3 * Copyright © 2016 Wikimedia Foundation and contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
24 use MediaWiki\Auth\AuthManager;
25 use MediaWiki\Auth\AuthenticationRequest;
26 use MediaWiki\Auth\AuthenticationResponse;
27 use MediaWiki\Auth\CreateFromLoginAuthenticationRequest;
28 use MediaWiki\Logger\LoggerFactory;
31 * Helper class for AuthManager-using API modules. Intended for use via
36 class ApiAuthManagerHelper {
38 /** @var ApiBase API module, for context and parameters */
41 /** @var string Message output format */
42 private $messageFormat;
45 * @param ApiBase $module API module, for context and parameters
47 public function __construct( ApiBase $module ) {
48 $this->module = $module;
50 $params = $module->extractRequestParams();
51 $this->messageFormat = isset( $params['messageformat'] ) ? $params['messageformat'] : 'wikitext';
55 * Static version of the constructor, for chaining
56 * @param ApiBase $module API module, for context and parameters
57 * @return ApiAuthManagerHelper
59 public static function newForModule( ApiBase $module ) {
60 return new self( $module );
64 * Format a message for output
65 * @param array &$res Result array
66 * @param string $key Result key
67 * @param Message $message
69 private function formatMessage( array &$res, $key, Message $message ) {
70 switch ( $this->messageFormat ) {
75 $res[$key] = $message->setContext( $this->module )->text();
79 $res[$key] = $message->setContext( $this->module )->parseAsBlock();
80 $res[$key] = Parser::stripOuterParagraph( $res[$key] );
85 'key' => $message->getKey(),
86 'params' => $message->getParams(),
88 ApiResult::setIndexedTagName( $res[$key]['params'], 'param' );
94 * Call $manager->securitySensitiveOperationStatus()
95 * @param string $operation Operation being checked.
96 * @throws ApiUsageException
98 public function securitySensitiveOperation( $operation ) {
99 $status = AuthManager::singleton()->securitySensitiveOperationStatus( $operation );
101 case AuthManager::SEC_OK:
104 case AuthManager::SEC_REAUTH:
105 $this->module->dieWithError( 'apierror-reauthenticate' );
107 case AuthManager::SEC_FAIL:
108 $this->module->dieWithError( 'apierror-cannotreauthenticate' );
111 throw new UnexpectedValueException( "Unknown status \"$status\"" );
116 * Filter out authentication requests by class name
117 * @param AuthenticationRequest[] $reqs Requests to filter
118 * @param string[] $blacklist Class names to remove
119 * @return AuthenticationRequest[]
121 public static function blacklistAuthenticationRequests( array $reqs, array $blacklist ) {
123 $blacklist = array_flip( $blacklist );
124 $reqs = array_filter( $reqs, function ( $req ) use ( $blacklist ) {
125 return !isset( $blacklist[get_class( $req )] );
132 * Fetch and load the AuthenticationRequests for an action
133 * @param string $action One of the AuthManager::ACTION_* constants
134 * @return AuthenticationRequest[]
136 public function loadAuthenticationRequests( $action ) {
137 $params = $this->module->extractRequestParams();
139 $manager = AuthManager::singleton();
140 $reqs = $manager->getAuthenticationRequests( $action, $this->module->getUser() );
142 // Filter requests, if requested to do so
143 $wantedRequests = null;
144 if ( isset( $params['requests'] ) ) {
145 $wantedRequests = array_flip( $params['requests'] );
146 } elseif ( isset( $params['request'] ) ) {
147 $wantedRequests = [ $params['request'] => true ];
149 if ( $wantedRequests !== null ) {
150 $reqs = array_filter( $reqs, function ( $req ) use ( $wantedRequests ) {
151 return isset( $wantedRequests[$req->getUniqueId()] );
155 // Collect the fields for all the requests
158 foreach ( $reqs as $req ) {
159 $info = (array)$req->getFieldInfo();
161 $sensitive += array_filter( $info, function ( $opts ) {
162 return !empty( $opts['sensitive'] );
166 // Extract the request data for the fields and mark those request
167 // parameters as used
168 $data = array_intersect_key( $this->module->getRequest()->getValues(), $fields );
169 $this->module->getMain()->markParamsUsed( array_keys( $data ) );
172 $this->module->getMain()->markParamsSensitive( array_keys( $sensitive ) );
173 $this->module->requirePostedParameters( array_keys( $sensitive ), 'noprefix' );
176 return AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
180 * Format an AuthenticationResponse for return
181 * @param AuthenticationResponse $res
184 public function formatAuthenticationResponse( AuthenticationResponse $res ) {
186 'status' => $res->status,
189 if ( $res->status === AuthenticationResponse::PASS && $res->username !== null ) {
190 $ret['username'] = $res->username;
193 if ( $res->status === AuthenticationResponse::REDIRECT ) {
194 $ret['redirecttarget'] = $res->redirectTarget;
195 if ( $res->redirectApiData !== null ) {
196 $ret['redirectdata'] = $res->redirectApiData;
200 if ( $res->status === AuthenticationResponse::REDIRECT ||
201 $res->status === AuthenticationResponse::UI ||
202 $res->status === AuthenticationResponse::RESTART
204 $ret += $this->formatRequests( $res->neededRequests );
207 if ( $res->status === AuthenticationResponse::FAIL ||
208 $res->status === AuthenticationResponse::UI ||
209 $res->status === AuthenticationResponse::RESTART
211 $this->formatMessage( $ret, 'message', $res->message );
212 $ret['messagecode'] = ApiMessage::create( $res->message )->getApiCode();
215 if ( $res->status === AuthenticationResponse::FAIL ||
216 $res->status === AuthenticationResponse::RESTART
218 $this->module->getRequest()->getSession()->set(
219 'ApiAuthManagerHelper::createRequest',
222 $ret['canpreservestate'] = $res->createRequest !== null;
224 $this->module->getRequest()->getSession()->remove( 'ApiAuthManagerHelper::createRequest' );
231 * Logs successful or failed authentication.
232 * @param string $event Event type (e.g. 'accountcreation')
233 * @param string|AuthenticationResponse $result Response or error message
235 public function logAuthenticationResult( $event, $result ) {
236 if ( is_string( $result ) ) {
237 $status = Status::newFatal( $result );
238 } elseif ( $result->status === AuthenticationResponse::PASS ) {
239 $status = Status::newGood();
240 } elseif ( $result->status === AuthenticationResponse::FAIL ) {
241 $status = Status::newFatal( $result->message );
246 $module = $this->module->getModuleName();
247 LoggerFactory::getInstance( 'authevents' )->info( "$module API attempt", [
255 * Fetch the preserved CreateFromLoginAuthenticationRequest, if any
256 * @return CreateFromLoginAuthenticationRequest|null
258 public function getPreservedRequest() {
259 $ret = $this->module->getRequest()->getSession()->get( 'ApiAuthManagerHelper::createRequest' );
260 return $ret instanceof CreateFromLoginAuthenticationRequest ? $ret : null;
264 * Format an array of AuthenticationRequests for return
265 * @param AuthenticationRequest[] $reqs
266 * @return array Will have a 'requests' key, and also 'fields' if $module's
267 * params include 'mergerequestfields'.
269 public function formatRequests( array $reqs ) {
270 $params = $this->module->extractRequestParams();
271 $mergeFields = !empty( $params['mergerequestfields'] );
273 $ret = [ 'requests' => [] ];
274 foreach ( $reqs as $req ) {
275 $describe = $req->describeCredentials();
277 'id' => $req->getUniqueId(),
278 'metadata' => $req->getMetadata() + [ ApiResult::META_TYPE => 'assoc' ],
280 switch ( $req->required ) {
281 case AuthenticationRequest::OPTIONAL:
282 $reqInfo['required'] = 'optional';
284 case AuthenticationRequest::REQUIRED:
285 $reqInfo['required'] = 'required';
287 case AuthenticationRequest::PRIMARY_REQUIRED:
288 $reqInfo['required'] = 'primary-required';
291 $this->formatMessage( $reqInfo, 'provider', $describe['provider'] );
292 $this->formatMessage( $reqInfo, 'account', $describe['account'] );
293 if ( !$mergeFields ) {
294 $reqInfo['fields'] = $this->formatFields( (array)$req->getFieldInfo() );
296 $ret['requests'][] = $reqInfo;
299 if ( $mergeFields ) {
300 $fields = AuthenticationRequest::mergeFieldInfo( $reqs );
301 $ret['fields'] = $this->formatFields( $fields );
308 * Clean up a field array for output
309 * @param ApiBase $module For context and parameters 'mergerequestfields'
310 * and 'messageformat'
311 * @param array $fields
314 private function formatFields( array $fields ) {
320 $module = $this->module;
323 foreach ( $fields as $name => $field ) {
324 $ret = array_intersect_key( $field, $copy );
326 if ( isset( $field['options'] ) ) {
327 $ret['options'] = array_map( function ( $msg ) use ( $module ) {
328 return $msg->setContext( $module )->plain();
329 }, $field['options'] );
330 ApiResult::setArrayType( $ret['options'], 'assoc' );
332 $this->formatMessage( $ret, 'label', $field['label'] );
333 $this->formatMessage( $ret, 'help', $field['help'] );
334 $ret['optional'] = !empty( $field['optional'] );
335 $ret['sensitive'] = !empty( $field['sensitive'] );
337 $retFields[$name] = $ret;
340 ApiResult::setArrayType( $retFields, 'assoc' );
346 * Fetch the standard parameters this helper recognizes
347 * @param string $action AuthManager action
348 * @param string $param,... Parameters to use
351 public static function getStandardParams( $action, $param /* ... */ ) {
354 ApiBase::PARAM_TYPE => 'string',
355 ApiBase::PARAM_ISMULTI => true,
356 ApiBase::PARAM_HELP_MSG => [ 'api-help-authmanagerhelper-requests', $action ],
359 ApiBase::PARAM_TYPE => 'string',
360 ApiBase::PARAM_REQUIRED => true,
361 ApiBase::PARAM_HELP_MSG => [ 'api-help-authmanagerhelper-request', $action ],
364 ApiBase::PARAM_DFLT => 'wikitext',
365 ApiBase::PARAM_TYPE => [ 'html', 'wikitext', 'raw', 'none' ],
366 ApiBase::PARAM_HELP_MSG => 'api-help-authmanagerhelper-messageformat',
368 'mergerequestfields' => [
369 ApiBase::PARAM_DFLT => false,
370 ApiBase::PARAM_HELP_MSG => 'api-help-authmanagerhelper-mergerequestfields',
373 ApiBase::PARAM_DFLT => false,
374 ApiBase::PARAM_HELP_MSG => 'api-help-authmanagerhelper-preservestate',
377 ApiBase::PARAM_TYPE => 'string',
378 ApiBase::PARAM_HELP_MSG => 'api-help-authmanagerhelper-returnurl',
381 ApiBase::PARAM_DFLT => false,
382 ApiBase::PARAM_HELP_MSG => 'api-help-authmanagerhelper-continue',
387 $wantedParams = func_get_args();
388 array_shift( $wantedParams );
389 foreach ( $wantedParams as $name ) {
390 if ( isset( $params[$name] ) ) {
391 $ret[$name] = $params[$name];
scripts.mit.edu / autoinstallsdev / mediawiki.git / blob