediawiki/mediawiki-codesniffer to 29.0.0 The following sniffs are failing and were disabled: * MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate * MediaWiki.Commenting.FunctionComment.MissingParamName * MediaWiki.Commenting.FunctionComment.MissingParamTag * MediaWiki.Commenting.FunctionComment.MissingReturn Additional changes: * Also sorted "composer fix" command to run phpcbf last. Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9
2020-01-14 08:27:29 +00:00
use Psr\Log\LoggerInterface;
Define fallback for request IP when persisting user Bug: T237554 Change-Id: I18f57a523a6515f593963a9c149374bd6f6c73b4
2019-11-12 08:47:12 +00:00
use RequestContext;
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
use RuntimeException;
build: Updating mediawiki/mediawiki-codesniffer to 29.0.0 The following sniffs are failing and were disabled: * MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate * MediaWiki.Commenting.FunctionComment.MissingParamName * MediaWiki.Commenting.FunctionComment.MissingParamTag * MediaWiki.Commenting.FunctionComment.MissingReturn Additional changes: * Also sorted "composer fix" command to run phpcbf last. Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9
2020-01-14 08:27:29 +00:00
use User;
Add missing use for namespace Wikimedia\Rdbms Change-Id: I5d65237678d858f1d10969a3de5a5b9d48f6a87f
2018-04-05 09:29:45 +00:00
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
class OATHUserRepository implements LoggerAwareInterface {
Add separate OATHAuthDatabase service Add a simple service to access the central database to decrease code repetition. Change-Id: Ib33000f4d44d77da31cc375e374cb595ad23bcbd
2022-12-31 21:32:29 +00:00
private OATHAuthDatabase $database;
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
private BagOStuff $cache;
Add in-process cache for OATHUser lookups Change-Id: I9392b7b1a23944dfd91d690fa30b5a7fdf0f2e51
2016-06-15 10:07:01 +00:00
Add separate OATHAuthModuleRegistry service This new service is separated from the previous OATHAuth class to give the service a more accurate name. Also removed unnecessary injected services and do some other minor cleanup. Change-Id: I8d5fbc7594b69168dc0c8bfade1ac172a5aeef6f
2022-12-31 21:06:34 +00:00
private OATHAuthModuleRegistry $moduleRegistry;
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
private CentralIdLookupFactory $centralIdLookupFactory;
Refactor the extension to support multiple auth modules Please note, this patch requires a schema change before merging Change-Id: I71286534d21d95083436d64d79811943c1a1d032 ERM: #14484 Bug: T218210
2019-03-14 14:39:10 +00:00
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
private LoggerInterface $logger;
public function __construct(
Add separate OATHAuthDatabase service Add a simple service to access the central database to decrease code repetition. Change-Id: Ib33000f4d44d77da31cc375e374cb595ad23bcbd
2022-12-31 21:32:29 +00:00
OATHAuthDatabase $database,
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
BagOStuff $cache,
Add separate OATHAuthModuleRegistry service This new service is separated from the previous OATHAuth class to give the service a more accurate name. Also removed unnecessary injected services and do some other minor cleanup. Change-Id: I8d5fbc7594b69168dc0c8bfade1ac172a5aeef6f
2022-12-31 21:06:34 +00:00
OATHAuthModuleRegistry $moduleRegistry,
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
CentralIdLookupFactory $centralIdLookupFactory,
LoggerInterface $logger
) {
Add separate OATHAuthDatabase service Add a simple service to access the central database to decrease code repetition. Change-Id: Ib33000f4d44d77da31cc375e374cb595ad23bcbd
2022-12-31 21:32:29 +00:00
$this->database = $database;
Add in-process cache for OATHUser lookups Change-Id: I9392b7b1a23944dfd91d690fa30b5a7fdf0f2e51
2016-06-15 10:07:01 +00:00
$this->cache = $cache;
Add separate OATHAuthModuleRegistry service This new service is separated from the previous OATHAuth class to give the service a more accurate name. Also removed unnecessary injected services and do some other minor cleanup. Change-Id: I8d5fbc7594b69168dc0c8bfade1ac172a5aeef6f
2022-12-31 21:06:34 +00:00
$this->moduleRegistry = $moduleRegistry;
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
$this->centralIdLookupFactory = $centralIdLookupFactory;
$this->setLogger( $logger );
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
}
/**
* @param LoggerInterface $logger
*/
public function setLogger( LoggerInterface $logger ) {
$this->logger = $logger;
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
}
Clean up code style and docblocks * array() -> [] * spacing fixes * dirname( __FILE__ ) -> __DIR__ * Add phpcs style checks using latest mediawiki-codesniffer to keep things clean. Co-Authored-By: Bryan Davis <bd808@wikimedia.org> Change-Id: I95735f928d3e5d6ac9d2a10d92b40ed01cf2737c
2016-09-16 23:18:35 +00:00
/**
* @param User $user
* @return OATHUser
Various minor cleanup Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6
2023-10-10 21:42:36 +00:00
* @throws ConfigException
* @throws MWException
Clean up code style and docblocks * array() -> [] * spacing fixes * dirname( __FILE__ ) -> __DIR__ * Add phpcs style checks using latest mediawiki-codesniffer to keep things clean. Co-Authored-By: Bryan Davis <bd808@wikimedia.org> Change-Id: I95735f928d3e5d6ac9d2a10d92b40ed01cf2737c
2016-09-16 23:18:35 +00:00
*/
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
public function findByUser( User $user ) {
Add in-process cache for OATHUser lookups Change-Id: I9392b7b1a23944dfd91d690fa30b5a7fdf0f2e51
2016-06-15 10:07:01 +00:00
$oathUser = $this->cache->get( $user->getName() );
if ( !$oathUser ) {
build: Updating mediawiki/mediawiki-phan-config to 0.9.0 Change-Id: Iaac7b5f78f26a083e8ad2d12f9c9c4a9ed246283
2019-12-21 19:18:31 +00:00
$oathUser = new OATHUser( $user, [] );
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
OATHUserRepository: rely less on global state Inject more stuff into OATHUserRepository properly. Also done other misc cleanup on that class. Change-Id: I194345974146517c8216a81330cd930534d655e4
2022-12-31 18:48:09 +00:00
$uid = $this->centralIdLookupFactory->getLookup()
Replace deprecated CentralIdLookup::factory Bug: T288836 Change-Id: Iac0492405951d9c6bb21151f2b70f1989bdec027
2021-08-13 16:19:35 +00:00
->centralIdFromLocalUser( $user );
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
$res = $this->database->getDB( DB_REPLICA )->newSelectQueryBuilder()
->select( [
'oad_data',
'oat_name',
] )
->from( 'oathauth_devices' )
->join( 'oathauth_types', null, [ 'oat_id = oad_type' ] )
->where( [ 'oad_user' => $uid ] )
->caller( __METHOD__ )
->fetchResultSet();
$module = null;
foreach ( $res as $row ) {
if ( $module && $row->oat_name !== $module->getName() ) {
// Not supported by current application-layer code.
OATHUserRepository: Minor cleanup/fixes * Don't use namespace on already imported Manager class * Fix oauth mention to oathauth Follows-Up: I6aa69c089340434737b55201b80398708a70c355 Change-Id: Id43fc3cffee589c6d04281edeb778c011dfecda4
2023-11-20 22:09:51 +00:00
throw new RuntimeException( "user {$uid} has multiple different oathauth modules defined" );
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
}
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
if ( !$module ) {
$module = $this->moduleRegistry->getModuleByKey( $row->oat_name );
$oathUser->setModule( $module );
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
if ( !$module ) {
throw new MWException( 'oathauth-module-invalid' );
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
}
}
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
$keyData = FormatJson::decode( $row->oad_data, true );
$oathUser->addKey( $module->newKey( $keyData ) );
Add in-process cache for OATHUser lookups Change-Id: I9392b7b1a23944dfd91d690fa30b5a7fdf0f2e51
2016-06-15 10:07:01 +00:00
}
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
Add in-process cache for OATHUser lookups Change-Id: I9392b7b1a23944dfd91d690fa30b5a7fdf0f2e51
2016-06-15 10:07:01 +00:00
$this->cache->set( $user->getName(), $oathUser );
}
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
return $oathUser;
}
Minor documentation updates Update DatabaseBase type hint Update some deprecated code usages Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-09-30 21:13:57 +00:00
/**
* @param OATHUser $user
Define fallback for request IP when persisting user Bug: T237554 Change-Id: I18f57a523a6515f593963a9c149374bd6f6c73b4
2019-11-12 08:47:12 +00:00
* @param string|null $clientInfo
Refactor the extension to support multiple auth modules Please note, this patch requires a schema change before merging Change-Id: I71286534d21d95083436d64d79811943c1a1d032 ERM: #14484 Bug: T218210
2019-03-14 14:39:10 +00:00
* @throws ConfigException
* @throws MWException
Minor documentation updates Update DatabaseBase type hint Update some deprecated code usages Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-09-30 21:13:57 +00:00
*/
Define fallback for request IP when persisting user Bug: T237554 Change-Id: I18f57a523a6515f593963a9c149374bd6f6c73b4
2019-11-12 08:47:12 +00:00
public function persist( OATHUser $user, $clientInfo = null ) {
if ( !$clientInfo ) {
$clientInfo = RequestContext::getMain()->getRequest()->getIP();
}
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
$prevUser = $this->findByUser( $user->getUser() );
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
$userId = $this->centralIdLookupFactory->getLookup()->centralIdFromLocalUser( $user->getUser() );
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
$moduleId = $this->moduleRegistry->getModuleId( $user->getModule()->getName() );
$rows = [];
foreach ( $user->getKeys() as $key ) {
$rows[] = [
'oad_user' => $userId,
'oad_type' => $moduleId,
'oad_data' => FormatJson::encode( $key->jsonSerialize() )
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
];
}
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
$dbw = $this->database->getDB( DB_PRIMARY );
$dbw->startAtomic( __METHOD__ );
// TODO: only update changed rows
$dbw->delete(
'oathauth_devices',
[ 'oad_user' => $userId ],
__METHOD__
);
$dbw->insert(
'oathauth_devices',
$rows,
__METHOD__
);
$dbw->endAtomic( __METHOD__ );
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
$userName = $user->getUser()->getName();
$this->cache->set( $userName, $user );
if ( $prevUser !== false ) {
$this->logger->info( 'OATHAuth updated for {user} from {clientip}', [
'user' => $userName,
'clientip' => $clientInfo,
Add module types to log entries Change-Id: If765f666496492da44efa282011c2605923be3a2
2022-02-18 00:10:53 +00:00
'oldoathtype' => $prevUser->getModule()->getName(),
'newoathtype' => $user->getModule()->getName(),
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
] );
} else {
// If findByUser() has returned false, there was no user row or cache entry
$this->logger->info( 'OATHAuth enabled for {user} from {clientip}', [
'user' => $userName,
'clientip' => $clientInfo,
Add module types to log entries Change-Id: If765f666496492da44efa282011c2605923be3a2
2022-02-18 00:10:53 +00:00
'oathtype' => $user->getModule()->getName(),
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
] );
OATHUserRepository: Minor cleanup/fixes * Don't use namespace on already imported Manager class * Fix oauth mention to oathauth Follows-Up: I6aa69c089340434737b55201b80398708a70c355 Change-Id: Id43fc3cffee589c6d04281edeb778c011dfecda4
2023-11-20 22:09:51 +00:00
Manager::notifyEnabled( $user );
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
}
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
}
Minor documentation updates Update DatabaseBase type hint Update some deprecated code usages Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-09-30 21:13:57 +00:00
/**
* @param OATHUser $user
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
* @param string $clientInfo
Various minor cleanup Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6
2023-10-10 21:42:36 +00:00
* @param bool $self Whether the user disabled the 2FA themselves
Minor documentation updates Update DatabaseBase type hint Update some deprecated code usages Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-09-30 21:13:57 +00:00
*/
Send a notification when 2FA is disabled Notify users when 2FA is disabled on their account in case something was fishy about it. This notification is a "system" notification that will be displayed in the web UI and sent over email. It can't be opted out of as a preference. The notification links to Special:Preferences, where users can see their 2FA status and re-enable it if they want. A secondary help link goes to [[mw:Help:Two-factor authentication]], but can be overridden by adjusting the "oathauth-notifications-disable-helplink" message. The notification text is different based on whether the user disabled 2FA on their own, or an admin used the special page or a maint script to do it. On Wikimedia wikis, we'll use the WikimediaMessages extension to customize the messages. The Echo (Notifications) extension is not required, this will gracefully do nothing if it's not enabled. Bug: T210075 Bug: T210963 Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-16 09:15:02 +00:00
public function remove( OATHUser $user, $clientInfo, bool $self ) {
Database-level support for multiple auth devices This adds new database tables to support storing multiple authentication factors for a single user. The current approach taken is to use a single database row per 2fa method and key. The current module/key abstraction will have to be updated to support having multiple module types for a single user (for example for having a separate module for recovery codes), but this patch does not address that and instead keeps the existing limitations, however the needed updates for that should be doable with this database schema. I've decided to add a new table instead of modifying the existing oathauth_users table. This is mainly because adding an auto_increment column to the existing table would be difficult, but also allows us to update the table definition to follow MW conventions (namely the column name prefixes). I've also used the opportunity to normalize the device types onto a separate table. The migration stage variable is set to SCHEMA_COMPAT_NEW so that third-party wikis can use update.php normally and don't have to adjust anything. This means that it needs to be manually set to _OLD on wmf-config before merging this patch. Since we're already working with the database schema, this add a new, currently unused column for the creation data, so that T242847 will not require a new schema change. Bug: T242031 Bug: T242847 Change-Id: I6aa69c089340434737b55201b80398708a70c355
2022-12-31 23:49:18 +00:00
$userId = $this->centralIdLookupFactory->getLookup()
->centralIdFromLocalUser( $user->getUser() );
Drop support for old device schema Bug: T242031 Change-Id: Ib5de429f16b597867624a5a3cdfdac99b96c8bf5
2023-01-30 21:01:56 +00:00
$this->database->getDB( DB_PRIMARY )->delete(
'oathauth_devices',
[ 'oad_user' => $userId ],
__METHOD__
);
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
$userName = $user->getUser()->getName();
$this->cache->delete( $userName );
$this->logger->info( 'OATHAuth disabled for {user} from {clientip}', [
'user' => $userName,
'clientip' => $clientInfo,
Add module types to log entries Change-Id: If765f666496492da44efa282011c2605923be3a2
2022-02-18 00:10:53 +00:00
'oathtype' => $user->getModule()->getName(),
Re-instate "Add some logging of OATHAuth actions" This reverts commit 69b6292c124fd86ce286e6e7bcc4ceb8d55cdb01. Bug: T151010 Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-17 23:56:47 +00:00
] );
Various minor cleanup Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6
2023-10-10 21:42:36 +00:00
Manager::notifyDisabled( $user, $self );
Refactor extension key storage This takes out the actual key information from OATHUser and puts it into an OATHKey class, which OATHUser depends on. This allows easily swapping keys in/out from a user. Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2014-05-19 00:05:59 +00:00
}
}
Reference in a new issue Copy permalink