Sign upLogin

wikimedia/mediawiki-core

View on GitHub
Star
includes/session/BotPasswordSessionProvider.php

Summary

Maintainability
A
2 hrs
Test Coverage
<?php
/**
 * Session provider for bot passwords
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @ingroup Session
 */

namespace MediaWiki\Session;

use InvalidArgumentException;
use MediaWiki\MainConfigNames;
use MediaWiki\Permissions\GrantsInfo;
use MediaWiki\Request\WebRequest;
use MediaWiki\User\BotPassword;
use MediaWiki\User\User;
use MWRestrictions;

/**
 * Session provider for bot passwords
 * @since 1.27
 */
class BotPasswordSessionProvider extends ImmutableSessionProviderWithCookie {
    /** @var GrantsInfo */
    private $grantsInfo;

    /** @var bool Whether the current request is an API request. */
    private $isApiRequest;

    /**
     * @param GrantsInfo $grantsInfo
     * @param array $params Keys include:
     *  - priority: (required) Set the priority
     *  - sessionCookieName: Session cookie name. Default is '_BPsession'.
     *  - sessionCookieOptions: Options to pass to WebResponse::setCookie().
     *  - isApiRequest: Whether the current request is an API request. Should be only set in tests.
     */
    public function __construct( GrantsInfo $grantsInfo, array $params = [] ) {
        if ( !isset( $params['sessionCookieName'] ) ) {
            $params['sessionCookieName'] = '_BPsession';
        }
        parent::__construct( $params );

        if ( !isset( $params['priority'] ) ) {
            throw new InvalidArgumentException( __METHOD__ . ': priority must be specified' );
        }
        if ( $params['priority'] < SessionInfo::MIN_PRIORITY ||
            $params['priority'] > SessionInfo::MAX_PRIORITY
        ) {
            throw new InvalidArgumentException( __METHOD__ . ': Invalid priority' );
        }

        $this->priority = $params['priority'];

        $this->grantsInfo = $grantsInfo;

        $this->isApiRequest = $params['isApiRequest']
            ?? ( defined( 'MW_API' ) || defined( 'MW_REST_API' ) );
    }

    public function provideSessionInfo( WebRequest $request ) {
        // Only relevant for the (Action or REST) API
        if ( !$this->isApiRequest ) {
            return null;
        }

        // Enabled?
        if ( !$this->getConfig()->get( MainConfigNames::EnableBotPasswords ) ) {
            return null;
        }

        // Have a session ID?
        $id = $this->getSessionIdFromCookie( $request );
        if ( $id === null ) {
            return null;
        }

        return new SessionInfo( $this->priority, [
            'provider' => $this,
            'id' => $id,
            'persisted' => true
        ] );
    }

    public function newSessionInfo( $id = null ) {
        // We don't activate by default
        return null;
    }

    /**
     * Create a new session for a request
     * @param User $user
     * @param BotPassword $bp
     * @param WebRequest $request
     * @return Session
     */
    public function newSessionForRequest( User $user, BotPassword $bp, WebRequest $request ) {
        $id = $this->getSessionIdFromCookie( $request );
        $info = new SessionInfo( SessionInfo::MAX_PRIORITY, [
            'provider' => $this,
            'id' => $id,
            'userInfo' => UserInfo::newFromUser( $user, true ),
            'persisted' => $id !== null,
            'metadata' => [
                'centralId' => $bp->getUserCentralId(),
                'appId' => $bp->getAppId(),
                'token' => $bp->getToken(),
                'rights' => $this->grantsInfo->getGrantRights( $bp->getGrants() ),
                'restrictions' => $bp->getRestrictions()->toJson(),
            ],
        ] );
        $session = $this->getManager()->getSessionFromInfo( $info, $request );
        $session->persist();
        return $session;
    }

    /**
     * @inheritDoc
     * @phan-param array &$metadata
     */
    public function refreshSessionInfo( SessionInfo $info, WebRequest $request, &$metadata ) {
        $missingKeys = array_diff(
            [ 'centralId', 'appId', 'token' ],
            array_keys( $metadata )
        );
        if ( $missingKeys ) {
            $this->logger->info( 'Session "{session}": Missing metadata: {missing}', [
                'session' => $info->__toString(),
                'missing' => implode( ', ', $missingKeys ),
            ] );
            return false;
        }

        $bp = BotPassword::newFromCentralId( $metadata['centralId'], $metadata['appId'] );
        if ( !$bp ) {
            $this->logger->info(
                'Session "{session}": No BotPassword for {centralId} {appId}',
                [
                    'session' => $info->__toString(),
                    'centralId' => $metadata['centralId'],
                    'appId' => $metadata['appId'],
                ] );
            return false;
        }

        if ( !hash_equals( $metadata['token'], $bp->getToken() ) ) {
            $this->logger->info( 'Session "{session}": BotPassword token check failed', [
                'session' => $info->__toString(),
                'centralId' => $metadata['centralId'],
                'appId' => $metadata['appId'],
            ] );
            return false;
        }

        $status = $bp->getRestrictions()->check( $request );
        if ( !$status->isOK() ) {
            $this->logger->info(
                'Session "{session}": Restrictions check failed',
                [
                    'session' => $info->__toString(),
                    'restrictions' => $status->getValue(),
                    'centralId' => $metadata['centralId'],
                    'appId' => $metadata['appId'],
                ] );
            return false;
        }

        // Update saved rights
        $metadata['rights'] = $this->grantsInfo->getGrantRights( $bp->getGrants() );

        return true;
    }

    /**
     * @codeCoverageIgnore
     * @inheritDoc
     */
    public function preventSessionsForUser( $username ) {
        BotPassword::removeAllPasswordsForUser( $username );
    }

    public function getAllowedUserRights( SessionBackend $backend ) {
        if ( $backend->getProvider() !== $this ) {
            throw new InvalidArgumentException( 'Backend\'s provider isn\'t $this' );
        }
        $data = $backend->getProviderMetadata();
        if ( $data && isset( $data['rights'] ) && is_array( $data['rights'] ) ) {
            return $data['rights'];
        }

        // Should never happen
        $this->logger->debug( __METHOD__ . ': No provider metadata, returning no rights allowed' );
        return [];
    }

    public function getRestrictions( ?array $data ): ?MWRestrictions {
        if ( $data && isset( $data['restrictions'] ) && is_string( $data['restrictions'] ) ) {
            try {
                return MWRestrictions::newFromJson( $data['restrictions'] );
            } catch ( InvalidArgumentException $e ) {
                $this->logger->warning( __METHOD__ . ': Failed to parse restrictions: {restrictions}', [
                    'restrictions' => $data['restrictions']
                ] );
                return null;
            }
        }
        return null;
    }
}