f60fd42b33
* Use PSR-3 templates and context where applicable * Add log coverage for exceptional events Bug: T125452 Change-Id: I8f96fa1c5766c739a21219abcae2dbb76de53e2a
185 lines
5.2 KiB
PHP
185 lines
5.2 KiB
PHP
<?php
|
|
/**
|
|
* Session provider for bot passwords
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*
|
|
* @file
|
|
* @ingroup Session
|
|
*/
|
|
|
|
namespace MediaWiki\Session;
|
|
|
|
use BotPassword;
|
|
use User;
|
|
use WebRequest;
|
|
|
|
/**
|
|
* Session provider for bot passwords
|
|
* @since 1.27
|
|
*/
|
|
class BotPasswordSessionProvider extends ImmutableSessionProviderWithCookie {
|
|
|
|
/**
|
|
* @param array $params Keys include:
|
|
* - priority: (required) Set the priority
|
|
* - sessionCookieName: Session cookie name. Default is '_BPsession'.
|
|
* - sessionCookieOptions: Options to pass to WebResponse::setCookie().
|
|
*/
|
|
public function __construct( array $params = array() ) {
|
|
if ( !isset( $params['sessionCookieName'] ) ) {
|
|
$params['sessionCookieName'] = '_BPsession';
|
|
}
|
|
parent::__construct( $params );
|
|
|
|
if ( !isset( $params['priority'] ) ) {
|
|
throw new \InvalidArgumentException( __METHOD__ . ': priority must be specified' );
|
|
}
|
|
if ( $params['priority'] < SessionInfo::MIN_PRIORITY ||
|
|
$params['priority'] > SessionInfo::MAX_PRIORITY
|
|
) {
|
|
throw new \InvalidArgumentException( __METHOD__ . ': Invalid priority' );
|
|
}
|
|
|
|
$this->priority = $params['priority'];
|
|
}
|
|
|
|
public function provideSessionInfo( WebRequest $request ) {
|
|
// Only relevant for the API
|
|
if ( !defined( 'MW_API' ) ) {
|
|
return null;
|
|
}
|
|
|
|
// Enabled?
|
|
if ( !$this->config->get( 'EnableBotPasswords' ) ) {
|
|
return null;
|
|
}
|
|
|
|
// Have a session ID?
|
|
$id = $this->getSessionIdFromCookie( $request );
|
|
if ( $id === null ) {
|
|
return null;
|
|
}
|
|
|
|
return new SessionInfo( $this->priority, array(
|
|
'provider' => $this,
|
|
'id' => $id,
|
|
'persisted' => true
|
|
) );
|
|
}
|
|
|
|
public function newSessionInfo( $id = null ) {
|
|
// We don't activate by default
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Create a new session for a request
|
|
* @param User $user
|
|
* @param BotPassword $bp
|
|
* @param WebRequest $request
|
|
* @return Session
|
|
*/
|
|
public function newSessionForRequest( User $user, BotPassword $bp, WebRequest $request ) {
|
|
$id = $this->getSessionIdFromCookie( $request );
|
|
$info = new SessionInfo( SessionInfo::MAX_PRIORITY, array(
|
|
'provider' => $this,
|
|
'id' => $id,
|
|
'userInfo' => UserInfo::newFromUser( $user, true ),
|
|
'persisted' => $id !== null,
|
|
'metadata' => array(
|
|
'centralId' => $bp->getUserCentralId(),
|
|
'appId' => $bp->getAppId(),
|
|
'token' => $bp->getToken(),
|
|
'rights' => \MWGrants::getGrantRights( $bp->getGrants() ),
|
|
),
|
|
) );
|
|
$session = $this->getManager()->getSessionFromInfo( $info, $request );
|
|
$session->persist();
|
|
return $session;
|
|
}
|
|
|
|
public function refreshSessionInfo( SessionInfo $info, WebRequest $request, &$metadata ) {
|
|
$missingKeys = array_diff(
|
|
array( 'centralId', 'appId', 'token' ),
|
|
array_keys( $metadata )
|
|
);
|
|
if ( $missingKeys ) {
|
|
$this->logger->info( 'Session "{session}": Missing metadata: {missing}', array(
|
|
'session' => $info,
|
|
'missing' => join( ', ', $missingKeys ),
|
|
) );
|
|
return false;
|
|
}
|
|
|
|
$bp = BotPassword::newFromCentralId( $metadata['centralId'], $metadata['appId'] );
|
|
if ( !$bp ) {
|
|
$this->logger->info(
|
|
'Session "{session}": No BotPassword for {centralId} {appId}',
|
|
array(
|
|
'session' => $info,
|
|
'centralId' => $metadata['centralId'],
|
|
'appId' => $metadata['appId'],
|
|
) );
|
|
return false;
|
|
}
|
|
|
|
if ( !hash_equals( $metadata['token'], $bp->getToken() ) ) {
|
|
$this->logger->info( 'Session "{session}": BotPassword token check failed', array(
|
|
'session' => $info,
|
|
'centralId' => $metadata['centralId'],
|
|
'appId' => $metadata['appId'],
|
|
) );
|
|
return false;
|
|
}
|
|
|
|
$status = $bp->getRestrictions()->check( $request );
|
|
if ( !$status->isOk() ) {
|
|
$this->logger->info(
|
|
'Session "{session}": Restrictions check failed',
|
|
array(
|
|
'session' => $info,
|
|
'restrictions' => $status->getValue(),
|
|
'centralId' => $metadata['centralId'],
|
|
'appId' => $metadata['appId'],
|
|
) );
|
|
return false;
|
|
}
|
|
|
|
// Update saved rights
|
|
$metadata['rights'] = \MWGrants::getGrantRights( $bp->getGrants() );
|
|
|
|
return true;
|
|
}
|
|
|
|
public function preventSessionsForUser( $username ) {
|
|
BotPassword::removeAllPasswordsForUser( $username );
|
|
}
|
|
|
|
public function getAllowedUserRights( SessionBackend $backend ) {
|
|
if ( $backend->getProvider() !== $this ) {
|
|
throw new InvalidArgumentException( 'Backend\'s provider isn\'t $this' );
|
|
}
|
|
$data = $backend->getProviderMetadata();
|
|
if ( $data ) {
|
|
return $data['rights'];
|
|
}
|
|
|
|
// Should never happen
|
|
$this->logger->debug( __METHOD__ . ': No provider metadata, returning no rights allowed' );
|
|
return array();
|
|
}
|
|
}
|