mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
synced 2024-12-04 12:48:25 +00:00
244 lines
6.3 KiB
PHP
244 lines
6.3 KiB
PHP
<?php
|
|
/**
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*/
|
|
|
|
namespace MediaWiki\Extension\OATHAuth;
|
|
|
|
use BagOStuff;
|
|
use ConfigException;
|
|
use FormatJson;
|
|
use MediaWiki\Logger\LoggerFactory;
|
|
use MediaWiki\MediaWikiServices;
|
|
use MWException;
|
|
use Psr\Log\LoggerInterface;
|
|
use RequestContext;
|
|
use stdClass;
|
|
use User;
|
|
use Wikimedia\Rdbms\DBConnRef;
|
|
use Wikimedia\Rdbms\ILoadBalancer;
|
|
|
|
class OATHUserRepository {
|
|
/** @var ILoadBalancer */
|
|
protected $lb;
|
|
|
|
/** @var BagOStuff */
|
|
protected $cache;
|
|
|
|
/**
|
|
* @var OATHAuth
|
|
*/
|
|
protected $auth;
|
|
|
|
/** @var LoggerInterface */
|
|
private $logger;
|
|
|
|
/**
|
|
* OATHUserRepository constructor.
|
|
* @param ILoadBalancer $lb
|
|
* @param BagOStuff $cache
|
|
* @param OATHAuth $auth
|
|
*/
|
|
public function __construct( ILoadBalancer $lb, BagOStuff $cache, OATHAuth $auth ) {
|
|
$this->lb = $lb;
|
|
$this->cache = $cache;
|
|
$this->auth = $auth;
|
|
|
|
$this->setLogger( LoggerFactory::getInstance( 'authentication' ) );
|
|
}
|
|
|
|
/**
|
|
* @param LoggerInterface $logger
|
|
*/
|
|
public function setLogger( LoggerInterface $logger ) {
|
|
$this->logger = $logger;
|
|
}
|
|
|
|
/**
|
|
* @param User $user
|
|
* @return OATHUser
|
|
* @throws \ConfigException
|
|
* @throws \MWException
|
|
*/
|
|
public function findByUser( User $user ) {
|
|
$oathUser = $this->cache->get( $user->getName() );
|
|
if ( !$oathUser ) {
|
|
$oathUser = new OATHUser( $user, [] );
|
|
|
|
$uid = MediaWikiServices::getInstance()
|
|
->getCentralIdLookupFactory()
|
|
->getLookup()
|
|
->centralIdFromLocalUser( $user );
|
|
$res = $this->getDB( DB_REPLICA )->selectRow(
|
|
'oathauth_users',
|
|
[ 'module', 'data' ],
|
|
[ 'id' => $uid ],
|
|
__METHOD__
|
|
);
|
|
if ( $res ) {
|
|
$data = $res->data;
|
|
$moduleKey = $res->module;
|
|
if ( $this->isLegacy( $res ) ) {
|
|
$module = $this->auth->getModuleByKey( 'totp' );
|
|
$data = $this->checkAndResolveLegacy( $data, $res );
|
|
} else {
|
|
$module = $this->auth->getModuleByKey( $moduleKey );
|
|
}
|
|
if ( $module === null ) {
|
|
// For sanity
|
|
throw new MWException( 'oathauth-module-invalid' );
|
|
}
|
|
|
|
$oathUser->setModule( $module );
|
|
$decodedData = FormatJson::decode( $res->data, true );
|
|
if ( !isset( $decodedData['keys'] ) && $module->getName() === 'totp' ) {
|
|
// Legacy single-key setup
|
|
$key = $module->newKey( $decodedData );
|
|
$oathUser->addKey( $key );
|
|
} elseif ( is_array( $decodedData['keys'] ) ) {
|
|
foreach ( $decodedData['keys'] as $keyData ) {
|
|
$key = $module->newKey( $keyData );
|
|
$oathUser->addKey( $key );
|
|
}
|
|
}
|
|
}
|
|
|
|
$this->cache->set( $user->getName(), $oathUser );
|
|
}
|
|
return $oathUser;
|
|
}
|
|
|
|
/**
|
|
* @param OATHUser $user
|
|
* @param string|null $clientInfo
|
|
* @throws ConfigException
|
|
* @throws MWException
|
|
*/
|
|
public function persist( OATHUser $user, $clientInfo = null ) {
|
|
if ( !$clientInfo ) {
|
|
$clientInfo = RequestContext::getMain()->getRequest()->getIP();
|
|
}
|
|
$prevUser = $this->findByUser( $user->getUser() );
|
|
$data = $user->getModule()->getDataFromUser( $user );
|
|
|
|
$this->getDB( DB_PRIMARY )->replace(
|
|
'oathauth_users',
|
|
'id',
|
|
[
|
|
'id' => MediaWikiServices::getInstance()
|
|
->getCentralIdLookupFactory()
|
|
->getLookup()
|
|
->centralIdFromLocalUser( $user->getUser() ),
|
|
'module' => $user->getModule()->getName(),
|
|
'data' => FormatJson::encode( $data )
|
|
],
|
|
__METHOD__
|
|
);
|
|
|
|
$userName = $user->getUser()->getName();
|
|
$this->cache->set( $userName, $user );
|
|
|
|
if ( $prevUser !== false ) {
|
|
$this->logger->info( 'OATHAuth updated for {user} from {clientip}', [
|
|
'user' => $userName,
|
|
'clientip' => $clientInfo,
|
|
'oldoathtype' => $prevUser->getModule()->getName(),
|
|
'newoathtype' => $user->getModule()->getName(),
|
|
] );
|
|
} else {
|
|
// If findByUser() has returned false, there was no user row or cache entry
|
|
$this->logger->info( 'OATHAuth enabled for {user} from {clientip}', [
|
|
'user' => $userName,
|
|
'clientip' => $clientInfo,
|
|
'oathtype' => $user->getModule()->getName(),
|
|
] );
|
|
Notifications\Manager::notifyEnabled( $user );
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @param OATHUser $user
|
|
* @param string $clientInfo
|
|
* @param bool $self Whether they disabled it themselves
|
|
*/
|
|
public function remove( OATHUser $user, $clientInfo, bool $self ) {
|
|
$this->getDB( DB_PRIMARY )->delete(
|
|
'oathauth_users',
|
|
[ 'id' => MediaWikiServices::getInstance()
|
|
->getCentralIdLookupFactory()
|
|
->getLookup()
|
|
->centralIdFromLocalUser( $user->getUser() ) ],
|
|
__METHOD__
|
|
);
|
|
|
|
$userName = $user->getUser()->getName();
|
|
$this->cache->delete( $userName );
|
|
|
|
$this->logger->info( 'OATHAuth disabled for {user} from {clientip}', [
|
|
'user' => $userName,
|
|
'clientip' => $clientInfo,
|
|
'oathtype' => $user->getModule()->getName(),
|
|
] );
|
|
Notifications\Manager::notifyDisabled( $user, $self );
|
|
}
|
|
|
|
/**
|
|
* @param int $index DB_PRIMARY/DB_REPLICA
|
|
* @return DBConnRef
|
|
*/
|
|
private function getDB( $index ) {
|
|
global $wgOATHAuthDatabase;
|
|
|
|
return $this->lb->getConnectionRef( $index, [], $wgOATHAuthDatabase );
|
|
}
|
|
|
|
/**
|
|
* @param stdClass $row
|
|
* @return bool
|
|
*/
|
|
private function isLegacy( $row ) {
|
|
if ( $row->module !== '' ) {
|
|
return false;
|
|
}
|
|
if ( property_exists( $row, 'secret' ) && $row->secret !== null ) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Checks if the DB data is in the new format,
|
|
* if not converts old data to new
|
|
*
|
|
* @param string $data
|
|
* @param stdClass $row
|
|
* @return string
|
|
*/
|
|
private function checkAndResolveLegacy( $data, $row ) {
|
|
if ( $data ) {
|
|
// New data exists - no action required
|
|
return $data;
|
|
}
|
|
if ( property_exists( $row, 'secret' ) && property_exists( $row, 'scratch_tokens' ) ) {
|
|
return FormatJson::encode( [
|
|
'secret' => $row->secret,
|
|
'scratch_tokens' => $row->scratch_tokens
|
|
] );
|
|
}
|
|
return '';
|
|
}
|
|
}
|