CliInstaller: fail in a sane way when the password is invalid

Bug: T256620
Change-Id: Ie33bd076834124228dffc4760153e3a3b5238724

includes/installer/CliInstaller.php

@@ -55,7 +55,7 @@ class CliInstaller extends Installer {
 	 * @throws InstallException
 	 */
 	public function __construct( $siteName, $admin = null, array $options = [] ) {
-		global $wgContLang;
+		global $wgContLang, $wgPasswordPolicy;
 
 		parent::__construct();
 
@@ -89,10 +89,6 @@ class CliInstaller extends Installer {
 		}
 		$this->setVar( 'wgMetaNamespace', $metaNS );
 
-		if ( $admin ) {
-			$this->setVar( '_AdminName', $admin );
-		}
-
 		if ( !isset( $options['installdbuser'] ) ) {
 			$this->setVar( '_InstallUser',
 				$this->getVar( 'wgDBuser' ) );
@@ -108,8 +104,25 @@ class CliInstaller extends Installer {
 			$this->setVar( '_CreateDBAccount', true );
 		}
 
-		if ( isset( $options['pass'] ) ) {
-			$this->setVar( '_AdminPassword', $options['pass'] );
+		if ( $admin ) {
+			$this->setVar( '_AdminName', $admin );
+			if ( isset( $options['pass'] ) ) {
+				$adminUser = User::newFromName( $admin );
+				if ( !$adminUser ) {
+					throw new InstallException( Status::newFatal( 'config-admin-name-invalid' ) );
+				}
+				$upp = new UserPasswordPolicy(
+					$wgPasswordPolicy['policies'],
+					$wgPasswordPolicy['checks']
+				);
+				$status = $upp->checkUserPasswordForGroups( $adminUser, $options['pass'],
+					[ 'bureaucrat', 'sysop', 'interface-admin' ] ); // per Installer::createSysop()
+				if ( !$status->isGood() ) {
+					throw new InstallException( Status::newFatal(
+						$status->getMessage( 'config-admin-error-password-invalid' ) ) );
+				}
+				$this->setVar( '_AdminPassword', $options['pass'] );
+			}
 		}
 
 		// Detect and inject any extension found

includes/installer/i18n/en.json

@@ -166,6 +166,7 @@
 	"config-admin-email-help": "Enter an email address here to allow you to receive email from other users on the wiki, reset your password, and be notified of changes to pages on your watchlist. You can leave this field empty.",
 	"config-admin-error-user": "Internal error when creating an admin with the name \"<nowiki>$1</nowiki>\".",
 	"config-admin-error-password": "Internal error when setting a password for the admin \"<nowiki>$1</nowiki>\": <pre>$2</pre>",
+	"config-admin-error-password-invalid": "Invalid wiki admin password: $1",
 	"config-admin-error-bademail": "You have entered an invalid email address.",
 	"config-subscribe": "Subscribe to the [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce release announcements mailing list].",
 	"config-subscribe-help": "This is a low-volume mailing list used for release announcements, including important security announcements.\nYou should subscribe to it and update your MediaWiki installation when new versions come out.",

includes/installer/i18n/qqq.json

@@ -190,6 +190,7 @@
 	"config-admin-email-help": "Help text for an administrator email address in the MediaWiki installer.",
 	"config-admin-error-user": "Used as error message. Parameters:\n* $1 - username of administrator\nSee also:\n* {{msg-mw|Config-admin-error-password}}",
 	"config-admin-error-password": "Used as error message. Parameters:\n* $1 - username of administrator\n* $2 - error message\nSee also:\n* {{msg-mw|Config-admin-error-user}}",
+	"config-admin-error-password-invalid": "Used as error message. Parameters:\n* $1 - list of password errors\nSee also:\n* {{msg-mw|Config-admin-error-password}}",
 	"config-admin-error-bademail": "Error text in the MediaWiki installer when an entered email address does not validate.",
 	"config-subscribe": "Used as label for the installer checkbox",
 	"config-subscribe-help": "\"Low-volume\" in this context means that there will be few e-mails to that mailing list per time period.",