Session.php

Go to the documentation of this file.

<?php
namespace MediaWiki\Session;
 
use Psr\Log\LoggerInterface;
use User;
use WebRequest;
 
final class Session implements \Countable, \Iterator, \ArrayAccess {
    private static $encryptionAlgorithm = null;
 
    private $backend;
 
    private $index;
 
    private $logger;
 
    public function __construct( SessionBackend $backend, $index, LoggerInterface $logger ) {
        $this->backend = $backend;
        $this->index = $index;
        $this->logger = $logger;
    }
 
    public function __destruct() {
        $this->backend->deregisterSession( $this->index );
    }
 
    public function getId() {
        return $this->backend->getId();
    }
 
    public function getSessionId() {
        return $this->backend->getSessionId();
    }
 
    public function resetId() {
        return $this->backend->resetId();
    }
 
    public function getProvider() {
        return $this->backend->getProvider();
    }
 
    public function isPersistent() {
        return $this->backend->isPersistent();
    }
 
    public function persist() {
        $this->backend->persist();
    }
 
    public function unpersist() {
        $this->backend->unpersist();
    }
 
    public function shouldRememberUser() {
        return $this->backend->shouldRememberUser();
    }
 
    public function setRememberUser( $remember ) {
        $this->backend->setRememberUser( $remember );
    }
 
    public function getRequest() {
        return $this->backend->getRequest( $this->index );
    }
 
    public function getUser() {
        return $this->backend->getUser();
    }
 
    public function getAllowedUserRights() {
        return $this->backend->getAllowedUserRights();
    }
 
    public function canSetUser() {
        return $this->backend->canSetUser();
    }
 
    public function setUser( $user ) {
        $this->backend->setUser( $user );
    }
 
    public function suggestLoginUsername() {
        return $this->backend->suggestLoginUsername( $this->index );
    }
 
    public function shouldForceHTTPS() {
        return $this->backend->shouldForceHTTPS();
    }
 
    public function setForceHTTPS( $force ) {
        $this->backend->setForceHTTPS( $force );
    }
 
    public function getLoggedOutTimestamp() {
        return $this->backend->getLoggedOutTimestamp();
    }
 
    public function setLoggedOutTimestamp( $ts ) {
        $this->backend->setLoggedOutTimestamp( $ts );
    }
 
    public function getProviderMetadata() {
        return $this->backend->getProviderMetadata();
    }
 
    public function clear() {
        $data = &$this->backend->getData();
        if ( $data ) {
            $data = [];
            $this->backend->dirty();
        }
        if ( $this->backend->canSetUser() ) {
            $this->backend->setUser( new User );
        }
        $this->backend->save();
    }
 
    public function renew() {
        $this->backend->renew();
    }
 
    public function sessionWithRequest( WebRequest $request ) {
        $request->setSessionId( $this->backend->getSessionId() );
        return $this->backend->getSession( $request );
    }
 
    public function get( $key, $default = null ) {
        $data = &$this->backend->getData();
        return array_key_exists( $key, $data ) ? $data[$key] : $default;
    }
 
    public function exists( $key ) {
        $data = &$this->backend->getData();
        return array_key_exists( $key, $data );
    }
 
    public function set( $key, $value ) {
        $data = &$this->backend->getData();
        if ( !array_key_exists( $key, $data ) || $data[$key] !== $value ) {
            $data[$key] = $value;
            $this->backend->dirty();
        }
    }
 
    public function remove( $key ) {
        $data = &$this->backend->getData();
        if ( array_key_exists( $key, $data ) ) {
            unset( $data[$key] );
            $this->backend->dirty();
        }
    }
 
    public function getToken( $salt = '', $key = 'default' ) {
        $new = false;
        $secrets = $this->get( 'wsTokenSecrets' );
        if ( !is_array( $secrets ) ) {
            $secrets = [];
        }
        if ( isset( $secrets[$key] ) && is_string( $secrets[$key] ) ) {
            $secret = $secrets[$key];
        } else {
            $secret = \MWCryptRand::generateHex( 32 );
            $secrets[$key] = $secret;
            $this->set( 'wsTokenSecrets', $secrets );
            $new = true;
        }
        if ( is_array( $salt ) ) {
            $salt = implode( '|', $salt );
        }
        return new Token( $secret, (string)$salt, $new );
    }
 
    public function resetToken( $key = 'default' ) {
        $secrets = $this->get( 'wsTokenSecrets' );
        if ( is_array( $secrets ) && isset( $secrets[$key] ) ) {
            unset( $secrets[$key] );
            $this->set( 'wsTokenSecrets', $secrets );
        }
    }
 
    public function resetAllTokens() {
        $this->remove( 'wsTokenSecrets' );
    }
 
    private function getSecretKeys() {
        global $wgSessionSecret, $wgSecretKey, $wgSessionPbkdf2Iterations;
 
        $wikiSecret = $wgSessionSecret ?: $wgSecretKey;
        $userSecret = $this->get( 'wsSessionSecret', null );
        if ( $userSecret === null ) {
            $userSecret = \MWCryptRand::generateHex( 32 );
            $this->set( 'wsSessionSecret', $userSecret );
        }
        $iterations = $this->get( 'wsSessionPbkdf2Iterations', null );
        if ( $iterations === null ) {
            $iterations = $wgSessionPbkdf2Iterations;
            $this->set( 'wsSessionPbkdf2Iterations', $iterations );
        }
 
        $keymats = hash_pbkdf2( 'sha256', $wikiSecret, $userSecret, $iterations, 64, true );
        return [
            substr( $keymats, 0, 32 ),
            substr( $keymats, 32, 32 ),
        ];
    }
 
    private static function getEncryptionAlgorithm() {
        global $wgSessionInsecureSecrets;
 
        if ( self::$encryptionAlgorithm === null ) {
            if ( function_exists( 'openssl_encrypt' ) ) {
                $methods = openssl_get_cipher_methods();
                if ( in_array( 'aes-256-ctr', $methods, true ) ) {
                    self::$encryptionAlgorithm = [ 'openssl', 'aes-256-ctr' ];
                    return self::$encryptionAlgorithm;
                }
                if ( in_array( 'aes-256-cbc', $methods, true ) ) {
                    self::$encryptionAlgorithm = [ 'openssl', 'aes-256-cbc' ];
                    return self::$encryptionAlgorithm;
                }
            }
 
            if ( function_exists( 'mcrypt_encrypt' )
                && in_array( 'rijndael-128', mcrypt_list_algorithms(), true )
            ) {
                $modes = mcrypt_list_modes();
                if ( in_array( 'ctr', $modes, true ) ) {
                    self::$encryptionAlgorithm = [ 'mcrypt', 'rijndael-128', 'ctr' ];
                    return self::$encryptionAlgorithm;
                }
                if ( in_array( 'cbc', $modes, true ) ) {
                    self::$encryptionAlgorithm = [ 'mcrypt', 'rijndael-128', 'cbc' ];
                    return self::$encryptionAlgorithm;
                }
            }
 
            if ( $wgSessionInsecureSecrets ) {
                // @todo: import a pure-PHP library for AES instead of this
                self::$encryptionAlgorithm = [ 'insecure' ];
                return self::$encryptionAlgorithm;
            }
 
            throw new \BadMethodCallException(
                'Encryption is not available. You really should install the PHP OpenSSL extension, ' .
                'or failing that the mcrypt extension. But if you really can\'t and you\'re willing ' .
                'to accept insecure storage of sensitive session data, set ' .
                '$wgSessionInsecureSecrets = true in LocalSettings.php to make this exception go away.'
            );
        }
 
        return self::$encryptionAlgorithm;
    }
 
    public function setSecret( $key, $value ) {
        list( $encKey, $hmacKey ) = $this->getSecretKeys();
        $serialized = serialize( $value );
 
        // The code for encryption (with OpenSSL) and sealing is taken from
        // Chris Steipp's OATHAuthUtils class in Extension::OATHAuth.
 
        // Encrypt
        // @todo: import a pure-PHP library for AES instead of doing $wgSessionInsecureSecrets
        $iv = random_bytes( 16 );
        $algorithm = self::getEncryptionAlgorithm();
        switch ( $algorithm[0] ) {
            case 'openssl':
                $ciphertext = openssl_encrypt( $serialized, $algorithm[1], $encKey, OPENSSL_RAW_DATA, $iv );
                if ( $ciphertext === false ) {
                    throw new \UnexpectedValueException( 'Encryption failed: ' . openssl_error_string() );
                }
                break;
            case 'mcrypt':
                // PKCS7 padding
                $blocksize = mcrypt_get_block_size( $algorithm[1], $algorithm[2] );
                $pad = $blocksize - ( strlen( $serialized ) % $blocksize );
                $serialized .= str_repeat( chr( $pad ), $pad );
 
                $ciphertext = mcrypt_encrypt( $algorithm[1], $encKey, $serialized, $algorithm[2], $iv );
                if ( $ciphertext === false ) {
                    throw new \UnexpectedValueException( 'Encryption failed' );
                }
                break;
            case 'insecure':
                $ex = new \Exception( 'No encryption is available, storing data as plain text' );
                $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
                $ciphertext = $serialized;
                break;
            default:
                throw new \LogicException( 'invalid algorithm' );
        }
 
        // Seal
        $sealed = base64_encode( $iv ) . '.' . base64_encode( $ciphertext );
        $hmac = hash_hmac( 'sha256', $sealed, $hmacKey, true );
        $encrypted = base64_encode( $hmac ) . '.' . $sealed;
 
        // Store
        $this->set( $key, $encrypted );
    }
 
    public function getSecret( $key, $default = null ) {
        // Fetch
        $encrypted = $this->get( $key, null );
        if ( $encrypted === null ) {
            return $default;
        }
 
        // The code for unsealing, checking, and decrypting (with OpenSSL) is
        // taken from Chris Steipp's OATHAuthUtils class in
        // Extension::OATHAuth.
 
        // Unseal and check
        $pieces = explode( '.', $encrypted, 4 );
        if ( count( $pieces ) !== 3 ) {
            $ex = new \Exception( 'Invalid sealed-secret format' );
            $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
            return $default;
        }
        list( $hmac, $iv, $ciphertext ) = $pieces;
        list( $encKey, $hmacKey ) = $this->getSecretKeys();
        $integCalc = hash_hmac( 'sha256', $iv . '.' . $ciphertext, $hmacKey, true );
        if ( !hash_equals( $integCalc, base64_decode( $hmac ) ) ) {
            $ex = new \Exception( 'Sealed secret has been tampered with, aborting.' );
            $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
            return $default;
        }
 
        // Decrypt
        $algorithm = self::getEncryptionAlgorithm();
        switch ( $algorithm[0] ) {
            case 'openssl':
                $serialized = openssl_decrypt( base64_decode( $ciphertext ), $algorithm[1], $encKey,
                    OPENSSL_RAW_DATA, base64_decode( $iv ) );
                if ( $serialized === false ) {
                    $ex = new \Exception( 'Decyption failed: ' . openssl_error_string() );
                    $this->logger->debug( $ex->getMessage(), [ 'exception' => $ex ] );
                    return $default;
                }
                break;
            case 'mcrypt':
                $serialized = mcrypt_decrypt( $algorithm[1], $encKey, base64_decode( $ciphertext ),
                    $algorithm[2], base64_decode( $iv ) );
                if ( $serialized === false ) {
                    $ex = new \Exception( 'Decyption failed' );
                    $this->logger->debug( $ex->getMessage(), [ 'exception' => $ex ] );
                    return $default;
                }
 
                // Remove PKCS7 padding
                $pad = ord( substr( $serialized, -1 ) );
                $serialized = substr( $serialized, 0, -$pad );
                break;
            case 'insecure':
                $ex = new \Exception(
                    'No encryption is available, retrieving data that was stored as plain text'
                );
                $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
                $serialized = base64_decode( $ciphertext );
                break;
            default:
                throw new \LogicException( 'invalid algorithm' );
        }
 
        $value = unserialize( $serialized );
        if ( $value === false && $serialized !== serialize( false ) ) {
            $value = $default;
        }
        return $value;
    }
 
    public function delaySave() {
        return $this->backend->delaySave();
    }
 
    public function save() {
        $this->backend->save();
    }
 
    public function count() {
        $data = &$this->backend->getData();
        return count( $data );
    }
 
    public function current() {
        $data = &$this->backend->getData();
        return current( $data );
    }
 
    public function key() {
        $data = &$this->backend->getData();
        return key( $data );
    }
 
    public function next() {
        $data = &$this->backend->getData();
        next( $data );
    }
 
    public function rewind() {
        $data = &$this->backend->getData();
        reset( $data );
    }
 
    public function valid() {
        $data = &$this->backend->getData();
        return key( $data ) !== null;
    }
 
    public function offsetExists( $offset ) {
        $data = &$this->backend->getData();
        return isset( $data[$offset] );
    }
 
    public function &offsetGet( $offset ) {
        $data = &$this->backend->getData();
        if ( !array_key_exists( $offset, $data ) ) {
            $ex = new \Exception( "Undefined index (auto-adds to session with a null value): $offset" );
            $this->logger->debug( $ex->getMessage(), [ 'exception' => $ex ] );
        }
        return $data[$offset];
    }
 
    public function offsetSet( $offset, $value ) {
        $this->set( $offset, $value );
    }
 
    public function offsetUnset( $offset ) {
        $this->remove( $offset );
    }
 
}