Commit graph

37 commits

Author SHA1 Message Date
Reedy 86def072cf UpdateTables: Move code into maintenance script for modernisation and simplification
Change-Id: If238e6a74f9de952360526b23e8e9d2a396ebf62
2024-01-02 14:24:12 +00:00
Reedy 57505f1976 Drop DB updates from pre MW 1.35
updateDatabaseValueFormat and updateTOTPToMultipleKeys are from 1.34:
Iaf9facb54cd9693f20ed2f48d22b076c4b626705
I71286534d21d95083436d64d79811943c1a1d032

updateTOTPScratchTokensToArray is from 1.36:
Ie8de059888363bf1cea4f0b268a46faaa5671904

Change-Id: I6de64d95b2e4b132d321b6f8f0129c476ef00f7f
2023-12-22 00:42:50 +00:00
Taavi Väänänen 4fee32d2f3
Do not use Module when disabling OAuth for a user
Bug: T242031
Change-Id: I4d4922b9e17d9272e59d6a8af3cb4e2acd48dd9f
2023-12-22 00:54:53 +02:00
Taavi Väänänen 033f9192ee
Migrate callers of Database::insert() to InsertQueryBuilder
Bug: T351905
Change-Id: I298f3807b68d042b2fa92bca789dd6a2b271d4c8
2023-12-06 07:40:53 -08:00
Taavi Väänänen 94782641cf
Convert to a virtual domain
Bug: T348484
Change-Id: I1ab23dfdf32e6965cac4e6c5736abbbf606c1c92
2023-12-06 07:08:10 -08:00
Reedy c56496d62f Various minor cleanup
Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6
2023-10-10 23:29:21 +01:00
Taavi Väänänen 8bafb6fd4e
Keep both tables up-to-date on WRITE_BOTH
Bug: T242031
Change-Id: Ib387a3d448edca0e35d34de54a4c50b33601a2d4
2023-08-16 11:12:32 +08:00
Taavi Väänänen 6ef3d2418a
Database-level support for multiple auth devices
This adds new database tables to support storing multiple authentication
factors for a single user. The current approach taken is to use a single
database row per 2fa method and key. The current module/key abstraction
will have to be updated to support having multiple module types for a
single user (for example for having a separate module for recovery
codes), but this patch does not address that and instead keeps the
existing limitations, however the needed updates for that should be
doable with this database schema.

I've decided to add a new table instead of modifying the existing
oathauth_users table. This is mainly because adding an auto_increment
column to the existing table would be difficult, but also allows us to
update the table definition to follow MW conventions (namely the column
name prefixes). I've also used the opportunity to normalize the device
types onto a separate table.

The migration stage variable is set to SCHEMA_COMPAT_NEW so that
third-party wikis can use update.php normally and don't have to adjust
anything. This means that it needs to be manually set to _OLD on
wmf-config before merging this patch.

Since we're already working with the database schema, this add a new,
currently unused column for the creation data, so that T242847 will not
require a new schema change.

Bug: T242031
Bug: T242847
Change-Id: I6aa69c089340434737b55201b80398708a70c355
2023-02-24 15:33:00 +02:00
Taavi Väänänen e3d07eb0ae
Add separate OATHAuthDatabase service
Add a simple service to access the central database to decrease code
repetition.

Change-Id: Ib33000f4d44d77da31cc375e374cb595ad23bcbd
2023-01-30 14:16:37 +02:00
Reedy dac8cb27dc Move UpdateTables to HookHandler
Standardises code

Bug: T270971
Change-Id: If4ec8443afde189ce69d305857f94249a605dd42
2022-10-05 23:25:55 -04:00
Umherirrender c1c8cf8e49 Bump minimum required version for upgrade to 1.31
Remove sql patches, mention the gerrit change to check version
- patch-remove_reset.sql - Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19

Change-Id: Iae21017f7724390470ca89f492ef26f8ea36e0ad
2022-07-11 19:01:36 +02:00
Matěj Suchánek 0e4ffe44af Replace Maintenance::error calls with ::fatalError
Calling Maintenance::error() with the exit code has
been deprecated since 1.31.

Change-Id: I64fb31b36f8476e3c9ac0f6089f801d375abab9c
2022-07-08 11:13:30 +02:00
Kunal Mehta 329c3133d6 Send a notification when 2FA is disabled
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.

The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.

On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.

The Echo (Notifications) extension is not required, this will gracefully
do nothing if it's not enabled.

Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-17 00:14:20 -08:00
ZabeMath 7820be3326 Replace uses of DB_MASTER with DB_PRIMARY
Change-Id: Ifd3c5b97b0f519b7f61c8fd76149b1bcd53796d1
2021-05-13 01:25:56 +02:00
Reedy ec1c1dcb22 Update TOTP Scratch Tokens to array
Bug: T237303
Change-Id: Ie8de059888363bf1cea4f0b268a46faaa5671904
2020-12-31 01:18:05 +00:00
DannyS712 e801672feb disableOATHAuthForUser: Use fatalError
Bug: T268303
Change-Id: I93474a87e4263edfb46dce80e7216ec74a94580c
2020-11-20 04:11:56 +00:00
libraryupgrader 5b1a07906a build: Updating mediawiki/mediawiki-codesniffer to 29.0.0
The following sniffs are failing and were disabled:
* MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate
* MediaWiki.Commenting.FunctionComment.MissingParamName
* MediaWiki.Commenting.FunctionComment.MissingParamTag
* MediaWiki.Commenting.FunctionComment.MissingReturn

Additional changes:
* Also sorted "composer fix" command to run phpcbf last.

Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9
2020-01-14 08:27:31 +00:00
Umherirrender 712fe51fd5 Use Maintenance::addDescription
It is better to use a setter function than setting a property

Change-Id: Iea7f9ca69a3435e77101e05c60c3fb1ca6fe0501
2019-08-19 20:00:48 +02:00
Dejan Savuljesku 017d8c8126 Support for multiple keys, improved module form logic #2
Removed unused classes, missed in previous commits

Bug: T218210

Change-Id: Iaf9facb54cd9693f20ed2f48d22b076c4b626705
2019-07-05 20:23:26 +00:00
rvogel b9f768e20a Refactor includes to src #2
Bug: T218210

Change-Id: I079e6e819c079b68bbfecdac0d873b26d4e16e86
2019-07-04 13:36:13 +00:00
Dejan Savuljesku ea984e5c2b Refactor the extension to support multiple auth modules
Please note, this patch requires a schema change before merging

Change-Id: I71286534d21d95083436d64d79811943c1a1d032
ERM: #14484
Bug: T218210
2019-06-18 10:45:21 +00:00
Umherirrender 11ee994993 Use ::class for class name resolution
Available since php5.5

Change-Id: Ibb6c84372ac5b82099536fea304fcdefd3693f60
2019-03-03 02:05:56 +01:00
Gergő Tisza 30ed1852b2 Make disableOATHAuthForUser.php log out the affected user
Bug: T189537
Change-Id: Ib8141aedd674ebbc7b103e1f2e8ba6bf99945b61
2018-12-27 20:41:11 +00:00
Reedy 1871a9abe1 Re-instate "Add some logging of OATHAuth actions"
This reverts commit 69b6292c12.

Bug: T151010
Change-Id: I6f610551bc4bd1e78c0282011b80a3f3e70b8885
2018-12-18 17:34:37 +00:00
SBassett 69b6292c12 Revert "Add some logging of OATHAuth actions"
This reverts commit 5acd2eed17.

Bug: T210643
Change-Id: I051cba39bf65f553dfeee9aaf7e9ca1155617dfc
2018-11-28 22:50:12 +00:00
jenkins-bot eff7041be3 Merge "Add some logging of OATHAuth actions" 2018-11-16 18:40:01 +00:00
Umherirrender f8b629f39b Add method scope visibility
Change-Id: I6f4d4acf4fcb4aab318ca217dd4e6185f383e27e
2018-11-02 11:26:41 +01:00
Reedy 5acd2eed17 Add some logging of OATHAuth actions
Logs:
* User enrolling in OATHAuth
* User un-enrolling in OATHAuth
* Scratch token used
* 2FA disabled via a maintenance script
* 2FA disabled via Special:DisableOATHForUser
* Logged in using OTP
* User attempted to enable 2FA using a scratch token
* User attempted to enable 2FA using an invalid OTP

Bug: T151010
Change-Id: Ie6ee610a11814616d34c3d9f5467a563f0db2df3
2018-10-26 15:47:01 +00:00
Umherirrender 35c7b642ad Remove underscore from maintenance script to match class
Move maintenance script to own folder

Without alias under old name, because it should not be run from cron.

Change-Id: I64854b7ef65cd255aff279000ecc81d54155f548
2017-12-10 00:23:07 +01:00
Kunal Mehta 5de762d11e build: Updating mediawiki/mediawiki-codesniffer to 0.11.0
Change-Id: I9cb1df1c9c56bbcb26c9606f33949185ba0235a4
2017-08-11 00:08:50 -04:00
Kunal Mehta c02f2f13b5 build: Updating mediawiki/mediawiki-codesniffer to 0.10.0
The following sniffs are failing and were disabled:
* MediaWiki.Commenting.FunctionComment.MissingParamComment
* MediaWiki.Commenting.FunctionComment.MissingParamTag
* MediaWiki.Commenting.FunctionComment.MissingReturn
* MediaWiki.Commenting.FunctionComment.ParamNameNoMatch
* MediaWiki.FunctionComment.Missing.Protected
* MediaWiki.FunctionComment.Missing.Public

Change-Id: I79250c955f70faf177ada5c7328576abed88011c
2017-07-07 17:50:56 +02:00
Reedy d9f94e41e6 Add a maintenance script to disable oathauth for a username
Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688
2017-07-04 20:58:31 +00:00
Reedy 3cf448830c Remove unused private variable
Change-Id: I9a18a3bf0e79803a3dbb76b91abe87e681560f82
2017-05-19 17:53:51 +01:00
Justin Du ddd8d93867 Update Maintenance scripts to use $this->requireExtension()
Bug: T152139
Change-Id: I5d8979c297db95beec4c5df439beaa2b58f266cf
2016-12-01 15:19:13 -06:00
Reedy 9cceee17cc Clean up code style and docblocks
* array() -> []
* spacing fixes
* dirname( __FILE__ ) -> __DIR__
* Add phpcs style checks using latest mediawiki-codesniffer to keep
  things clean.

Co-Authored-By: Bryan Davis <bd808@wikimedia.org>
Change-Id: I95735f928d3e5d6ac9d2a10d92b40ed01cf2737c
2016-09-30 14:40:06 -06:00
Reedy bfe362d059 We need a master to do write actions...
Change-Id: I618d371cdf76d96370c65975db702ed2fef0579c
2016-09-17 00:04:05 +01:00
Tyler Anthony Romeo 89455cdfb2 Refactor extension key storage
This takes out the actual key information from
OATHUser and puts it into an OATHKey class, which OATHUser
depends on. This allows easily swapping keys in/out from
a user.

Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2016-03-22 18:08:45 -07:00