Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
91.75% |
89 / 97 |
|
85.71% |
6 / 7 |
CRAP | |
0.00% |
0 / 1 |
BotPasswordSessionProvider | |
91.75% |
89 / 97 |
|
85.71% |
6 / 7 |
28.44 | |
0.00% |
0 / 1 |
__construct | |
100.00% |
12 / 12 |
|
100.00% |
1 / 1 |
6 | |||
provideSessionInfo | |
100.00% |
12 / 12 |
|
100.00% |
1 / 1 |
4 | |||
newSessionInfo | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
newSessionForRequest | |
100.00% |
17 / 17 |
|
100.00% |
1 / 1 |
1 | |||
refreshSessionInfo | |
100.00% |
40 / 40 |
|
100.00% |
1 / 1 |
5 | |||
preventSessionsForUser | n/a |
0 / 0 |
n/a |
0 / 0 |
1 | |||||
getAllowedUserRights | |
100.00% |
7 / 7 |
|
100.00% |
1 / 1 |
5 | |||
getRestrictions | |
0.00% |
0 / 8 |
|
0.00% |
0 / 1 |
30 |
1 | <?php |
2 | /** |
3 | * Session provider for bot passwords |
4 | * |
5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation; either version 2 of the License, or |
8 | * (at your option) any later version. |
9 | * |
10 | * This program is distributed in the hope that it will be useful, |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | * GNU General Public License for more details. |
14 | * |
15 | * You should have received a copy of the GNU General Public License along |
16 | * with this program; if not, write to the Free Software Foundation, Inc., |
17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
18 | * http://www.gnu.org/copyleft/gpl.html |
19 | * |
20 | * @file |
21 | * @ingroup Session |
22 | */ |
23 | |
24 | namespace MediaWiki\Session; |
25 | |
26 | use MediaWiki\MainConfigNames; |
27 | use MediaWiki\Permissions\GrantsInfo; |
28 | use MediaWiki\Request\WebRequest; |
29 | use MediaWiki\User\BotPassword; |
30 | use MediaWiki\User\User; |
31 | use MWRestrictions; |
32 | |
33 | /** |
34 | * Session provider for bot passwords |
35 | * @since 1.27 |
36 | */ |
37 | class BotPasswordSessionProvider extends ImmutableSessionProviderWithCookie { |
38 | /** @var GrantsInfo */ |
39 | private $grantsInfo; |
40 | |
41 | /** @var bool Whether the current request is an API request. */ |
42 | private $isApiRequest; |
43 | |
44 | /** |
45 | * @param GrantsInfo $grantsInfo |
46 | * @param array $params Keys include: |
47 | * - priority: (required) Set the priority |
48 | * - sessionCookieName: Session cookie name. Default is '_BPsession'. |
49 | * - sessionCookieOptions: Options to pass to WebResponse::setCookie(). |
50 | * - isApiRequest: Whether the current request is an API request. Should be only set in tests. |
51 | */ |
52 | public function __construct( GrantsInfo $grantsInfo, array $params = [] ) { |
53 | if ( !isset( $params['sessionCookieName'] ) ) { |
54 | $params['sessionCookieName'] = '_BPsession'; |
55 | } |
56 | parent::__construct( $params ); |
57 | |
58 | if ( !isset( $params['priority'] ) ) { |
59 | throw new \InvalidArgumentException( __METHOD__ . ': priority must be specified' ); |
60 | } |
61 | if ( $params['priority'] < SessionInfo::MIN_PRIORITY || |
62 | $params['priority'] > SessionInfo::MAX_PRIORITY |
63 | ) { |
64 | throw new \InvalidArgumentException( __METHOD__ . ': Invalid priority' ); |
65 | } |
66 | |
67 | $this->priority = $params['priority']; |
68 | |
69 | $this->grantsInfo = $grantsInfo; |
70 | |
71 | $this->isApiRequest = $params['isApiRequest'] |
72 | ?? ( defined( 'MW_API' ) || defined( 'MW_REST_API' ) ); |
73 | } |
74 | |
75 | public function provideSessionInfo( WebRequest $request ) { |
76 | // Only relevant for the (Action or REST) API |
77 | if ( !$this->isApiRequest ) { |
78 | return null; |
79 | } |
80 | |
81 | // Enabled? |
82 | if ( !$this->getConfig()->get( MainConfigNames::EnableBotPasswords ) ) { |
83 | return null; |
84 | } |
85 | |
86 | // Have a session ID? |
87 | $id = $this->getSessionIdFromCookie( $request ); |
88 | if ( $id === null ) { |
89 | return null; |
90 | } |
91 | |
92 | return new SessionInfo( $this->priority, [ |
93 | 'provider' => $this, |
94 | 'id' => $id, |
95 | 'persisted' => true |
96 | ] ); |
97 | } |
98 | |
99 | public function newSessionInfo( $id = null ) { |
100 | // We don't activate by default |
101 | return null; |
102 | } |
103 | |
104 | /** |
105 | * Create a new session for a request |
106 | * @param User $user |
107 | * @param BotPassword $bp |
108 | * @param WebRequest $request |
109 | * @return Session |
110 | */ |
111 | public function newSessionForRequest( User $user, BotPassword $bp, WebRequest $request ) { |
112 | $id = $this->getSessionIdFromCookie( $request ); |
113 | $info = new SessionInfo( SessionInfo::MAX_PRIORITY, [ |
114 | 'provider' => $this, |
115 | 'id' => $id, |
116 | 'userInfo' => UserInfo::newFromUser( $user, true ), |
117 | 'persisted' => $id !== null, |
118 | 'metadata' => [ |
119 | 'centralId' => $bp->getUserCentralId(), |
120 | 'appId' => $bp->getAppId(), |
121 | 'token' => $bp->getToken(), |
122 | 'rights' => $this->grantsInfo->getGrantRights( $bp->getGrants() ), |
123 | 'restrictions' => $bp->getRestrictions()->toJson(), |
124 | ], |
125 | ] ); |
126 | $session = $this->getManager()->getSessionFromInfo( $info, $request ); |
127 | $session->persist(); |
128 | return $session; |
129 | } |
130 | |
131 | /** |
132 | * @inheritDoc |
133 | * @phan-param array &$metadata |
134 | */ |
135 | public function refreshSessionInfo( SessionInfo $info, WebRequest $request, &$metadata ) { |
136 | $missingKeys = array_diff( |
137 | [ 'centralId', 'appId', 'token' ], |
138 | array_keys( $metadata ) |
139 | ); |
140 | if ( $missingKeys ) { |
141 | $this->logger->info( 'Session "{session}": Missing metadata: {missing}', [ |
142 | 'session' => $info->__toString(), |
143 | 'missing' => implode( ', ', $missingKeys ), |
144 | ] ); |
145 | return false; |
146 | } |
147 | |
148 | $bp = BotPassword::newFromCentralId( $metadata['centralId'], $metadata['appId'] ); |
149 | if ( !$bp ) { |
150 | $this->logger->info( |
151 | 'Session "{session}": No BotPassword for {centralId} {appId}', |
152 | [ |
153 | 'session' => $info->__toString(), |
154 | 'centralId' => $metadata['centralId'], |
155 | 'appId' => $metadata['appId'], |
156 | ] ); |
157 | return false; |
158 | } |
159 | |
160 | if ( !hash_equals( $metadata['token'], $bp->getToken() ) ) { |
161 | $this->logger->info( 'Session "{session}": BotPassword token check failed', [ |
162 | 'session' => $info->__toString(), |
163 | 'centralId' => $metadata['centralId'], |
164 | 'appId' => $metadata['appId'], |
165 | ] ); |
166 | return false; |
167 | } |
168 | |
169 | $status = $bp->getRestrictions()->check( $request ); |
170 | if ( !$status->isOK() ) { |
171 | $this->logger->info( |
172 | 'Session "{session}": Restrictions check failed', |
173 | [ |
174 | 'session' => $info->__toString(), |
175 | 'restrictions' => $status->getValue(), |
176 | 'centralId' => $metadata['centralId'], |
177 | 'appId' => $metadata['appId'], |
178 | ] ); |
179 | return false; |
180 | } |
181 | |
182 | // Update saved rights |
183 | $metadata['rights'] = $this->grantsInfo->getGrantRights( $bp->getGrants() ); |
184 | |
185 | return true; |
186 | } |
187 | |
188 | /** |
189 | * @codeCoverageIgnore |
190 | * @inheritDoc |
191 | */ |
192 | public function preventSessionsForUser( $username ) { |
193 | BotPassword::removeAllPasswordsForUser( $username ); |
194 | } |
195 | |
196 | public function getAllowedUserRights( SessionBackend $backend ) { |
197 | if ( $backend->getProvider() !== $this ) { |
198 | throw new \InvalidArgumentException( 'Backend\'s provider isn\'t $this' ); |
199 | } |
200 | $data = $backend->getProviderMetadata(); |
201 | if ( $data && isset( $data['rights'] ) && is_array( $data['rights'] ) ) { |
202 | return $data['rights']; |
203 | } |
204 | |
205 | // Should never happen |
206 | $this->logger->debug( __METHOD__ . ': No provider metadata, returning no rights allowed' ); |
207 | return []; |
208 | } |
209 | |
210 | public function getRestrictions( ?array $data ): ?MWRestrictions { |
211 | if ( $data && isset( $data['restrictions'] ) && is_string( $data['restrictions'] ) ) { |
212 | try { |
213 | return MWRestrictions::newFromJson( $data['restrictions'] ); |
214 | } catch ( \InvalidArgumentException $e ) { |
215 | $this->logger->warning( __METHOD__ . ': Failed to parse restrictions: {restrictions}', [ |
216 | 'restrictions' => $data['restrictions'] |
217 | ] ); |
218 | return null; |
219 | } |
220 | } |
221 | return null; |
222 | } |
223 | } |