<?php
/**
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @ingroup Auth
 */

namespace MediaWiki\Auth;

use MediaWiki\MainConfigNames;
use MediaWiki\Password\Password;
use MediaWiki\Password\PasswordError;
use MediaWiki\Password\PasswordFactory;
use MediaWiki\SpecialPage\SpecialPage;
use MediaWiki\Status\Status;
use MediaWiki\User\User;
use Wikimedia\Assert\Assert;

/**
 * Basic framework for a primary authentication provider that uses passwords
 *
 * @stable to extend
 * @ingroup Auth
 * @since 1.27
 */
abstract class AbstractPasswordPrimaryAuthenticationProvider
	extends AbstractPrimaryAuthenticationProvider
{
	/** @var bool Whether this provider should ABSTAIN (false) or FAIL (true) on password failure */
	protected $authoritative;

	/** @var PasswordFactory|null */
	private $passwordFactory = null;

	/**
	 * @stable to call
	 * @param array $params Settings
	 *  - authoritative: Whether this provider should ABSTAIN (false) or FAIL
	 *    (true) on password failure
	 */
	public function __construct( array $params = [] ) {
		$this->authoritative = !isset( $params['authoritative'] ) || (bool)$params['authoritative'];
	}

	/**
	 * @return PasswordFactory
	 */
	protected function getPasswordFactory() {
		if ( $this->passwordFactory === null ) {
			$this->passwordFactory = new PasswordFactory(
				$this->config->get( MainConfigNames::PasswordConfig ),
				$this->config->get( MainConfigNames::PasswordDefault )
			);
		}
		return $this->passwordFactory;
	}

	/**
	 * Get a Password object from the hash
	 * @param string $hash
	 * @return Password
	 */
	protected function getPassword( $hash ) {
		$passwordFactory = $this->getPasswordFactory();
		try {
			return $passwordFactory->newFromCiphertext( $hash );
		} catch ( PasswordError $e ) {
			$class = static::class;
			$this->logger->debug( "Invalid password hash in {$class}::getPassword()" );
			return $passwordFactory->newFromCiphertext( null );
		}
	}

	/**
	 * Return the appropriate response for failure
	 * @param PasswordAuthenticationRequest $req
	 * @return AuthenticationResponse
	 */
	protected function failResponse( PasswordAuthenticationRequest $req ) {
		if ( $this->authoritative ) {
			return AuthenticationResponse::newFail(
				wfMessage( $req->password === '' ? 'wrongpasswordempty' : 'wrongpassword' )
			);
		} else {
			return AuthenticationResponse::newAbstain();
		}
	}

	/**
	 * Check that the password is valid
	 *
	 * This should be called *before* validating the password. If the result is
	 * not ok, login should fail immediately.
	 *
	 * @param string $username
	 * @param string $password
	 * @return Status
	 */
	protected function checkPasswordValidity( $username, $password ) {
		return User::newFromName( $username )->checkPasswordValidity( $password );
	}

	/**
	 * Adds user-friendly description to a fatal password validity check error.
	 * These errors prevent login even when the password is correct, so just displaying the
	 * description of the error would be somewhat confusing.
	 * @param string $username
	 * @param Status $status The status returned by checkPasswordValidity(); must be a fatal.
	 * @return AuthenticationResponse A FAIL response with an improved description.
	 */
	protected function getFatalPasswordErrorResponse(
		string $username,
		Status $status
	): AuthenticationResponse {
		Assert::precondition( !$status->isOK(), __METHOD__ . ' expects a fatal Status' );
		$resetLinkUrl = SpecialPage::getTitleFor( 'PasswordReset' )
			->getFullURL( [ 'wpUsername' => $username ] );
		return AuthenticationResponse::newFail( wfMessage( 'fatalpassworderror',
			$status->getMessage(), $resetLinkUrl ) );
	}

	/**
	 * Check if the password should be reset
	 *
	 * This should be called after a successful login. It sets 'reset-pass'
	 * authentication data if necessary, see
	 * ResetPassSecondaryAuthenticationProvider.
	 *
	 * @param string $username
	 * @param Status $status From $this->checkPasswordValidity()
	 * @param \stdClass|null $data Passed through to $this->getPasswordResetData()
	 */
	protected function setPasswordResetFlag( $username, Status $status, $data = null ) {
		$reset = $this->getPasswordResetData( $username, $data );

		if ( !$reset && $this->config->get( MainConfigNames::InvalidPasswordReset ) &&
		!$status->isGood() ) {
			$hard = $status->getValue()['forceChange'] ?? false;

			if ( $hard || !empty( $status->getValue()['suggestChangeOnLogin'] ) ) {
				$reset = (object)[
					'msg' => $status->getMessage( $hard ? 'resetpass-validity' : 'resetpass-validity-soft' ),
					'hard' => $hard,
				];
			}
		}

		if ( $reset ) {
			$this->manager->setAuthenticationSessionData( 'reset-pass', $reset );
		}
	}

	/**
	 * Get password reset data, if any
	 *
	 * @stable to override
	 * @param string $username
	 * @param \stdClass|null $data
	 * @return \stdClass|null { 'hard' => bool, 'msg' => Message }
	 */
	protected function getPasswordResetData( $username, $data ) {
		return null;
	}

	/**
	 * Get expiration date for a new password, if any
	 *
	 * @stable to override
	 * @param string $username
	 * @return string|null
	 */
	protected function getNewPasswordExpiry( $username ) {
		$days = $this->config->get( MainConfigNames::PasswordExpirationDays );
		$expires = $days ? wfTimestamp( TS_MW, time() + $days * 86400 ) : null;

		// Give extensions a chance to force an expiration
		$this->getHookRunner()->onResetPasswordExpiration(
			User::newFromName( $username ), $expires );

		return $expires;
	}

	/**
	 * @stable to override
	 * @param string $action
	 * @param array $options
	 *
	 * @return AuthenticationRequest[]
	 */
	public function getAuthenticationRequests( $action, array $options ) {
		switch ( $action ) {
			case AuthManager::ACTION_LOGIN:
			case AuthManager::ACTION_REMOVE:
			case AuthManager::ACTION_CREATE:
			case AuthManager::ACTION_CHANGE:
				return [ new PasswordAuthenticationRequest() ];
			default:
				return [];
		}
	}
}