3 * Utility class for bot passwords
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
21 use MediaWiki\Session\BotPasswordSessionProvider;
22 use Wikimedia\Rdbms\IMaintainableDatabase;
25 * Utility class for bot passwords
28 class BotPassword implements IDBAccessObject {
// Upper bound on the app ID length. newUnsaved() checks it with strlen(), i.e. as a byte count.
30 const APPID_MAXLENGTH = 32;
44 /** @var MWRestrictions */
45 private $restrictions;
// Read flags captured at construction; getPassword() reuses them for its own lookup.
51 private $flags = self::READ_NORMAL;
/**
 * Populate the object from a bot_passwords row.
 *
 * The constructor is protected; instances come from the static factories of this class.
 *
 * @param object $row bot_passwords database row
 * @param bool $isSaved Whether the bot password was read from the database
 * @param int $flags IDBAccessObject read flags
 */
protected function __construct( $row, $isSaved, $flags = self::READ_NORMAL ) {
	// Remember the read flags so later lookups on this object can reuse them.
	$this->flags = $flags;
	$this->isSaved = $isSaved;

	// Identity of the credential: central user ID (forced to int) plus app ID.
	$this->centralId = (int)$row->bp_user;
	$this->appId = $row->bp_app_id;
	$this->token = $row->bp_token;

	// Both policy columns hold JSON text and are decoded here.
	$this->restrictions = MWRestrictions::newFromJson( $row->bp_restrictions );
	// NOTE(review): the decoded grants value is stored without a type check in this
	// method - confirm every caller supplies a row whose bp_grants encodes an array.
	$this->grants = FormatJson::decode( $row->bp_grants );
}
/**
 * Get a database connection for the bot passwords database.
 *
 * An external cluster is used when $wgBotPasswordsCluster is set; otherwise the load
 * balancer for $wgBotPasswordsDatabase is used.
 *
 * @param int $db Index of the connection to get, e.g. DB_MASTER or DB_REPLICA.
 * @return IMaintainableDatabase
 */
public static function getDB( $db ) {
	global $wgBotPasswordsCluster, $wgBotPasswordsDatabase;

	if ( $wgBotPasswordsCluster ) {
		$loadBalancer = wfGetLBFactory()->getExternalLB( $wgBotPasswordsCluster );
	} else {
		$loadBalancer = wfGetLB( $wgBotPasswordsDatabase );
	}

	return $loadBalancer->getConnectionRef( $db, [], $wgBotPasswordsDatabase );
}
/**
 * Load a BotPassword from the database for a local user.
 *
 * @param User $user
 * @param string $appId
 * @param int $flags IDBAccessObject read flags
 * @return BotPassword|null Null when the user has no central ID or no matching row exists
 */
public static function newFromUser( User $user, $appId, $flags = self::READ_NORMAL ) {
	// NOTE(review): AUDIENCE_RAW is passed to the lookup; presumably that skips
	// per-viewer visibility filtering - confirm against CentralIdLookup.
	$lookup = CentralIdLookup::factory();
	$centralId = $lookup->centralIdFromLocalUser( $user, CentralIdLookup::AUDIENCE_RAW, $flags );

	if ( !$centralId ) {
		return null;
	}

	return self::newFromCentralId( $centralId, $appId, $flags );
}
// NOTE(review): this listing omits source lines 108-109, 114 and 117-119 (the body of the
// feature-flag guard, and the first and trailing selectRow() arguments). The comments
// below describe only what is visible.
98 * Load a BotPassword from the database
99 * @param int $centralId from CentralIdLookup
100 * @param string $appId
101 * @param int $flags IDBAccessObject read flags
102 * @return BotPassword|null
104 public static function newFromCentralId( $centralId, $appId, $flags = self::READ_NORMAL ) {
105 global $wgEnableBotPasswords;
// Feature switch checked before any database access (the guard's body is not shown).
107 if ( !$wgEnableBotPasswords ) {
// Translate the IDBAccessObject read flags into a connection index and query options.
111 list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $flags );
112 $db = self::getDB( $index );
113 $row = $db->selectRow(
// bp_password is not in the column list, so the stored hash is not held on the object;
// getPassword() fetches it separately when it is needed.
115 [ 'bp_user', 'bp_app_id', 'bp_token', 'bp_restrictions', 'bp_grants' ],
// Exact match on (central user ID, app ID), passed as a condition array rather than
// being concatenated into SQL text.
116 [ 'bp_user' => $centralId, 'bp_app_id' => $appId ],
// A missing row yields null; a found row is marked as saved.
120 return $row ? new self( $row, true, $flags ) : null;
// NOTE(review): this listing omits several source lines of the method (136-137, 144-146,
// 150-153, 159-160, 163, 167, 170, 172-174), including the start of the row literal and
// the bodies of the rejection branches. The comments below describe only what is visible.
124 * Create an unsaved BotPassword
125 * @param array $data Data to use to create the bot password. Keys are:
126 * - user: (User) User object to create the password for. Overrides username and centralId.
127 * - username: (string) Username to create the password for. Overrides centralId.
128 * - centralId: (int) User central ID to create the password for.
129 * - appId: (string) App ID for the password.
130 * - restrictions: (MWRestrictions, optional) Restrictions.
131 * - grants: (string[], optional) Grants.
132 * @param int $flags IDBAccessObject read flags
133 * @return BotPassword|null
135 public static function newUnsaved( array $data, $flags = self::READ_NORMAL ) {
// The app ID is trimmed before validation; a missing key becomes the empty string.
138 'bp_app_id' => isset( $data['appId'] ) ? trim( $data['appId'] ) : '',
// Placeholder token; save() writes a random one and reads it back.
139 'bp_token' => '**unsaved**',
// Omitted restrictions and grants fall back to MWRestrictions::newDefault() and an empty grant list.
140 'bp_restrictions' => isset( $data['restrictions'] )
141 ? $data['restrictions']
142 : MWRestrictions::newDefault(),
143 'bp_grants' => isset( $data['grants'] ) ? $data['grants'] : [],
// Input validation: a non-empty app ID of at most APPID_MAXLENGTH bytes (strlen counts bytes),
// an MWRestrictions object and an array of grants. The enclosing `if` and what it returns
// are not shown; @return documents null as the failure value.
// NOTE(review): the individual grant names are not validated in the visible lines -
// confirm that callers or the grant machinery reject unknown names.
147 $row->bp_app_id === '' || strlen( $row->bp_app_id ) > self::APPID_MAXLENGTH ||
148 !$row->bp_restrictions instanceof MWRestrictions ||
149 !is_array( $row->bp_grants )
// Serialise both policy values to the JSON form the constructor decodes.
154 $row->bp_restrictions = $row->bp_restrictions->toJson();
155 $row->bp_grants = FormatJson::encode( $row->bp_grants );
// Owner resolution, in documented precedence order: user object, then username, then centralId.
157 if ( isset( $data['user'] ) ) {
158 if ( !$data['user'] instanceof User ) {
161 $row->bp_user = CentralIdLookup::factory()->centralIdFromLocalUser(
162 $data['user'], CentralIdLookup::AUDIENCE_RAW, $flags
164 } elseif ( isset( $data['username'] ) ) {
165 $row->bp_user = CentralIdLookup::factory()->centralIdFromName(
166 $data['username'], CentralIdLookup::AUDIENCE_RAW, $flags
168 } elseif ( isset( $data['centralId'] ) ) {
// A caller-supplied central ID is taken as given; no lookup confirms that it exists.
169 $row->bp_user = $data['centralId'];
// A falsy owner ID (failed lookup, or nothing supplied) is rejected; the branch body is not shown.
171 if ( !$row->bp_user ) {
// Second argument false: the object is marked as not yet saved.
175 return new self( $row, false, $flags );
/**
 * Indicate whether this is known to be saved.
 *
 * The flag is set by the constructor and updated by save() and delete().
 *
 * @return bool
 */
public function isSaved() {
	return $this->isSaved;
}
/**
 * Get the central user ID.
 *
 * @return int The value the constructor cast from bp_user
 */
public function getUserCentralId() {
	return $this->centralId;
}
// NOTE(review): the body of this method is missing from the listing; presumably it returns
// the app ID assigned in the constructor - confirm against the full file.
198 public function getAppId() {
// NOTE(review): the body of this method is missing from the listing. The constructor fills
// $this->token from bp_token and save() replaces that column with fresh random hex on each
// write; what consumes the token is not visible here.
206 public function getToken() {
/**
 * Get the restrictions.
 *
 * login() checks the incoming request against this object before the password is verified.
 *
 * @return MWRestrictions
 */
public function getRestrictions() {
	return $this->restrictions;
}
/**
 * Get the grants.
 *
 * Returns whatever the constructor decoded from the row's bp_grants JSON.
 * NOTE(review): presumably a string[] of grant names, as newUnsaved() documents - confirm.
 *
 * @return mixed
 */
public function getGrants() {
	return $this->grants;
}
/**
 * Get the separator for combined user name + app ID.
 *
 * The value is taken from $wgUserrightsInterwikiDelimiter, so bot logins share the
 * delimiter configured there.
 *
 * @return string
 */
public static function getSeparator() {
	global $wgUserrightsInterwikiDelimiter;

	return $wgUserrightsInterwikiDelimiter;
}
// Fetch the stored password for this (central ID, app ID) pair and wrap it in a Password object.
// Both visible failure paths return an InvalidPassword object: the lookup returning false, and
// a PasswordError raised while parsing the stored value.
// NOTE(review): this listing omits source lines 243-244, 246-248, 251 and 255 (the first and
// trailing selectField() arguments and the opening of the try block).
239 protected function getPassword() {
// Uses the read flags captured at construction, so the caller's consistency level is honoured.
240 list( $index, $options ) = DBAccessObjectUtils::getDBOptions( $this->flags );
241 $db = self::getDB( $index );
242 $password = $db->selectField(
245 [ 'bp_user' => $this->centralId, 'bp_app_id' => $this->appId ],
// false from selectField() is treated as "no usable password".
249 if ( $password === false ) {
250 return PasswordFactory::newInvalidPassword();
// The factory is initialised from the main request context's configuration.
253 $passwordFactory = new \PasswordFactory();
254 $passwordFactory->init( \RequestContext::getMain()->getConfig() );
256 return $passwordFactory->newFromCiphertext( $password );
// A stored value the factory cannot parse degrades to an invalid password instead of propagating.
257 } catch ( PasswordError $ex ) {
258 return PasswordFactory::newInvalidPassword();
/**
 * Whether the password is currently invalid.
 *
 * Each call goes through getPassword(), which queries the database.
 *
 * @return bool
 */
public function isInvalid() {
	$current = $this->getPassword();

	return $current instanceof InvalidPassword;
}
// NOTE(review): this listing omits many source lines of the method (278, 281-282, 286-287,
// 292-293, 296, 298-300, 302-306, 308, 311-314), including the array openers, the switch
// case labels and the final return. The comments below describe only what is visible.
272 * Save the BotPassword to the database
273 * @param string $operation 'update' or 'insert'
274 * @param Password|null $password Password to set.
275 * @return bool Success
277 public function save( $operation, Password $password = null ) {
// Row key: (central user ID, app ID).
279 'bp_user' => $this->centralId,
280 'bp_app_id' => $this->appId,
// A new random hex token is generated on every call, for insert and update alike.
// NOTE(review): presumably this rotation is what ends sessions bound to the old token -
// confirm against BotPasswordSessionProvider.
283 'bp_token' => MWCryptRand::generateHex( User::TOKEN_LENGTH ),
284 'bp_restrictions' => $this->restrictions->toJson(),
285 'bp_grants' => FormatJson::encode( $this->grants ),
// Password handling: an explicit Password is stored via toString(); an insert without one
// stores the invalid-password placeholder. In the visible lines, an update without a password
// does not set bp_password at all.
288 if ( $password !== null ) {
289 $fields['bp_password'] = $password->toString();
290 } elseif ( $operation === 'insert' ) {
291 $fields['bp_password'] = PasswordFactory::newInvalidPassword()->toString();
294 $dbw = self::getDB( DB_MASTER );
295 switch ( $operation ) {
// IGNORE: an insert that collides with an existing row is skipped silently; the
// affectedRows() check below is how that case is detected.
297 $dbw->insert( 'bot_passwords', $fields + $conds, __METHOD__, [ 'IGNORE' ] );
301 $dbw->update( 'bot_passwords', $fields, $conds, __METHOD__ );
// Success means at least one row was written.
307 $ok = (bool)$dbw->affectedRows();
// The token is re-read from the master, so the object holds the value actually stored.
309 $this->token = $dbw->selectField( 'bot_passwords', 'bp_token', $conds, __METHOD__ );
310 $this->isSaved = true;
// NOTE(review): this listing omits source lines 320, 323, 327 and 330-332 (the array opener
// and closer, the success guard and the final return).
316 * Delete the BotPassword from the database
317 * @return bool Success
319 public function delete() {
// Row key: (central user ID, app ID); only this one credential is removed.
321 'bp_user' => $this->centralId,
322 'bp_app_id' => $this->appId,
324 $dbw = self::getDB( DB_MASTER );
325 $dbw->delete( 'bot_passwords', $conds, __METHOD__ );
// Success means a row was actually removed.
326 $ok = (bool)$dbw->affectedRows();
// The in-memory object is reset to the same placeholder token newUnsaved() uses.
// NOTE(review): whether sessions created from this bot password end at this point is not
// visible in this method - confirm in the session provider.
328 $this->token = '**unsaved**';
329 $this->isSaved = false;
/**
 * Invalidate all passwords for a user, by name.
 *
 * The central ID is looked up with READ_LATEST before delegating to
 * invalidateAllPasswordsForCentralId().
 *
 * @param string $username User name
 * @return bool Whether any passwords were invalidated
 */
public static function invalidateAllPasswordsForUser( $username ) {
	$lookup = CentralIdLookup::factory();
	$centralId = $lookup->centralIdFromName(
		$username,
		CentralIdLookup::AUDIENCE_RAW,
		CentralIdLookup::READ_LATEST
	);

	// An unknown name is reported as "nothing invalidated".
	if ( !$centralId ) {
		return false;
	}

	return (bool)self::invalidateAllPasswordsForCentralId( $centralId );
}
// NOTE(review): this listing omits source lines 355-356, 359-360 and 363-364 (the body of the
// feature-flag guard, the opening of the database call with its table argument, and its
// trailing arguments).
347 * Invalidate all passwords for a user, by central ID
348 * @param int $centralId
349 * @return bool Whether any passwords were invalidated
351 public static function invalidateAllPasswordsForCentralId( $centralId ) {
352 global $wgEnableBotPasswords;
// With the feature disabled nothing is written (the guard's body is not shown).
354 if ( !$wgEnableBotPasswords ) {
358 $dbw = self::getDB( DB_MASTER );
// Every row of the user has its stored password replaced by the invalid-password placeholder.
// The rows themselves, and their restrictions and grants, are kept.
// NOTE(review): bp_password is the only column in the visible SET list and bp_token is not
// rotated here - confirm separately whether sessions already established are ended.
361 [ 'bp_password' => PasswordFactory::newInvalidPassword()->toString() ],
362 [ 'bp_user' => $centralId ],
365 return (bool)$dbw->affectedRows();
/**
 * Remove all passwords for a user, by name.
 *
 * The central ID is looked up with READ_LATEST before delegating to
 * removeAllPasswordsForCentralId().
 *
 * @param string $username User name
 * @return bool Whether any passwords were removed
 */
public static function removeAllPasswordsForUser( $username ) {
	$lookup = CentralIdLookup::factory();
	$centralId = $lookup->centralIdFromName(
		$username,
		CentralIdLookup::AUDIENCE_RAW,
		CentralIdLookup::READ_LATEST
	);

	// An unknown name is reported as "nothing removed".
	if ( !$centralId ) {
		return false;
	}

	return (bool)self::removeAllPasswordsForCentralId( $centralId );
}
// NOTE(review): this listing omits source lines 389-390, 393-394 and 396-397 (the body of the
// feature-flag guard, the opening of the database call with its table argument, and its
// trailing arguments).
381 * Remove all passwords for a user, by central ID
382 * @param int $centralId
383 * @return bool Whether any passwords were removed
385 public static function removeAllPasswordsForCentralId( $centralId ) {
386 global $wgEnableBotPasswords;
// With the feature disabled nothing is touched (the guard's body is not shown).
388 if ( !$wgEnableBotPasswords ) {
392 $dbw = self::getDB( DB_MASTER );
// The condition is the central user ID alone, so it covers every app ID of that user.
395 [ 'bp_user' => $centralId ],
398 return (bool)$dbw->affectedRows();
/**
 * Returns a (raw, unhashed) random password string.
 *
 * The length is MinimalPasswordLength from the given config, and never less than 32.
 * The returned value is the plaintext secret. Nothing in this method hashes or stores it,
 * so the caller decides where it goes.
 *
 * @param Config $config
 * @return string
 */
public static function generatePassword( $config ) {
	$length = max( 32, $config->get( 'MinimalPasswordLength' ) );

	return PasswordFactory::generateRandomPasswordString( $length );
}
/**
 * There are two ways to login with a bot password: "username@appId", "password" and
 * "username", "appId@password". Transform it so it is always in the first form.
 *
 * Returns [bot username, bot password, could be normal password?]. The last element is a
 * flag meaning the pair could be either a bot password or a normal password; it cannot be
 * decided for certain (although in such cases it almost always will be a bot password).
 * Returns false if this cannot be a bot password login.
 *
 * This method only classifies the shape of the input; it does not verify the credential.
 *
 * @param string $username
 * @param string $password
 * @return array|false
 */
public static function canonicalizeLoginData( $username, $password ) {
	$sep = self::getSeparator();
	$tokenPattern = '/^[0-9a-w]{32,}$/';
	// Checking the length first helps minimize the password information obtainable from timing.
	$passwordLength = strlen( $password );

	if ( $passwordLength >= 32 && strpos( $username, $sep ) !== false ) {
		// First form. The separator is not valid in new usernames but might appear in
		// legacy ones, so the password must still look like a generated token.
		return preg_match( $tokenPattern, $password )
			? [ $username, $password, true ]
			: false;
	}

	if ( $passwordLength > 32 && strpos( $password, $sep ) !== false ) {
		// Second form: the text after the last separator is the password, and everything
		// before it is the app ID, which may itself contain the separator.
		$parts = explode( $sep, $password );
		$candidate = array_pop( $parts );
		if ( preg_match( $tokenPattern, $candidate ) ) {
			return [ $username . $sep . implode( $sep, $parts ), $candidate, true ];
		}
	}

	return false;
}
// NOTE(review): this listing omits several source lines of the method (453, 457, 459, 465,
// 472, 476-479, 484, 486, 489-490, 494, 496, 502, 508, 511, 514, 516), including the
// conditions guarding the provider check, the throttle result, the missing-bot-password branch
// and the throttle reset. The comments below describe only what is visible.
//
// Order of checks as shown: feature switch, session provider, name split, user lookup, lock
// check, throttle, bot password lookup, restrictions, password.
// Each failure returns its own message key (nosuchuser, botpasswords-locked,
// botpasswords-not-exist, botpasswords-needs-reset, wrongpassword, ...). A front end that
// relays these keys verbatim tells the client which step failed.
442 * Try to log the user in
443 * @param string $username Combined user name and app ID
444 * @param string $password Supplied password
445 * @param WebRequest $request
446 * @return Status On success, the good status's value is the new Session object
448 public static function login( $username, $password, WebRequest $request ) {
449 global $wgEnableBotPasswords, $wgPasswordAttemptThrottle;
451 if ( !$wgEnableBotPasswords ) {
452 return Status::newFatal( 'botpasswords-disabled' );
// The session is created by the BotPasswordSessionProvider registered with the session manager.
455 $manager = MediaWiki\Session\SessionManager::singleton();
456 $provider = $manager->getProvider( BotPasswordSessionProvider::class );
458 return Status::newFatal( 'botpasswords-no-provider' );
461 // Split name into name+appId
462 $sep = self::getSeparator();
463 if ( strpos( $username, $sep ) === false ) {
464 return Status::newFatal( 'botpasswords-invalid-name', $sep );
// Split on the first separator only; any later separator stays inside the app ID.
466 list( $name, $appId ) = explode( $sep, $username, 2 );
468 // Find the named user
469 $user = User::newFromName( $name );
470 if ( !$user || $user->isAnon() ) {
471 return Status::newFatal( 'nosuchuser', $name );
// Locked accounts are refused before the throttle and before any password work.
474 if ( $user->isLocked() ) {
475 return Status::newFatal( 'botpasswords-locked' );
// Attempt throttling, active only when $wgPasswordAttemptThrottle is non-empty. The counter is
// keyed on the canonical user name plus the request IP, and is increased before the bot
// password lookup and the password check.
// Requests rejected by the user lookup or the lock check above return before the throttle is touched.
480 if ( !empty( $wgPasswordAttemptThrottle ) ) {
481 $throttle = new MediaWiki\Auth\Throttler( $wgPasswordAttemptThrottle, [
482 'type' => 'botpassword',
483 'cache' => ObjectCache::getLocalClusterInstance(),
485 $result = $throttle->increase( $user->getName(), $request->getIP(), __METHOD__ );
487 $msg = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
488 return Status::newFatal( $msg );
492 // Get the bot password
493 $bp = self::newFromUser( $user, $appId );
495 return Status::newFatal( 'botpasswords-not-exist', $name, $appId );
498 // Check restrictions
// The detailed restriction status is dropped and a single generic failure is returned.
499 $status = $bp->getRestrictions()->check( $request );
500 if ( !$status->isOK() ) {
501 return Status::newFatal( 'botpasswords-restriction-failed' );
504 // Check the password
505 $passwordObj = $bp->getPassword();
// An invalidated password yields a "needs reset" failure, distinct from a wrong password.
506 if ( $passwordObj instanceof InvalidPassword ) {
507 return Status::newFatal( 'botpasswords-needs-reset', $name, $appId );
// The comparison is delegated to the Password object.
// NOTE(review): whether equals() compares in constant time is not visible here - confirm in
// the Password implementation.
509 if ( !$passwordObj->equals( $password ) ) {
510 return Status::newFatal( 'wrongpassword' );
513 // Ok! Create the session.
// The throttle counter for this user/IP pair is cleared on success.
// NOTE(review): $throttle is only assigned inside the throttle-enabled branch in the visible
// lines - confirm that the omitted lines initialise it and guard this call when throttling is off.
515 $throttle->clear( $user->getName(), $request->getIP() );
517 return Status::newGood( $provider->newSessionForRequest( $user, $bp, $request ) );