feat: allow oauth consumers to be created with consumer acceptance (#447)

* feat: allow oauth consumers to be created with consumer acceptance

* fix: ownerOnly flag determines whether consumer is auto accepted

* fix: ensure ownerOnly is also considered on subsequent lookup

* refactor: expect matching ownerOnly param to be given on lookup

* fix: access secret is expected to be used in hmac format

* docs: add CHANGELOG

Author: m90

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 Tags have the format: `<MediaWiki core version>-<PHP Version>-<date>-<build number>`
 
+## 1.39-7.4-20240722-0
+- Add `ownerOnly` parameter to OAuth setup (#447)
+
 ## 1.39-7.4-20240624-0
 - Enable InstantCommons (#444)
 

dist-persist/wbstack/src/Internal/ApiWbStackOauthGet.php

@@ -8,7 +8,7 @@
  * This API is used by tools that need OAuth consumers.
  * Calling this API will either give you details for the spec that you ask if they already exist.
  * OR it will create such a consume, and give you the details.
- * 
+ *
  * Most of the logic for OAuth stuff currently lives within WbStackPlatformReservedUser
  */
 
@@ -26,28 +26,31 @@ public function execute() {
         // Try and get the required consumer
         $consumerData = WbStackPlatformReservedUser::getOAuthConsumer(
             $this->getParameter('consumerName'),
-            $this->getParameter('consumerVersion')
+            $this->getParameter('consumerVersion'),
+            $this->getParameter('ownerOnly'),
         );
 
         // If it doesnt exist, make sure the user and consumer do
-        if(!$consumerData) {
+        if (!$consumerData) {
             $callbackUrl = $this->getScheme() . $GLOBALS[WBSTACK_INFO_GLOBAL]->requestDomain . $this->getParameter('callbackUrlTail');
 
             WbStackPlatformReservedUser::createIfNotExists();
             WbStackPlatformReservedUser::createOauthConsumer(
                 $this->getParameter('consumerName'),
                 $this->getParameter('consumerVersion'),
                 $this->getParameter('grants'),
-                $callbackUrl
+                $callbackUrl,
+                $this->getParameter('ownerOnly'),
             );
             $consumerData = WbStackPlatformReservedUser::getOAuthConsumer(
                 $this->getParameter('consumerName'),
-                $this->getParameter('consumerVersion')
+                $this->getParameter('consumerVersion'),
+                $this->getParameter('ownerOnly'),
             );
         }
 
         // Return appropriate result
-        if(!$consumerData) {
+        if (!$consumerData) {
             $res = ['success' => 0];
         } else {
             $res = [
@@ -77,6 +80,9 @@ public function getAllowedParams() {
                 ParamValidator::PARAM_TYPE => 'string',
                 ParamValidator::PARAM_REQUIRED => true
             ],
+            'ownerOnly' => [
+                ParamValidator::PARAM_TYPE => 'boolean',
+            ],
         ];
     }
 }

dist-persist/wbstack/src/Internal/WbStackPlatformReservedUser.php

@@ -50,7 +50,7 @@ public static function createIfNotExists() {
         return true;
     }
 
-    public static function createOauthConsumer($consumerName, $version, $grants, $callbackUrl) {
+    public static function createOauthConsumer($consumerName, $version, $grants, $callbackUrl, $ownerOnly = false) {
         // ### Setup oauth consumer...
         // LOGIC mainly from https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/master/maintenance/createOAuthConsumer.php ?
         // EXECUTION of script from https://github.com/wmde/wikibase-docker/blob/master/wikibase/1.33/bundle/extra-install.sh#L7 ?
@@ -65,7 +65,7 @@ public static function createOauthConsumer($consumerName, $version, $grants, $ca
             'callbackIsPrefix' => true,
             'grants' => '["' . implode( '","', $grants) . '"]',
             'granttype' => 'normal',
-            'ownerOnly' => false,
+            'ownerOnly' => $ownerOnly,
             'email' => WbStackPlatformReservedUser::PLATFORM_RESERVED_EMAIL,
             'wiki' => '*',
             'rsaKey' => '',
@@ -99,15 +99,14 @@ public static function createOauthConsumer($consumerName, $version, $grants, $ca
         $control = new \MediaWiki\Extension\OAuth\Control\ConsumerSubmitControl( $context, $data, $dbw );
         $approveStatus = $control->submit();
 
-        if ( !$approveStatus->isGood() ) {
-            // TODO return more info...
+        if ( !$approveStatus->isOK() ) {
             return false;
         }
 
         return true;
     }
 
-    public static function getOAuthConsumer($consumerName, $version) {
+    public static function getOAuthConsumer($consumerName, $version, $ownerOnly = false) {
         $user = self::getUser();
         // TODO create the oauth consumer on the fly if it doesn't exist (needs grants and callbackurl)
 
@@ -131,10 +130,30 @@ public static function getOAuthConsumer($consumerName, $version) {
             return false;
         }
 
-        return [
+        if ($c->getOwnerOnly() !== $ownerOnly) {
+            return false;
+        }
+
+        $data = [
             'agent' => $c->getName(),
             'consumerKey' => $c->getConsumerKey(),
             'consumerSecret' => \MediaWiki\Extension\OAuth\Backend\Utils::hmacDBSecret( $c->getSecretKey() ),
         ];
+
+        $a = \MediaWiki\Extension\OAuth\Backend\ConsumerAcceptance::newFromUserConsumerWiki(
+            $db,
+            $user->getId(),
+            $c,
+            $c->getWiki(),
+            \MediaWiki\Extension\OAuth\Backend\ConsumerAcceptance::READ_NORMAL,
+            $c->getOAuthVersion(),
+        );
+
+        if ( $a !== false ) {
+            $data['accessKey'] = $a->getAccessToken();
+            $data['accessSecret'] = \MediaWiki\Extension\OAuth\Backend\Utils::hmacDBSecret( $a->getAccessSecret() );
+        }
+
+        return $data;
     }
 }

dist/wbstack/src/Internal/ApiWbStackOauthGet.php

@@ -8,7 +8,7 @@
  * This API is used by tools that need OAuth consumers.
  * Calling this API will either give you details for the spec that you ask if they already exist.
  * OR it will create such a consume, and give you the details.
- * 
+ *
  * Most of the logic for OAuth stuff currently lives within WbStackPlatformReservedUser
  */
 
@@ -26,28 +26,31 @@ public function execute() {
         // Try and get the required consumer
         $consumerData = WbStackPlatformReservedUser::getOAuthConsumer(
             $this->getParameter('consumerName'),
-            $this->getParameter('consumerVersion')
+            $this->getParameter('consumerVersion'),
+            $this->getParameter('ownerOnly'),
         );
 
         // If it doesnt exist, make sure the user and consumer do
-        if(!$consumerData) {
+        if (!$consumerData) {
             $callbackUrl = $this->getScheme() . $GLOBALS[WBSTACK_INFO_GLOBAL]->requestDomain . $this->getParameter('callbackUrlTail');
 
             WbStackPlatformReservedUser::createIfNotExists();
             WbStackPlatformReservedUser::createOauthConsumer(
                 $this->getParameter('consumerName'),
                 $this->getParameter('consumerVersion'),
                 $this->getParameter('grants'),
-                $callbackUrl
+                $callbackUrl,
+                $this->getParameter('ownerOnly'),
             );
             $consumerData = WbStackPlatformReservedUser::getOAuthConsumer(
                 $this->getParameter('consumerName'),
-                $this->getParameter('consumerVersion')
+                $this->getParameter('consumerVersion'),
+                $this->getParameter('ownerOnly'),
             );
         }
 
         // Return appropriate result
-        if(!$consumerData) {
+        if (!$consumerData) {
             $res = ['success' => 0];
         } else {
             $res = [
@@ -77,6 +80,9 @@ public function getAllowedParams() {
                 ParamValidator::PARAM_TYPE => 'string',
                 ParamValidator::PARAM_REQUIRED => true
             ],
+            'ownerOnly' => [
+                ParamValidator::PARAM_TYPE => 'boolean',
+            ],
         ];
     }
 }

dist/wbstack/src/Internal/WbStackPlatformReservedUser.php

@@ -50,7 +50,7 @@ public static function createIfNotExists() {
         return true;
     }
 
-    public static function createOauthConsumer($consumerName, $version, $grants, $callbackUrl) {
+    public static function createOauthConsumer($consumerName, $version, $grants, $callbackUrl, $ownerOnly = false) {
         // ### Setup oauth consumer...
         // LOGIC mainly from https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/master/maintenance/createOAuthConsumer.php ?
         // EXECUTION of script from https://github.com/wmde/wikibase-docker/blob/master/wikibase/1.33/bundle/extra-install.sh#L7 ?
@@ -65,7 +65,7 @@ public static function createOauthConsumer($consumerName, $version, $grants, $ca
             'callbackIsPrefix' => true,
             'grants' => '["' . implode( '","', $grants) . '"]',
             'granttype' => 'normal',
-            'ownerOnly' => false,
+            'ownerOnly' => $ownerOnly,
             'email' => WbStackPlatformReservedUser::PLATFORM_RESERVED_EMAIL,
             'wiki' => '*',
             'rsaKey' => '',
@@ -99,15 +99,14 @@ public static function createOauthConsumer($consumerName, $version, $grants, $ca
         $control = new \MediaWiki\Extension\OAuth\Control\ConsumerSubmitControl( $context, $data, $dbw );
         $approveStatus = $control->submit();
 
-        if ( !$approveStatus->isGood() ) {
-            // TODO return more info...
+        if ( !$approveStatus->isOK() ) {
             return false;
         }
 
         return true;
     }
 
-    public static function getOAuthConsumer($consumerName, $version) {
+    public static function getOAuthConsumer($consumerName, $version, $ownerOnly = false) {
         $user = self::getUser();
         // TODO create the oauth consumer on the fly if it doesn't exist (needs grants and callbackurl)
 
@@ -131,10 +130,30 @@ public static function getOAuthConsumer($consumerName, $version) {
             return false;
         }
 
-        return [
+        if ($c->getOwnerOnly() !== $ownerOnly) {
+            return false;
+        }
+
+        $data = [
             'agent' => $c->getName(),
             'consumerKey' => $c->getConsumerKey(),
             'consumerSecret' => \MediaWiki\Extension\OAuth\Backend\Utils::hmacDBSecret( $c->getSecretKey() ),
         ];
+
+        $a = \MediaWiki\Extension\OAuth\Backend\ConsumerAcceptance::newFromUserConsumerWiki(
+            $db,
+            $user->getId(),
+            $c,
+            $c->getWiki(),
+            \MediaWiki\Extension\OAuth\Backend\ConsumerAcceptance::READ_NORMAL,
+            $c->getOAuthVersion(),
+        );
+
+        if ( $a !== false ) {
+            $data['accessKey'] = $a->getAccessToken();
+            $data['accessSecret'] = \MediaWiki\Extension\OAuth\Backend\Utils::hmacDBSecret( $a->getAccessSecret() );
+        }
+
+        return $data;
     }
 }