MediaWiki  1.28.0
BotPasswordSessionProviderTest.php
Go to the documentation of this file.
1 <?php
2 
3 namespace MediaWiki\Session;
4 
7 use User;
8 
15 
16  private $config;
17 
18  private function getProvider( $name = null, $prefix = null ) {
19  global $wgSessionProviders;
20 
21  $params = [
22  'priority' => 40,
23  'sessionCookieName' => $name,
24  'sessionCookieOptions' => [],
25  ];
26  if ( $prefix !== null ) {
27  $params['sessionCookieOptions']['prefix'] = $prefix;
28  }
29 
30  if ( !$this->config ) {
31  $this->config = new \HashConfig( [
32  'CookiePrefix' => 'wgCookiePrefix',
33  'EnableBotPasswords' => true,
34  'BotPasswordsDatabase' => false,
35  'SessionProviders' => $wgSessionProviders + [
38  'args' => [ $params ],
39  ]
40  ],
41  ] );
42  }
43  $manager = new SessionManager( [
44  'config' => new \MultiConfig( [ $this->config, \RequestContext::getMain()->getConfig() ] ),
45  'logger' => new \Psr\Log\NullLogger,
46  'store' => new TestBagOStuff,
47  ] );
48 
49  return $manager->getProvider( BotPasswordSessionProvider::class );
50  }
51 
52  protected function setUp() {
53  parent::setUp();
54 
55  $this->setMwGlobals( [
56  'wgEnableBotPasswords' => true,
57  'wgBotPasswordsDatabase' => false,
58  'wgCentralIdLookupProvider' => 'local',
59  'wgGrantPermissions' => [
60  'test' => [ 'read' => true ],
61  ],
62  ] );
63  }
64 
65  public function addDBDataOnce() {
66  $passwordFactory = new \PasswordFactory();
67  $passwordFactory->init( \RequestContext::getMain()->getConfig() );
68  $passwordHash = $passwordFactory->newFromPlaintext( 'foobaz' );
69 
70  $sysop = static::getTestSysop()->getUser();
71  $userId = \CentralIdLookup::factory( 'local' )->centralIdFromName( $sysop->getName() );
72 
73  $dbw = wfGetDB( DB_MASTER );
74  $dbw->delete(
75  'bot_passwords',
76  [ 'bp_user' => $userId, 'bp_app_id' => 'BotPasswordSessionProvider' ],
77  __METHOD__
78  );
79  $dbw->insert(
80  'bot_passwords',
81  [
82  'bp_user' => $userId,
83  'bp_app_id' => 'BotPasswordSessionProvider',
84  'bp_password' => $passwordHash->toString(),
85  'bp_token' => 'token!',
86  'bp_restrictions' => '{"IPAddresses":["127.0.0.0/8"]}',
87  'bp_grants' => '["test"]',
88  ],
89  __METHOD__
90  );
91  }
92 
93  public function testConstructor() {
94  try {
95  $provider = new BotPasswordSessionProvider();
96  $this->fail( 'Expected exception not thrown' );
97  } catch ( \InvalidArgumentException $ex ) {
98  $this->assertSame(
99  'MediaWiki\\Session\\BotPasswordSessionProvider::__construct: priority must be specified',
100  $ex->getMessage()
101  );
102  }
103 
104  try {
105  $provider = new BotPasswordSessionProvider( [
106  'priority' => SessionInfo::MIN_PRIORITY - 1
107  ] );
108  $this->fail( 'Expected exception not thrown' );
109  } catch ( \InvalidArgumentException $ex ) {
110  $this->assertSame(
111  'MediaWiki\\Session\\BotPasswordSessionProvider::__construct: Invalid priority',
112  $ex->getMessage()
113  );
114  }
115 
116  try {
117  $provider = new BotPasswordSessionProvider( [
118  'priority' => SessionInfo::MAX_PRIORITY + 1
119  ] );
120  $this->fail( 'Expected exception not thrown' );
121  } catch ( \InvalidArgumentException $ex ) {
122  $this->assertSame(
123  'MediaWiki\\Session\\BotPasswordSessionProvider::__construct: Invalid priority',
124  $ex->getMessage()
125  );
126  }
127 
128  $provider = new BotPasswordSessionProvider( [
129  'priority' => 40
130  ] );
131  $priv = \TestingAccessWrapper::newFromObject( $provider );
132  $this->assertSame( 40, $priv->priority );
133  $this->assertSame( '_BPsession', $priv->sessionCookieName );
134  $this->assertSame( [], $priv->sessionCookieOptions );
135 
136  $provider = new BotPasswordSessionProvider( [
137  'priority' => 40,
138  'sessionCookieName' => null,
139  ] );
140  $priv = \TestingAccessWrapper::newFromObject( $provider );
141  $this->assertSame( '_BPsession', $priv->sessionCookieName );
142 
143  $provider = new BotPasswordSessionProvider( [
144  'priority' => 40,
145  'sessionCookieName' => 'Foo',
146  'sessionCookieOptions' => [ 'Bar' ],
147  ] );
148  $priv = \TestingAccessWrapper::newFromObject( $provider );
149  $this->assertSame( 'Foo', $priv->sessionCookieName );
150  $this->assertSame( [ 'Bar' ], $priv->sessionCookieOptions );
151  }
152 
153  public function testBasics() {
154  $provider = $this->getProvider();
155 
156  $this->assertTrue( $provider->persistsSessionId() );
157  $this->assertFalse( $provider->canChangeUser() );
158 
159  $this->assertNull( $provider->newSessionInfo() );
160  $this->assertNull( $provider->newSessionInfo( 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ) );
161  }
162 
163  public function testProvideSessionInfo() {
164  $provider = $this->getProvider();
165  $request = new \FauxRequest;
166  $request->setCookie( '_BPsession', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'wgCookiePrefix' );
167 
168  if ( !defined( 'MW_API' ) ) {
169  $this->assertNull( $provider->provideSessionInfo( $request ) );
170  define( 'MW_API', 1 );
171  }
172 
173  $info = $provider->provideSessionInfo( $request );
174  $this->assertInstanceOf( SessionInfo::class, $info );
175  $this->assertSame( 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', $info->getId() );
176 
177  $this->config->set( 'EnableBotPasswords', false );
178  $this->assertNull( $provider->provideSessionInfo( $request ) );
179  $this->config->set( 'EnableBotPasswords', true );
180 
181  $this->assertNull( $provider->provideSessionInfo( new \FauxRequest ) );
182  }
183 
184  public function testNewSessionInfoForRequest() {
185  $provider = $this->getProvider();
186  $user = static::getTestSysop()->getUser();
187  $request = $this->getMock( 'FauxRequest', [ 'getIP' ] );
188  $request->expects( $this->any() )->method( 'getIP' )
189  ->will( $this->returnValue( '127.0.0.1' ) );
190  $bp = \BotPassword::newFromUser( $user, 'BotPasswordSessionProvider' );
191 
192  $session = $provider->newSessionForRequest( $user, $bp, $request );
193  $this->assertInstanceOf( Session::class, $session );
194 
195  $this->assertEquals( $session->getId(), $request->getSession()->getId() );
196  $this->assertEquals( $user->getName(), $session->getUser()->getName() );
197 
198  $this->assertEquals( [
199  'centralId' => $bp->getUserCentralId(),
200  'appId' => $bp->getAppId(),
201  'token' => $bp->getToken(),
202  'rights' => [ 'read' ],
203  ], $session->getProviderMetadata() );
204 
205  $this->assertEquals( [ 'read' ], $session->getAllowedUserRights() );
206  }
207 
208  public function testCheckSessionInfo() {
209  $logger = new \TestLogger( true );
210  $provider = $this->getProvider();
211  $provider->setLogger( $logger );
212 
213  $user = static::getTestSysop()->getUser();
214  $request = $this->getMock( 'FauxRequest', [ 'getIP' ] );
215  $request->expects( $this->any() )->method( 'getIP' )
216  ->will( $this->returnValue( '127.0.0.1' ) );
217  $bp = \BotPassword::newFromUser( $user, 'BotPasswordSessionProvider' );
218 
219  $data = [
220  'provider' => $provider,
221  'id' => 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
222  'userInfo' => UserInfo::newFromUser( $user, true ),
223  'persisted' => false,
224  'metadata' => [
225  'centralId' => $bp->getUserCentralId(),
226  'appId' => $bp->getAppId(),
227  'token' => $bp->getToken(),
228  ],
229  ];
230  $dataMD = $data['metadata'];
231 
232  foreach ( array_keys( $data['metadata'] ) as $key ) {
233  $data['metadata'] = $dataMD;
234  unset( $data['metadata'][$key] );
235  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, $data );
236  $metadata = $info->getProviderMetadata();
237 
238  $this->assertFalse( $provider->refreshSessionInfo( $info, $request, $metadata ) );
239  $this->assertSame( [
240  [ LogLevel::INFO, 'Session "{session}": Missing metadata: {missing}' ]
241  ], $logger->getBuffer() );
242  $logger->clearBuffer();
243  }
244 
245  $data['metadata'] = $dataMD;
246  $data['metadata']['appId'] = 'Foobar';
247  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, $data );
248  $metadata = $info->getProviderMetadata();
249  $this->assertFalse( $provider->refreshSessionInfo( $info, $request, $metadata ) );
250  $this->assertSame( [
251  [ LogLevel::INFO, 'Session "{session}": No BotPassword for {centralId} {appId}' ],
252  ], $logger->getBuffer() );
253  $logger->clearBuffer();
254 
255  $data['metadata'] = $dataMD;
256  $data['metadata']['token'] = 'Foobar';
257  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, $data );
258  $metadata = $info->getProviderMetadata();
259  $this->assertFalse( $provider->refreshSessionInfo( $info, $request, $metadata ) );
260  $this->assertSame( [
261  [ LogLevel::INFO, 'Session "{session}": BotPassword token check failed' ],
262  ], $logger->getBuffer() );
263  $logger->clearBuffer();
264 
265  $request2 = $this->getMock( 'FauxRequest', [ 'getIP' ] );
266  $request2->expects( $this->any() )->method( 'getIP' )
267  ->will( $this->returnValue( '10.0.0.1' ) );
268  $data['metadata'] = $dataMD;
269  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, $data );
270  $metadata = $info->getProviderMetadata();
271  $this->assertFalse( $provider->refreshSessionInfo( $info, $request2, $metadata ) );
272  $this->assertSame( [
273  [ LogLevel::INFO, 'Session "{session}": Restrictions check failed' ],
274  ], $logger->getBuffer() );
275  $logger->clearBuffer();
276 
277  $info = new SessionInfo( SessionInfo::MIN_PRIORITY, $data );
278  $metadata = $info->getProviderMetadata();
279  $this->assertTrue( $provider->refreshSessionInfo( $info, $request, $metadata ) );
280  $this->assertSame( [], $logger->getBuffer() );
281  $this->assertEquals( $dataMD + [ 'rights' => [ 'read' ] ], $metadata );
282  }
283 
284  public function testGetAllowedUserRights() {
285  $logger = new \TestLogger( true );
286  $provider = $this->getProvider();
287  $provider->setLogger( $logger );
288 
290  $backendPriv = \TestingAccessWrapper::newFromObject( $backend );
291 
292  try {
293  $provider->getAllowedUserRights( $backend );
294  $this->fail( 'Expected exception not thrown' );
295  } catch ( \InvalidArgumentException $ex ) {
296  $this->assertSame( 'Backend\'s provider isn\'t $this', $ex->getMessage() );
297  }
298 
299  $backendPriv->provider = $provider;
300  $backendPriv->providerMetadata = [ 'rights' => [ 'foo', 'bar', 'baz' ] ];
301  $this->assertSame( [ 'foo', 'bar', 'baz' ], $provider->getAllowedUserRights( $backend ) );
302  $this->assertSame( [], $logger->getBuffer() );
303 
304  $backendPriv->providerMetadata = [ 'foo' => 'bar' ];
305  $this->assertSame( [], $provider->getAllowedUserRights( $backend ) );
306  $this->assertSame( [
307  [
308  LogLevel::DEBUG,
309  'MediaWiki\\Session\\BotPasswordSessionProvider::getAllowedUserRights: ' .
310  'No provider metadata, returning no rights allowed'
311  ]
312  ], $logger->getBuffer() );
313  $logger->clearBuffer();
314 
315  $backendPriv->providerMetadata = [ 'rights' => 'bar' ];
316  $this->assertSame( [], $provider->getAllowedUserRights( $backend ) );
317  $this->assertSame( [
318  [
319  LogLevel::DEBUG,
320  'MediaWiki\\Session\\BotPasswordSessionProvider::getAllowedUserRights: ' .
321  'No provider metadata, returning no rights allowed'
322  ]
323  ], $logger->getBuffer() );
324  $logger->clearBuffer();
325 
326  $backendPriv->providerMetadata = null;
327  $this->assertSame( [], $provider->getAllowedUserRights( $backend ) );
328  $this->assertSame( [
329  [
330  LogLevel::DEBUG,
331  'MediaWiki\\Session\\BotPasswordSessionProvider::getAllowedUserRights: ' .
332  'No provider metadata, returning no rights allowed'
333  ]
334  ], $logger->getBuffer() );
335  $logger->clearBuffer();
336  }
337 }
const MIN_PRIORITY
Minimum allowed priority.
Definition: SessionInfo.php:36
wfGetDB($db, $groups=[], $wiki=false)
Get a Database object.
Apache License January AND DISTRIBUTION Definitions License shall mean the terms and conditions for use
static newFromUser(User $user, $verified=false)
Create an instance from an existing User object.
Definition: UserInfo.php:116
Session Database MediaWiki\Session\BotPasswordSessionProvider.
when a variable name is used in a it is silently declared as a new local masking the global
Definition: design.txt:93
const DB_MASTER
Definition: defines.php:23
BagOStuff with utility functions for MediaWiki\\Session\\* testing.
static getMain()
Static methods.
static getDummySessionBackend()
If you need a SessionBackend for testing but don't want to create a real one, use this...
Definition: TestUtils.php:64
$params
static factory($providerId=null)
Fetch a CentralIdLookup.
Provides a fallback sequence for Config objects.
Definition: MultiConfig.php:28
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such as
Definition: distributors.txt:9
please add to it if you re going to add events to the MediaWiki code where normally authentication against an external auth plugin would be creating a local account $user
Definition: hooks.txt:242
static newFromUser(User $user, $appId, $flags=self::READ_NORMAL)
Load a BotPassword from the database.
Definition: BotPassword.php:89
const MAX_PRIORITY
Maximum allowed priority.
Definition: SessionInfo.php:39
injection txt This is an overview of how MediaWiki makes use of dependency injection The design described here grew from the discussion of RFC T384 The term dependency this means that anything an object needs to operate should be injected from the the object itself should only know narrow no concrete implementation of the logic it relies on The requirement to inject everything typically results in an architecture that based on two main types of and essentially stateless service objects that use other service objects to operate on the value objects As of the beginning MediaWiki is only starting to use the DI approach Much of the code still relies on global state or direct resulting in a highly cyclical dependency which acts as the top level factory for services in MediaWiki which can be used to gain access to default instances of various services MediaWikiServices however also allows new services to be defined and default services to be redefined Services are defined or redefined by providing a callback the instantiator that will return a new instance of the service When it will create an instance of MediaWikiServices and populate it with the services defined in the files listed by thereby bootstrapping the DI framework Per $wgServiceWiringFiles lists includes ServiceWiring php
Definition: injection.txt:35
error also a ContextSource you ll probably need to make sure the header is varied on $request
Definition: hooks.txt:2573
you have access to all of the normal MediaWiki so you can get a DB use the etc For full docs on the Maintenance class
Definition: maintenance.txt:52
This serves as the entry point to the MediaWiki session handling system.
static newFromObject($object)
Return the same object, without access restrictions.
setMwGlobals($pairs, $value=null)
Value object returned by SessionProvider.
Definition: SessionInfo.php:34
Allows to change the fields on the form that will be generated $name
Definition: hooks.txt:300