Merge "Add a query meta api option to check for OATH"

api/ApiQueryOATH.php

@@ -0,0 +1,89 @@
+<?php
+/**
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ */
+
+/**
+ * Query module to check if a user has OATH authentication enabled.
+ *
+ * Usage requires the 'oathauth-api-all' grant which is not given to any group
+ * by default. Use of this API is security sensitive and should not be granted
+ * lightly. Configuring a special 'oathauth' user group is recommended.
+ *
+ * @ingroup API
+ * @ingroup Extensions
+ */
+class ApiQueryOATH extends ApiQueryBase {
+	public function __construct( $query, $moduleName ) {
+		parent::__construct( $query, $moduleName, 'oath' );
+	}
+
+	public function execute() {
+		$params = $this->extractRequestParams();
+		if ( $params['user'] === null ) {
+			$params['user'] = $this->getUser()->getName();
+		}
+
+		if ( !$this->getUser()->isAllowed( 'oathauth-api-all' ) ) {
+			$this->dieUsage(
+				'You do not have permission to check OATH status',
+				'permissiondenied'
+			);
+		}
+
+		$user = User::newFromName( $params['user'] );
+		if ( $user === false ) {
+			$this->dieUsageMsg( [ 'noname', $params['user'] ] );
+		}
+
+		$result = $this->getResult();
+		$data = [
+			'enabled' => false,
+		];
+
+		if ( !$user->isAnon() ) {
+			$oathUser = OATHAuthHooks::getOATHUserRepository()
+				->findByUser( $user );
+			$data['enabled'] = $oathUser && $oathUser->getKey() !== null;
+		}
+		$result->addValue( 'query', $this->getModuleName(), $data );
+	}
+
+	public function getCacheMode( $params ) {
+		return 'private';
+	}
+
+	public function isInternal() {
+		return true;
+	}
+
+	public function getAllowedParams() {
+		return [
+			'user' => [
+				ApiBase::PARAM_TYPE => 'user',
+			],
+		];
+	}
+
+	protected function getExamplesMessages() {
+		return [
+			'action=query&meta=oath'
+				=> 'apihelp-query+oath-example-1',
+			'action=query&meta=oath&oathuser=Example'
+				=> 'apihelp-query+oath-example-2',
+		];
+	}
+}

extension.json

@@ -7,6 +7,7 @@
 	"type": "other",
 	"license-name": "GPL-2.0+",
 	"AutoloadClasses": {
+		"ApiQueryOATH": "api/ApiQueryOATH.php",
 		"OATHAuthHooks": "OATHAuth.hooks.php",
 		"OATHAuthLegacyHooks": "OATHAuth.hooks.legacy.php",
 		"OATHAuthKey": "OATHAuthKey.php",
@@ -73,12 +74,24 @@
 		"OATH": "SpecialOATH"
 	},
 	"AvailableRights": [
-		"oathauth-enable"
+		"oathauth-enable",
+		"oathauth-api-all"
 	],
 	"GroupPermissions": {
 		"*": {
 			"oathauth-enable": true
 		}
 	},
+	"GrantPermissions": {
+		"oath": {
+			"oathauth-api-all": true
+		}
+	},
+	"GrantPermissionGroups": {
+		"oath": "authentication"
+	},
+	"APIMetaModules": {
+		"oath": "ApiQueryOATH"
+	},
 	"manifest_version": 1
 }

i18n/en.json

@@ -51,5 +51,12 @@
 	"oathauth-auth-ui": "Please enter verification code from your mobile app",
 	"oathauth-throttled": "Too many verification attempts! Please wait $1.",
 	"oathauth-login-failed": "Verification failed.",
-	"oathauth-describe-provider": "Two-factor authentication (OATH)."
+	"oathauth-describe-provider": "Two-factor authentication (OATH).",
+	"grant-group-authentication": "Perform authentication actions for self and others",
+	"grant-oath": "Access two-factor authentication (OATH) information for self and others",
+	"right-oathauth-api-all": "Query and validate OATH information for self and others",
+	"apihelp-query+oath-description": "Check to see if two-factor authentication (OATH) is enabled for a user.",
+	"apihelp-query+oath-param-user": "User to get information about. Defaults to the current user.",
+	"apihelp-query+oath-example-1": "Get information about the current user",
+	"apihelp-query+oath-example-2": "Get information about user <kbd>Example</kbd>"
 }

i18n/qqq.json

@@ -56,5 +56,12 @@
 	"oathauth-auth-ui": "Shown on top of the login form when second factor is required",
 	"oathauth-throttled": "Error message when throttling limit is hit.\n\nParameters:\n* $1 - throttle block duration",
 	"oathauth-login-failed": "Error message when verifying the second factor failed.",
-	"oathauth-describe-provider": "Description of the extension as an authentication provider."
+	"oathauth-describe-provider": "Description of the extension as an authentication provider.",
+	"grant-group-authentication": "{{Related|Grant-group}}",
+	"grant-oath": "Name for grant \"oath\".\n{{Related|Grant}}",
+	"right-oathauth-api-all": "{{doc-right|oathauth-api-all}}",
+	"apihelp-query+oath-description": "{{doc-apihelp-description|query+oath}}",
+	"apihelp-query+oath-param-user": "{{doc-apihelp-param|query+oath|user}}",
+	"apihelp-query+oath-example-1": "{{doc-apihelp-example|query+oath}}",
+	"apihelp-query+oath-example-2": "{{doc-apihelp-example|query+oath}}"
 }