lb = $lb; $this->cache = $cache; $this->auth = $auth; $this->setLogger( LoggerFactory::getInstance( 'authentication' ) ); } /** * @param LoggerInterface $logger */ public function setLogger( LoggerInterface $logger ) { $this->logger = $logger; } /** * @param User $user * @return OATHUser * @throws \ConfigException * @throws \MWException */ public function findByUser( User $user ) { $oathUser = $this->cache->get( $user->getName() ); if ( !$oathUser ) { $oathUser = new OATHUser( $user, [] ); $uid = MediaWikiServices::getInstance() ->getCentralIdLookupFactory() ->getLookup() ->centralIdFromLocalUser( $user ); $res = $this->getDB( DB_REPLICA )->selectRow( 'oathauth_users', '*', [ 'id' => $uid ], __METHOD__ ); if ( $res ) { $data = $res->data; $moduleKey = $res->module; if ( $this->isLegacy( $res ) ) { $module = $this->auth->getModuleByKey( 'totp' ); $data = $this->checkAndResolveLegacy( $data, $res ); } else { $module = $this->auth->getModuleByKey( $moduleKey ); } if ( $module === null ) { // For sanity throw new MWException( 'oathauth-module-invalid' ); } $oathUser->setModule( $module ); $decodedData = FormatJson::decode( $res->data, true ); if ( !isset( $decodedData['keys'] ) && $module->getName() === 'totp' ) { // Legacy single-key setup $key = $module->newKey( $decodedData ); $oathUser->addKey( $key ); } elseif ( is_array( $decodedData['keys'] ) ) { foreach ( $decodedData['keys'] as $keyData ) { $key = $module->newKey( $keyData ); $oathUser->addKey( $key ); } } } $this->cache->set( $user->getName(), $oathUser ); } return $oathUser; } /** * @param OATHUser $user * @param string|null $clientInfo * @throws ConfigException * @throws MWException */ public function persist( OATHUser $user, $clientInfo = null ) { if ( !$clientInfo ) { $clientInfo = RequestContext::getMain()->getRequest()->getIP(); } $prevUser = $this->findByUser( $user->getUser() ); $data = $user->getModule()->getDataFromUser( $user ); $this->getDB( DB_PRIMARY )->replace( 'oathauth_users', 'id', [ 'id' => MediaWikiServices::getInstance() ->getCentralIdLookupFactory() ->getLookup() ->centralIdFromLocalUser( $user->getUser() ), 'module' => $user->getModule()->getName(), 'data' => FormatJson::encode( $data ) ], __METHOD__ ); $userName = $user->getUser()->getName(); $this->cache->set( $userName, $user ); if ( $prevUser !== false ) { $this->logger->info( 'OATHAuth updated for {user} from {clientip}', [ 'user' => $userName, 'clientip' => $clientInfo, 'oldoathtype' => $prevUser->getModule()->getName(), 'newoathtype' => $user->getModule()->getName(), ] ); } else { // If findByUser() has returned false, there was no user row or cache entry $this->logger->info( 'OATHAuth enabled for {user} from {clientip}', [ 'user' => $userName, 'clientip' => $clientInfo, 'oathtype' => $user->getModule()->getName(), ] ); } } /** * @param OATHUser $user * @param string $clientInfo * @param bool $self Whether they disabled it themselves */ public function remove( OATHUser $user, $clientInfo, bool $self ) { $this->getDB( DB_PRIMARY )->delete( 'oathauth_users', [ 'id' => MediaWikiServices::getInstance() ->getCentralIdLookupFactory() ->getLookup() ->centralIdFromLocalUser( $user->getUser() ) ], __METHOD__ ); $userName = $user->getUser()->getName(); $this->cache->delete( $userName ); $this->logger->info( 'OATHAuth disabled for {user} from {clientip}', [ 'user' => $userName, 'clientip' => $clientInfo, 'oathtype' => $user->getModule()->getName(), ] ); Notifications\Manager::notifyDisabled( $user, $self ); } /** * @param int $index DB_PRIMARY/DB_REPLICA * @return DBConnRef */ private function getDB( $index ) { global $wgOATHAuthDatabase; return $this->lb->getConnectionRef( $index, [], $wgOATHAuthDatabase ); } /** * @param stdClass $row * @return bool */ private function isLegacy( $row ) { if ( $row->module !== '' ) { return false; } if ( property_exists( $row, 'secret' ) && $row->secret !== null ) { return true; } return false; } /** * Checks if the DB data is in the new format, * if not converts old data to new * * @param string $data * @param stdClass $row * @return string */ private function checkAndResolveLegacy( $data, $row ) { if ( $data ) { // New data exists - no action required return $data; } if ( property_exists( $row, 'secret' ) && property_exists( $row, 'scratch_tokens' ) ) { return FormatJson::encode( [ 'secret' => $row->secret, 'scratch_tokens' => $row->scratch_tokens ] ); } return ''; } }