MediaWiki  master
BotPassword.php
Go to the documentation of this file.
1 <?php
21 namespace MediaWiki\User;
22 
23 use DBAccessObjectUtils;
24 use FormatJson;
25 use IDBAccessObject;
26 use InvalidPassword;
27 use MediaWiki\Auth\AuthenticationResponse;
28 use MediaWiki\Auth\Throttler;
29 use MediaWiki\Config\Config;
30 use MediaWiki\HookContainer\HookRunner;
31 use MediaWiki\MainConfigNames;
32 use MediaWiki\MediaWikiServices;
33 use MediaWiki\Request\WebRequest;
34 use MediaWiki\Session\BotPasswordSessionProvider;
35 use MediaWiki\Session\SessionManager;
36 use MediaWiki\Status\Status;
37 use MWRestrictions;
38 use ObjectCache;
39 use Password;
40 use PasswordError;
41 use PasswordFactory;
42 use stdClass;
43 use UnexpectedValueException;
44 use Wikimedia\Rdbms\IDatabase;
45 
50 class BotPassword implements IDBAccessObject {
51 
52  public const APPID_MAXLENGTH = 32;
53 
57  public const PASSWORD_MINLENGTH = 32;
58 
63  public const RESTRICTIONS_MAXLENGTH = 65535;
64 
69  public const GRANTS_MAXLENGTH = 65535;
70 
72  private $isSaved;
73 
75  private $centralId;
76 
78  private $appId;
79 
81  private $token;
82 
84  private $restrictions;
85 
87  private $grants;
88 
90  private $flags;
91 
99  public function __construct( $row, $isSaved, $flags = self::READ_NORMAL ) {
100  $this->isSaved = $isSaved;
101  $this->flags = $flags;
102 
103  $this->centralId = (int)$row->bp_user;
104  $this->appId = $row->bp_app_id;
105  $this->token = $row->bp_token;
106  $this->restrictions = MWRestrictions::newFromJson( $row->bp_restrictions );
107  $this->grants = FormatJson::decode( $row->bp_grants );
108  }
109 
115  public static function getDB( $db ) {
116  return MediaWikiServices::getInstance()
117  ->getBotPasswordStore()
118  ->getDatabase( $db );
119  }
120 
128  public static function newFromUser( UserIdentity $userIdentity, $appId, $flags = self::READ_NORMAL ) {
129  return MediaWikiServices::getInstance()
130  ->getBotPasswordStore()
131  ->getByUser( $userIdentity, (string)$appId, (int)$flags );
132  }
133 
141  public static function newFromCentralId( $centralId, $appId, $flags = self::READ_NORMAL ) {
142  return MediaWikiServices::getInstance()
143  ->getBotPasswordStore()
144  ->getByCentralId( (int)$centralId, (string)$appId, (int)$flags );
145  }
146 
159  public static function newUnsaved( array $data, $flags = self::READ_NORMAL ) {
160  return MediaWikiServices::getInstance()
161  ->getBotPasswordStore()
162  ->newUnsavedBotPassword( $data, (int)$flags );
163  }
164 
169  public function isSaved() {
170  return $this->isSaved;
171  }
172 
177  public function getUserCentralId() {
178  return $this->centralId;
179  }
180 
184  public function getAppId() {
185  return $this->appId;
186  }
187 
191  public function getToken() {
192  return $this->token;
193  }
194 
198  public function getRestrictions() {
199  return $this->restrictions;
200  }
201 
205  public function getGrants() {
206  return $this->grants;
207  }
208 
213  public static function getSeparator() {
214  $userrightsInterwikiDelimiter = MediaWikiServices::getInstance()
215  ->getMainConfig()->get( MainConfigNames::UserrightsInterwikiDelimiter );
216  return $userrightsInterwikiDelimiter;
217  }
218 
222  private function getPassword() {
223  [ $index, $options ] = DBAccessObjectUtils::getDBOptions( $this->flags );
224  $db = self::getDB( $index );
225  $password = $db->newSelectQueryBuilder()
226  ->select( 'bp_password' )
227  ->from( 'bot_passwords' )
228  ->where( [ 'bp_user' => $this->centralId, 'bp_app_id' => $this->appId ] )
229  ->options( $options )
230  ->caller( __METHOD__ )->fetchField();
231  if ( $password === false ) {
232  return PasswordFactory::newInvalidPassword();
233  }
234 
235  $passwordFactory = MediaWikiServices::getInstance()->getPasswordFactory();
236  try {
237  return $passwordFactory->newFromCiphertext( $password );
238  } catch ( PasswordError $ex ) {
239  return PasswordFactory::newInvalidPassword();
240  }
241  }
242 
248  public function isInvalid() {
249  return $this->getPassword() instanceof InvalidPassword;
250  }
251 
259  public function save( $operation, Password $password = null ) {
260  // Ensure operation is valid
261  if ( $operation !== 'insert' && $operation !== 'update' ) {
262  throw new UnexpectedValueException(
263  "Expected 'insert' or 'update'; got '{$operation}'."
264  );
265  }
266 
267  $store = MediaWikiServices::getInstance()->getBotPasswordStore();
268  if ( $operation === 'insert' ) {
269  $statusValue = $store->insertBotPassword( $this, $password );
270  } else {
271  // Must be update, already checked above
272  $statusValue = $store->updateBotPassword( $this, $password );
273  }
274 
275  if ( $statusValue->isGood() ) {
276  $this->token = $statusValue->getValue();
277  $this->isSaved = true;
278  return Status::newGood();
279  }
280 
281  // Action failed, status will have code botpasswords-insert-failed or
282  // botpasswords-update-failed depending on which action we tried
283  return Status::wrap( $statusValue );
284  }
285 
290  public function delete() {
291  $ok = MediaWikiServices::getInstance()
292  ->getBotPasswordStore()
293  ->deleteBotPassword( $this );
294  if ( $ok ) {
295  $this->token = '**unsaved**';
296  $this->isSaved = false;
297  }
298  return $ok;
299  }
300 
306  public static function invalidateAllPasswordsForUser( $username ) {
307  return MediaWikiServices::getInstance()
308  ->getBotPasswordStore()
309  ->invalidateUserPasswords( (string)$username );
310  }
311 
320  public static function invalidateAllPasswordsForCentralId( $centralId ) {
321  wfDeprecated( __METHOD__, '1.37' );
322 
323  $enableBotPasswords = MediaWikiServices::getInstance()->getMainConfig()
324  ->get( MainConfigNames::EnableBotPasswords );
325 
326  if ( !$enableBotPasswords ) {
327  return false;
328  }
329 
330  $dbw = self::getDB( DB_PRIMARY );
331  $dbw->newUpdateQueryBuilder()
332  ->update( 'bot_passwords' )
333  ->set( [ 'bp_password' => PasswordFactory::newInvalidPassword()->toString() ] )
334  ->where( [ 'bp_user' => $centralId ] )
335  ->caller( __METHOD__ )->execute();
336  return (bool)$dbw->affectedRows();
337  }
338 
344  public static function removeAllPasswordsForUser( $username ) {
345  return MediaWikiServices::getInstance()
346  ->getBotPasswordStore()
347  ->removeUserPasswords( (string)$username );
348  }
349 
358  public static function removeAllPasswordsForCentralId( $centralId ) {
359  wfDeprecated( __METHOD__, '1.37' );
360 
361  $enableBotPasswords = MediaWikiServices::getInstance()->getMainConfig()
362  ->get( MainConfigNames::EnableBotPasswords );
363 
364  if ( !$enableBotPasswords ) {
365  return false;
366  }
367 
368  $dbw = self::getDB( DB_PRIMARY );
369  $dbw->newDeleteQueryBuilder()
370  ->deleteFrom( 'bot_passwords' )
371  ->where( [ 'bp_user' => $centralId ] )
372  ->caller( __METHOD__ )->execute();
373  return (bool)$dbw->affectedRows();
374  }
375 
381  public static function generatePassword( $config ) {
382  return PasswordFactory::generateRandomPasswordString( max(
383  self::PASSWORD_MINLENGTH, $config->get( MainConfigNames::MinimalPasswordLength ) ) );
384  }
385 
395  public static function canonicalizeLoginData( $username, $password ) {
396  $sep = self::getSeparator();
397  // the strlen check helps minimize the password information obtainable from timing
398  if ( strlen( $password ) >= self::PASSWORD_MINLENGTH && str_contains( $username, $sep ) ) {
399  // the separator is not valid in new usernames but might appear in legacy ones
400  if ( preg_match( '/^[0-9a-w]{' . self::PASSWORD_MINLENGTH . ',}$/', $password ) ) {
401  return [ $username, $password ];
402  }
403  } elseif ( strlen( $password ) > self::PASSWORD_MINLENGTH && str_contains( $password, $sep ) ) {
404  $segments = explode( $sep, $password );
405  $password = array_pop( $segments );
406  $appId = implode( $sep, $segments );
407  if ( preg_match( '/^[0-9a-w]{' . self::PASSWORD_MINLENGTH . ',}$/', $password ) ) {
408  return [ $username . $sep . $appId, $password ];
409  }
410  }
411  return false;
412  }
413 
421  public static function login( $username, $password, WebRequest $request ) {
422  $enableBotPasswords = MediaWikiServices::getInstance()->getMainConfig()
423  ->get( MainConfigNames::EnableBotPasswords );
424  $passwordAttemptThrottle = MediaWikiServices::getInstance()->getMainConfig()
425  ->get( MainConfigNames::PasswordAttemptThrottle );
426  if ( !$enableBotPasswords ) {
427  return Status::newFatal( 'botpasswords-disabled' );
428  }
429 
430  $provider = SessionManager::singleton()->getProvider( BotPasswordSessionProvider::class );
431  if ( !$provider ) {
432  return Status::newFatal( 'botpasswords-no-provider' );
433  }
434 
435  // Split name into name+appId
436  $sep = self::getSeparator();
437  if ( !str_contains( $username, $sep ) ) {
438  return self::loginHook( $username, null, Status::newFatal( 'botpasswords-invalid-name', $sep ) );
439  }
440  [ $name, $appId ] = explode( $sep, $username, 2 );
441 
442  // Find the named user
443  $user = User::newFromName( $name );
444  if ( !$user || $user->isAnon() ) {
445  return self::loginHook( $user ?: $name, null, Status::newFatal( 'nosuchuser', $name ) );
446  }
447 
448  if ( $user->isLocked() ) {
449  return Status::newFatal( 'botpasswords-locked' );
450  }
451 
452  $throttle = null;
453  if ( $passwordAttemptThrottle ) {
454  $throttle = new Throttler( $passwordAttemptThrottle, [
455  'type' => 'botpassword',
456  'cache' => ObjectCache::getLocalClusterInstance(),
457  ] );
458  $result = $throttle->increase( $user->getName(), $request->getIP(), __METHOD__ );
459  if ( $result ) {
460  $msg = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
461  return self::loginHook( $user, null, Status::newFatal( $msg ) );
462  }
463  }
464 
465  // Get the bot password
466  $bp = self::newFromUser( $user, $appId );
467  if ( !$bp ) {
468  return self::loginHook( $user, $bp,
469  Status::newFatal( 'botpasswords-not-exist', $name, $appId ) );
470  }
471 
472  // Check restrictions
473  $status = $bp->getRestrictions()->check( $request );
474  if ( !$status->isOK() ) {
475  return self::loginHook( $user, $bp, Status::newFatal( 'botpasswords-restriction-failed' ) );
476  }
477 
478  // Check the password
479  $passwordObj = $bp->getPassword();
480  if ( $passwordObj instanceof InvalidPassword ) {
481  return self::loginHook( $user, $bp,
482  Status::newFatal( 'botpasswords-needs-reset', $name, $appId ) );
483  }
484  if ( !$passwordObj->verify( $password ) ) {
485  return self::loginHook( $user, $bp, Status::newFatal( 'wrongpassword' ) );
486  }
487 
488  // Ok! Create the session.
489  if ( $throttle ) {
490  $throttle->clear( $user->getName(), $request->getIP() );
491  }
492  return self::loginHook( $user, $bp,
493  // @phan-suppress-next-line PhanUndeclaredMethod
494  Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) ) );
495  }
496 
508  private static function loginHook( $user, $bp, Status $status ) {
509  $extraData = [];
510  if ( $user instanceof User ) {
511  $name = $user->getName();
512  if ( $bp ) {
513  $extraData['appId'] = $name . self::getSeparator() . $bp->getAppId();
514  }
515  } else {
516  $name = $user;
517  $user = null;
518  }
519 
520  if ( $status->isGood() ) {
521  $response = AuthenticationResponse::newPass( $name );
522  } else {
523  $response = AuthenticationResponse::newFail( $status->getMessage() );
524  }
525  ( new HookRunner( MediaWikiServices::getInstance()->getHookContainer() ) )
526  ->onAuthManagerLoginAuthenticateAudit( $response, $user, $name, $extraData );
527 
528  return $status;
529  }
530 }
531 
536 class_alias( BotPassword::class, 'BotPassword' );
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition: GlobalFunctions.php:903
wfDeprecated
wfDeprecated( $function, $version=false, $component=false, $callerOffset=2)
Logs a warning that a deprecated feature was used.
Definition: GlobalFunctions.php:767
DBAccessObjectUtils
Helper class for DAO classes.
Definition: DBAccessObjectUtils.php:32
DBAccessObjectUtils\getDBOptions
static getDBOptions( $bitfield)
Get an appropriate DB index, options, and fallback DB index for a query.
Definition: DBAccessObjectUtils.php:55
FormatJson
JSON formatter wrapper class.
Definition: FormatJson.php:28
FormatJson\decode
static decode( $value, $assoc=false)
Decodes a JSON string.
Definition: FormatJson.php:148
InvalidPassword
Represents an invalid password hash.
Definition: InvalidPassword.php:34
MWRestrictions
A class to check request restrictions expressed as a JSON object.
Definition: MWRestrictions.php:29
MWRestrictions\newFromJson
static newFromJson( $json)
Definition: MWRestrictions.php:64
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition: AuthenticationResponse.php:37
MediaWiki\Auth\AuthenticationResponse\newFail
static newFail(Message $msg, array $failReasons=[])
Definition: AuthenticationResponse.php:157
MediaWiki\HookContainer\HookRunner
This class provides an implementation of the core hook interfaces, forwarding hook calls to HookConta...
Definition: HookRunner.php:568
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition: MainConfigNames.php:22
MediaWiki\MainConfigNames\MinimalPasswordLength
const MinimalPasswordLength
Name constant for the MinimalPasswordLength setting, for use with Config::get()
Definition: MainConfigNames.php:2584
MediaWiki\MainConfigNames\PasswordAttemptThrottle
const PasswordAttemptThrottle
Name constant for the PasswordAttemptThrottle setting, for use with Config::get()
Definition: MainConfigNames.php:2987
MediaWiki\MainConfigNames\UserrightsInterwikiDelimiter
const UserrightsInterwikiDelimiter
Name constant for the UserrightsInterwikiDelimiter setting, for use with Config::get()
Definition: MainConfigNames.php:2669
MediaWiki\MainConfigNames\EnableBotPasswords
const EnableBotPasswords
Name constant for the EnableBotPasswords setting, for use with Config::get()
Definition: MainConfigNames.php:3005
MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition: MediaWikiServices.php:232
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition: MediaWikiServices.php:319
GuzzleHttp\Psr7\Request\WebRequest
The WebRequest class encapsulates getting at data passed in the URL or via a POSTed form stripping il...
Definition: WebRequest.php:50
GuzzleHttp\Psr7\Request\WebRequest\getIP
getIP()
Work out the IP address based on various globals For trusted proxies, use the XFF client IP (first of...
Definition: WebRequest.php:1270
MediaWiki\Session\SessionManager
This serves as the entry point to the MediaWiki session handling system.
Definition: SessionManager.php:79
MediaWiki\Session\SessionManager\singleton
static singleton()
Get the global SessionManager.
Definition: SessionManager.php:129
MediaWiki\Status\Status
Generic operation result class Has warning/error list, boolean status and arbitrary value.
Definition: Status.php:58
MediaWiki\Status\Status\getMessage
getMessage( $shortContext=false, $longContext=false, $lang=null)
Get a bullet list of the errors as a Message object.
Definition: Status.php:260
MediaWiki\Status\Status\wrap
static wrap( $sv)
Succinct helper method to wrap a StatusValue.
Definition: Status.php:76
MediaWiki\User\BotPassword
Utility class for bot passwords.
Definition: BotPassword.php:50
MediaWiki\User\BotPassword\RESTRICTIONS_MAXLENGTH
const RESTRICTIONS_MAXLENGTH
Maximum length of the json representation of restrictions.
Definition: BotPassword.php:63
MediaWiki\User\BotPassword\removeAllPasswordsForUser
static removeAllPasswordsForUser( $username)
Remove all passwords for a user, by name.
Definition: BotPassword.php:344
MediaWiki\User\BotPassword\generatePassword
static generatePassword( $config)
Returns a (raw, unhashed) random password string.
Definition: BotPassword.php:381
MediaWiki\User\BotPassword\invalidateAllPasswordsForUser
static invalidateAllPasswordsForUser( $username)
Invalidate all passwords for a user, by name.
Definition: BotPassword.php:306
MediaWiki\User\BotPassword\newFromUser
static newFromUser(UserIdentity $userIdentity, $appId, $flags=self::READ_NORMAL)
Load a BotPassword from the database.
Definition: BotPassword.php:128
MediaWiki\User\BotPassword\getSeparator
static getSeparator()
Get the separator for combined user name + app ID.
Definition: BotPassword.php:213
MediaWiki\User\BotPassword\isSaved
isSaved()
Indicate whether this is known to be saved.
Definition: BotPassword.php:169
MediaWiki\User\BotPassword\canonicalizeLoginData
static canonicalizeLoginData( $username, $password)
There are two ways to login with a bot password: "username@appId", "password" and "username",...
Definition: BotPassword.php:395
MediaWiki\User\BotPassword\PASSWORD_MINLENGTH
const PASSWORD_MINLENGTH
Minimum length for a bot password.
Definition: BotPassword.php:57
MediaWiki\User\BotPassword\removeAllPasswordsForCentralId
static removeAllPasswordsForCentralId( $centralId)
Remove all passwords for a user, by central ID.
Definition: BotPassword.php:358
MediaWiki\User\BotPassword\login
static login( $username, $password, WebRequest $request)
Try to log the user in.
Definition: BotPassword.php:421
MediaWiki\User\BotPassword\__construct
__construct( $row, $isSaved, $flags=self::READ_NORMAL)
Definition: BotPassword.php:99
MediaWiki\User\BotPassword\newFromCentralId
static newFromCentralId( $centralId, $appId, $flags=self::READ_NORMAL)
Load a BotPassword from the database.
Definition: BotPassword.php:141
MediaWiki\User\BotPassword\isInvalid
isInvalid()
Whether the password is currently invalid.
Definition: BotPassword.php:248
MediaWiki\User\BotPassword\invalidateAllPasswordsForCentralId
static invalidateAllPasswordsForCentralId( $centralId)
Invalidate all passwords for a user, by central ID.
Definition: BotPassword.php:320
MediaWiki\User\BotPassword\save
save( $operation, Password $password=null)
Save the BotPassword to the database.
Definition: BotPassword.php:259
MediaWiki\User\BotPassword\GRANTS_MAXLENGTH
const GRANTS_MAXLENGTH
Maximum length of the json representation of grants.
Definition: BotPassword.php:69
MediaWiki\User\BotPassword\getUserCentralId
getUserCentralId()
Get the central user ID.
Definition: BotPassword.php:177
MediaWiki\User\BotPassword\newUnsaved
static newUnsaved(array $data, $flags=self::READ_NORMAL)
Create an unsaved BotPassword.
Definition: BotPassword.php:159
MediaWiki\User\BotPassword\getDB
static getDB( $db)
Get a database connection for the bot passwords database.
Definition: BotPassword.php:115
MediaWiki\User\User
internal since 1.36
Definition: User.php:98
MediaWiki\User\User\newFromName
static newFromName( $name, $validate='valid')
Definition: User.php:600
ObjectCache
Functions to get cache objects.
Definition: ObjectCache.php:67
ObjectCache\getLocalClusterInstance
static getLocalClusterInstance()
Get the main cluster-local cache object.
Definition: ObjectCache.php:320
PasswordError
Show an error when any operation involving passwords fails to run.
Definition: PasswordError.php:29
PasswordFactory
Factory class for creating and checking Password objects.
Definition: PasswordFactory.php:34
PasswordFactory\generateRandomPasswordString
static generateRandomPasswordString(int $minLength=10)
Generate a random string suitable for a password.
Definition: PasswordFactory.php:239
PasswordFactory\newInvalidPassword
static newInvalidPassword()
Create an InvalidPassword.
Definition: PasswordFactory.php:255
Password
Represents a password hash for use in authentication.
Definition: Password.php:61
StatusValue\newFatal
static newFatal( $message,... $parameters)
Factory function for fatal errors.
Definition: StatusValue.php:73
StatusValue\isOK
isOK()
Returns whether the operation completed.
Definition: StatusValue.php:134
StatusValue\isGood
isGood()
Returns whether the operation completed and didn't have any error or warnings.
Definition: StatusValue.php:125
StatusValue\newGood
static newGood( $value=null)
Factory function for good results.
Definition: StatusValue.php:85
IDBAccessObject
Interface for database access objects.
Definition: IDBAccessObject.php:57
MediaWiki\Config\Config
Interface for configuration instances.
Definition: Config.php:32
MediaWiki\User\UserIdentity
Interface for objects representing user identity.
Definition: UserIdentity.php:39
Wikimedia\Rdbms\IDatabase
Basic database interface for live and lazy-loaded relation database handles.
Definition: IDatabase.php:36
MediaWiki\User
Utility class for bot passwords.
Definition: ActorCache.php:21
DB_PRIMARY
const DB_PRIMARY
Definition: defines.php:28