[ 'value' => 10, 'suggestChangeOnLogin' => true ], 'MinimumPasswordLengthToLogin' => [ 'value' => 1, 'suggestChangeOnLogin' => true ], 'PasswordNotInLargeBlacklist' => [ 'value' => true, 'suggestChangeOnLogin' => true ], ]; foreach ( $wmgPrivilegedGroups as $group ) { // On non-SUL wikis this is the effective password policy. On SUL wikis, it will be overridden // in the PasswordPoliciesForUser hook, but still needed for Special:PasswordPolicies if ( $group === 'user' ) { $group = 'default'; // For e.g. private and fishbowl wikis; covers 'user' in password policies } $wgPasswordPolicy['policies'][$group] = array_merge( $wgPasswordPolicy['policies'][$group] ?? [], $wmgPrivilegedPolicy ); } $wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = [ 'value' => 8, 'suggestChangeOnLogin' => false, ]; $wgPasswordPolicy['policies']['default']['PasswordCannotBePopular'] = [ 'value' => 100, 'suggestChangeOnLogin' => true, ]; // Enforce password policy when users login on other wikis; also for sensitive global groups // FIXME does this just duplicate the the global policy checks down in the main $wmgUseCentralAuth block? if ( $wmgUseCentralAuth ) { $wgHooks['PasswordPoliciesForUser'][] = function ( User $user, array &$effectivePolicy ) use ( $wmgPrivilegedPolicy ) { $privilegedGroups = wmfGetPrivilegedGroups( $user->getName(), $user ); if ( $privilegedGroups ) { $effectivePolicy = UserPasswordPolicy::maxOfPolicies( $effectivePolicy, $wmgPrivilegedPolicy ); // hack; PasswordNotInLargeBlacklist obsoletes PasswordCannotBePopular but maxOfPolicies can't handle that if ( $effectivePolicy['PasswordNotInLargeBlacklist'] ?? false ) { $effectivePolicy['PasswordCannotBePopular'] = 0; } if ( in_array( 'staff', $privilegedGroups, true ) ) { $effectivePolicy['MinimumPasswordLengthToLogin'] = [ 'value' => 10, 'suggestChangeOnLogin' => true, ]; } } return true; }; } $wgLocalVirtualHosts = [ 'wikipedia.beta.wmflabs.org', 'wiktionary.beta.wmflabs.org', 'wikibooks.beta.wmflabs.org', 'wikiquote.beta.wmflabs.org', 'wikinews.beta.wmflabs.org', 'wikisource.beta.wmflabs.org', 'wikiversity.beta.wmflabs.org', 'wikivoyage.beta.wmflabs.org', 'meta.wikimedia.beta.wmflabs.org', 'commons.wikimedia.beta.wmflabs.org', ]; # Attempt to auto block users using faulty servers # See also http://www.us.sorbs.net/general/using.shtml $wgEnableDnsBlacklist = true; $wgDnsBlacklistUrls = [ 'proxies.dnsbl.sorbs.net.', ]; if ( $wmgUseFlow ) { // Override CommonSettings.php, which has: // $wgFlowExternalStore = $wgDefaultExternalStore; $wgFlowExternalStore = [ 'DB://flow_cluster1', ]; $wgExtraNamespaces += [ 190 => 'Flow_test', 191 => 'Flow_test_talk', ]; $wgNamespacesWithSubpages += [ 190 => true, 191 => true, ]; $wgNamespaceContentModels[ 191 ] = 'flow-board'; // CONTENT_MODEL_FLOW_BOARD } if ( $wmgUseFileExporter ) { // On Beta don't bother enabling beta feature mode. $wgFileExporterBetaFeature = false; $wgFileExporterTarget = 'https://commons.wikimedia.beta.wmflabs.org/wiki/Special:ImportFile'; } if ( $wmgUseContentTranslation ) { $wgContentTranslationSiteTemplates['cx'] = 'https://cxserver-beta.wmflabs.org/v1'; $wgContentTranslationSiteTemplates['cookieDomain'] = false; $wgContentTranslationTranslateInTarget = false; } if ( $wmgUseCentralAuth ) { $wgCentralAuthUseSlaves = true; } if ( $wmgUseCentralNotice ) { // Emit CSP headers on banner previews. This can go away when full CSP // support (T135963) is deployed. $wgCentralNoticeContentSecurityPolicy = "default-src *.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.beta.wmflabs.org *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.beta.wmflabs.org *.wikimedia.org data: 'unsafe-inline' 'self';"; } // Labs override for GlobalCssJs if ( $wmgUseGlobalCssJs && $wmgUseCentralAuth ) { // Load from betalabs metawiki $wgResourceLoaderSources['metawiki'] = [ 'apiScript' => '//meta.wikimedia.beta.wmflabs.org/w/api.php', 'loadScript' => '//meta.wikimedia.beta.wmflabs.org/w/load.php', ]; } if ( $wmgUseGlobalUserPage && $wmgUseCentralAuth ) { // Labs override $wgGlobalUserPageAPIUrl = 'https://meta.wikimedia.beta.wmflabs.org/w/api.php'; $wgGlobalUserPageDBname = 'metawiki'; } if ( $wmgUseUrlShortener ) { // Labs overrides $wgUrlShortenerReadOnly = false; $wgUrlShortenerServer = 'w-beta.wmflabs.org'; $wgUrlShortenerDBCluster = false; $wgUrlShortenerDBName = 'wikishared'; $wgUrlShortenerDomainsWhitelist = [ '(.*\.)?wikipedia\.beta\.wmflabs\.org', '(.*\.)?wiktionary\.beta\.wmflabs\.org', '(.*\.)?wikibooks\.beta\.wmflabs\.org', '(.*\.)?wikinews\.beta\.wmflabs\.org', '(.*\.)?wikiquote\.beta\.wmflabs\.org', '(.*\.)?wikisource\.beta\.wmflabs\.org', '(.*\.)?wikiversity\.beta\.wmflabs\.org', '(.*\.)?wikivoyage\.beta\.wmflabs\.org', '(.*\.)?wikimedia\.beta\.wmflabs\.org', '(.*\.)?wikidata\.beta\.wmflabs\.org', ]; $wgUrlShortenerApprovedDomains = [ '*.wikipedia.beta.wmflabs.org', '*.wiktionary.beta.wmflabs.org', '*.wikibooks.beta.wmflabs.org', '*.wikinews.beta.wmflabs.org', '*.wikiquote.beta.wmflabs.org', '*.wikisource.beta.wmflabs.org', '*.wikiversity.beta.wmflabs.org', '*.wikivoyage.beta.wmflabs.org', '*.wikimedia.beta.wmflabs.org', '*.wikidata.beta.wmflabs.org', ]; } // Labs override for BounceHandler if ( $wmgUseBounceHandler ) { // $wgVERPsecret = ''; // This was set in PrivateSettings.php by Legoktm $wgBounceHandlerCluster = false; $wgBounceHandlerSharedDB = false; $wgBounceHandlerInternalIPs = [ '127.0.0.1', '::1', '172.16.4.120' ]; // deployment-mx02.deployment-prep.eqiad.wmflabs $wgBounceHandlerUnconfirmUsers = true; $wgBounceRecordLimit = 5; $wgVERPdomainPart = 'beta.wmflabs.org'; } if ( $wmgUseTimedMediaHandler ) { $wgMwEmbedModuleConfig[ 'MediaWiki.ApiProviders' ] = [ "commons" => [ 'url' => '//commons.wikimedia.beta.wmflabs.org/w/api.php' ] ]; $wgEnableTranscode = true; // enable transcoding on labs $wgFFmpegLocation = '/usr/bin/ffmpeg'; // use new ffmpeg build w/ VP9 & Opus support } // Enable Flickr uploads on commons beta T86120 if ( $wgDBname == 'commonswiki' ) { $wgGroupPermissions['user']['upload'] = true; $wgGroupPermissions['user']['upload_by_url'] = true; } else { // Use InstantCommons on all betawikis except commonswiki $wgUseInstantCommons = true; } if ( $wmgEnableJsonConfigDataMode && $wgDBname !== 'commonswiki' ) { // Enable Tabular data namespace on Commons - T148745 $wgJsonConfigs['Tabular.JsonConfig']['remote']['url'] = 'https://commons.wikimedia.beta.wmflabs.org/w/api.php'; // Enable Map (GeoJSON) data namespace on Commons - T149548 $wgJsonConfigs['Map.JsonConfig']['remote']['url'] = 'https://commons.wikimedia.beta.wmflabs.org/w/api.php'; } if ( $wmgUseMath ) { $wgDefaultUserOptions[ 'math' ] = 'mathml'; } // CORS (cross-domain AJAX, T22814) // This lists the domains that are accepted as *origins* of CORS requests // DO NOT add domains here that aren't WMF wikis unless you really know what you're doing if ( $wmgUseCORS ) { $wgCrossSiteAJAXdomains = [ '*.beta.wmflabs.org', ]; } // Temporary override to test T68699 on Beta Cluster. Remove when in production. $wgExtendedLoginCookieExpiration = 365 * 86400; if ( $wmgUseCollection ) { $wgCollectionPortletFormats[] = 'rdf2text'; // Don't use production proxy to reach PediaPress $wgCollectionCommandToServeURL[ 'zip_post' ] = 'https://pediapress.com/wmfup/'; } if ( $wmgUsePageImages ) { $wgPageImagesBlacklist[] = [ 'type' => 'db', 'page' => 'MediaWiki:Pageimages-blacklist', 'db' => 'commonswiki', ]; } if ( $wmgUseQuickSurveys ) { $wgQuickSurveysRequireHttps = false; } if ( $wmgUseEcho && $wmgUseCentralAuth ) { $wgEchoSharedTrackingDB = 'wikishared'; // Set cluster back to false, to override CommonSettings.php setting it to 'extension1' $wgEchoSharedTrackingCluster = false; } // Enabling thank-you-edit on beta for testing T128249. Still disabled in prod. $wgEchoNotifications['thank-you-edit']['notify-type-availability']['web'] = true; // Enabling article-reminder on beta for testing T166973. Still disabled in prod. $wgAllowArticleReminderNotification = true; if ( $wmgUseGraph ) { // **** THIS LIST MUST MATCH puppet/hieradata/labs/deployment-prep/common.yaml **** // See https://www.mediawiki.org/wiki/Extension:Graph#External_data $wgGraphAllowedDomains['http'] = [ 'wmflabs.org' ]; $wgGraphAllowedDomains['https'][] = 'beta.wmflabs.org'; $wgGraphAllowedDomains['wikirawupload'][] = 'upload.beta.wmflabs.org'; $wgGraphAllowedDomains['wikidatasparql'][] = 'wdqs-test.wmflabs.org'; } if ( $wmgUseORES ) { $wgOresBaseUrl = 'https://ores-beta.wmflabs.org/'; } if ( $wmgUseUniversalLanguageSelector ) { $wgDefaultUserOptions['compact-language-links'] = 0; } $wgLoginNotifyAttemptsKnownIP = 10; $wgLoginNotifyAttemptsNewIP = 1; if ( $wmgUseKartographer ) { $wgKartographerMapServer = 'https://maps-beta.wmflabs.org'; $wgKartographerIconServer = 'https://maps-beta.wmflabs.org'; } if ( $wmgUseFileImporter ) { // Beta commons references configuration files hosted locally. // Note that beta testwiki will continue to fetch its configuration from production mw.org . if ( $wgDBname == 'commonswiki' ) { $wgFileImporterCommonsHelperServer = 'https://commons.wikimedia.beta.wmflabs.org'; $wgFileImporterCommonsHelperBasePageName = 'Extension:FileImporter/Data/'; $wgFileImporterCommonsHelperHelpPage = 'https://commons.wikimedia.beta.wmflabs.org/wiki/Extension:FileImporter/Data'; $wgFileImporterWikidataEntityEndpoint = 'https://wikidata.beta.wmflabs.org/wiki/Special:EntityData/'; $wgFileImporterWikidataNowCommonsEntity = 'Q531650'; } } $wgMessageCacheType = CACHE_ACCEL; // Let Beta Cluster Commons do upload-from-URL from production Commons. if ( $wgDBname == 'commonswiki' ) { $wgCopyUploadsDomains[] = 'upload.wikimedia.org'; } // Test of new import source configuration on labs cluster $wgImportSources = false; include "$wmfConfigDir/import.php"; $wgHooks['ImportSources'][] = 'wmfImportSources'; $wgAuthManagerAutoConfig['preauth'][GuanacoProvider::class] = [ 'class' => GuanacoProvider::class, 'sort' => 0, ]; class GuanacoProvider extends \MediaWiki\Auth\AbstractPreAuthenticationProvider { const EVILUA = 'Bawolff test'; /** * @param User $user * @param array $autocreate * @param array $options * @return Status */ public function testUserForCreation( $user, $autocreate, array $options = [] ) { return $this->testUser( $user ); } /** * @param User $user * @param User $creator * @param array $reqs * @return Status */ public function testForAccountCreation( $user, $creator, array $reqs ) { return $this->testUser( $user ); } /** * @param User $user * @return Status */ public function testUser( $user ) { $ua = $this->manager->getRequest()->getHeader( 'User-agent' ); $logger = \MediaWiki\Logger\LoggerFactory::getInstance( 'badpass' ); if ( $ua === self::EVILUA ) { $logger->info( 'Account creation prevented due to UA {name}', [ 'successful' => false, 'name' => $user->getName(), 'ua' => $ua, ] ); // To be misleading, claim its a throttle hit. // hopefully this will confuse attacker. $msg = wfMessage( 'acct_creation_throttle_hit' )->params( 6 ) ->durationParams( 86400 ); return \StatusValue::newFatal( $msg ); } $logger->info( 'Account creation allowed due to UA {name}', [ 'successful' => true, 'name' => $user->getName(), 'ua' => $ua, ] ); return \StatusValue::newGood(); } } } # end safeguard