Commit graph

81 commits

Author SHA1 Message Date
jenkins-bot d770f2bb05 Merge "Declare grant risk levels" 2024-01-17 03:44:51 +00:00
Reedy 6d58d6a6ee extension.json: Add config descriptions
Co-Authored credit to Ayush_Anand3310 who mostly wrote them on the task

Bug: T328577
Co-Authored-By: Ayush-Nautiyal007 <ayush.2020012016@tulas.edu.in>
Change-Id: Iea2d730bfe69c0ee72e894e7ea3bc31f141e546f
2024-01-13 14:33:04 +00:00
Reedy d82699be26 extension.json: Remove OATHAuthMultipleDevicesMigrationStage
Unused now

Change-Id: Ic712e81e2f935af4429debb52fa172958379392f
2024-01-13 14:29:14 +00:00
James D. Forrester de73bf5674 build: Update MediaWiki requirement to 1.42
All extensions in the MediaWiki tarball are expected to track MediaWiki's release directly.

Change-Id: Ia9dece4a8a203c2f5fc43b9f1c9af67268c0a08d
2024-01-12 14:12:34 -05:00
James D. Forrester b2abf6d832 extension.json: Drop RL targets definitions, no longer honoured
Bug: T328497
Change-Id: I1389d576d988e8d8b456d14db8d818c788a40d60
2024-01-12 08:50:50 -05:00
Taavi Väänänen 809576b671 ApiQueryOATH: do not use module to check enablement
Bug: T242031
Change-Id: Icafde71f6e58b24e8917b42a28b8f398aa28df20
2023-12-22 00:55:37 +02:00
Sam Wilson fbe2f875c4 Switch from client- to server-side generated QR codes
Use the same PHP library as UrlShortener (endroid/qr-code) to
generate QR codes, rather than the out-of-date JS library.

Bug: T348590
Change-Id: I560ac1b384e249aad1866752deac753c764ec553
2023-12-13 13:25:20 +08:00
Taavi Väänänen 94782641cf Convert to a virtual domain
Bug: T348484
Change-Id: I1ab23dfdf32e6965cac4e6c5736abbbf606c1c92
2023-12-06 07:08:10 -08:00
Gergő Tisza 651cc7d8db Declare grant risk levels
Bug: T290790
Depends-On: Ib7a195c167f82e686c4ede45388957f9988bf75d
Change-Id: Ic3493adbf012f2f6f9c7fc9598a7aba93fab18ed
2023-11-02 21:15:03 -07:00
Taavi Väänänen 1bb99e3ee3 Add myself to the author list
Change-Id: I7f72b1e0129548632e74cc8b8ccac030b51bc740
2023-10-10 21:57:04 +00:00
James D. Forrester 9feb7ea8f3 build: Update MediaWiki requirement to 1.41
All extensions in the MediaWiki tarball are expected to track MediaWiki's release directly.

Change-Id: Ie7602760c6e69f52fe28699638ceeaf048bfb14b
2023-08-19 13:56:16 +08:00
Umherirrender 4b44d7f9ba Use HookHandlers for Echo hook
Bug: T270971
Depends-On: Iffa2b409502b4269c9746e0304feb4aaee37a86e
Change-Id: I61dd10200c70575690c5c4db3978d6e85a6cfe5d
2023-08-16 00:14:23 +02:00
Umherirrender 6089abf1cb tests: Use static provider in TOTPAuthenticationRequestTest
Shows up a deprecation message

Follow-Up: I5ff35ad0e894f0a27beae00257dc1fc599ad518d
Change-Id: Ibd0184ab7f30898e9415400051413b3b7f9dde53
2023-05-19 22:27:12 +02:00
gerritbot 4b32885285 Update moved class RawMessage
See T321882. Moved in I195cf4c67bd514

Bug: T321681
Change-Id: If34bda0a8d0f882d51fea1fcf4257bb5de09948a
2023-05-19 10:31:07 +00:00
Taavi Väänänen 6ef3d2418a Database-level support for multiple auth devices
This adds new database tables to support storing multiple authentication
factors for a single user. The current approach taken is to use a single
database row per 2fa method and key. The current module/key abstraction
will have to be updated to support having multiple module types for a
single user (for example for having a separate module for recovery
codes), but this patch does not address that and instead keeps the
existing limitations, however the needed updates for that should be
doable with this database schema.

I've decided to add a new table instead of modifying the existing
oathauth_users table. This is mainly because adding an auto_increment
column to the existing table would be difficult, but also allows us to
update the table definition to follow MW conventions (namely the column
name prefixes). I've also used the opportunity to normalize the device
types onto a separate table.

The migration stage variable is set to SCHEMA_COMPAT_NEW so that
third-party wikis can use update.php normally and don't have to adjust
anything. This means that it needs to be manually set to _OLD on
wmf-config before merging this patch.

Since we're already working with the database schema, this adds a new,
currently unused column for the creation date, so that T242847 will not
require a new schema change.

Bug: T242031
Bug: T242847
Change-Id: I6aa69c089340434737b55201b80398708a70c355
2023-02-24 15:33:00 +02:00
Taavi Väänänen c0da90be2b Add separate OATHAuthModuleRegistry service
This new service is separated from the previous OATHAuth class to give
the service a more accurate name. Also removed unnecessary injected
services and do some other minor cleanup.

Change-Id: I8d5fbc7594b69168dc0c8bfade1ac172a5aeef6f
2023-01-01 21:17:04 +02:00
Umherirrender 0fbb714b36 Replace deprecated HTMLForm::setPreText
Bug: T325474
Change-Id: I6dbbee52e27fd048cba3bd58a23554324c0db4b9
2022-12-27 12:49:08 +01:00
Reedy dac8cb27dc Move UpdateTables to HookHandler
Standardises code

Bug: T270971
Change-Id: If4ec8443afde189ce69d305857f94249a605dd42
2022-10-05 23:25:55 -04:00
Kunal Mehta c896015a44 Allow filtering Special:Log/oath by action
Configure "ActionFilteredLogs" in extension.json to allow filtering
the oath log by its two actions, verify ("checking" in the UI) and
disable-other.

== Test plan ==
* Enable 2FA on your administrator account, use Special:VerifyOATHForUser
  and Special:VerifyOATHForUser to generate two log entries.
* Visit Special:Log/oath and use the new action selector, testing each
  state to verify the correct set of logs are shown.
* Screenshots showing this testing are posted at T310487#7999991.

Bug: T310487
Change-Id: I10632c86689e330b21b44a096b098436ebe47e3e
2022-06-13 14:28:22 -04:00
Kunal Mehta 329c3133d6 Send a notification when 2FA is disabled
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.

The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.

On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.

The Echo (Notifications) extension is not required, this will gracefully
do nothing if it's not enabled.

Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-17 00:14:20 -08:00
Kunal Mehta 498dcfeb80 Require OATHAuth for membership in specified user groups
Users in groups listed in $wgOATHRequiredForGroups (default none) must
have two-factor authentication enabled otherwise their membership in
those groups will be disabled. This is done using the
UserEffectiveGroups hook, which allows dynamically adding or removing
user groups.

If a user doesn't have 2FA enabled, it will appear to them as if they
aren't a member of the group at all. Special:Preferences will show which
groups are disabled. In the future it would be good to have a hook into
PermissionsError to show this as well. The UserGetRights hook is used to
ensure the user still has the "oathauth-enable" user right in case it
was only granted to them as part of the user group they are disabled
from.

On the outside, Special:ListUsers will still show the user as a member
of the group. The API list=users&prop=groups|groupmemberships will show
inconsistent information: groups will remove disabled groups while
groupmemberships will not.

This functionality was somewhat already available with
$wgOATHExclusiveRights, except that implementation has flaws outlined at
T150562#6078263 and haven't been resolved in I69af6a58e4 for over a year
now. If this works out, it's expected that will be deprecated/removed.

Bug: T150562
Change-Id: I07ebddafc6f2233ccec216fa8ac6e996553499fb
2022-02-14 00:47:20 -08:00
Martin Urbanec 73a3848557 showqrcode-related RL modules should also target mobile devices
Otherwise, the QR code will not be displayed when using
the mobile interface.

Bug: T214986
Change-Id: I08c3f66d836f5fc854d5c7ae2ca580aa896f3f38
2021-09-05 23:07:35 +02:00
jenkins-bot 005dc5a364 Merge "Remove $wgOATHAuthSecret" 2021-07-01 00:22:02 +00:00
Reedy ec3c499138 Remove $wgOATHAuthSecret
It's unused

Change-Id: Ia62672c36a8241e0f25c69444b3db693aaea9db7
2021-07-01 00:48:17 +01:00
vladshapik bae40b8b5e Replace uses of the deprecated setters of AbstractAuthenticationProvider
Since the AbstractAuthenticationProvider::setLogger, ::setManager and
::setConfig methods had been soft deprecated,
their uses were removed.
* Also bump required MW version to 1.37.0

Bug: T281991
Change-Id: Ifd6ed1bc60d8a7fe6d10af1f08b6670a96ca2851
2021-05-13 17:50:15 +03:00
ZabeMath 7820be3326 Replace uses of DB_MASTER with DB_PRIMARY
Change-Id: Ifd3c5b97b0f519b7f61c8fd76149b1bcd53796d1
2021-05-13 01:25:56 +02:00
libraryupgrader 255d43e6a1 build: Updating dependencies
composer:
* mediawiki/mediawiki-codesniffer: 34.0.0 → 35.0.0
* mediawiki/minus-x: 1.1.0 → 1.1.1

npm:
* eslint-config-wikimedia: 0.17.0 → 0.18.1

Additional changes:
* Added the "composer phan" command to conveniently run phan.
* Removing manual extensions for eslint.

Change-Id: I8bb66a4485564d0518f105ccbbdd8f8ba73d20a3
2021-01-30 06:33:24 +00:00
Martin Urbanec b5a187624e Add oathauth-verify-user to oath grant
Change-Id: I4baf29ad39bd56bcbf45670423fd553643af6b55
2021-01-29 00:51:06 +01:00
Reedy 615965c730 Inject services to Special Pages
Change-Id: Ice0c63368e9c0aa77688b63a74eb706dd00691ce
2020-12-31 23:54:43 +00:00
Reedy 85d6681fef Convert to HookHandler
Bug: T270971
Change-Id: Idf8dad4872a220624b4355a8a9b5e9a02d0e442c
2020-12-31 19:52:49 +00:00
Reedy 37d2b0ff19 Remove TwoFactorIsEnabled hook handler
Hook was part of Extension:OpenStackManager, but removed by REL1_35, so unnecessary
I4741fcb073f8463f017bc1b477206dee801b662b / 46d9149c2db7c2b2d4573bede74b54779d66bee8

Change-Id: I2c5f99bfa9028c57a1eadbd81a51f84b47668848
2020-12-31 02:37:42 +00:00
daniel a7b8ce496c Use "user-global" limit for TOTP attempts.
Depends-On: Id680b96be2ea81d29447c4c1abafc8f98a339626
Bug: T251661
Change-Id: I5c81d6cd39a783997cbaf6dc1ca8b5b5008cf0b9
2020-09-03 15:04:44 +02:00
DannyS712 130e649191 Add Special:VerifyOATHForUser to check if users have OATH enabled
Bug: T209749
Change-Id: Idbac3940b36ce21a0b40044482514a28c5fbd45f
2020-04-22 00:47:22 +00:00
DannyS712 c5ded3d748 Don't try to grant oathauth-enable to *
Bug: T248282
Depends-On: Ia4c04645bff5e19adbc31557449fc0a9b0ed6d5a
Change-Id: I1030ea396abe3b888ecb001f0790f73e7ef3eff0
2020-03-23 02:34:17 +00:00
DannyS712 4f8eca9f43 extension.json - don't use array syntax when hooks only have 1 handler
Change-Id: I143fbcb8a425241164e534b39bc6677750aa5f63
2020-03-11 10:49:27 +00:00
Umherirrender 275a5d4163 Move test-only namespaces to new TestAutoloadNamespaces declaration
Bug: T196090
Change-Id: I90882f3c0da996bd5fc3d5ab07adbe277969c1ba
2019-12-31 00:47:41 +01:00
Reedy 6b993ae3c6 Bump 0.4.4
Change-Id: I3097526954c18c6759461f800168ebeb4a92e9e7
2019-10-23 15:45:50 +01:00
Reedy 9c254ab7e5 Bump 0.4.3
Change-Id: Id6ea1e2e41d64ccdfb02b6b081595c0a2b490329
2019-10-09 22:07:08 +01:00
Dejan Savuljesku a244d95224 Ask user to reauthenticate before changing 2FA method
Re-auth period set to 60s

Bug: T218211
Change-Id: I17a84b8e60da2ada35c6b86cf6b66d75fb3f13fe
2019-10-09 20:45:30 +00:00
Reedy 1cfb3fc840 Bump version 0.4.2
After PHP interface change, useful for WebAuthn

Change-Id: I37e53c9a67f7591b5f2a41afaf96695d99a60867
2019-09-28 18:12:21 +01:00
Reedy 94be789597 Bump 0.4.1 for a few small bugfixes
Change-Id: Ia194f096f3cbfeb1b5394f279dbb99e46f3c06df
2019-09-05 14:54:09 +01:00
Reedy 89438231ba Update version to 0.4.0 to keep better track of changes
Especially for usage in Webauthn extension

Change-Id: Id5fae4ec9ffbd188151b8d91e4b6ae9c71c8a2ec
2019-08-30 19:42:48 +00:00
Dejan Savuljesku 6c09ac0c53 Allow revocation of user rights if 2FA isn't enabled on an account
Bug: T199118
Bug: T218215

Change-Id: I7036dd0d95598b90654a1fcf3130c6bdc6b635b4
2019-07-31 13:36:33 +00:00
Dejan Savuljesku 017d8c8126 Support for multiple keys, improved module form logic #2
Removed unused classes, missed in previous commits

Bug: T218210

Change-Id: Iaf9facb54cd9693f20ed2f48d22b076c4b626705
2019-07-05 20:23:26 +00:00
Amir Aharoni 53251f752c Split apihelp messages to a separate file
Bug: T189982
Change-Id: I04f84c10c99de9bdd5d7b9828e852615488328db
2019-07-04 20:09:00 +01:00
rvogel b9f768e20a Refactor includes to src #2
Bug: T218210

Change-Id: I079e6e819c079b68bbfecdac0d873b26d4e16e86
2019-07-04 13:36:13 +00:00
rvogel b04722a1eb Rework the way user interacts with 2FA settings
Bug: T218210

Change-Id: Iaa6f6ae1c25f47ef43a0e6467474284d89a7a213
2019-07-04 12:45:27 +00:00
Reedy 62d83ab1e6 Bump version to 0.3.0
Change-Id: If1dd738cba260a4270f943b1b98610d47f2023bd
2019-06-19 13:28:43 +01:00
rvogel d1475452a6 Fix remoteExtPath in RL module definition
Change-Id: Ie2a1af68f498d551da77df907a965d4fec0ece65
2019-06-18 22:22:03 +00:00
Dejan Savuljesku ea984e5c2b Refactor the extension to support multiple auth modules
Please note, this patch requires a schema change before merging

Change-Id: I71286534d21d95083436d64d79811943c1a1d032
ERM: #14484
Bug: T218210
2019-06-18 10:45:21 +00:00