From 22f0b46bde3680f3f912faeae3588522d41cd740 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Mon, 4 Sep 2023 15:06:13 +0200
Subject: [PATCH] Revamp LDAP : * Move ldap config to json file * enable all extensions * rename options
---
 conf/LocalSettings.php | 97 +++++++++++++++++++----------------------
 conf/ldapproviders.json | 24 ++++++++++
 config_panel.toml | 34 +++++++++++----
 manifest.toml | 34 ++++++++++++++-
 scripts/install | 10 +++--
 scripts/upgrade | 13 +++---
 6 files changed, 143 insertions(+), 69 deletions(-)
 create mode 100644 conf/ldapproviders.json
 mode change 100644 => 100755 scripts/install
 mode change 100644 => 100755 scripts/upgrade
diff --git a/conf/LocalSettings.php b/conf/LocalSettings.php
index 702e110..16f780e 100644
--- a/conf/LocalSettings.php
+++ b/conf/LocalSettings.php
@@ -135,59 +135,54 @@ wfLoadSkin( 'Vector' );
 # End of automatically generated settings.
 # Add more configuration options below.
-# Enabled extensions. Most of the extensions are enabled by adding
-# wfLoadExtensions('ExtensionName');
-# to LocalSettings.php. Check specific extension documentation for more details.
+# LDAP Settings
+# See https://www.mediawiki.org/wiki/Manual:Active_Directory_Integration
-# LDAPProvider
-# https://www.mediawiki.org/wiki/Extension:LDAPProvider
-wfLoadExtension( 'LDAPProvider' );
-
-# PluggableAuth
-# https://www.mediawiki.org/wiki/Extension:PluggableAuth
-wfLoadExtension( 'PluggableAuth' );
-
-$wgPluggableAuth_EnableLocalLogin = true;
-$wgPluggableAuth_EnableLocalProperties = true;
-
-# LDAPAuthentication2
-# https://www.mediawiki.org/wiki/Extension:LDAPAuthentication2
-wfLoadExtension( 'LDAPAuthentication2' );
-
-# Note(decentral1se): leaving here in case we need them one day
-# LDAPGroups
-# https://www.mediawiki.org/wiki/Extension:LDAPGroups
-# wfLoadExtension( 'LDAPGroups' );
-
-# Note(decentral1se): leaving here in case we need them one day
-# LDAPUserInfo
-# https://www.mediawiki.org/wiki/Extension:LDAPUserInfo
-# wfLoadExtension( 'LDAPUserInfo' );
-
-# Note(decentral1se): leaving here in case we need them one day
-# LDAPAuthorization
-# https://www.mediawiki.org/wiki/Extension:LDAPAuthorization
 # wfLoadExtension( 'LDAPAuthorization' );
+wfLoadExtension( 'LDAPAuthentication2' );
+wfLoadExtension( 'LDAPGroups' );
+wfLoadExtension( 'LDAPProvider' );
+wfLoadExtension( 'LDAPUserInfo' );
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'Auth_remoteuser' );
-# LDAP configuration
-$LDAPProviderDomainConfigProvider = function() {
- $config = [
- "LDAP" => [
- "connection" => [
- "server" => "localhost",
- "port" => "389",
- "basedn" => "dc=yunohost,dc=org",
- "groupbasedn" => "ou=users,dc=yunohost,dc=org",
- "userbasedn" => "ou=groups,dc=yunohost,dc=org",
- "searchattribute" => "uid",
- "usernameattribute" => "uid",
- "realnameattribute" => "cn",
- "emailattribute" => "mail"
- ]
- ]
+# Yunohost configuration values for config_panel
+$public_wiki = __PUBLIC_WIKI__;
+$local_accounts = __LOCAL_ACCOUNTS__;
+$yunohost_accounts = __YUNOHOST_ACCOUNTS__;
+
+# Configuration of the generic PluggableAuth extension
+$wgPluggableAuth_EnableLocalLogin = $local_accounts;
+$wgPluggableAuth_EnableLocalProperties = true;
+$wgPluggableAuth_EnableFastLogout = true;
+# $wgPluggableAuth_ButtonLabel = "Log In";
+
+# Configuration of the Yunohost LDAP+SSO
+if ($yunohost_accounts) {
+ $LDAPProviderDomainConfigs = "$IP/ldapproviders.json";
+ $LDAPProviderDefaultDomain = "yunohost.local";
+
+ $wgPluggableAuth_Config["Log In with Yunohost"] = [
+ "plugin" => "LDAPAuthentication2",
+ "data" => [ "domain" => "yunohost.local" ]
 ];
- return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
-};
-$createaccount = __CREATE_ACCOUNT__;
-$wgGroupPermissions['*']['createaccount'] = $createaccount;
+ $wgAuthRemoteuserUserUrls = [
+ 'logout' => 'https://__DOMAIN__/yunohost/sso/?action=logout'
+ ];
+}
+
+# Auth_remoteuser will read the REMOTE_USER http header (for Yunohost SSO)
+$wgAuthRemoteuserUserName = [
+ getenv('REMOTE_USER'),
+];
+
+# Allow users to login as other than SSO logged in user
+$wgAuthRemoteuserAllowUserSwitch = true;
+
+# $wgEmailConfirmToEdit = false;
+$wgGroupPermissions['*']['edit'] = $public_wiki;
+$wgGroupPermissions['*']['read'] = $public_wiki;
+$wgGroupPermissions['*']['createaccount'] = $local_accounts;
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgBlockDisablesLogin = true;
diff --git a/conf/ldapproviders.json b/conf/ldapproviders.json
new file mode 100644
index 0000000..b9e4d32
--- /dev/null
+++ b/conf/ldapproviders.json
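Review bot: `$wgAuthRemoteuserUserName = [ getenv('REMOTE_USER'), ]`, `$wgAuthRemoteuserAllowUserSwitch = true` and `$wgGroupPermissions['*']['autocreateaccount'] = true` sit outside the `if ($yunohost_accounts)` block, and `wfLoadExtension( 'Auth_remoteuser' )` is unconditional, so header-based auto-login and account auto-creation stay active even when the admin has switched Yunohost account linking off. Auth_remoteuser trusts whatever REMOTE_USER the web server hands PHP, so those three settings and the extension load belong inside the block, the only place where the SSO gateway is assumed to be in front of the wiki. `$public_wiki` also drives `['*']['edit']`, which is broader than the "visibility" wording in the panel help; either split anonymous editing into its own option or say so in the comment: `# public_wiki: anonymous visitors may read AND edit`. Note too that `# wfLoadExtension( 'LDAPAuthorization' );` stays commented out although the install script now extracts that extension and ldapproviders.json carries an empty `authorization` section.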
@@ -0,0 +1,24 @@
+{
+ "yunohost.local": {
+ "connection": {
+ "server": "localhost",
+ "port": "389",
+ "use-tls": "false",
+ "basedn": "dc=yunohost,dc=org",
+ "userbasedn": "ou=users,dc=yunohost,dc=org",
+ "groupbasedn": "ou=groups,dc=yunohost,dc=org",
+ "searchattribute": "uid",
+ "usernameattribute": "uid",
+ "realnameattribute": "cn",
+ "emailattribute": "mail",
+ "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
+ "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
+ },
+ "userinfo": [],
+ "authorization": [],
+ "groupsync": {
+ "mapping": {
+ }
+ }
+ }
+}
diff --git a/config_panel.toml b/config_panel.toml
index 1600740..e2e5a52 100644
--- a/config_panel.toml
+++ b/config_panel.toml
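Review bot: `"use-tls": "false"` is a JSON string, and a non-empty string is truthy in PHP; if LDAPProvider tests this key with a plain boolean check it will attempt STARTTLS against localhost:389 and the bind will fail wherever slapd has no certificate configured, so prefer the JSON boolean `"use-tls": false` unless the extension is known to parse the string form. The block carries no bind `user`/`pass`, so user, group and userinfo lookups depend on slapd accepting anonymous binds under `dc=yunohost,dc=org`; since JSON has no comment syntax, that assumption is worth recording next to `$LDAPProviderDomainConfigs` in LocalSettings.php. `"port": "389"` is likewise a string and a number is the safer form if the value reaches ldap_connect without a cast.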
@@ -3,14 +3,32 @@ version = "1.0"
 [main]
 name = "Mediawiki configuration"
-
 [main.config]
 name = "Configuration Options"
- [main.config.create_account]
- ask = "Create account"
- type = "boolean"
- yes = true
- no = false
- help = "Set to 'true' to allow account creation."
- bind = "createaccount:__INSTALL_DIR__/LocalSettings.php"
+ [install.public_wiki]
+ ask.en = "Is this Wiki public ?"
+ ask.fr = "Ce Wiki est-il public ?"
+ help.en = "This visibility is handled by Mediawiki, not Yunohost"
+ help.fr = "Cette visibilité est gérée par Mediawiki, pas Yunohost"
+ type = "boolean"
+ default = true
+ bind = ":__INSTALL_DIR__/LocalSettings.php"
+
+ [install.local_accounts]
+ ask.en = "Allow local accounts (non-Yunohost login) ?"
+ ask.fr = "Autoriser les comptes locaux (non connectés à Yunohost) ?"
+ help.en = "If this is enabled, people without a Yunohost account can create an account, local to the wiki."
+ help.fr = "Si activé, les personnes sans compte Yunohost pourront créer un compte local au wiki."
+ type = "boolean"
+ default = false
+ bind = ":__INSTALL_DIR__/LocalSettings.php"
+
+ [install.yunohost_accounts]
+ ask.en = "Link with Yunohost accounts"
+ ask.fr = "Lier aux comptes Yunohost"
+ help.en = "If this is enabled, Yunohost users will be able to login."
+ help.fr = "Si activé, les utilisateurs Yunohost pourront s'authentifier."
+ type = "boolean"
+ default = true
+ bind = ":__INSTALL_DIR__/LocalSettings.php"
diff --git a/manifest.toml b/manifest.toml
index a2bf148..720e867 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -38,8 +38,8 @@ ram.runtime = "50M"
 default = "/wiki"
 [install.init_main_permission]
- help.en = "Visibility of the wiki pages"
- help.fr = "La visibilité des pages du wiki"
+ help.en = "Visibility of the wiki (handled by Yunohost)"
+ help.fr = "La visibilité du wiki (gérée par Yunohost)"
 type = "group"
 default = "visitors"
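Review bot: The three new sections are headed `[install.public_wiki]`, `[install.local_accounts]` and `[install.yunohost_accounts]`, but config_panel.toml nests its options under `[main.config]` (the removed option was `[main.config.create_account]`), so TOML will place them in an unrelated top-level `install` table and the "Configuration Options" panel is likely to come up empty. The headers look copied from manifest.toml and should read `[main.config.public_wiki]` and so on. The `bind = ":__INSTALL_DIR__/LocalSettings.php"` form relies on each option id matching a PHP variable of the same name, which the LocalSettings template provides as `$public_wiki`, `$local_accounts` and `$yunohost_accounts`.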
@@ -64,12 +64,42 @@ ram.runtime = "50M"
 type = "string"
 default = "YunoWiki"
+ [install.public_wiki]
+ ask.en = "Is this Wiki public ?"
+ ask.fr = "Ce Wiki est-il public ?"
+ help.en = "This visibility is handled by Mediawiki, not Yunohost"
+ help.fr = "Cette visibilité est gérée par Mediawiki, pas Yunohost"
+ type = "boolean"
+ default = true
+
+ [install.local_accounts]
+ ask.en = "Allow local accounts (non-Yunohost login) ?"
+ ask.fr = "Autoriser les comptes locaux (non connectés à Yunohost) ?"
+ help.en = "If this is enabled, people without a Yunohost account can create an account, local to the wiki."
+ help.fr = "Si activé, les personnes sans compte Yunohost pourront créer un compte local au wiki."
+ type = "boolean"
+ default = false
+
+ [install.yunohost_accounts]
+ ask.en = "Link with Yunohost accounts"
+ ask.fr = "Lier aux comptes Yunohost"
+ help.en = "If this is enabled, Yunohost users will be able to login."
+ help.fr = "Si activé, les utilisateurs Yunohost pourront s'authentifier."
+ type = "boolean"
+ default = true
+
+
 [resources]
 [resources.sources]
 [resources.sources.main]
 url = "https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.tar.gz"
 sha256 = "e05d419de40c6ad03145aca07e08cf995d1ca1667d97793bb73970e2c11b0a04"
+ [resources.sources.auth_remoteuser]
+ url = "https://github.com/wikimedia/mediawiki-extensions-Auth_remoteuser/archive/1a72290f4b3f35694a9a0a71d7c17258badca429.tar.gz"
+ sha256 = "4864edde068209a8a72a97238041220d47b3d4cd4c353637dd0857f488b67904"
+ in_subdir = true
+
 [resources.sources.ldap_groups]
 url = "https://github.com/wikimedia/mediawiki-extensions-LDAPGroups/archive/6babc982f16ea9b6a6a64d45e55413c663bc6b6f.tar.gz"
 sha256 = "88ce087760726ea61c002c8d4b169b1d3a5421d76d8e4afa916ba55051a9130a"
diff --git a/scripts/install b/scripts/install
old mode 100644
new mode 100755
index f938d4c..8fcf3c4
--- a/scripts/install
+++ b/scripts/install
@@ -26,13 +26,16 @@ ynh_script_progression --message="Setting up source files..." --weight=4
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir"
+
+ # See https://www.mediawiki.org/wiki/Manual:Active_Directory_Integration
+ ynh_setup_source --dest_dir="$install_dir/extensions/Auth_remoteuser" --source_id="auth_remoteuser"
+ ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
 ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthentication2" --source_id="ldap_authentication2"
+ ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
 ynh_setup_source --dest_dir="$install_dir/extensions/LDAPProvider" --source_id="ldap_provider"
+ ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
 ynh_setup_source --dest_dir="$install_dir/extensions/PluggableAuth" --source_id="pluggable_auth"
- # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
- # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
- # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
@@ -94,6 +97,7 @@ mv "$install_dir/LocalSettings.php" "$install_dir/LocalSettings.php.orig"
 wiki_name_underscorified="${wiki_name//[^a-zA-Z0-9]/_}"
 ynh_add_config --template="../conf/LocalSettings.php" --destination="$install_dir/LocalSettings.php"
+ynh_add_config --template="../conf/ldapproviders.json" --destination="$install_dir/ldapproviders.json"
 # This is required to update database schemas
 "php$phpversion" "$install_dir/maintenance/update.php"
diff --git a/scripts/upgrade b/scripts/upgrade
old mode 100644
new mode 100755
index 335274d..32bc825
--- a/scripts/upgrade
+++ b/scripts/upgrade
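Review bot: The second hunk writes `ldapproviders.json` into `$install_dir`, next to LocalSettings.php, which is presumably also the nginx document root; a bare `.json` file there is served as static content unless the nginx template denies it, so the LDAP layout (and any bind `user`/`pass` later added to the template) would be readable by anonymous HTTP clients. Either write it outside the web root and point `$LDAPProviderDomainConfigs` there, or confirm that the nginx config blocks it; the same write is added in scripts/upgrade. Because `chmod -R o-rwx "$install_dir"` in the first hunk runs before this file exists, its mode and owner come from `ynh_add_config` alone. Separately, `LDAPAuthorization` is now extracted but LocalSettings.php still leaves its `wfLoadExtension` commented out, so the extraction is dead weight until one of the two is changed.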
@@ -58,14 +58,15 @@ then
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir"
+
+ # See https://www.mediawiki.org/wiki/Manual:Active_Directory_Integration
+ ynh_setup_source --dest_dir="$install_dir/extensions/Auth_remoteuser" --source_id="auth_remoteuser"
+ ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
 ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthentication2" --source_id="ldap_authentication2"
+ ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
 ynh_setup_source --dest_dir="$install_dir/extensions/LDAPProvider" --source_id="ldap_provider"
+ ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
 ynh_setup_source --dest_dir="$install_dir/extensions/PluggableAuth" --source_id="pluggable_auth"
-
- # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
- # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
- # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
-
 fi
 chmod -R o-rwx "$install_dir"
@@ -115,6 +116,8 @@ if (( password_length < 10 )); then
 echo "\$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;" >> "$install_dir/LocalSettings.php"
 fi
+ynh_add_config --template="../conf/ldapproviders.json" --destination="$install_dir/ldapproviders.json"
+
 # This is required to update database schemas
 "php$phpversion" "$install_dir/maintenance/update.php"
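Review bot: The new `ynh_setup_source` calls for Auth_remoteuser, LDAPAuthorization, LDAPGroups and LDAPUserInfo only run inside the `if … then … fi` whose condition starts before the hunk, while the `ynh_add_config` for ldapproviders.json in the second hunk runs on every upgrade; if that condition is an upgrade-type check that skips the source refresh and LocalSettings.php is regenerated from the new template, the wiki would call `wfLoadExtension( 'Auth_remoteuser' )` on an extension directory that was never created and fail on the next request. Consider forcing the extension extraction for this upgrade, or guarding each `wfLoadExtension` in the template with a `file_exists` check. The `echo … >> "$install_dir/LocalSettings.php"` context in the second hunk also suggests LocalSettings.php is appended to rather than rewritten on upgrade, so whether the template changes reach upgraded installs at all is worth verifying.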