Yearly cleanup (#33)

Notable changes: Fix running with PostgreSQL

.github/workflows/php.yml

@@ -10,17 +10,12 @@ permissions:
   contents: read
 
 jobs:
-  build:
-
+  test:
     runs-on: ubuntu-latest
-
     steps:
-    - run: pwd
     - uses: actions/checkout@v3
-
     - name: Validate composer.json and composer.lock
       run: composer validate --strict
-
     - name: Cache Composer packages
       id: composer-cache
       uses: actions/cache@v3
@@ -29,15 +24,17 @@ jobs:
         key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
         restore-keys: |
           ${{ runner.os }}-php-
-
     - name: Install dependencies
-      run: composer install --no-dev --prefer-dist --no-progress
-
-    # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit"
-    # Docs: https://getcomposer.org/doc/articles/scripts.md
-
-    # - name: Run test suite
-    #   run: composer run-script test
+      run: composer install
+    - name: Run test suite
+      run: composer run-script test
+  publish:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install dependencies
+      run: composer install --no-dev
     - uses: actions/upload-artifact@v3
       with:
         name: AuthManagerOAuth

.gitignore

@@ -1,4 +1,2 @@
 /composer.lock
 /vendor
-/node_modules
-.eslintcache

.phan/config.php

@@ -0,0 +1,3 @@
+<?php
+
+return require __DIR__ . '/../vendor/mediawiki/mediawiki-phan-config/src/config.php';

.phpcs.xml

@@ -2,4 +2,6 @@
 <ruleset>
 	<rule ref="./vendor/mediawiki/mediawiki-codesniffer/MediaWiki" />
 	<file>.</file>
+	<arg name="extensions" value="php"/>
+	<arg name="encoding" value="UTF-8"/>
 </ruleset>

SECURITY.md

@@ -13,13 +13,6 @@ currently being supported with security updates.
 
 Please report security vulnerabilites to [email protected].
 
-You can use PGP encryption if you want.
-My public key is at https://keys.openpgp.org/search?q=Moritz.Hedtke%40t-online.de.
-
-You can import it using: `gpg --keyserver keys.openpgp.org --recv-key 0x1248D3E11D114A8575C989346794D45A488C2EDE`
-
-My fingerprint is: 1248 D3E1 1D11 4A85 75C9 8934 6794 D45A 488C 2EDE
-
 You can expect me to respond within a few days but please be patient if it takes longer.
 
 Please provide as much details as you can. If you have one a proof of concept would be great.

composer.json

@@ -2,11 +2,9 @@
 	"name": "mohe2015/authmanageroauth",
 	"description": "Create accounts or login using OAuth",
 	"license": "GPL-2.0-or-later",
-	"config": {
-		"autoloader-suffix": "authmanageroauth"
-	},
 	"require-dev": {
-		"mediawiki/mediawiki-codesniffer": "38.0.0",
+		"mediawiki/mediawiki-codesniffer": "42.0.0",
+		"mediawiki/mediawiki-phan-config": "0.13.0",
 		"mediawiki/minus-x": "1.1.1",
 		"php-parallel-lint/php-console-highlighter": "1.0.0",
 		"php-parallel-lint/php-parallel-lint": "1.3.2"
@@ -21,10 +19,10 @@
 			"minus-x fix .",
 			"phpcbf"
 		],
+		"phan": "phan -d . --long-progress-bar",
 		"phpcs": "phpcs -sp --cache"
 	},
 	"require": {
-		"league/oauth2-client": "^2.6",
-		"psr/container": "^1.0.0"
+		"league/oauth2-client": "^2.7"
 	}
 }

extension.json

@@ -11,7 +11,7 @@
 		"MediaWiki": ">= 1.35.0"
 	},
 	"AutoloadNamespaces": {
-		"MediaWiki\\Extension\\AuthManagerOAuth\\": "includes/"
+		"MediaWiki\\Extension\\AuthManagerOAuth\\": "src/"
 	},
 	"load_composer_autoloader": true,
 	"config": {
@@ -39,12 +39,12 @@
 		]
 	},
 	"AuthManagerAutoConfig": {
-        "primaryauth": {
-            "MediaWiki\\Extension\\AuthManagerOAuth\\AuthManagerOAuthPrimaryAuthenticationProvider": {
-                "class": "MediaWiki\\Extension\\AuthManagerOAuth\\AuthManagerOAuthPrimaryAuthenticationProvider",
+		"primaryauth": {
+			"MediaWiki\\Extension\\AuthManagerOAuth\\AuthManagerOAuthPrimaryAuthenticationProvider": {
+				"class": "MediaWiki\\Extension\\AuthManagerOAuth\\AuthManagerOAuthPrimaryAuthenticationProvider",
 				"sort": 0
-            }
-        }
-    },
+			}
+		}
+	},
 	"manifest_version": 2
 }

includes/AuthManagerOAuthPrimaryAuthenticationProvider.php → src/AuthManagerOAuthPrimaryAuthenticationProvider.php

@@ -19,6 +19,9 @@
 
 namespace MediaWiki\Extension\AuthManagerOAuth;
 
+use League\OAuth2\Client\Provider\GenericProvider;
+use MediaWiki\Auth\AuthenticationRequest;
+use MediaWiki\Auth\AuthenticationResponse;
 use MediaWiki\MediaWikiServices;
 
 class AuthManagerOAuthPrimaryAuthenticationProvider extends \MediaWiki\Auth\AbstractPrimaryAuthenticationProvider {
@@ -31,7 +34,9 @@ class AuthManagerOAuthPrimaryAuthenticationProvider extends \MediaWiki\Auth\Abst
 	 */
 	public function getAuthenticationRequests( $action, array $options ) {
 		wfDebugLog( 'AuthManagerOAuth getAuthenticationRequests', var_export( $action, true ) );
-		if ( $action === \MediaWiki\Auth\AuthManager::ACTION_LOGIN || $action === \MediaWiki\Auth\AuthManager::ACTION_CREATE || $action === \MediaWiki\Auth\AuthManager::ACTION_LINK ) {
+		if ( $action === \MediaWiki\Auth\AuthManager::ACTION_LOGIN
+		  || $action === \MediaWiki\Auth\AuthManager::ACTION_CREATE
+		  || $action === \MediaWiki\Auth\AuthManager::ACTION_LINK ) {
 			$config = MediaWikiServices::getInstance()->getConfigFactory()->makeConfig( 'authmanageroauth' );
 			$reqs = [];
 			foreach ( $config->get( 'AuthManagerOAuthConfig' ) as $amoa_provider => $provider ) {
@@ -70,10 +75,11 @@ public function testUserExists( $username, $flags = User::READ_NORMAL ) {
 	/**
 	 * @inheritDoc
 	 */
-	public function providerAllowsAuthenticationDataChange( \MediaWiki\Auth\AuthenticationRequest $req, $checkData = true ) {
+	public function providerAllowsAuthenticationDataChange( AuthenticationRequest $req, $checkData = true ) {
 		wfDebugLog( 'AuthManagerOAuth providerAllowsAuthenticationDataChange', var_export( $req, true ) );
-		if ( get_class( $req ) === UnlinkOAuthAccountRequest::class &&
-			( $req->action === \MediaWiki\Auth\AuthManager::ACTION_REMOVE || $req->action === \MediaWiki\Auth\AuthManager::ACTION_CHANGE ) ) {
+		if ( get_class( $req ) === UnlinkOAuthAccountRequest::class
+		  && ( $req->action === \MediaWiki\Auth\AuthManager::ACTION_REMOVE
+			|| $req->action === \MediaWiki\Auth\AuthManager::ACTION_CHANGE ) ) {
 			return \StatusValue::newGood();
 		}
 		return \StatusValue::newGood( 'ignored' );
@@ -82,10 +88,11 @@ public function providerAllowsAuthenticationDataChange( \MediaWiki\Auth\Authenti
 	/**
 	 * @inheritDoc
 	 */
-	public function providerChangeAuthenticationData( \MediaWiki\Auth\AuthenticationRequest $req ) {
+	public function providerChangeAuthenticationData( AuthenticationRequest $req ) {
 		wfDebugLog( 'AuthManagerOAuth providerChangeAuthenticationData', var_export( $req, true ) );
-		if ( get_class( $req ) === UnlinkOAuthAccountRequest::class &&
-			( $req->action === \MediaWiki\Auth\AuthManager::ACTION_REMOVE || $req->action === \MediaWiki\Auth\AuthManager::ACTION_CHANGE ) ) {
+		if ( get_class( $req ) === UnlinkOAuthAccountRequest::class
+		  && ( $req->action === \MediaWiki\Auth\AuthManager::ACTION_REMOVE
+			|| $req->action === \MediaWiki\Auth\AuthManager::ACTION_CHANGE ) ) {
 			$user = \User::newFromName( $req->username );
 			$lb = MediaWikiServices::getInstance()->getDBLoadBalancer();
 			$dbr = $lb->getConnectionRef( DB_PRIMARY );
@@ -112,23 +119,30 @@ public function accountCreationType() {
 	/**
 	 * This starts primary authentication/creation/linking by redirecting to the OAuth provider.
 	 * @param array $reqs The original requests.
-	 * @return \MediaWiki\Auth\AuthenticationResponse the response for redirecting or abstaining.
+	 * @return AuthenticationResponse the response for redirecting or abstaining.
 	 */
 	private function beginPrimary( array $reqs ) {
 		wfDebugLog( 'AuthManagerOAuth beginPrimary*', var_export( $reqs, true ) );
-		$req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, ChooseOAuthProviderRequest::class );
+		$req = AuthenticationRequest::getRequestByClass( $reqs, ChooseOAuthProviderRequest::class );
 		if ( $req !== null ) {
 			$config = MediaWikiServices::getInstance()->getConfigFactory()->makeConfig( 'authmanageroauth' );
-			$provider = new \League\OAuth2\Client\Provider\GenericProvider( $config->get( 'AuthManagerOAuthConfig' )[$req->amoa_provider] );
+			$provider = new GenericProvider( $config->get( 'AuthManagerOAuthConfig' )[$req->amoa_provider] );
 			$authorizationUrl = $provider->getAuthorizationUrl( [
 				'redirect_uri' => $req->returnToUrl
 			] );
 
-			$this->manager->setAuthenticationSessionData( self::AUTHENTICATION_SESSION_DATA_STATE, $provider->getState() );
+			$this->manager->setAuthenticationSessionData(
+				self::AUTHENTICATION_SESSION_DATA_STATE,
+				$provider->getState()
+			);
 
-			return \MediaWiki\Auth\AuthenticationResponse::newRedirect( [ new OAuthProviderAuthenticationRequest( $req->amoa_provider ) ], $authorizationUrl, null );
+			return AuthenticationResponse::newRedirect(
+				[ new OAuthProviderAuthenticationRequest( $req->amoa_provider ) ],
+				$authorizationUrl,
+				null
+			);
 		} else {
-			return \MediaWiki\Auth\AuthenticationResponse::newAbstain();
+			return AuthenticationResponse::newAbstain();
 		}
 	}
 
@@ -157,19 +171,21 @@ public function beginPrimaryAccountLink( $user, array $reqs ) {
 	}
 
 	/**
-	 * Convert the response of an OAuth redirect to the identity it represents for further use. This asks the OAuth provider to verify the the login and gets the remote username and id.
+	 * Convert the response of an OAuth redirect to the identity it represents for further use.
+	 * This asks the OAuth provider to verify the the login and gets the remote username and id.
 	 * @param OAuthProviderAuthenticationRequest $req
 	 * @return OAuthIdentityRequest
 	 */
 	private function convertOAuthProviderAuthenticationRequestToOAuthIdentityRequest( $req ) {
 		$config = MediaWikiServices::getInstance()->getConfigFactory()->makeConfig( 'authmanageroauth' );
-		$provider = new \League\OAuth2\Client\Provider\GenericProvider( $config->get( 'AuthManagerOAuthConfig' )[$req->amoa_provider] );
+		$provider = new GenericProvider( $config->get( 'AuthManagerOAuthConfig' )[$req->amoa_provider] );
 		try {
-			// TODO do we even need this authentication data or can we just store this in the authentication request. ensure again that both of it can't be manipulated
+			// TODO do we even need this authentication data or can we just store this in the authentication request.
+			// ensure again that both of it can't be manipulated
 			$state = $this->manager->getAuthenticationSessionData( self::AUTHENTICATION_SESSION_DATA_STATE );
 			$this->manager->removeAuthenticationSessionData( self::AUTHENTICATION_SESSION_DATA_STATE );
 			if ( ( !$state ) || $state !== $req->state ) {
-				return \MediaWiki\Auth\AuthenticationResponse::newFail( wfMessage( 'authmanageroauth-state-mismatch' ) );
+				return AuthenticationResponse::newFail( wfMessage( 'authmanageroauth-state-mismatch' ) );
 			}
 
 			$accessToken = $provider->getAccessToken( 'authorization_code', [
@@ -178,15 +194,20 @@ private function convertOAuthProviderAuthenticationRequestToOAuthIdentityRequest
 
 			$resourceOwner = $provider->getResourceOwner( $accessToken );
 
-			$req = new OAuthIdentityRequest( $req->amoa_provider, $resourceOwner->getId(), $resourceOwner->toArray()['login'] );  // TODO FIXME provider dependent path
+			// TODO FIXME provider dependent path
+			$req = new OAuthIdentityRequest(
+				$req->amoa_provider,
+				strval( $resourceOwner->getId() ),
+				$resourceOwner->toArray()['login']
+			);
 
-			$response = \MediaWiki\Auth\AuthenticationResponse::newPass();
+			$response = AuthenticationResponse::newPass();
 			$response->createRequest = $req;
 			$response->linkRequest = $req;
 			$response->loginRequest = $req;
 			return $response;
 		} catch ( \League\OAuth2\Client\Provider\Exception\IdentityProviderException $e ) {
-			return \MediaWiki\Auth\AuthenticationResponse::newFail( wfMessage( 'authmanageroauth-error', $e->getMessage() ) );
+			return AuthenticationResponse::newFail( wfMessage( 'authmanageroauth-error', $e->getMessage() ) );
 		}
 	}
 
@@ -195,11 +216,11 @@ private function convertOAuthProviderAuthenticationRequestToOAuthIdentityRequest
 	 */
 	public function continuePrimaryAccountCreation( $user, $creator, array $reqs ) {
 		wfDebugLog( 'AuthManagerOAuth continuePrimaryAccountCreation', var_export( $reqs, true ) );
-		$req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, OAuthProviderAuthenticationRequest::class );
+		$req = AuthenticationRequest::getRequestByClass( $reqs, OAuthProviderAuthenticationRequest::class );
 		if ( $req !== null ) {
 			return $this->convertOAuthProviderAuthenticationRequestToOAuthIdentityRequest( $req );
 		} else {
-			return \MediaWiki\Auth\AuthenticationResponse::newAbstain();
+			return AuthenticationResponse::newAbstain();
 		}
 	}
 
@@ -209,28 +230,37 @@ public function continuePrimaryAccountCreation( $user, $creator, array $reqs ) {
 	public function continuePrimaryAuthentication( array $reqs ) {
 		wfDebugLog( 'AuthManagerOAuth continuePrimaryAuthentication', var_export( $reqs, true ) );
 
-		$identity_req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, OAuthIdentityRequest::class );
-		if ( $identity_req !== null ) {	// Already authenticated with OAuth provider
-			$choose_local_account_req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, ChooseLocalAccountRequest::class );
+		$identity_req = AuthenticationRequest::getRequestByClass( $reqs, OAuthIdentityRequest::class );
+		if ( $identity_req !== null ) {
+			// Already authenticated with OAuth provider
+
+			$choose_local_account_req = AuthenticationRequest::getRequestByClass(
+				$reqs,
+				ChooseLocalAccountRequest::class
+			);
 			if ( $choose_local_account_req !== null ) {
-				return \MediaWiki\Auth\AuthenticationResponse::newPass( $choose_local_account_req->username );
+				return AuthenticationResponse::newPass( $choose_local_account_req->username );
 			}
 
-			$choose_local_username_req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, LocalUsernameInputRequest::class );
+			$choose_local_username_req = AuthenticationRequest::getRequestByClass(
+				$reqs,
+				LocalUsernameInputRequest::class
+			);
 			if ( $choose_local_username_req !== null ) {
 				$user = \User::newFromName( $choose_local_username_req->local_username );
-				if ( !$user->isRegistered() ) { // TODO FIXME query on primary race condition but that's just how it is https://phabricator.wikimedia.org/T138678#3911381
-					return \MediaWiki\Auth\AuthenticationResponse::newPass( $choose_local_username_req->local_username );
+				// TODO FIXME query on primary race condition https://phabricator.wikimedia.org/T138678#3911381
+				if ( !$user->isRegistered() ) {
+					return AuthenticationResponse::newPass( $choose_local_username_req->local_username );
 				} else {
-					return \MediaWiki\Auth\AuthenticationResponse::newFail( wfMessage( 'authmanageroauth-account-already-exists' ) );
+					return AuthenticationResponse::newFail( wfMessage( 'authmanageroauth-account-already-exists' ) );
 				}
 			}
 		}
 
-		$req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, OAuthProviderAuthenticationRequest::class );
+		$req = AuthenticationRequest::getRequestByClass( $reqs, OAuthProviderAuthenticationRequest::class );
 		if ( $req !== null ) {
 			$resp = $this->convertOAuthProviderAuthenticationRequestToOAuthIdentityRequest( $req );
-			if ( $resp->status !== \MediaWiki\Auth\AuthenticationResponse::PASS ) {
+			if ( $resp->status !== AuthenticationResponse::PASS ) {
 				return $resp;
 			}
 
@@ -256,24 +286,24 @@ public function continuePrimaryAuthentication( array $reqs ) {
 			] );
 			if ( count( $reqs ) === 2 ) {
 				// There are no previous linked accounts
-				return \MediaWiki\Auth\AuthenticationResponse::newUI( $reqs, wfMessage( 'authmanageroauth-choose-username' ) );
+				return AuthenticationResponse::newUI( $reqs, wfMessage( 'authmanageroauth-choose-username' ) );
 			} else {
 				// There are already accounts linked
-				return \MediaWiki\Auth\AuthenticationResponse::newUI( $reqs, wfMessage( 'authmanageroauth-choose-message' ) );
+				return AuthenticationResponse::newUI( $reqs, wfMessage( 'authmanageroauth-choose-message' ) );
 			}
 		}
-		return \MediaWiki\Auth\AuthenticationResponse::newAbstain();
+		return AuthenticationResponse::newAbstain();
 	}
 
 	/**
 	 * @inheritDoc
 	 */
 	public function continuePrimaryAccountLink( $user, array $reqs ) {
 		wfDebugLog( 'AuthManagerOAuth continuePrimaryAccountLink', var_export( $reqs, true ) );
-		$req = \MediaWiki\Auth\AuthenticationRequest::getRequestByClass( $reqs, OAuthProviderAuthenticationRequest::class );
+		$req = AuthenticationRequest::getRequestByClass( $reqs, OAuthProviderAuthenticationRequest::class );
 		if ( $req !== null ) {
 			$resp = $this->convertOAuthProviderAuthenticationRequestToOAuthIdentityRequest( $req );
-			if ( $resp->status !== \MediaWiki\Auth\AuthenticationResponse::PASS ) {
+			if ( $resp->status !== AuthenticationResponse::PASS ) {
 				return $resp;
 			}
 
@@ -295,7 +325,7 @@ public function continuePrimaryAccountLink( $user, array $reqs ) {
 			return $resp;
 		} else {
 			// TODO FIXME maybe we can put this in the common method so this is even less duplication
-			return \MediaWiki\Auth\AuthenticationResponse::newAbstain();
+			return AuthenticationResponse::newAbstain();
 		}
 	}
 
@@ -321,7 +351,7 @@ public function autoCreatedAccount( $user, $source ) {
 	/**
 	 * @inheritDoc
 	 */
-	public function finishAccountCreation( $user, $creator, \MediaWiki\Auth\AuthenticationResponse $response ) {
+	public function finishAccountCreation( $user, $creator, AuthenticationResponse $response ) {
 		wfDebugLog( 'AuthManagerOAuth finishAccountCreation', var_export( $response, true ) );
 		$req = $response->createRequest;
 		$lb = MediaWikiServices::getInstance()->getDBLoadBalancer();

includes/sql/authmanageroauth_linked_accounts.sql → src/sql/authmanageroauth_linked_accounts.sql

@@ -3,7 +3,7 @@ CREATE TABLE /*_*/authmanageroauth_linked_accounts(
     amoa_provider VARCHAR(255) NOT NULL,
 
     -- the local user id
-    amoa_local_user INTEGER UNSIGNED NOT NULL,
+    amoa_local_user BIGINT NOT NULL,
 
     -- the remote user identifier
     amoa_remote_user VARCHAR(255) NOT NULL,