<?php
/**
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 */

namespace MediaWiki\Specials;

use ErrorPageError;
use MediaWiki\Auth\AuthManager;
use MediaWiki\Html\Html;
use MediaWiki\HTMLForm\Field\HTMLRestrictionsField;
use MediaWiki\HTMLForm\HTMLForm;
use MediaWiki\Logger\LoggerFactory;
use MediaWiki\MainConfigNames;
use MediaWiki\Password\InvalidPassword;
use MediaWiki\Password\PasswordError;
use MediaWiki\Password\PasswordFactory;
use MediaWiki\Permissions\GrantsInfo;
use MediaWiki\Permissions\GrantsLocalization;
use MediaWiki\SpecialPage\FormSpecialPage;
use MediaWiki\Status\Status;
use MediaWiki\User\BotPassword;
use MediaWiki\User\CentralId\CentralIdLookup;
use MediaWiki\User\User;
use Psr\Log\LoggerInterface;

/**
 * Let users manage bot passwords
 *
 * @ingroup SpecialPage
 */
class SpecialBotPasswords extends FormSpecialPage {

	/** @var int Central user ID */
	private $userId = 0;

	/** @var BotPassword|null Bot password being edited, if any */
	private $botPassword = null;

	/** @var string|null Operation being performed: create, update, delete */
	private $operation = null;

	/** @var string|null New password set, for communication between onSubmit() and onSuccess() */
	private $password = null;

	private LoggerInterface $logger;
	private PasswordFactory $passwordFactory;
	private CentralIdLookup $centralIdLookup;
	private GrantsInfo $grantsInfo;
	private GrantsLocalization $grantsLocalization;

	/**
	 * @param PasswordFactory $passwordFactory
	 * @param AuthManager $authManager
	 * @param CentralIdLookup $centralIdLookup
	 * @param GrantsInfo $grantsInfo
	 * @param GrantsLocalization $grantsLocalization
	 */
	public function __construct(
		PasswordFactory $passwordFactory,
		AuthManager $authManager,
		CentralIdLookup $centralIdLookup,
		GrantsInfo $grantsInfo,
		GrantsLocalization $grantsLocalization
	) {
		parent::__construct( 'BotPasswords', 'editmyprivateinfo' );
		$this->logger = LoggerFactory::getInstance( 'authentication' );
		$this->passwordFactory = $passwordFactory;
		$this->centralIdLookup = $centralIdLookup;
		$this->setAuthManager( $authManager );
		$this->grantsInfo = $grantsInfo;
		$this->grantsLocalization = $grantsLocalization;
	}

	/**
	 * @return bool
	 */
	public function isListed() {
		return $this->getConfig()->get( MainConfigNames::EnableBotPasswords );
	}

	protected function getLoginSecurityLevel() {
		return $this->getName();
	}

	/**
	 * Main execution point
	 * @param string|null $par
	 */
	public function execute( $par ) {
		$this->requireNamedUser();
		$this->getOutput()->disallowUserJs();
		$this->getOutput()->addModuleStyles( 'mediawiki.special' );
		$this->addHelpLink( 'Manual:Bot_passwords' );

		if ( $par !== null ) {
			$par = trim( $par );
			if ( $par === '' ) {
				$par = null;
			} elseif ( strlen( $par ) > BotPassword::APPID_MAXLENGTH ) {
				throw new ErrorPageError(
					'botpasswords', 'botpasswords-bad-appid', [ htmlspecialchars( $par ) ]
				);
			}
		}

		parent::execute( $par );
	}

	protected function checkExecutePermissions( User $user ) {
		parent::checkExecutePermissions( $user );

		if ( !$this->getConfig()->get( MainConfigNames::EnableBotPasswords ) ) {
			throw new ErrorPageError( 'botpasswords', 'botpasswords-disabled' );
		}

		$this->userId = $this->centralIdLookup->centralIdFromLocalUser( $this->getUser() );
		if ( !$this->userId ) {
			throw new ErrorPageError( 'botpasswords', 'botpasswords-no-central-id' );
		}
	}

	protected function getFormFields() {
		$fields = [];

		if ( $this->par !== null ) {
			$this->botPassword = BotPassword::newFromCentralId( $this->userId, $this->par );
			if ( !$this->botPassword ) {
				$this->botPassword = BotPassword::newUnsaved( [
					'centralId' => $this->userId,
					'appId' => $this->par,
				] );
			}

			$sep = BotPassword::getSeparator();
			$fields[] = [
				'type' => 'info',
				'label-message' => 'username',
				'default' => $this->getUser()->getName() . $sep . $this->par
			];

			if ( $this->botPassword->isSaved() ) {
				$fields['resetPassword'] = [
					'type' => 'check',
					'label-message' => 'botpasswords-label-resetpassword',
				];
				if ( $this->botPassword->isInvalid() ) {
					$fields['resetPassword']['default'] = true;
				}
			}

			$showGrants = $this->grantsInfo->getValidGrants();
			$grantNames = $this->grantsLocalization->getGrantDescriptionsWithClasses(
				$showGrants, $this->getLanguage() );

			$fields[] = [
				'type' => 'info',
				'default' => '',
				'help-message' => 'botpasswords-help-grants',
			];
			$fields['grants'] = [
				'type' => 'checkmatrix',
				'label-message' => 'botpasswords-label-grants',
				'columns' => [
					$this->msg( 'botpasswords-label-grants-column' )->escaped() => 'grant'
				],
				'rows' => array_combine(
					$grantNames,
					$showGrants
				),
				'default' => array_map(
					static function ( $g ) {
						return "grant-$g";
					},
					$this->botPassword->getGrants()
				),
				'tooltips-html' => array_combine(
					$grantNames,
					array_map(
						fn ( $rights ) => Html::rawElement( 'ul', [], implode( '', array_map(
							fn ( $right ) => Html::rawElement( 'li', [], $this->msg( "right-$right" )->parse() ),
							$rights
						) ) ),
						array_intersect_key( $this->grantsInfo->getRightsByGrant(),
							array_fill_keys( $showGrants, true ) )
					)
				),
				'force-options-on' => array_map(
					static function ( $g ) {
						return "grant-$g";
					},
					$this->grantsInfo->getHiddenGrants()
				),
			];

			$fields['restrictions'] = [
				'class' => HTMLRestrictionsField::class,
				'required' => true,
				'default' => $this->botPassword->getRestrictions(),
			];

		} else {
			$linkRenderer = $this->getLinkRenderer();

			$dbr = BotPassword::getReplicaDatabase();
			$res = $dbr->newSelectQueryBuilder()
				->select( [ 'bp_app_id', 'bp_password' ] )
				->from( 'bot_passwords' )
				->where( [ 'bp_user' => $this->userId ] )
				->caller( __METHOD__ )->fetchResultSet();
			foreach ( $res as $row ) {
				try {
					$password = $this->passwordFactory->newFromCiphertext( $row->bp_password );
					$passwordInvalid = $password instanceof InvalidPassword;
					unset( $password );
				} catch ( PasswordError $ex ) {
					$passwordInvalid = true;
				}

				$text = $linkRenderer->makeKnownLink(
					$this->getPageTitle( $row->bp_app_id ),
					$row->bp_app_id
				);
				if ( $passwordInvalid ) {
					$text .= $this->msg( 'word-separator' )->escaped()
						. $this->msg( 'botpasswords-label-needsreset' )->parse();
				}

				$fields[] = [
					'section' => 'existing',
					'type' => 'info',
					'raw' => true,
					'default' => $text,
				];
			}

			$fields['appId'] = [
				'section' => 'createnew',
				'type' => 'textwithbutton',
				'label-message' => 'botpasswords-label-appid',
				'buttondefault' => $this->msg( 'botpasswords-label-create' )->text(),
				'buttonflags' => [ 'progressive', 'primary' ],
				'required' => true,
				'size' => BotPassword::APPID_MAXLENGTH,
				'maxlength' => BotPassword::APPID_MAXLENGTH,
				'validation-callback' => static function ( $v ) {
					$v = trim( $v );
					return $v !== '' && strlen( $v ) <= BotPassword::APPID_MAXLENGTH;
				},
			];

			$fields[] = [
				'type' => 'hidden',
				'default' => 'new',
				'name' => 'op',
			];
		}

		return $fields;
	}

	protected function alterForm( HTMLForm $form ) {
		$form->setId( 'mw-botpasswords-form' );
		$form->setTableId( 'mw-botpasswords-table' );
		$form->suppressDefaultSubmit();

		if ( $this->par !== null ) {
			if ( $this->botPassword->isSaved() ) {
				$form->setWrapperLegendMsg( 'botpasswords-editexisting' );
				$form->addButton( [
					'name' => 'op',
					'value' => 'update',
					'label-message' => 'botpasswords-label-update',
					'flags' => [ 'primary', 'progressive' ],
				] );
				$form->addButton( [
					'name' => 'op',
					'value' => 'delete',
					'label-message' => 'botpasswords-label-delete',
					'flags' => [ 'destructive' ],
				] );
			} else {
				$form->setWrapperLegendMsg( 'botpasswords-createnew' );
				$form->addButton( [
					'name' => 'op',
					'value' => 'create',
					'label-message' => 'botpasswords-label-create',
					'flags' => [ 'primary', 'progressive' ],
				] );
			}

			$form->addButton( [
				'name' => 'op',
				'value' => 'cancel',
				'label-message' => 'botpasswords-label-cancel'
			] );
		}
	}

	public function onSubmit( array $data ) {
		$op = $this->getRequest()->getVal( 'op', '' );

		switch ( $op ) {
			case 'new':
				$this->getOutput()->redirect( $this->getPageTitle( $data['appId'] )->getFullURL() );
				return false;

			case 'create':
				$this->operation = 'insert';
				return $this->save( $data );

			case 'update':
				$this->operation = 'update';
				return $this->save( $data );

			case 'delete':
				$this->operation = 'delete';
				$bp = BotPassword::newFromCentralId( $this->userId, $this->par );
				if ( $bp ) {
					$bp->delete();
					$this->logger->info(
						"Bot password {op} for {user}@{app_id}",
						[
							'app_id' => $this->par,
							'user' => $this->getUser()->getName(),
							'centralId' => $this->userId,
							'op' => 'delete',
							'client_ip' => $this->getRequest()->getIP()
						]
					);
				}
				return Status::newGood();

			case 'cancel':
				$this->getOutput()->redirect( $this->getPageTitle()->getFullURL() );
				return false;
		}

		return false;
	}

	private function save( array $data ) {
		$bp = BotPassword::newUnsaved( [
			'centralId' => $this->userId,
			'appId' => $this->par,
			'restrictions' => $data['restrictions'],
			'grants' => array_merge(
				$this->grantsInfo->getHiddenGrants(),
				// @phan-suppress-next-next-line PhanTypeMismatchArgumentInternal See phan issue #3163,
				// it's probably failing to infer the type of $data['grants']
				preg_replace( '/^grant-/', '', $data['grants'] )
			)
		] );

		if ( $bp === null ) {
			// Messages: botpasswords-insert-failed, botpasswords-update-failed
			return Status::newFatal( "botpasswords-{$this->operation}-failed", $this->par );
		}

		if ( $this->operation === 'insert' || !empty( $data['resetPassword'] ) ) {
			$this->password = BotPassword::generatePassword( $this->getConfig() );
			$password = $this->passwordFactory->newFromPlaintext( $this->password );
		} else {
			$password = null;
		}

		$res = $bp->save( $this->operation, $password );

		$success = $res->isGood();

		$this->logger->info(
			'Bot password {op} for {user}@{app_id} ' . ( $success ? 'succeeded' : 'failed' ),
			[
				'op' => $this->operation,
				'user' => $this->getUser()->getName(),
				'app_id' => $this->par,
				'centralId' => $this->userId,
				'restrictions' => $data['restrictions'],
				'grants' => $bp->getGrants(),
				'client_ip' => $this->getRequest()->getIP(),
				'success' => $success,
			]
		);

		return $res;
	}

	public function onSuccess() {
		$out = $this->getOutput();

		$username = $this->getUser()->getName();
		switch ( $this->operation ) {
			case 'insert':
				$out->setPageTitleMsg( $this->msg( 'botpasswords-created-title' ) );
				$out->addWikiMsg( 'botpasswords-created-body', $this->par, $username );
				break;

			case 'update':
				$out->setPageTitleMsg( $this->msg( 'botpasswords-updated-title' ) );
				$out->addWikiMsg( 'botpasswords-updated-body', $this->par, $username );
				break;

			case 'delete':
				$out->setPageTitleMsg( $this->msg( 'botpasswords-deleted-title' ) );
				$out->addWikiMsg( 'botpasswords-deleted-body', $this->par, $username );
				$this->password = null;
				break;
		}

		if ( $this->password !== null ) {
			$sep = BotPassword::getSeparator();
			$out->addWikiMsg(
				'botpasswords-newpassword',
				htmlspecialchars( $username . $sep . $this->par ),
				htmlspecialchars( $this->password ),
				htmlspecialchars( $username ),
				htmlspecialchars( $this->par . $sep . $this->password )
			);
			$this->password = null;
		}

		$out->addReturnTo( $this->getPageTitle() );
	}

	protected function getGroupName() {
		return 'login';
	}

	protected function getDisplayFormat() {
		return 'ooui';
	}
}

/** @deprecated class alias since 1.41 */
class_alias( SpecialBotPasswords::class, 'SpecialBotPasswords' );