<?php
/**
 * Session provider for bot passwords
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @ingroup Session
 */

namespace MediaWiki\Session;

use BotPassword;
use User;
use WebRequest;

/**
 * Session provider for bot passwords
 * @since 1.27
 */
class BotPasswordSessionProvider extends ImmutableSessionProviderWithCookie {

	/**
	 * @param array $params Keys include:
	 *  - priority: (required) Set the priority
	 *  - sessionCookieName: Session cookie name. Default is '_BPsession'.
	 *  - sessionCookieOptions: Options to pass to WebResponse::setCookie().
	 */
	public function __construct( array $params = [] ) {
		if ( !isset( $params['sessionCookieName'] ) ) {
			$params['sessionCookieName'] = '_BPsession';
		}
		parent::__construct( $params );

		if ( !isset( $params['priority'] ) ) {
			throw new \InvalidArgumentException( __METHOD__ . ': priority must be specified' );
		}
		if ( $params['priority'] < SessionInfo::MIN_PRIORITY ||
			$params['priority'] > SessionInfo::MAX_PRIORITY
		) {
			throw new \InvalidArgumentException( __METHOD__ . ': Invalid priority' );
		}

		$this->priority = $params['priority'];
	}

	public function provideSessionInfo( WebRequest $request ) {
		// Only relevant for the API
		if ( !defined( 'MW_API' ) ) {
			return null;
		}

		// Enabled?
		if ( !$this->config->get( 'EnableBotPasswords' ) ) {
			return null;
		}

		// Have a session ID?
		$id = $this->getSessionIdFromCookie( $request );
		if ( $id === null ) {
			return null;
		}

		return new SessionInfo( $this->priority, [
			'provider' => $this,
			'id' => $id,
			'persisted' => true
		] );
	}

	public function newSessionInfo( $id = null ) {
		// We don't activate by default
		return null;
	}

	/**
	 * Create a new session for a request
	 * @param User $user
	 * @param BotPassword $bp
	 * @param WebRequest $request
	 * @return Session
	 */
	public function newSessionForRequest( User $user, BotPassword $bp, WebRequest $request ) {
		$id = $this->getSessionIdFromCookie( $request );
		$info = new SessionInfo( SessionInfo::MAX_PRIORITY, [
			'provider' => $this,
			'id' => $id,
			'userInfo' => UserInfo::newFromUser( $user, true ),
			'persisted' => $id !== null,
			'metadata' => [
				'centralId' => $bp->getUserCentralId(),
				'appId' => $bp->getAppId(),
				'token' => $bp->getToken(),
				'rights' => \MWGrants::getGrantRights( $bp->getGrants() ),
			],
		] );
		$session = $this->getManager()->getSessionFromInfo( $info, $request );
		$session->persist();
		return $session;
	}

	public function refreshSessionInfo( SessionInfo $info, WebRequest $request, &$metadata ) {
		$missingKeys = array_diff(
			[ 'centralId', 'appId', 'token' ],
			array_keys( $metadata )
		);
		if ( $missingKeys ) {
			$this->logger->info( 'Session "{session}": Missing metadata: {missing}', [
				'session' => $info,
				'missing' => implode( ', ', $missingKeys ),
			] );
			return false;
		}

		$bp = BotPassword::newFromCentralId( $metadata['centralId'], $metadata['appId'] );
		if ( !$bp ) {
			$this->logger->info(
				'Session "{session}": No BotPassword for {centralId} {appId}',
				[
					'session' => $info,
					'centralId' => $metadata['centralId'],
					'appId' => $metadata['appId'],
			] );
			return false;
		}

		if ( !hash_equals( $metadata['token'], $bp->getToken() ) ) {
			$this->logger->info( 'Session "{session}": BotPassword token check failed', [
				'session' => $info,
				'centralId' => $metadata['centralId'],
				'appId' => $metadata['appId'],
			] );
			return false;
		}

		$status = $bp->getRestrictions()->check( $request );
		if ( !$status->isOK() ) {
			$this->logger->info(
				'Session "{session}": Restrictions check failed',
				[
					'session' => $info,
					'restrictions' => $status->getValue(),
					'centralId' => $metadata['centralId'],
					'appId' => $metadata['appId'],
			] );
			return false;
		}

		// Update saved rights
		$metadata['rights'] = \MWGrants::getGrantRights( $bp->getGrants() );

		return true;
	}

	/**
	 * @codeCoverageIgnore
	 * @inheritDoc
	 */
	public function preventSessionsForUser( $username ) {
		BotPassword::removeAllPasswordsForUser( $username );
	}

	public function getAllowedUserRights( SessionBackend $backend ) {
		if ( $backend->getProvider() !== $this ) {
			throw new \InvalidArgumentException( 'Backend\'s provider isn\'t $this' );
		}
		$data = $backend->getProviderMetadata();
		if ( $data && isset( $data['rights'] ) && is_array( $data['rights'] ) ) {
			return $data['rights'];
		}

		// Should never happen
		$this->logger->debug( __METHOD__ . ': No provider metadata, returning no rights allowed' );
		return [];
	}
}