Commit graph

75 commits

Author SHA1 Message Date
Derk-Jan Hartman ac30151bcf Don't allow scratch tokens when enrolling for 2 auth.
Validating with a scratch code is probably a "giant trap that newbies
could fall into".

Bug: T150824
Change-Id: I5710b151d7682e4cdb0b6a692f7b2c108f051caf
2017-05-15 13:16:29 +02:00
jenkins-bot 099224abee Merge "OathAuth: rename failedtovalidateoauth" 2017-05-10 15:18:44 +00:00
jenkins-bot 2e3c32cf84 Merge "OathAuth: remove message Oathauth-displayoathinfo" 2017-05-10 15:18:13 +00:00
Derk-Jan Hartman eabcc820a5 OathAuth: rename failedtovalidateoauth
Rename this key from failedtovalidateoauth to failedtovalidateoath
as it has nothing to do with OAuth

Bug: T151536
Change-Id: Ib34ef3dbdef8eda515748140960ef240e4990044
2017-04-26 21:00:13 +02:00
Derk-Jan Hartman 18a0c0174b More unused oathauth message keys
More message keys that became unused during various rewrite stages

Bug: T151536
Change-Id: Ic261ba73207793f3223227227d93624676290d3d
2017-04-26 17:15:29 +00:00
Derk-Jan Hartman 10b3b6557c OathAuth: remove message Oathauth-displayoathinfo
This message key was unused since change
I17ac042f5a5093b2c0b2ce8d088f95213d1c0509

Bug: T151604
Change-Id: Ic6686f34cf5dd3161d4d3df200b336c4eb5a3f83
2017-04-22 13:40:39 +02:00
Reedy 0f5772e7bd Remove SpecialOATHLogin.php as more AuthManager related cleanup
Change-Id: I9d7fd0a2da0e3e54bb5031d7e70769a2a27703c8
2017-04-01 16:51:41 +01:00
Umherirrender f338a1489e Rename api example message of oathvalidate
To make clear from the message name which module it belongs to, two
example messages should be renamed.

Change-Id: Idd329e77d5c7082eb8097309fb89f82c7a37cf68
2017-01-01 16:25:19 +01:00
Brad Jorsch 47d7c04496 Update for API error i18n
See Iae0e2ce3.

Change-Id: Ie30549363b079ea23d6eab5959d10ada8f74acdf
2016-12-10 00:26:48 +00:00
MarcoAurelio 628af8fad4 Replace references to mobile apps to more generic 'authentication device'
Desktop programs for TOTP authentication also exist, so lets replace
'mobile app' to more generic 'authentication device' to cover all of
them. Improvements on the wording are welcome.

Change-Id: Id19ac30dc7ac36616b8e00b1b4c9e95eec8afc06
2016-12-07 14:28:28 +00:00
MarcoAurelio a7ee83ece6 Typo fix
Change-Id: Idb28f4d1963ba7fa75496444d864a9e199e9b86e
2016-12-03 17:27:26 +00:00
MarcoAurelio 0ac5c0fb71 Make OATHAuth messages use consistent "two-factor authentication" wording
Bug: T150597
Change-Id: I0fed5a9b3fd747b6f2f71834c0bfe9dc88bbefb8
2016-11-17 11:19:11 +01:00
Reedy 8e70c98ed7 Rename openstackmanager- to oathauth-
Change-Id: If0378e0c0a3fc08de410be0d0e39273df1002391
2016-11-16 22:49:31 +00:00
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00
Bryan Davis 36c523ab23 Add an api action to validate an OATH token
Add a new internal action=oathvalidate Action API module that can be
used to validate an OATH token collected from a user. Using the module
requires the 'oathauth-api-all' permission introduced in I4884f6e.

Attempts to call the action for a given user are rate limited to only
allow 10 failures per minute using the new 'badoath' key.

The check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Complete usage in an LDAP shared auth environment would look something
like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH
  protection.
* If OATH is active for the account, prompt the user for their current
  OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a
2016-10-07 16:55:50 -07:00
Bryan Davis 766e18bca1 Add a query meta api option to check for OATH
Add a new internal action=query&meta=oath Action API module that can be
used to check for OATH protection on a given user account. Using the
module requires a new 'oathauth-api-all' permission which is not granted
to any group by default. The permission is also added to the new
'oath' grant so that it can be used via OAuth and bot passwords.

Use of this API is security sensitive and should not be granted lightly.
Configuring a special 'oathauth' user group to grant the needed
'oathauth-api-all' permission is recommended.

This check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Bug: T144712
Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9
2016-10-07 12:10:18 -07:00
Gergő Tisza 563796a98c Update for AuthManager
Handling enabling/disabling via AuthManager is left to a separate
patch.

Bug: T110457
Change-Id: Ic492b8f2477c475f8414b61505139e9a1df2ba5b
2016-05-31 19:38:41 +00:00
csteipp 07f99656dc Fix i18n merge errors
Address comments by Raimond Spekking on
I39859cc59f1811de42b72f6167d332ea48812f97

Change-Id: Ib17f1a2f0e70e5fd286d7ea441b13f79da3743c5
2016-03-31 07:51:26 -07:00
Tyler Anthony Romeo 1a8006317d Move token login to separate page
Rather than have an extraneous form on the login page,
move the token input to a separate page. The actual
logic for logging in is identical, the only difference
is that the token is added to the form data on a second
page request.

Bug: 53195
Change-Id: I39859cc59f1811de42b72f6167d332ea48812f97
2016-03-29 16:02:54 -07:00
Tyler Romeo 4e9ad22469 Add user right for enabling two-factor auth
Make new right oathauth-enable that the user must have to enable two
factor authentication (disabling and logging in, of course, are still
allowed).

Bug: T100376
Change-Id: I18d43f8b2cf2c2ce9c2309a43961686498b5c999
2016-03-24 12:45:41 -07:00
Tyler Anthony Romeo 0c389f5025 Refactored special pages into HTMLForm and proxy
Made new class ProxySpecialPage, which acts as a
proxy object to another SpecialPage object that is
determined based on context information other than
the title.

Then Special:OATH has been split into two separate
special page classes (both FormSpecialPages using
HTMLForm) that are routed to by a ProxySpecialPage
object.

In addition, the form for enabling two-factor auth
has been refactored into vform style, with some
better instructions on how to enable two-factor
authentication.

Change-Id: Ib9117cbc9d7f044de9607db81a157e1b472b5ec0
2016-03-23 11:26:04 -07:00
Siebrand Mazeland 44a170a4f4 Remove use of "successful" in strings
Change-Id: If9e32d42a56b85318ce4b7446db95db579f63e14
2016-03-07 12:47:59 +01:00
Siebrand Mazeland 88b2fea14f Update indentation to use tabs
Change-Id: I761d90d8758d3c7b3dd82ea9693a56b46655555a
2015-10-13 08:31:04 +02:00
Siebrand Mazeland 71fee2e552 Update spelling and remove uses of title case
Change-Id: I8445ad4b1e5f0daf052331edd2a5c7a3b0113473
2014-10-21 19:40:24 +02:00
Siebrand Mazeland e08f4b18f5 Migrate to JSON i18n
Procedure per https://www.mediawiki.org/wiki/Manual:GenerateJsonI18n.php
with shim.

Change-Id: Iec7afc3b9697ec16145dd215ae27842cf54a5934
2014-03-28 12:07:32 +01:00