BotPassword.php

Go to the documentation of this file.

<?php
use MediaWiki\Session\BotPasswordSessionProvider;
use Wikimedia\Rdbms\IMaintainableDatabase;
 
class BotPassword implements IDBAccessObject {
 
    const APPID_MAXLENGTH = 32;
 
    private $isSaved;
 
    private $centralId;
 
    private $appId;
 
    private $token;
 
    private $restrictions;
 
    private $grants;
 
    private $flags = self::READ_NORMAL;
 
    protected function __construct( $row, $isSaved, $flags = self::READ_NORMAL ) {
        $this->isSaved = $isSaved;
        $this->flags = $flags;
 
        $this->centralId = (int)$row->bp_user;
        $this->appId = $row->bp_app_id;
        $this->token = $row->bp_token;
        $this->restrictions = MWRestrictions::newFromJson( $row->bp_restrictions );
        $this->grants = FormatJson::decode( $row->bp_grants );
    }
 
    public static function getDB( $db ) {
        global $wgBotPasswordsCluster, $wgBotPasswordsDatabase;
 
        $lb = $wgBotPasswordsCluster
            ? wfGetLBFactory()->getExternalLB( $wgBotPasswordsCluster )
            : wfGetLB( $wgBotPasswordsDatabase );
        return $lb->getConnectionRef( $db, [], $wgBotPasswordsDatabase );
    }
 
    public static function newFromUser( User $user, $appId, $flags = self::READ_NORMAL ) {
        $centralId = CentralIdLookup::factory()->centralIdFromLocalUser(
            $user, CentralIdLookup::AUDIENCE_RAW, $flags
        );
        return $centralId ? self::newFromCentralId( $centralId, $appId, $flags ) : null;
    }
 
    public static function newFromCentralId( $centralId, $appId, $flags = self::READ_NORMAL ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return null;
        }
 
        list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $flags );
        $db = self::getDB( $index );
        $row = $db->selectRow(
            'bot_passwords',
            [ 'bp_user', 'bp_app_id', 'bp_token', 'bp_restrictions', 'bp_grants' ],
            [ 'bp_user' => $centralId, 'bp_app_id' => $appId ],
            __METHOD__,
            $options
        );
        return $row ? new self( $row, true, $flags ) : null;
    }
 
    public static function newUnsaved( array $data, $flags = self::READ_NORMAL ) {
        $row = (object)[
            'bp_user' => 0,
            'bp_app_id' => isset( $data['appId'] ) ? trim( $data['appId'] ) : '',
            'bp_token' => '**unsaved**',
            'bp_restrictions' => isset( $data['restrictions'] )
                ? $data['restrictions']
                : MWRestrictions::newDefault(),
            'bp_grants' => isset( $data['grants'] ) ? $data['grants'] : [],
        ];
 
        if (
            $row->bp_app_id === '' || strlen( $row->bp_app_id ) > self::APPID_MAXLENGTH ||
            !$row->bp_restrictions instanceof MWRestrictions ||
            !is_array( $row->bp_grants )
        ) {
            return null;
        }
 
        $row->bp_restrictions = $row->bp_restrictions->toJson();
        $row->bp_grants = FormatJson::encode( $row->bp_grants );
 
        if ( isset( $data['user'] ) ) {
            if ( !$data['user'] instanceof User ) {
                return null;
            }
            $row->bp_user = CentralIdLookup::factory()->centralIdFromLocalUser(
                $data['user'], CentralIdLookup::AUDIENCE_RAW, $flags
            );
        } elseif ( isset( $data['username'] ) ) {
            $row->bp_user = CentralIdLookup::factory()->centralIdFromName(
                $data['username'], CentralIdLookup::AUDIENCE_RAW, $flags
            );
        } elseif ( isset( $data['centralId'] ) ) {
            $row->bp_user = $data['centralId'];
        }
        if ( !$row->bp_user ) {
            return null;
        }
 
        return new self( $row, false, $flags );
    }
 
    public function isSaved() {
        return $this->isSaved;
    }
 
    public function getUserCentralId() {
        return $this->centralId;
    }
 
    public function getAppId() {
        return $this->appId;
    }
 
    public function getToken() {
        return $this->token;
    }
 
    public function getRestrictions() {
        return $this->restrictions;
    }
 
    public function getGrants() {
        return $this->grants;
    }
 
    public static function getSeparator() {
        global $wgUserrightsInterwikiDelimiter;
        return $wgUserrightsInterwikiDelimiter;
    }
 
    protected function getPassword() {
        list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $this->flags );
        $db = self::getDB( $index );
        $password = $db->selectField(
            'bot_passwords',
            'bp_password',
            [ 'bp_user' => $this->centralId, 'bp_app_id' => $this->appId ],
            __METHOD__,
            $options
        );
        if ( $password === false ) {
            return PasswordFactory::newInvalidPassword();
        }
 
        $passwordFactory = new \PasswordFactory();
        $passwordFactory->init( \RequestContext::getMain()->getConfig() );
        try {
            return $passwordFactory->newFromCiphertext( $password );
        } catch ( PasswordError $ex ) {
            return PasswordFactory::newInvalidPassword();
        }
    }
 
    public function save( $operation, Password $password = null ) {
        $conds = [
            'bp_user' => $this->centralId,
            'bp_app_id' => $this->appId,
        ];
        $fields = [
            'bp_token' => MWCryptRand::generateHex( User::TOKEN_LENGTH ),
            'bp_restrictions' => $this->restrictions->toJson(),
            'bp_grants' => FormatJson::encode( $this->grants ),
        ];
 
        if ( $password !== null ) {
            $fields['bp_password'] = $password->toString();
        } elseif ( $operation === 'insert' ) {
            $fields['bp_password'] = PasswordFactory::newInvalidPassword()->toString();
        }
 
        $dbw = self::getDB( DB_MASTER );
        switch ( $operation ) {
            case 'insert':
                $dbw->insert( 'bot_passwords', $fields + $conds, __METHOD__, [ 'IGNORE' ] );
                break;
 
            case 'update':
                $dbw->update( 'bot_passwords', $fields, $conds, __METHOD__ );
                break;
 
            default:
                return false;
        }
        $ok = (bool)$dbw->affectedRows();
        if ( $ok ) {
            $this->token = $dbw->selectField( 'bot_passwords', 'bp_token', $conds, __METHOD__ );
            $this->isSaved = true;
        }
        return $ok;
    }
 
    public function delete() {
        $conds = [
            'bp_user' => $this->centralId,
            'bp_app_id' => $this->appId,
        ];
        $dbw = self::getDB( DB_MASTER );
        $dbw->delete( 'bot_passwords', $conds, __METHOD__ );
        $ok = (bool)$dbw->affectedRows();
        if ( $ok ) {
            $this->token = '**unsaved**';
            $this->isSaved = false;
        }
        return $ok;
    }
 
    public static function invalidateAllPasswordsForUser( $username ) {
        $centralId = CentralIdLookup::factory()->centralIdFromName(
            $username, CentralIdLookup::AUDIENCE_RAW, CentralIdLookup::READ_LATEST
        );
        return $centralId && self::invalidateAllPasswordsForCentralId( $centralId );
    }
 
    public static function invalidateAllPasswordsForCentralId( $centralId ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return false;
        }
 
        $dbw = self::getDB( DB_MASTER );
        $dbw->update(
            'bot_passwords',
            [ 'bp_password' => PasswordFactory::newInvalidPassword()->toString() ],
            [ 'bp_user' => $centralId ],
            __METHOD__
        );
        return (bool)$dbw->affectedRows();
    }
 
    public static function removeAllPasswordsForUser( $username ) {
        $centralId = CentralIdLookup::factory()->centralIdFromName(
            $username, CentralIdLookup::AUDIENCE_RAW, CentralIdLookup::READ_LATEST
        );
        return $centralId && self::removeAllPasswordsForCentralId( $centralId );
    }
 
    public static function removeAllPasswordsForCentralId( $centralId ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return false;
        }
 
        $dbw = self::getDB( DB_MASTER );
        $dbw->delete(
            'bot_passwords',
            [ 'bp_user' => $centralId ],
            __METHOD__
        );
        return (bool)$dbw->affectedRows();
    }
 
    public static function generatePassword( $config ) {
        return PasswordFactory::generateRandomPasswordString(
            max( 32, $config->get( 'MinimalPasswordLength' ) ) );
    }
 
    public static function canonicalizeLoginData( $username, $password ) {
        $sep = BotPassword::getSeparator();
        // the strlen check helps minimize the password information obtainable from timing
        if ( strlen( $password ) >= 32 && strpos( $username, $sep ) !== false ) {
            // the separator is not valid in new usernames but might appear in legacy ones
            if ( preg_match( '/^[0-9a-w]{32,}$/', $password ) ) {
                return [ $username, $password, true ];
            }
        } elseif ( strlen( $password ) > 32 && strpos( $password, $sep ) !== false ) {
            $segments = explode( $sep, $password );
            $password = array_pop( $segments );
            $appId = implode( $sep, $segments );
            if ( preg_match( '/^[0-9a-w]{32,}$/', $password ) ) {
                return [ $username . $sep . $appId, $password, true ];
            }
        }
        return false;
    }
 
    public static function login( $username, $password, WebRequest $request ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return Status::newFatal( 'botpasswords-disabled' );
        }
 
        $manager = MediaWiki\Session\SessionManager::singleton();
        $provider = $manager->getProvider( BotPasswordSessionProvider::class );
        if ( !$provider ) {
            return Status::newFatal( 'botpasswords-no-provider' );
        }
 
        // Split name into name+appId
        $sep = self::getSeparator();
        if ( strpos( $username, $sep ) === false ) {
            return Status::newFatal( 'botpasswords-invalid-name', $sep );
        }
        list( $name, $appId ) = explode( $sep, $username, 2 );
 
        // Find the named user
        $user = User::newFromName( $name );
        if ( !$user || $user->isAnon() ) {
            return Status::newFatal( 'nosuchuser', $name );
        }
 
        // Get the bot password
        $bp = self::newFromUser( $user, $appId );
        if ( !$bp ) {
            return Status::newFatal( 'botpasswords-not-exist', $name, $appId );
        }
 
        // Check restrictions
        $status = $bp->getRestrictions()->check( $request );
        if ( !$status->isOK() ) {
            return Status::newFatal( 'botpasswords-restriction-failed' );
        }
 
        // Check the password
        if ( !$bp->getPassword()->equals( $password ) ) {
            return Status::newFatal( 'wrongpassword' );
        }
 
        // Ok! Create the session.
        return Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) );
    }
}