1 <?php
27 class BotPassword implements IDBAccessObject {
29  const APPID_MAXLENGTH = 32;
32  private $isSaved;
35  private $centralId;
38  private $appId;
41  private $token;
44  private $restrictions;
47  private $grants;
50  private $flags = self::READ_NORMAL;
57  protected function __construct( $row, $isSaved, $flags = self::READ_NORMAL ) {
58  $this->isSaved = $isSaved;
59  $this->flags = $flags;
61  $this->centralId = (int)$row->bp_user;
62  $this->appId = $row->bp_app_id;
63  $this->token = $row->bp_token;
64  $this->restrictions = MWRestrictions::newFromJson( $row->bp_restrictions );
65  $this->grants = FormatJson::decode( $row->bp_grants );
66  }
73  public static function getDB( $db ) {
76  $lb = $wgBotPasswordsCluster
77  ? wfGetLBFactory()->getExternalLB( $wgBotPasswordsCluster )
78  : wfGetLB( $wgBotPasswordsDatabase );
79  return $lb->getConnectionRef( $db, [], $wgBotPasswordsDatabase );
80  }
89  public static function newFromUser( User $user, $appId, $flags = self::READ_NORMAL ) {
90  $centralId = CentralIdLookup::factory()->centralIdFromLocalUser(
92  );
93  return $centralId ? self::newFromCentralId( $centralId, $appId, $flags ) : null;
94  }
103  public static function newFromCentralId( $centralId, $appId, $flags = self::READ_NORMAL ) {
106  if ( !$wgEnableBotPasswords ) {
107  return null;
108  }
111  $db = self::getDB( $index );
112  $row = $db->selectRow(
113  'bot_passwords',
114  [ 'bp_user', 'bp_app_id', 'bp_token', 'bp_restrictions', 'bp_grants' ],
115  [ 'bp_user' => $centralId, 'bp_app_id' => $appId ],
116  __METHOD__,
117  $options
118  );
119  return $row ? new self( $row, true, $flags ) : null;
120  }
134  public static function newUnsaved( array $data, $flags = self::READ_NORMAL ) {
135  $row = (object)[
136  'bp_user' => 0,
137  'bp_app_id' => isset( $data['appId'] ) ? trim( $data['appId'] ) : '',
138  'bp_token' => '**unsaved**',
139  'bp_restrictions' => isset( $data['restrictions'] )
140  ? $data['restrictions']
142  'bp_grants' => isset( $data['grants'] ) ? $data['grants'] : [],
143  ];
145  if (
146  $row->bp_app_id === '' || strlen( $row->bp_app_id ) > self::APPID_MAXLENGTH ||
147  !$row->bp_restrictions instanceof MWRestrictions ||
148  !is_array( $row->bp_grants )
149  ) {
150  return null;
151  }
153  $row->bp_restrictions = $row->bp_restrictions->toJson();
154  $row->bp_grants = FormatJson::encode( $row->bp_grants );
156  if ( isset( $data['user'] ) ) {
157  if ( !$data['user'] instanceof User ) {
158  return null;
159  }
160  $row->bp_user = CentralIdLookup::factory()->centralIdFromLocalUser(
161  $data['user'], CentralIdLookup::AUDIENCE_RAW, $flags
162  );
163  } elseif ( isset( $data['username'] ) ) {
164  $row->bp_user = CentralIdLookup::factory()->centralIdFromName(
165  $data['username'], CentralIdLookup::AUDIENCE_RAW, $flags
166  );
167  } elseif ( isset( $data['centralId'] ) ) {
168  $row->bp_user = $data['centralId'];
169  }
170  if ( !$row->bp_user ) {
171  return null;
172  }
174  return new self( $row, false, $flags );
175  }
181  public function isSaved() {
182  return $this->isSaved;
183  }
189  public function getUserCentralId() {
190  return $this->centralId;
191  }
197  public function getAppId() {
198  return $this->appId;
199  }
205  public function getToken() {
206  return $this->token;
207  }
213  public function getRestrictions() {
214  return $this->restrictions;
215  }
221  public function getGrants() {
222  return $this->grants;
223  }
229  public static function getSeparator() {
232  }
238  protected function getPassword() {
239  list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $this->flags );
240  $db = self::getDB( $index );
241  $password = $db->selectField(
242  'bot_passwords',
243  'bp_password',
244  [ 'bp_user' => $this->centralId, 'bp_app_id' => $this->appId ],
245  __METHOD__,
246  $options
247  );
248  if ( $password === false ) {
250  }
252  $passwordFactory = new \PasswordFactory();
253  $passwordFactory->init( \RequestContext::getMain()->getConfig() );
254  try {
255  return $passwordFactory->newFromCiphertext( $password );
256  } catch ( PasswordError $ex ) {
258  }
259  }
267  public function save( $operation, Password $password = null ) {
268  $conds = [
269  'bp_user' => $this->centralId,
270  'bp_app_id' => $this->appId,
271  ];
272  $fields = [
274  'bp_restrictions' => $this->restrictions->toJson(),
275  'bp_grants' => FormatJson::encode( $this->grants ),
276  ];
278  if ( $password !== null ) {
279  $fields['bp_password'] = $password->toString();
280  } elseif ( $operation === 'insert' ) {
281  $fields['bp_password'] = PasswordFactory::newInvalidPassword()->toString();
282  }
284  $dbw = self::getDB( DB_MASTER );
285  switch ( $operation ) {
286  case 'insert':
287  $dbw->insert( 'bot_passwords', $fields + $conds, __METHOD__, [ 'IGNORE' ] );
288  break;
290  case 'update':
291  $dbw->update( 'bot_passwords', $fields, $conds, __METHOD__ );
292  break;
294  default:
295  return false;
296  }
297  $ok = (bool)$dbw->affectedRows();
298  if ( $ok ) {
299  $this->token = $dbw->selectField( 'bot_passwords', 'bp_token', $conds, __METHOD__ );
300  $this->isSaved = true;
301  }
302  return $ok;
303  }
309  public function delete() {
310  $conds = [
311  'bp_user' => $this->centralId,
312  'bp_app_id' => $this->appId,
313  ];
314  $dbw = self::getDB( DB_MASTER );
315  $dbw->delete( 'bot_passwords', $conds, __METHOD__ );
316  $ok = (bool)$dbw->affectedRows();
317  if ( $ok ) {
318  $this->token = '**unsaved**';
319  $this->isSaved = false;
320  }
321  return $ok;
322  }
329  public static function invalidateAllPasswordsForUser( $username ) {
330  $centralId = CentralIdLookup::factory()->centralIdFromName(
332  );
333  return $centralId && self::invalidateAllPasswordsForCentralId( $centralId );
334  }
341  public static function invalidateAllPasswordsForCentralId( $centralId ) {
344  if ( !$wgEnableBotPasswords ) {
345  return false;
346  }
348  $dbw = self::getDB( DB_MASTER );
349  $dbw->update(
350  'bot_passwords',
351  [ 'bp_password' => PasswordFactory::newInvalidPassword()->toString() ],
352  [ 'bp_user' => $centralId ],
353  __METHOD__
354  );
355  return (bool)$dbw->affectedRows();
356  }
363  public static function removeAllPasswordsForUser( $username ) {
364  $centralId = CentralIdLookup::factory()->centralIdFromName(
366  );
367  return $centralId && self::removeAllPasswordsForCentralId( $centralId );
368  }
375  public static function removeAllPasswordsForCentralId( $centralId ) {
378  if ( !$wgEnableBotPasswords ) {
379  return false;
380  }
382  $dbw = self::getDB( DB_MASTER );
383  $dbw->delete(
384  'bot_passwords',
385  [ 'bp_user' => $centralId ],
386  __METHOD__
387  );
388  return (bool)$dbw->affectedRows();
389  }
398  public static function login( $username, $password, WebRequest $request ) {
401  if ( !$wgEnableBotPasswords ) {
402  return Status::newFatal( 'botpasswords-disabled' );
403  }
406  $provider = $manager->getProvider( BotPasswordSessionProvider::class );
407  if ( !$provider ) {
408  return Status::newFatal( 'botpasswords-no-provider' );
409  }
411  // Split name into name+appId
412  $sep = self::getSeparator();
413  if ( strpos( $username, $sep ) === false ) {
414  return Status::newFatal( 'botpasswords-invalid-name', $sep );
415  }
416  list( $name, $appId ) = explode( $sep, $username, 2 );
418  // Find the named user
420  if ( !$user || $user->isAnon() ) {
421  return Status::newFatal( 'nosuchuser', $name );
422  }
424  // Get the bot password
425  $bp = self::newFromUser( $user, $appId );
426  if ( !$bp ) {
427  return Status::newFatal( 'botpasswords-not-exist', $name, $appId );
428  }
430  // Check restrictions
431  $status = $bp->getRestrictions()->check( $request );
432  if ( !$status->isOK() ) {
433  return Status::newFatal( 'botpasswords-restriction-failed' );
434  }
436  // Check the password
437  if ( !$bp->getPassword()->equals( $password ) ) {
438  return Status::newFatal( 'wrongpassword' );
439  }
441  // Ok! Create the session.
442  return Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) );
443  }
444 }
