BotPassword.php

Go to the documentation of this file.

<?php
use MediaWiki\Auth\AuthenticationResponse;
use MediaWiki\Auth\Throttler;
use MediaWiki\MediaWikiServices;
use MediaWiki\Session\BotPasswordSessionProvider;
use MediaWiki\Session\SessionManager;
use Wikimedia\Rdbms\IDatabase;
 
class BotPassword implements IDBAccessObject {
 
    public const APPID_MAXLENGTH = 32;
 
    public const PASSWORD_MINLENGTH = 32;
 
    public const RESTRICTIONS_MAXLENGTH = 65535;
 
    public const GRANTS_MAXLENGTH = 65535;
 
    private $isSaved;
 
    private $centralId;
 
    private $appId;
 
    private $token;
 
    private $restrictions;
 
    private $grants;
 
    private $flags = self::READ_NORMAL;
 
    private function __construct( $row, $isSaved, $flags = self::READ_NORMAL ) {
        $this->isSaved = $isSaved;
        $this->flags = $flags;
 
        $this->centralId = (int)$row->bp_user;
        $this->appId = $row->bp_app_id;
        $this->token = $row->bp_token;
        $this->restrictions = MWRestrictions::newFromJson( $row->bp_restrictions );
        $this->grants = FormatJson::decode( $row->bp_grants );
    }
 
    public static function getDB( $db ) {
        global $wgBotPasswordsCluster, $wgBotPasswordsDatabase;
 
        $lbFactory = MediaWikiServices::getInstance()->getDBLoadBalancerFactory();
        $lb = $wgBotPasswordsCluster
            ? $lbFactory->getExternalLB( $wgBotPasswordsCluster )
            : $lbFactory->getMainLB( $wgBotPasswordsDatabase );
        return $lb->getConnectionRef( $db, [], $wgBotPasswordsDatabase );
    }
 
    public static function newFromUser( User $user, $appId, $flags = self::READ_NORMAL ) {
        $centralId = CentralIdLookup::factory()->centralIdFromLocalUser(
            $user, CentralIdLookup::AUDIENCE_RAW, $flags
        );
        return $centralId ? self::newFromCentralId( $centralId, $appId, $flags ) : null;
    }
 
    public static function newFromCentralId( $centralId, $appId, $flags = self::READ_NORMAL ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return null;
        }
 
        list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $flags );
        $db = self::getDB( $index );
        $row = $db->selectRow(
            'bot_passwords',
            [ 'bp_user', 'bp_app_id', 'bp_token', 'bp_restrictions', 'bp_grants' ],
            [ 'bp_user' => $centralId, 'bp_app_id' => $appId ],
            __METHOD__,
            $options
        );
        return $row ? new self( $row, true, $flags ) : null;
    }
 
    public static function newUnsaved( array $data, $flags = self::READ_NORMAL ) {
        if ( isset( $data['user'] ) && ( !$data['user'] instanceof User ) ) {
            return null;
        }
 
        $row = (object)[
            'bp_user' => 0,
            'bp_app_id' => isset( $data['appId'] ) ? trim( $data['appId'] ) : '',
            'bp_token' => '**unsaved**',
            'bp_restrictions' => $data['restrictions'] ?? MWRestrictions::newDefault(),
            'bp_grants' => $data['grants'] ?? [],
        ];
 
        if (
            $row->bp_app_id === '' ||
            strlen( $row->bp_app_id ) > self::APPID_MAXLENGTH ||
            !$row->bp_restrictions instanceof MWRestrictions ||
            !is_array( $row->bp_grants )
        ) {
            return null;
        }
 
        $row->bp_restrictions = $row->bp_restrictions->toJson();
        $row->bp_grants = FormatJson::encode( $row->bp_grants );
 
        if ( isset( $data['user'] ) ) {
            // Must be a User object, already checked above
            $row->bp_user = CentralIdLookup::factory()->centralIdFromLocalUser(
                $data['user'], CentralIdLookup::AUDIENCE_RAW, $flags
            );
        } elseif ( isset( $data['username'] ) ) {
            $row->bp_user = CentralIdLookup::factory()->centralIdFromName(
                $data['username'], CentralIdLookup::AUDIENCE_RAW, $flags
            );
        } elseif ( isset( $data['centralId'] ) ) {
            $row->bp_user = $data['centralId'];
        }
        if ( !$row->bp_user ) {
            return null;
        }
 
        return new self( $row, false, $flags );
    }
 
    public function isSaved() {
        return $this->isSaved;
    }
 
    public function getUserCentralId() {
        return $this->centralId;
    }
 
    public function getAppId() {
        return $this->appId;
    }
 
    public function getToken() {
        return $this->token;
    }
 
    public function getRestrictions() {
        return $this->restrictions;
    }
 
    public function getGrants() {
        return $this->grants;
    }
 
    public static function getSeparator() {
        global $wgUserrightsInterwikiDelimiter;
        return $wgUserrightsInterwikiDelimiter;
    }
 
    private function getPassword() {
        list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $this->flags );
        $db = self::getDB( $index );
        $password = $db->selectField(
            'bot_passwords',
            'bp_password',
            [ 'bp_user' => $this->centralId, 'bp_app_id' => $this->appId ],
            __METHOD__,
            $options
        );
        if ( $password === false ) {
            return PasswordFactory::newInvalidPassword();
        }
 
        $passwordFactory = MediaWikiServices::getInstance()->getPasswordFactory();
        try {
            return $passwordFactory->newFromCiphertext( $password );
        } catch ( PasswordError $ex ) {
            return PasswordFactory::newInvalidPassword();
        }
    }
 
    public function isInvalid() {
        return $this->getPassword() instanceof InvalidPassword;
    }
 
    public function save( $operation, Password $password = null ) {
        // Ensure operation is valid
        if ( $operation !== 'insert' && $operation !== 'update' ) {
            throw new UnexpectedValueException(
                "Expected 'insert' or 'update'; got '{$operation}'."
            );
        }
 
        $conds = [
            'bp_user' => $this->centralId,
            'bp_app_id' => $this->appId,
        ];
 
        $res = Status::newGood();
 
        $restrictions = $this->restrictions->toJson();
 
        if ( strlen( $restrictions ) > self::RESTRICTIONS_MAXLENGTH ) {
            $res->fatal( 'botpasswords-toolong-restrictions' );
        }
 
        $grants = FormatJson::encode( $this->grants );
 
        if ( strlen( $grants ) > self::GRANTS_MAXLENGTH ) {
            $res->fatal( 'botpasswords-toolong-grants' );
        }
 
        if ( !$res->isGood() ) {
            return $res;
        }
 
        $fields = [
            'bp_token' => MWCryptRand::generateHex( User::TOKEN_LENGTH ),
            'bp_restrictions' => $restrictions,
            'bp_grants' => $grants,
        ];
 
        if ( $password !== null ) {
            $fields['bp_password'] = $password->toString();
        } elseif ( $operation === 'insert' ) {
            $fields['bp_password'] = PasswordFactory::newInvalidPassword()->toString();
        }
 
        $dbw = self::getDB( DB_MASTER );
 
        if ( $operation === 'insert' ) {
            $dbw->insert( 'bot_passwords', $fields + $conds, __METHOD__, [ 'IGNORE' ] );
        } else {
            // Must be update, already checked above
            $dbw->update( 'bot_passwords', $fields, $conds, __METHOD__ );
        }
 
        $ok = (bool)$dbw->affectedRows();
        if ( $ok ) {
            $this->token = $dbw->selectField( 'bot_passwords', 'bp_token', $conds, __METHOD__ );
            $this->isSaved = true;
 
            return $res;
        }
 
        // Messages: botpasswords-insert-failed, botpasswords-update-failed
        return Status::newFatal( "botpasswords-{$operation}-failed", $this->appId );
    }
 
    public function delete() {
        $dbw = self::getDB( DB_MASTER );
        $dbw->delete(
            'bot_passwords',
            [
                'bp_user' => $this->centralId,
                'bp_app_id' => $this->appId,
            ],
            __METHOD__
        );
        $ok = (bool)$dbw->affectedRows();
        if ( $ok ) {
            $this->token = '**unsaved**';
            $this->isSaved = false;
        }
        return $ok;
    }
 
    public static function invalidateAllPasswordsForUser( $username ) {
        $centralId = CentralIdLookup::factory()->centralIdFromName(
            $username, CentralIdLookup::AUDIENCE_RAW, CentralIdLookup::READ_LATEST
        );
        return $centralId && self::invalidateAllPasswordsForCentralId( $centralId );
    }
 
    public static function invalidateAllPasswordsForCentralId( $centralId ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return false;
        }
 
        $dbw = self::getDB( DB_MASTER );
        $dbw->update(
            'bot_passwords',
            [ 'bp_password' => PasswordFactory::newInvalidPassword()->toString() ],
            [ 'bp_user' => $centralId ],
            __METHOD__
        );
        return (bool)$dbw->affectedRows();
    }
 
    public static function removeAllPasswordsForUser( $username ) {
        $centralId = CentralIdLookup::factory()->centralIdFromName(
            $username, CentralIdLookup::AUDIENCE_RAW, CentralIdLookup::READ_LATEST
        );
        return $centralId && self::removeAllPasswordsForCentralId( $centralId );
    }
 
    public static function removeAllPasswordsForCentralId( $centralId ) {
        global $wgEnableBotPasswords;
 
        if ( !$wgEnableBotPasswords ) {
            return false;
        }
 
        $dbw = self::getDB( DB_MASTER );
        $dbw->delete(
            'bot_passwords',
            [ 'bp_user' => $centralId ],
            __METHOD__
        );
        return (bool)$dbw->affectedRows();
    }
 
    public static function generatePassword( $config ) {
        return PasswordFactory::generateRandomPasswordString(
            max( self::PASSWORD_MINLENGTH, $config->get( 'MinimalPasswordLength' ) ) );
    }
 
    public static function canonicalizeLoginData( $username, $password ) {
        $sep = self::getSeparator();
        // the strlen check helps minimize the password information obtainable from timing
        if ( strlen( $password ) >= self::PASSWORD_MINLENGTH && strpos( $username, $sep ) !== false ) {
            // the separator is not valid in new usernames but might appear in legacy ones
            if ( preg_match( '/^[0-9a-w]{' . self::PASSWORD_MINLENGTH . ',}$/', $password ) ) {
                return [ $username, $password ];
            }
        } elseif ( strlen( $password ) > self::PASSWORD_MINLENGTH && strpos( $password, $sep ) !== false ) {
            $segments = explode( $sep, $password );
            $password = array_pop( $segments );
            $appId = implode( $sep, $segments );
            if ( preg_match( '/^[0-9a-w]{' . self::PASSWORD_MINLENGTH . ',}$/', $password ) ) {
                return [ $username . $sep . $appId, $password ];
            }
        }
        return false;
    }
 
    public static function login( $username, $password, WebRequest $request ) {
        global $wgEnableBotPasswords, $wgPasswordAttemptThrottle;
 
        if ( !$wgEnableBotPasswords ) {
            return Status::newFatal( 'botpasswords-disabled' );
        }
 
        $provider = SessionManager::singleton()->getProvider( BotPasswordSessionProvider::class );
        if ( !$provider ) {
            return Status::newFatal( 'botpasswords-no-provider' );
        }
 
        // Split name into name+appId
        $sep = self::getSeparator();
        if ( strpos( $username, $sep ) === false ) {
            return self::loginHook( $username, null, Status::newFatal( 'botpasswords-invalid-name', $sep ) );
        }
        list( $name, $appId ) = explode( $sep, $username, 2 );
 
        // Find the named user
        $user = User::newFromName( $name );
        if ( !$user || $user->isAnon() ) {
            return self::loginHook( $user ?: $name, null, Status::newFatal( 'nosuchuser', $name ) );
        }
 
        if ( $user->isLocked() ) {
            return Status::newFatal( 'botpasswords-locked' );
        }
 
        $throttle = null;
        if ( !empty( $wgPasswordAttemptThrottle ) ) {
            $throttle = new Throttler( $wgPasswordAttemptThrottle, [
                'type' => 'botpassword',
                'cache' => ObjectCache::getLocalClusterInstance(),
            ] );
            $result = $throttle->increase( $user->getName(), $request->getIP(), __METHOD__ );
            if ( $result ) {
                $msg = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
                return self::loginHook( $user, null, Status::newFatal( $msg ) );
            }
        }
 
        // Get the bot password
        $bp = self::newFromUser( $user, $appId );
        if ( !$bp ) {
            return self::loginHook( $user, $bp,
                Status::newFatal( 'botpasswords-not-exist', $name, $appId ) );
        }
 
        // Check restrictions
        $status = $bp->getRestrictions()->check( $request );
        if ( !$status->isOK() ) {
            return self::loginHook( $user, $bp, Status::newFatal( 'botpasswords-restriction-failed' ) );
        }
 
        // Check the password
        $passwordObj = $bp->getPassword();
        if ( $passwordObj instanceof InvalidPassword ) {
            return self::loginHook( $user, $bp,
                Status::newFatal( 'botpasswords-needs-reset', $name, $appId ) );
        }
        if ( !$passwordObj->verify( $password ) ) {
            return self::loginHook( $user, $bp, Status::newFatal( 'wrongpassword' ) );
        }
 
        // Ok! Create the session.
        if ( $throttle ) {
            $throttle->clear( $user->getName(), $request->getIP() );
        }
        return self::loginHook( $user, $bp,
            // @phan-suppress-next-line PhanUndeclaredMethod
            Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) ) );
    }
 
    private static function loginHook( $user, $bp, Status $status ) {
        $extraData = [];
        if ( $user instanceof User ) {
            $name = $user->getName();
            if ( $bp ) {
                $extraData['appId'] = $name . self::getSeparator() . $bp->getAppId();
            }
        } else {
            $name = $user;
            $user = null;
        }
 
        if ( $status->isGood() ) {
            $response = AuthenticationResponse::newPass( $name );
        } else {
            $response = AuthenticationResponse::newFail( $status->getMessage() );
        }
        Hooks::runner()->onAuthManagerLoginAuthenticateAudit( $response, $user, $name, $extraData );
 
        return $status;
    }
}