Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
92.05% |
139 / 151 |
|
78.26% |
18 / 23 |
CRAP | |
0.00% |
0 / 1 |
| BotPassword | |
92.67% |
139 / 150 |
|
78.26% |
18 / 23 |
55.15 | |
0.00% |
0 / 1 |
| __construct | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
1 | |||
| getReplicaDatabase | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| getPrimaryDatabase | |
0.00% |
0 / 3 |
|
0.00% |
0 / 1 |
2 | |||
| newFromUser | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| newFromCentralId | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| newUnsaved | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| isSaved | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getUserCentralId | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getAppId | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getToken | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getRestrictions | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getGrants | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getSeparator | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| getPassword | |
93.33% |
14 / 15 |
|
0.00% |
0 / 1 |
4.00 | |||
| isInvalid | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
| save | |
100.00% |
13 / 13 |
|
100.00% |
1 / 1 |
5 | |||
| delete | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
2 | |||
| invalidateAllPasswordsForUser | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| removeAllPasswordsForUser | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
1 | |||
| generatePassword | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
| canonicalizeLoginData | |
100.00% |
11 / 11 |
|
100.00% |
1 / 1 |
7 | |||
| login | |
90.00% |
45 / 50 |
|
0.00% |
0 / 1 |
15.22 | |||
| loginHook | |
100.00% |
15 / 15 |
|
100.00% |
1 / 1 |
4 | |||
| 1 | <?php |
| 2 | /** |
| 3 | * @license GPL-2.0-or-later |
| 4 | * @file |
| 5 | */ |
| 6 | |
| 7 | namespace MediaWiki\User; |
| 8 | |
| 9 | use MediaWiki\Auth\AuthenticationResponse; |
| 10 | use MediaWiki\Auth\Throttler; |
| 11 | use MediaWiki\HookContainer\HookRunner; |
| 12 | use MediaWiki\Json\FormatJson; |
| 13 | use MediaWiki\MainConfigNames; |
| 14 | use MediaWiki\MediaWikiServices; |
| 15 | use MediaWiki\Password\InvalidPassword; |
| 16 | use MediaWiki\Password\Password; |
| 17 | use MediaWiki\Password\PasswordError; |
| 18 | use MediaWiki\Password\PasswordFactory; |
| 19 | use MediaWiki\Request\WebRequest; |
| 20 | use MediaWiki\Session\BotPasswordSessionProvider; |
| 21 | use MediaWiki\Status\Status; |
| 22 | use MediaWiki\Utils\MWRestrictions; |
| 23 | use stdClass; |
| 24 | use UnexpectedValueException; |
| 25 | use Wikimedia\Rdbms\IDatabase; |
| 26 | use Wikimedia\Rdbms\IDBAccessObject; |
| 27 | use Wikimedia\Rdbms\IReadableDatabase; |
| 28 | |
| 29 | /** |
| 30 | * Utility class for bot passwords |
| 31 | * @since 1.27 |
| 32 | */ |
| 33 | class BotPassword { |
| 34 | |
| 35 | public const APPID_MAXLENGTH = 32; |
| 36 | |
| 37 | /** |
| 38 | * Minimum length for a bot password |
| 39 | */ |
| 40 | public const PASSWORD_MINLENGTH = 32; |
| 41 | |
| 42 | /** |
| 43 | * Maximum length of the json representation of restrictions |
| 44 | * @since 1.36 |
| 45 | */ |
| 46 | public const RESTRICTIONS_MAXLENGTH = 65535; |
| 47 | |
| 48 | /** |
| 49 | * Maximum length of the json representation of grants |
| 50 | * @since 1.36 |
| 51 | */ |
| 52 | public const GRANTS_MAXLENGTH = 65535; |
| 53 | |
| 54 | /** @var bool */ |
| 55 | private $isSaved; |
| 56 | |
| 57 | /** @var int */ |
| 58 | private $centralId; |
| 59 | |
| 60 | /** @var string */ |
| 61 | private $appId; |
| 62 | |
| 63 | /** @var string */ |
| 64 | private $token; |
| 65 | |
| 66 | /** @var MWRestrictions */ |
| 67 | private $restrictions; |
| 68 | |
| 69 | /** @var string[] */ |
| 70 | private $grants; |
| 71 | |
| 72 | /** @var int Defaults to {@see READ_NORMAL} */ |
| 73 | private $flags; |
| 74 | |
| 75 | /** |
| 76 | * @internal only public for construction in BotPasswordStore |
| 77 | * |
| 78 | * @param stdClass $row bot_passwords database row |
| 79 | * @param bool $isSaved Whether the bot password was read from the database |
| 80 | * @param int $flags IDBAccessObject read flags |
| 81 | */ |
| 82 | public function __construct( $row, $isSaved, $flags = IDBAccessObject::READ_NORMAL ) { |
| 83 | $this->isSaved = $isSaved; |
| 84 | $this->flags = $flags; |
| 85 | |
| 86 | $this->centralId = (int)$row->bp_user; |
| 87 | $this->appId = $row->bp_app_id; |
| 88 | $this->token = $row->bp_token; |
| 89 | $this->restrictions = MWRestrictions::newFromJson( $row->bp_restrictions ); |
| 90 | $this->grants = FormatJson::decode( $row->bp_grants ); |
| 91 | } |
| 92 | |
| 93 | public static function getReplicaDatabase(): IReadableDatabase { |
| 94 | return MediaWikiServices::getInstance() |
| 95 | ->getBotPasswordStore() |
| 96 | ->getReplicaDatabase(); |
| 97 | } |
| 98 | |
| 99 | public static function getPrimaryDatabase(): IDatabase { |
| 100 | return MediaWikiServices::getInstance() |
| 101 | ->getBotPasswordStore() |
| 102 | ->getPrimaryDatabase(); |
| 103 | } |
| 104 | |
| 105 | /** |
| 106 | * Load a BotPassword from the database |
| 107 | * @param UserIdentity $userIdentity |
| 108 | * @param string $appId |
| 109 | * @param int $flags IDBAccessObject read flags |
| 110 | * @return BotPassword|null |
| 111 | */ |
| 112 | public static function newFromUser( UserIdentity $userIdentity, $appId, $flags = IDBAccessObject::READ_NORMAL ) { |
| 113 | return MediaWikiServices::getInstance() |
| 114 | ->getBotPasswordStore() |
| 115 | ->getByUser( $userIdentity, (string)$appId, (int)$flags ); |
| 116 | } |
| 117 | |
| 118 | /** |
| 119 | * Load a BotPassword from the database |
| 120 | * @param int $centralId from CentralIdLookup |
| 121 | * @param string $appId |
| 122 | * @param int $flags IDBAccessObject read flags |
| 123 | * @return BotPassword|null |
| 124 | */ |
| 125 | public static function newFromCentralId( $centralId, $appId, $flags = IDBAccessObject::READ_NORMAL ) { |
| 126 | return MediaWikiServices::getInstance() |
| 127 | ->getBotPasswordStore() |
| 128 | ->getByCentralId( (int)$centralId, (string)$appId, (int)$flags ); |
| 129 | } |
| 130 | |
| 131 | /** |
| 132 | * Create an unsaved BotPassword |
| 133 | * @param array $data Data to use to create the bot password. Keys are: |
| 134 | * - user: (UserIdentity) UserIdentity to create the password for. Overrides username and centralId. |
| 135 | * - username: (string) Username to create the password for. Overrides centralId. |
| 136 | * - centralId: (int) User central ID to create the password for. |
| 137 | * - appId: (string, required) App ID for the password. |
| 138 | * - restrictions: (MWRestrictions, optional) Restrictions. |
| 139 | * - grants: (string[], optional) Grants. |
| 140 | * @param int $flags IDBAccessObject read flags |
| 141 | * @return BotPassword|null |
| 142 | */ |
| 143 | public static function newUnsaved( array $data, $flags = IDBAccessObject::READ_NORMAL ) { |
| 144 | return MediaWikiServices::getInstance() |
| 145 | ->getBotPasswordStore() |
| 146 | ->newUnsavedBotPassword( $data, (int)$flags ); |
| 147 | } |
| 148 | |
| 149 | /** |
| 150 | * Indicate whether this is known to be saved |
| 151 | * @return bool |
| 152 | */ |
| 153 | public function isSaved() { |
| 154 | return $this->isSaved; |
| 155 | } |
| 156 | |
| 157 | /** |
| 158 | * Get the central user ID |
| 159 | * @return int |
| 160 | */ |
| 161 | public function getUserCentralId() { |
| 162 | return $this->centralId; |
| 163 | } |
| 164 | |
| 165 | /** |
| 166 | * @return string |
| 167 | */ |
| 168 | public function getAppId() { |
| 169 | return $this->appId; |
| 170 | } |
| 171 | |
| 172 | /** |
| 173 | * @return string |
| 174 | */ |
| 175 | public function getToken() { |
| 176 | return $this->token; |
| 177 | } |
| 178 | |
| 179 | /** |
| 180 | * @return MWRestrictions |
| 181 | */ |
| 182 | public function getRestrictions() { |
| 183 | return $this->restrictions; |
| 184 | } |
| 185 | |
| 186 | /** |
| 187 | * @return string[] |
| 188 | */ |
| 189 | public function getGrants() { |
| 190 | return $this->grants; |
| 191 | } |
| 192 | |
| 193 | /** |
| 194 | * Get the separator for combined username + app ID |
| 195 | * @return string |
| 196 | */ |
| 197 | public static function getSeparator() { |
| 198 | $userrightsInterwikiDelimiter = MediaWikiServices::getInstance() |
| 199 | ->getMainConfig()->get( MainConfigNames::UserrightsInterwikiDelimiter ); |
| 200 | return $userrightsInterwikiDelimiter; |
| 201 | } |
| 202 | |
| 203 | /** |
| 204 | * @return Password |
| 205 | */ |
| 206 | private function getPassword() { |
| 207 | if ( ( $this->flags & IDBAccessObject::READ_LATEST ) == IDBAccessObject::READ_LATEST ) { |
| 208 | $db = self::getPrimaryDatabase(); |
| 209 | } else { |
| 210 | $db = self::getReplicaDatabase(); |
| 211 | } |
| 212 | |
| 213 | $password = $db->newSelectQueryBuilder() |
| 214 | ->select( 'bp_password' ) |
| 215 | ->from( 'bot_passwords' ) |
| 216 | ->where( [ 'bp_user' => $this->centralId, 'bp_app_id' => $this->appId ] ) |
| 217 | ->recency( $this->flags ) |
| 218 | ->caller( __METHOD__ )->fetchField(); |
| 219 | if ( $password === false ) { |
| 220 | return PasswordFactory::newInvalidPassword(); |
| 221 | } |
| 222 | |
| 223 | $passwordFactory = MediaWikiServices::getInstance()->getPasswordFactory(); |
| 224 | try { |
| 225 | return $passwordFactory->newFromCiphertext( $password ); |
| 226 | } catch ( PasswordError ) { |
| 227 | return PasswordFactory::newInvalidPassword(); |
| 228 | } |
| 229 | } |
| 230 | |
| 231 | /** |
| 232 | * Whether the password is currently invalid |
| 233 | * @since 1.32 |
| 234 | * @return bool |
| 235 | */ |
| 236 | public function isInvalid() { |
| 237 | return $this->getPassword() instanceof InvalidPassword; |
| 238 | } |
| 239 | |
| 240 | /** |
| 241 | * Save the BotPassword to the database |
| 242 | * @param string $operation 'update' or 'insert' |
| 243 | * @param Password|null $password Password to set. |
| 244 | * @return Status |
| 245 | * @throws UnexpectedValueException |
| 246 | */ |
| 247 | public function save( $operation, ?Password $password = null ) { |
| 248 | // Ensure operation is valid |
| 249 | if ( $operation !== 'insert' && $operation !== 'update' ) { |
| 250 | throw new UnexpectedValueException( |
| 251 | "Expected 'insert' or 'update'; got '{$operation}'." |
| 252 | ); |
| 253 | } |
| 254 | |
| 255 | $store = MediaWikiServices::getInstance()->getBotPasswordStore(); |
| 256 | if ( $operation === 'insert' ) { |
| 257 | $statusValue = $store->insertBotPassword( $this, $password ); |
| 258 | } else { |
| 259 | // Must be update, already checked above |
| 260 | $statusValue = $store->updateBotPassword( $this, $password ); |
| 261 | } |
| 262 | |
| 263 | if ( $statusValue->isGood() ) { |
| 264 | $this->token = $statusValue->getValue(); |
| 265 | $this->isSaved = true; |
| 266 | return Status::newGood(); |
| 267 | } |
| 268 | |
| 269 | // Action failed, status will have code botpasswords-insert-failed or |
| 270 | // botpasswords-update-failed depending on which action we tried |
| 271 | return Status::wrap( $statusValue ); |
| 272 | } |
| 273 | |
| 274 | /** |
| 275 | * Delete the BotPassword from the database |
| 276 | * @return bool Success |
| 277 | */ |
| 278 | public function delete() { |
| 279 | $ok = MediaWikiServices::getInstance() |
| 280 | ->getBotPasswordStore() |
| 281 | ->deleteBotPassword( $this ); |
| 282 | if ( $ok ) { |
| 283 | $this->token = '**unsaved**'; |
| 284 | $this->isSaved = false; |
| 285 | } |
| 286 | return $ok; |
| 287 | } |
| 288 | |
| 289 | /** |
| 290 | * Invalidate all passwords for a user, by name |
| 291 | * @param string $username |
| 292 | * @return bool Whether any passwords were invalidated |
| 293 | */ |
| 294 | public static function invalidateAllPasswordsForUser( $username ) { |
| 295 | return MediaWikiServices::getInstance() |
| 296 | ->getBotPasswordStore() |
| 297 | ->invalidateUserPasswords( (string)$username ); |
| 298 | } |
| 299 | |
| 300 | /** |
| 301 | * Remove all passwords for a user, by name |
| 302 | * @param string $username |
| 303 | * @return bool Whether any passwords were removed |
| 304 | */ |
| 305 | public static function removeAllPasswordsForUser( $username ) { |
| 306 | return MediaWikiServices::getInstance() |
| 307 | ->getBotPasswordStore() |
| 308 | ->removeUserPasswords( (string)$username ); |
| 309 | } |
| 310 | |
| 311 | /** |
| 312 | * Returns a (raw, unhashed) random password string. |
| 313 | * |
| 314 | * @return string |
| 315 | */ |
| 316 | public static function generatePassword() { |
| 317 | return PasswordFactory::generateRandomPasswordString( self::PASSWORD_MINLENGTH ); |
| 318 | } |
| 319 | |
| 320 | /** |
| 321 | * There are two ways to login with a bot password: "username@appId", "password" and |
| 322 | * "username", "appId@password". Transform it so it is always in the first form. |
| 323 | * Returns [bot username, bot password]. |
| 324 | * If this cannot be a bot password login just return false. |
| 325 | * @param string $username |
| 326 | * @param string $password |
| 327 | * @return string[]|false |
| 328 | */ |
| 329 | public static function canonicalizeLoginData( $username, $password ) { |
| 330 | $sep = self::getSeparator(); |
| 331 | // the strlen check helps minimize the password information obtainable from timing |
| 332 | if ( strlen( $password ) >= self::PASSWORD_MINLENGTH && str_contains( $username, $sep ) ) { |
| 333 | // the separator is not valid in new usernames but might appear in legacy ones |
| 334 | if ( preg_match( '/^[0-9a-w]{' . self::PASSWORD_MINLENGTH . ',}$/', $password ) ) { |
| 335 | return [ $username, $password ]; |
| 336 | } |
| 337 | } elseif ( strlen( $password ) > self::PASSWORD_MINLENGTH && str_contains( $password, $sep ) ) { |
| 338 | $segments = explode( $sep, $password ); |
| 339 | $password = array_pop( $segments ); |
| 340 | $appId = implode( $sep, $segments ); |
| 341 | if ( preg_match( '/^[0-9a-w]{' . self::PASSWORD_MINLENGTH . ',}$/', $password ) ) { |
| 342 | return [ $username . $sep . $appId, $password ]; |
| 343 | } |
| 344 | } |
| 345 | return false; |
| 346 | } |
| 347 | |
| 348 | /** |
| 349 | * Try to log the user in |
| 350 | * @param string $username Combined username and app ID |
| 351 | * @param string $password Supplied password |
| 352 | * @param WebRequest $request |
| 353 | * @return Status On success, the good status's value is the new Session object |
| 354 | */ |
| 355 | public static function login( $username, $password, WebRequest $request ) { |
| 356 | $services = MediaWikiServices::getInstance(); |
| 357 | $sessionManager = $services->getSessionManager(); |
| 358 | $config = $services->getMainConfig(); |
| 359 | $enableBotPasswords = $config->get( MainConfigNames::EnableBotPasswords ); |
| 360 | $passwordAttemptThrottle = $config->get( MainConfigNames::PasswordAttemptThrottle ); |
| 361 | if ( !$enableBotPasswords ) { |
| 362 | return Status::newFatal( 'botpasswords-disabled' ); |
| 363 | } |
| 364 | |
| 365 | // @phan-suppress-next-line PhanUndeclaredMethod |
| 366 | $provider = $sessionManager->getProvider( BotPasswordSessionProvider::class ); |
| 367 | |
| 368 | if ( !$provider ) { |
| 369 | return Status::newFatal( 'botpasswords-no-provider' ); |
| 370 | } |
| 371 | |
| 372 | $performer = $request->getSession()->getUser(); |
| 373 | // Split name into name+appId |
| 374 | $sep = self::getSeparator(); |
| 375 | if ( !str_contains( $username, $sep ) ) { |
| 376 | return self::loginHook( |
| 377 | $username, null, $performer, Status::newFatal( 'botpasswords-invalid-name', $sep ) |
| 378 | ); |
| 379 | } |
| 380 | [ $name, $appId ] = explode( $sep, $username, 2 ); |
| 381 | |
| 382 | // Find the named user |
| 383 | $user = User::newFromName( $name ); |
| 384 | if ( !$user || $user->isAnon() ) { |
| 385 | return self::loginHook( $user ?: $name, null, $performer, Status::newFatal( 'nosuchuser', $name ) ); |
| 386 | } |
| 387 | |
| 388 | if ( $user->isLocked() ) { |
| 389 | return Status::newFatal( 'botpasswords-locked' ); |
| 390 | } |
| 391 | |
| 392 | $throttle = null; |
| 393 | if ( $passwordAttemptThrottle ) { |
| 394 | $throttle = new Throttler( $passwordAttemptThrottle, [ |
| 395 | 'type' => 'botpassword', |
| 396 | 'cache' => $services->getObjectCacheFactory()->getLocalClusterInstance(), |
| 397 | ] ); |
| 398 | $result = $throttle->increase( $user->getName(), $request->getIP(), __METHOD__ ); |
| 399 | if ( $result ) { |
| 400 | $msg = wfMessage( 'login-throttled' )->durationParams( $result['wait'] ); |
| 401 | return self::loginHook( $user, null, $performer, Status::newFatal( $msg ) ); |
| 402 | } |
| 403 | } |
| 404 | |
| 405 | // Get the bot password |
| 406 | $bp = self::newFromUser( $user, $appId ); |
| 407 | if ( !$bp ) { |
| 408 | return self::loginHook( $user, $bp, $performer, |
| 409 | Status::newFatal( 'botpasswords-not-exist', $name, $appId ) ); |
| 410 | } |
| 411 | |
| 412 | // Check restrictions |
| 413 | $status = $bp->getRestrictions()->check( $request ); |
| 414 | if ( !$status->isOK() ) { |
| 415 | return self::loginHook( $user, $bp, $performer, |
| 416 | Status::newFatal( 'botpasswords-restriction-failed' ) ); |
| 417 | } |
| 418 | |
| 419 | // Check the password |
| 420 | $passwordObj = $bp->getPassword(); |
| 421 | if ( $passwordObj instanceof InvalidPassword ) { |
| 422 | return self::loginHook( $user, $bp, $performer, |
| 423 | Status::newFatal( 'botpasswords-needs-reset', $name, $appId ) ); |
| 424 | } |
| 425 | if ( !$passwordObj->verify( $password ) ) { |
| 426 | return self::loginHook( $user, $bp, $performer, Status::newFatal( 'wrongpassword' ) ); |
| 427 | } |
| 428 | |
| 429 | // Ok! Create the session. |
| 430 | if ( $throttle ) { |
| 431 | $throttle->clear( $user->getName(), $request->getIP() ); |
| 432 | } |
| 433 | return self::loginHook( $user, $bp, $performer, |
| 434 | Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) ) ); |
| 435 | } |
| 436 | |
| 437 | /** |
| 438 | * Call AuthManagerLoginAuthenticateAudit |
| 439 | * |
| 440 | * To facilitate logging all authentications, even ones not via |
| 441 | * AuthManager, call the AuthManagerLoginAuthenticateAudit hook. |
| 442 | * |
| 443 | * @param User|string $user User being logged in |
| 444 | * @param BotPassword|null $bp Bot sub-account, if it can be identified |
| 445 | * @param User $performer User performing the request |
| 446 | * @param Status $status Login status |
| 447 | * @return Status The passed-in status |
| 448 | */ |
| 449 | private static function loginHook( $user, $bp, User $performer, Status $status ) { |
| 450 | $extraData = [ |
| 451 | 'performer' => $performer |
| 452 | ]; |
| 453 | if ( $user instanceof User ) { |
| 454 | $name = $user->getName(); |
| 455 | if ( $bp ) { |
| 456 | $extraData['appId'] = $name . self::getSeparator() . $bp->getAppId(); |
| 457 | } |
| 458 | } else { |
| 459 | $name = $user; |
| 460 | $user = null; |
| 461 | } |
| 462 | |
| 463 | if ( $status->isGood() ) { |
| 464 | $response = AuthenticationResponse::newPass( $name ); |
| 465 | } else { |
| 466 | $response = AuthenticationResponse::newFail( $status->getMessage() ); |
| 467 | } |
| 468 | ( new HookRunner( MediaWikiServices::getInstance()->getHookContainer() ) ) |
| 469 | ->onAuthManagerLoginAuthenticateAudit( $response, $user, $name, $extraData ); |
| 470 | |
| 471 | return $status; |
| 472 | } |
| 473 | } |
| 474 | |
| 475 | /** @deprecated class alias since 1.41 */ |
| 476 | class_alias( BotPassword::class, 'BotPassword' ); |