Remove PasswordCannotMatchUsername password policy

Bug: T242768
Change-Id: Ied6fe389a1ce6c66cbf558d2f3867fb12245ff8a
Reedy 2021-09-05 17:56:31 +01:00
parent d7dee58047
commit 7a17473dd1
8 changed files with 3 additions and 92 deletions


@ -19,6 +19,9 @@ Some specific notes for MediaWiki 1.37 upgrades are below:
For notes on 1.36.x and older releases, see HISTORY.
=== Configuration changes for system administrators in 1.37 ===
* (T242768) The PasswordCannotMatchUsername password policy has been removed,
please use PasswordCannotBeSubstringInUsername instead. If you have not
customised your password policies, there will be nothing to do here.
* …
==== New configuration ====


@ -5254,7 +5254,6 @@ $wgCentralIdLookupProvider = 'local';
* as part of the login workflow, regardless if it is correct.
* - MaximalPasswordLength - maximum length password a user is allowed
* to attempt. Prevents DoS attacks with pbkdf2.
* - PasswordCannotMatchUsername - Password cannot match the username.
* - PasswordCannotBeSubstringInUsername - Password cannot be a substring
* (contained within) the username.
* - PasswordCannotMatchDefaults - Username/password combination cannot
@ -5294,7 +5293,6 @@ $wgPasswordPolicy = [
],
'default' => [
'MinimalPasswordLength' => [ 'value' => 1, 'suggestChangeOnLogin' => true ],
'PasswordCannotMatchUsername' => [ 'value' => true, 'suggestChangeOnLogin' => true ],
'PasswordCannotBeSubstringInUsername' => [
'value' => true,
'suggestChangeOnLogin' => true
@ -5307,7 +5305,6 @@ $wgPasswordPolicy = [
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',


@ -20,7 +20,6 @@
* @file
*/
use MediaWiki\MediaWikiServices;
use MediaWiki\User\UserIdentity;
use Wikimedia\CommonPasswords\CommonPasswords;
@ -85,25 +84,6 @@ class PasswordPolicyChecks {
return $status;
}
/**
* Check if username and password are a (case-insensitive) match.
* @param bool $policyVal true to force compliance.
* @param UserIdentity $user
* @param string $password
* @return Status error if username and password match, and policy is true
*/
public static function checkPasswordCannotMatchUsername( $policyVal, UserIdentity $user, $password ) {
$status = Status::newGood();
$username = $user->getName();
$contLang = MediaWikiServices::getInstance()->getContentLanguage();
if (
$policyVal && hash_equals( $contLang->lc( $username ), $contLang->lc( $password ) )
) {
$status->error( 'password-name-match' );
}
return $status;
}
/**
* Check if password is a (case-insensitive) substring within the username.
* @param bool $policyVal true to force compliance.


@ -4392,7 +4392,6 @@
"passwordpolicies-policy-displaywithflags": "<span class=\"passwordpolicies-policy\">$1 <code>($2)</code></span> <span class=\"passwordpolicies-policy-flags\">($3)</span>",
"passwordpolicies-policy-minimalpasswordlength": "Password must be at least $1 {{PLURAL:$1|character|characters}} long",
"passwordpolicies-policy-minimumpasswordlengthtologin": "Password must be at least $1 {{PLURAL:$1|character|characters}} long to be able to login",
"passwordpolicies-policy-passwordcannotmatchusername": "Password cannot be the same as username",
"passwordpolicies-policy-passwordcannotbesubstringinusername": "Password cannot be a substring within the username",
"passwordpolicies-policy-passwordcannotmatchdefaults": "Password cannot match a specific list of default passwords",
"passwordpolicies-policy-maximalpasswordlength": "Password must be less than $1 {{PLURAL:$1|character|characters}} long",


@ -4617,7 +4617,6 @@
"passwordpolicies-policy-displaywithflags": "{{optional}}\nParameters:\n* $1 - the text from the \"passwordpolicies-policy-...\" messages, i.e. {{msg-mw|passwordpolicies-policy-minimalpasswordlength}}\n* $2 - the name of this password policy\n* $3 - comma-separated list of the text from the \"passwordpolicies-policyflag-...\" messages, e.g. {{msg-mw|passwordpolicies-policyflag-forcechange}}",
"passwordpolicies-policy-minimalpasswordlength": "Password policy that enforces a minimum number of characters a password must be. $1 - minimum number of characters that a password can be",
"passwordpolicies-policy-minimumpasswordlengthtologin": "Password policy that enforces a minimum number of characters a password must be to be able to login to the wiki. $1 - minimum number of characters that a password can be to be able to login",
"passwordpolicies-policy-passwordcannotmatchusername": "Password policy that enforces that the password of the account cannot be the same as the username",
"passwordpolicies-policy-passwordcannotbesubstringinusername": "Password policy that enforces that the password of the account cannot be a substring within the username",
"passwordpolicies-policy-passwordcannotmatchdefaults": "Password policy that enforces that passwords are not on a list of default passwords (often previously used during MediaWiki automated testing)",
"passwordpolicies-policy-maximalpasswordlength": "Password policy that enforces a maximum number of characters a password must be. $1 - maximum number of characters that a password can be",


@ -1,51 +0,0 @@
<?php
/**
* Testing password-policy check functions
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
*/
use MediaWiki\User\UserIdentityValue;
/**
* See also the unit tests at \MediaWiki\Tests\Unit\PasswordPolicyChecksTest
*/
class PasswordPolicyChecksTest extends MediaWikiIntegrationTestCase {
/**
* @covers PasswordPolicyChecks::checkPasswordCannotMatchUsername
*
* Uses MediaWikiServices for the content language, so can't move to unit tests
*/
public function testCheckPasswordCannotMatchUsername() {
$user = UserIdentityValue::newRegistered( 42, 'user' );
$statusOK = PasswordPolicyChecks::checkPasswordCannotMatchUsername(
1, // policy value
$user, // User
'password' // password
);
$this->assertTrue( $statusOK->isGood(), 'Password does not match username' );
$statusLong = PasswordPolicyChecks::checkPasswordCannotMatchUsername(
1, // policy value
$user, // User
'user' // password
);
$this->assertFalse( $statusLong->isGood(), 'Password matches username' );
$this->assertTrue( $statusLong->isOK(), 'Password matches username, not fatal' );
}
}


@ -32,12 +32,10 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
'checkuser' => [
'MinimalPasswordLength' => [ 'value' => 10, 'forceChange' => true ],
'MinimumPasswordLengthToLogin' => 6,
'PasswordCannotMatchUsername' => true,
],
'sysop' => [
'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ],
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
],
'bureaucrat' => [
'MinimalPasswordLength' => [
@ -45,15 +43,12 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
'suggestChangeOnLogin' => false,
'forceChange' => true,
],
'PasswordCannotMatchUsername' => true,
],
'default' => [
'MinimalPasswordLength' => 4,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchDefaults' => true,
'MaximalPasswordLength' => 4096,
// test null handling
'PasswordCannotMatchUsername' => null,
'PasswordCannotBeSubstringInUsername' => true,
],
];
@ -61,7 +56,6 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
protected $checks = [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',
@ -80,7 +74,6 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
[
'MinimalPasswordLength' => [ 'value' => 8, 'suggestChangeOnLogin' => true ],
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBeSubstringInUsername' => true,
'PasswordCannotMatchDefaults' => true,
'MaximalPasswordLength' => 4096,
@ -97,7 +90,6 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
'suggestChangeOnLogin' => true
],
'MinimumPasswordLengthToLogin' => 6,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBeSubstringInUsername' => true,
'PasswordCannotMatchDefaults' => true,
'MaximalPasswordLength' => 4096,
@ -121,7 +113,6 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
'suggestChangeOnLogin' => true
],
'MinimumPasswordLengthToLogin' => 6,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBeSubstringInUsername' => true,
'PasswordCannotMatchDefaults' => true,
'MaximalPasswordLength' => 4096,
@ -234,19 +225,16 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
], // p1
[
'MinimalPasswordLength' => 2,
'PasswordCannotMatchUsername' => 1,
'PasswordCannotBeSubstringInUsername' => 1,
], // p2
[
'MinimalPasswordLength' => 8,
'PasswordCannotMatchUsername' => 1,
'PasswordCannotBeSubstringInUsername' => 1,
], // max
],
'Missing items in p2' => [
[
'MinimalPasswordLength' => 8,
'PasswordCannotMatchUsername' => 1,
'PasswordCannotBeSubstringInUsername' => 1,
], // p1
[
@ -254,7 +242,6 @@ class UserPasswordPolicyTest extends MediaWikiIntegrationTestCase {
], // p2
[
'MinimalPasswordLength' => 8,
'PasswordCannotMatchUsername' => 1,
'PasswordCannotBeSubstringInUsername' => 1,
], // max
],


@ -534,12 +534,10 @@ class UserTest extends MediaWikiIntegrationTestCase {
'sysop' => [
'MinimalPasswordLength' => 8,
'MinimumPasswordLengthToLogin' => 1,
'PasswordCannotMatchUsername' => 1,
'PasswordCannotBeSubstringInUsername' => 1,
],
'default' => [
'MinimalPasswordLength' => 6,
'PasswordCannotMatchUsername' => true,
'PasswordCannotBeSubstringInUsername' => true,
'PasswordCannotMatchDefaults' => true,
'MaximalPasswordLength' => 40,
@ -548,7 +546,6 @@ class UserTest extends MediaWikiIntegrationTestCase {
'checks' => [
'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
'PasswordCannotBeSubstringInUsername' =>
'PasswordPolicyChecks::checkPasswordCannotBeSubstringInUsername',
'PasswordCannotMatchDefaults' => 'PasswordPolicyChecks::checkPasswordCannotMatchDefaults',