Commit graph

1475 commits

Author SHA1 Message Date
Reedy 7c4649ce37 ApiOATHValidate: Fix example passing TOTP token in data
Change-Id: Idee5685cbf69e4d6dfe4e03e109a0523bc94784f
2022-03-29 12:12:14 +01:00
Translation updater bot 1a92eef0bf Localisation updates from https://translatewiki.net.
Change-Id: I3b96bf1bbf95f46a7955ace3fa4f445b36cf1c02
2022-03-29 08:06:00 +02:00
Translation updater bot 4faabe76b5 Localisation updates from https://translatewiki.net.
Change-Id: I37943a2b3846dae741c5c5834ea5f8faba1ca784
2022-03-28 08:21:35 +02:00
Reedy 6898d6ba93 OATHUserRepository: Stop handling legacy single-key
Migration is handled by UpdateTables::switchTOTPToMultipleKeys()

The transition has been completed at WMF as well.

Bug: T304375
Change-Id: I0e6d30075dfbd66d692cd8a5e3f7c9ebf44bc065
2022-03-26 09:44:55 +00:00
jenkins-bot 1ee5f486d6 Merge "OATHUserRepository: Remove some legacy handling" 2022-03-25 20:44:02 +00:00
Reedy 22505f73ae OATHUserRepository: Remove some legacy handling
The migration from `oathauth_users.secret` to `oathauth_users.module`
was added in I71286534d21d950834. It resides now in the UpdateTables
class, which runs from the LoadExtensionSchemaUpdates hook.

The transition has been completed at WMF as well.

Bug: T304375
Change-Id: I5fa88704c6da2ae2679a19e0c5a2cfe7f3bf5f50
2022-03-25 20:38:16 +00:00
Translation updater bot 1b6ed147d7 Localisation updates from https://translatewiki.net.
Change-Id: Iab3beb8db6aabbf4058815a2394d3e239b4423b5
2022-03-25 08:35:09 +01:00
Translation updater bot 9606a8f679 Localisation updates from https://translatewiki.net.
Change-Id: I36c3607874a56f9754676f691dabda84d4f269fd
2022-03-24 08:34:59 +01:00
Translation updater bot feb4ae190e Localisation updates from https://translatewiki.net.
Change-Id: I0ffd4e269fcff02c3f7c36071b9d9ea42ec5ab63
2022-03-22 08:29:50 +01:00
Reedy 6adc5ecabf Remove unused $key variables from foreach()
Change-Id: Ib035ff7fc3eeeb73b6f870b226775d61b3caee11
2022-03-21 23:58:03 +00:00
Alexander Vorwerk 248d2bb8d6 Disable user only after it has been removed from the db
OATHUser::disable sets the 'module' value to null, but
OATHUserRepository::remove reads that value, in order to add the type
to the log entry, resulting in fatals.

Bug: T304350
Change-Id: Ied622f1ba65bfabad3f048dbca885e4dadab0907
2022-03-21 21:50:20 +00:00
Alexander Vorwerk bd8bb22ecd Revert "Explicitly specify SQL columns to SELECT"
This reverts commit 6f37618f4f.

We are later calling isLegacy and that is checking whether
'secret' is set, but due to the change in the select,
'secret' is never set, breaking the functionality of isLegacy().

Change-Id: Ic2c53dca6d1b1608192a5722408f157505187092
2022-03-21 19:11:42 +00:00
Translation updater bot 81ece94b9d Localisation updates from https://translatewiki.net.
Change-Id: I7906b17770bf9e45b4b8014f60018c66d3a92a84
2022-03-21 08:15:06 +01:00
Translation updater bot 0f3ec513fb Localisation updates from https://translatewiki.net.
Change-Id: I01803540ade12679c1b1ca00b42bb9f0764c46b3
2022-03-18 08:45:09 +01:00
Translation updater bot ead1dde666 Localisation updates from https://translatewiki.net.
Change-Id: Id7b58b44a21542e4d60da2ec664475f6dd95528d
2022-03-17 08:37:26 +01:00
Translation updater bot 4410eb9da0 Localisation updates from https://translatewiki.net.
Change-Id: I5fda7e98750dbbfd2b521ad611c21f70c10a2535
2022-03-16 08:07:59 +01:00
jenkins-bot 3043b1eb75 Merge "Send a notification when 2FA is enabled" 2022-03-15 18:32:59 +00:00
Translation updater bot 5b6921caca Localisation updates from https://translatewiki.net.
Change-Id: Id282f9cefbd7e474e3d8b9431af57c77aa138ea2
2022-03-14 08:14:25 +01:00
Translation updater bot e96bd2e768 Localisation updates from https://translatewiki.net.
Change-Id: I8a5e1c889432085ceef61d9e6eb3a77241ba26bb
2022-03-10 08:19:31 +01:00
Translation updater bot 792e6f10d4 Localisation updates from https://translatewiki.net.
Change-Id: I32369421add4f351fbfb9f4b76372463831b618f
2022-03-09 08:09:51 +01:00
Translation updater bot 2978eba304 Localisation updates from https://translatewiki.net.
Change-Id: I48113b595c0f3b46ef19215f55114b24c4e29598
2022-03-07 08:11:22 +01:00
Translation updater bot 3f2d81f837 Localisation updates from https://translatewiki.net.
Change-Id: Ice717fdf645285750e92224028abbe52c756638c
2022-03-03 08:22:58 +01:00
Translation updater bot abdf3584c0 Localisation updates from https://translatewiki.net.
Change-Id: Ie94bc63e21e8394d3c725a863c11551d38787577
2022-02-28 14:29:08 +01:00
jenkins-bot caee0f788b Merge "Explicitly specify SQL columns to SELECT" 2022-02-28 07:36:04 +00:00
jenkins-bot e3624a3b8a Merge "Add basic tests for TOTPKey" 2022-02-28 07:32:29 +00:00
Kunal Mehta 6f37618f4f Explicitly specify SQL columns to SELECT
...instead of `SELECT *`, in anticipation of future schema changes.
Notably, we didn't need to select the `id` field, since we don't ever
use it (spotted by Thiemo!).

Change-Id: I1089199bdad70401684377d88877eccc689427f9
2022-02-27 23:15:50 -08:00
Kunal Mehta ba39a4dfa8 Add basic tests for TOTPKey
Mostly I wanted to add tests for verifying serialization and
deserialization, since that's what I modify in my next commit.

Change-Id: I8223f2e3e1b3ce79afc8c5cd9ca4afe6d418abf9
2022-02-27 23:01:58 -08:00
Translation updater bot a458752222 Localisation updates from https://translatewiki.net.
Change-Id: I7771da37eaed44691782976168fba716ba2f19b2
2022-02-25 09:44:51 +01:00
Reedy 211c1cb930 Replace usages of Wikimedia\(suppress|restore)Warnings()
Change-Id: Iac7480957819652d487e177bc9caf0c8c3db83e4
2022-02-24 21:18:30 +00:00
Translation updater bot e3ef5d1619 Localisation updates from https://translatewiki.net.
Change-Id: I3cde834312cd4208580b32f6b7b85f98f60c1e50
2022-02-24 08:49:40 +01:00
Reedy 16bc5d7168 Send a notification when 2FA is enabled
Bug: T301987
Change-Id: I0fe32b735e34753442ec9811ea41d15b76999d87
2022-02-24 00:39:37 +00:00
jenkins-bot be665c93cc Merge "SECURITY: Use constant time checks for token values" 2022-02-23 23:07:22 +00:00
Translation updater bot fa6acfbc17 Localisation updates from https://translatewiki.net.
Change-Id: Icc0870102ede8c370457e55646d208514df5d602
2022-02-23 08:19:18 +01:00
sbassett 274c82043e SECURITY: Use constant time checks for token values
Bug: T302059
Change-Id: If726c61233d44e76a22fe25c2c910ce59771b49c
2022-02-22 16:11:07 -06:00
Translation updater bot 7c64eaf0a4 Localisation updates from https://translatewiki.net.
Change-Id: I870f0a7a161d11e7f9edd994a62a45bc5304043b
2022-02-22 08:12:01 +01:00
Translation updater bot 900f9e171c Localisation updates from https://translatewiki.net.
Change-Id: Id7282b409d4df3f66ac7fae4558cfd7399304600
2022-02-21 08:16:21 +01:00
Reedy de936aef6a Convert OATHAuth to abstract schema
Bug: T268564
Change-Id: I251fac0e1939cc84e7eab3e7514e07c81b2b0f1e
2022-02-18 10:36:56 +00:00
jenkins-bot 88552e65bf Merge "Add module types to log entries" 2022-02-18 09:18:09 +00:00
Translation updater bot 44831d0ecf Localisation updates from https://translatewiki.net.
Change-Id: Icbe945f1481cdc10980b68f04fad9bceb0b287f6
2022-02-18 08:40:54 +01:00
Reedy 239ff36a06 Add module types to log entries
Change-Id: If765f666496492da44efa282011c2605923be3a2
2022-02-18 00:30:32 +00:00
jenkins-bot 361d2829ba Merge "Add some greppable usage of messages" 2022-02-17 21:20:21 +00:00
Reedy 68ca72d7b9 Add some greppable usage of messages
Change-Id: I5ca72a33ecacb15a8a01f6cda0cdb7cdb628eab8
Follows-Up: Idbac3940b36ce21a0b40044482514a28c5fbd45f
Follows-Up: Ic173ebb7e39d22e40fea23c2b906d246adef1e05
2022-02-17 20:44:51 +00:00
Reedy 4a3db51953 DisablePresentationModel: Remove duplicate getExtraParam call
Follows-Up: I99077ea082b8483cc4fd77573a0d00fa98201f15
Change-Id: I3e6d5aad83e005f7ea2b80551b5eb9249bf4b947
2022-02-17 18:16:17 +00:00
Kunal Mehta 329c3133d6 Send a notification when 2FA is disabled
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.

The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.

On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.

The Echo (Notifications) extension is not required, this will gracefully
do nothing if it's not enabled.

Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-17 00:14:20 -08:00
jenkins-bot 4cc5cbe4ad Merge "Require OATHAuth for membership in specified user groups" 2022-02-17 07:41:53 +00:00
Translation updater bot 094051f490 Localisation updates from https://translatewiki.net.
Change-Id: If253afd0e21b27a2dfe9791ff9d5402d9976fb70
2022-02-17 08:12:05 +01:00
Lucas Werkmeister 203a0112c0 Pass context into HTMLForm
Creating a HTMLForm (or OOUIHTMLForm) without passing in a context is
deprecated now.

Bug: T301866
Change-Id: I35eb85f5089bcef04624e5f72fd1a4389be87de9
Depends-On: Ic65c8934ab33c6d1ca0356011923f8933c5072ca
2022-02-16 13:05:35 +01:00
Translation updater bot 7ead5b8888 Localisation updates from https://translatewiki.net.
Change-Id: I8fbf5c821276fec4fc92cc712e693c2044dd7000
2022-02-16 08:13:20 +01:00
Kunal Mehta 498dcfeb80 Require OATHAuth for membership in specified user groups
Users in groups listed in $wgOATHRequiredForGroups (default none) must
have two-factor authentication enabled otherwise their membership in
those groups will be disabled. This is done using the
UserEffectiveGroups hook, which allows dynamically adding or removing
user groups.

If a user doesn't have 2FA enabled, it will appear to them as if they
aren't a member of the group at all. Special:Preferences will show which
groups are disabled. In the future it would be good to have a hook into
PermissionsError to show this as well. The UserGetRights hook is used to
ensure the user still has the "oathauth-enable" user right in case it
was only granted to them as part of the user group they are disabled
from.

On the outside, Special:ListUsers will still show the user as a member
of the group. The API list=users&prop=groups|groupmemberships will show
inconsistent information, groups will remove disabled groups while
groupmemberships will not.

This functionality was somewhat already available with
$wgOATHExclusiveRights, except that implementation has flaws outlined at
T150562#6078263 and haven't been resolved in I69af6a58e4 for over a year
now. If this works out, it's expected that will be deprecated/removed.

Bug: T150562
Change-Id: I07ebddafc6f2233ccec216fa8ac6e996553499fb
2022-02-14 00:47:20 -08:00
Translation updater bot 15a1792b2a Localisation updates from https://translatewiki.net.
Change-Id: Ic453ed1c38f95f5232c807f90f21bf623bb6f45a
2022-02-10 08:41:55 +01:00