includes/session/SessionInfo.php

   1 <?php
   2 /**
   3  * MediaWiki session info
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  * @ingroup Session
  22  */
  23
  24 namespace MediaWiki\Session;
  25
  26 /**
  27  * Value object returned by SessionProvider
  28  *
  29  * This holds the data necessary to construct a Session.
  30  *
  31  * @ingroup Session
  32  * @since 1.27
  33  */
  34 class SessionInfo {
  35         /** Minimum allowed priority */
  36         const MIN_PRIORITY = 1;
  37
  38         /** Maximum allowed priority */
  39         const MAX_PRIORITY = 100;
  40
  41         /** @var SessionProvider|null */
  42         private $provider;
  43
  44         /** @var string */
  45         private $id;
  46
  47         /** @var int */
  48         private $priority;
  49
  50         /** @var UserInfo|null */
  51         private $userInfo = null;
  52
  53         private $persisted = false;
  54         private $remembered = false;
  55         private $forceHTTPS = false;
  56         private $idIsSafe = false;
  57         private $forceUse = false;
  58
  59         /** @var array|null */
  60         private $providerMetadata = null;
  61
  62         /**
  63          * @param int $priority Session priority
  64          * @param array $data
  65          *  - provider: (SessionProvider|null) If not given, the provider will be
  66          *    determined from the saved session data.
  67          *  - id: (string|null) Session ID
  68          *  - userInfo: (UserInfo|null) User known from the request. If
  69          *    $provider->canChangeUser() is false, a verified user
  70          *    must be provided.
  71          *  - persisted: (bool) Whether this session was persisted
  72          *  - remembered: (bool) Whether the verified user was remembered.
  73          *    Defaults to true.
  74          *  - forceHTTPS: (bool) Whether to force HTTPS for this session
  75          *  - metadata: (array) Provider metadata, to be returned by
  76          *    Session::getProviderMetadata().
  77          *  - idIsSafe: (bool) Set true if the 'id' did not come from the user.
  78          *    Generally you'll use this from SessionProvider::newEmptySession(),
  79          *    and not from any other method.
  80          *  - forceUse: (bool) Set true if the 'id' is from
  81          *    SessionProvider::hashToSessionId() to delete conflicting session
  82          *    store data instead of discarding this SessionInfo. Ignored unless
  83          *    both 'provider' and 'id' are given.
  84          *  - copyFrom: (SessionInfo) SessionInfo to copy other data items from.
  85          */
  86         public function __construct( $priority, array $data ) {
  87                 if ( $priority < self::MIN_PRIORITY || $priority > self::MAX_PRIORITY ) {
  88                         throw new \InvalidArgumentException( 'Invalid priority' );
  89                 }
  90
  91                 if ( isset( $data['copyFrom'] ) ) {
  92                         $from = $data['copyFrom'];
  93                         if ( !$from instanceof SessionInfo ) {
  94                                 throw new \InvalidArgumentException( 'Invalid copyFrom' );
  95                         }
  96                         $data += [
  97                                 'provider' => $from->provider,
  98                                 'id' => $from->id,
  99                                 'userInfo' => $from->userInfo,
 100                                 'persisted' => $from->persisted,
 101                                 'remembered' => $from->remembered,
 102                                 'forceHTTPS' => $from->forceHTTPS,
 103                                 'metadata' => $from->providerMetadata,
 104                                 'idIsSafe' => $from->idIsSafe,
 105                                 'forceUse' => $from->forceUse,
 106                                 // @codeCoverageIgnoreStart
 107                         ];
 108                         // @codeCoverageIgnoreEnd
 109                 } else {
 110                         $data += [
 111                                 'provider' => null,
 112                                 'id' => null,
 113                                 'userInfo' => null,
 114                                 'persisted' => false,
 115                                 'remembered' => true,
 116                                 'forceHTTPS' => false,
 117                                 'metadata' => null,
 118                                 'idIsSafe' => false,
 119                                 'forceUse' => false,
 120                                 // @codeCoverageIgnoreStart
 121                         ];
 122                         // @codeCoverageIgnoreEnd
 123                 }
 124
 125                 if ( $data['id'] !== null && !SessionManager::validateSessionId( $data['id'] ) ) {
 126                         throw new \InvalidArgumentException( 'Invalid session ID' );
 127                 }
 128
 129                 if ( $data['userInfo'] !== null && !$data['userInfo'] instanceof UserInfo ) {
 130                         throw new \InvalidArgumentException( 'Invalid userInfo' );
 131                 }
 132
 133                 if ( !$data['provider'] && $data['id'] === null ) {
 134                         throw new \InvalidArgumentException(
 135                                 'Must supply an ID when no provider is given'
 136                         );
 137                 }
 138
 139                 if ( $data['metadata'] !== null && !is_array( $data['metadata'] ) ) {
 140                         throw new \InvalidArgumentException( 'Invalid metadata' );
 141                 }
 142
 143                 $this->provider = $data['provider'];
 144                 if ( $data['id'] !== null ) {
 145                         $this->id = $data['id'];
 146                         $this->idIsSafe = $data['idIsSafe'];
 147                         $this->forceUse = $data['forceUse'] && $this->provider;
 148                 } else {
 149                         $this->id = $this->provider->getManager()->generateSessionId();
 150                         $this->idIsSafe = true;
 151                         $this->forceUse = false;
 152                 }
 153                 $this->priority = (int)$priority;
 154                 $this->userInfo = $data['userInfo'];
 155                 $this->persisted = (bool)$data['persisted'];
 156                 if ( $data['provider'] !== null ) {
 157                         if ( $this->userInfo !== null && !$this->userInfo->isAnon() && $this->userInfo->isVerified() ) {
 158                                 $this->remembered = (bool)$data['remembered'];
 159                         }
 160                         $this->providerMetadata = $data['metadata'];
 161                 }
 162                 $this->forceHTTPS = (bool)$data['forceHTTPS'];
 163         }
 164
 165         /**
 166          * Return the provider
 167          * @return SessionProvider|null
 168          */
 169         final public function getProvider() {
 170                 return $this->provider;
 171         }
 172
 173         /**
 174          * Return the session ID
 175          * @return string
 176          */
 177         final public function getId() {
 178                 return $this->id;
 179         }
 180
 181         /**
 182          * Indicate whether the ID is "safe"
 183          *
 184          * The ID is safe in the following cases:
 185          * - The ID was randomly generated by the constructor.
 186          * - The ID was found in the backend data store.
 187          * - $this->getProvider()->persistsSessionId() is false.
 188          * - The constructor was explicitly told it's safe using the 'idIsSafe'
 189          *   parameter.
 190          *
 191          * @return bool
 192          */
 193         final public function isIdSafe() {
 194                 return $this->idIsSafe;
 195         }
 196
 197         /**
 198          * Force use of this SessionInfo if validation fails
 199          *
 200          * The normal behavior is to discard the SessionInfo if validation against
 201          * the data stored in the session store fails. If this returns true,
 202          * SessionManager will instead delete the session store data so this
 203          * SessionInfo may still be used.
 204          *
 205          * @return bool
 206          */
 207         final public function forceUse() {
 208                 return $this->forceUse;
 209         }
 210
 211         /**
 212          * Return the priority
 213          * @return int
 214          */
 215         final public function getPriority() {
 216                 return $this->priority;
 217         }
 218
 219         /**
 220          * Return the user
 221          * @return UserInfo|null
 222          */
 223         final public function getUserInfo() {
 224                 return $this->userInfo;
 225         }
 226
 227         /**
 228          * Return whether the session is persisted
 229          * @return bool
 230          */
 231         final public function wasPersisted() {
 232                 return $this->persisted;
 233         }
 234
 235         /**
 236          * Return provider metadata
 237          * @return array|null
 238          */
 239         final public function getProviderMetadata() {
 240                 return $this->providerMetadata;
 241         }
 242
 243         /**
 244          * Return whether the user was remembered
 245          *
 246          * For providers that can persist the user separately from the session,
 247          * the human using it may not actually *want* that to be done. For example,
 248          * a cookie-based provider can set cookies that are longer-lived than the
 249          * backend session data, but on a public terminal the human likely doesn't
 250          * want those cookies set.
 251          *
 252          * This is false unless a non-anonymous verified user was passed to
 253          * the SessionInfo constructor by the provider, and the provider didn't
 254          * pass false for the 'remembered' data item.
 255          *
 256          * @return bool
 257          */
 258         final public function wasRemembered() {
 259                 return $this->remembered;
 260         }
 261
 262         /**
 263          * Whether this session should only be used over HTTPS
 264          * @return bool
 265          */
 266         final public function forceHTTPS() {
 267                 return $this->forceHTTPS;
 268         }
 269
 270         public function __toString() {
 271                 return '[' . $this->getPriority() . ']' .
 272                         ( $this->getProvider() ?: 'null' ) .
 273                         ( $this->userInfo ?: '<null>' ) . $this->getId();
 274         }
 275
 276         /**
 277          * Compare two SessionInfo objects by priority
 278          * @param SessionInfo $a
 279          * @param SessionInfo $b
 280          * @return int Negative if $a < $b, positive if $a > $b, zero if equal
 281          */
 282         public static function compare( $a, $b ) {
 283                 return $a->getPriority() - $b->getPriority();
 284         }
 285
 286 }