diff --git a/scripts/install b/scripts/install index b6b861d..4eb99ff 100755 --- a/scripts/install +++ b/scripts/install @@ -40,12 +40,19 @@ sed -i "s@PATHTOCHANGE@$path@g" ../conf/nginx.conf sed -i "s@ALIASTOCHANGE@$final_path/@g" ../conf/nginx.conf sudo cp ../conf/nginx.conf /etc/nginx/conf.d/$domain.d/wordpress.conf +#Installation Wordpress +sudo dd if=/dev/zero of=/var/swap.1 bs=1M count=1024 +sudo mkswap /var/swap.1 +sudo swapon /var/swap.1 +dpkg -l | grep php5-cli > /dev/null 2>&1 +if [ $? != 0 ]; +then + apt-get install php5-cli +fi +curl https://raw.github.com/wp-cli/wp-cli.github.com/master/installer.sh | bash +wp core install --url=$domain$path --title=Yunohost --admin_user=admin --admin_password=$admin_passwd --admin_email=admin@$domain --path=$final_path +wp plugin activate http-authentication --path=$final_path + # Reload Nginx and regenerate SSOwat conf sudo service nginx reload -sudo yunohost app setting wordpress skipped_uris -v "$path/wp-admin" -sudo yunohost app ssowatconf - -#Installation Wordpress -curl -X POST -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:12.0) Gecko/20100101 Firefox/12.0" -e "http://$domain$path/wp-admin/install.php?step=2" -H "Content-Type:application/x-www-form-urlencoded" -H "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Encoding:gzip, deflate" --data "?step=2&weblog_title=Yunohost&user_name=admin&admin_password=$admin_passwd&admin_password2=$admin_passwd&admin_email=admin@$domain&Submit=Install+WordPress" http://$domain$path/wp-admin/install.php?step=2&weblog_title=Yunohost&user_name=admin&admin_password=$admin_passwd&admin_password2=$admin_passwd&admin_email=admin@$domain&Submit=Install+WordPress > /dev/null 2>&1 -sudo yunohost app setting wordpress skipped_uris -v "" sudo yunohost app ssowatconf 
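Review bot: The added `curl https://raw.github.com/wp-cli/wp-cli.github.com/master/installer.sh | bash` runs whatever the `master` branch serves at install time, with no pinned revision or checksum, so a changed or compromised upstream script executes with the installer's privileges. Fetch a pinned release to a file, verify its hash against a value kept in this repository, and only then run it. On the `wp core install` line, `--admin_password=$admin_passwd` is unquoted and passed on the command line, so a password with spaces or shell metacharacters is split or expanded and the value shows up in the process list; at minimum write `--admin_password="$admin_passwd"`. `sudo dd ... of=/var/swap.1` recreates the swap file on every run with default (typically world-readable) permissions, so add an existence check and `sudo chmod 600 /var/swap.1` before `mkswap`; `apt-get install php5-cli` also lacks the `sudo` and `-y` a non-interactive install needs. Because `wp plugin activate http-authentication` enables a plugin that logs in whichever account `REMOTE_USER` names, confirm that only the nginx/SSOwat layer can set that variable; that configuration is not visible in this hunk.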
diff --git a/sources/wp-content/plugins/http-authentication/http-authentication.php b/sources/wp-content/plugins/http-authentication/http-authentication.php new file mode 100644 index 0000000..2e99a1b --- /dev/null +++ b/sources/wp-content/plugins/http-authentication/http-authentication.php 
@@ -0,0 +1,278 @@ +REMOTE_USER). This plugin assumes users are externally authenticated, as with GatorLink. +Author: Daniel Westermann-Clark +Author URI: http://danieltwc.com/ +*/ + +require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'options-page.php'); + +class HTTPAuthenticationPlugin { + var $db_version = 2; + var $option_name = 'http_authentication_options'; + var $options; + + function HTTPAuthenticationPlugin() { + $this->options = get_option($this->option_name); + + if (is_admin()) { + $options_page = new HTTPAuthenticationOptionsPage($this, $this->option_name, __FILE__, $this->options); + add_action('admin_init', array($this, 'check_options')); + } + + add_action('login_head', array($this, 'add_login_css')); + add_action('login_footer', array($this, 'add_login_link')); + add_action('check_passwords', array($this, 'generate_password'), 10, 3); + add_action('wp_logout', array($this, 'logout')); + add_filter('login_url', array($this, 'bypass_reauth')); + add_filter('show_password_fields', array($this, 'allow_wp_auth')); + add_filter('allow_password_reset', array($this, 'allow_wp_auth')); + add_filter('authenticate', array($this, 'authenticate'), 10, 3); + } + + /* + * Check the options currently in the database and upgrade if necessary. + */ + function check_options() { + if ($this->options === false || ! isset($this->options['db_version']) || $this->options['db_version'] < $this->db_version) { + if (! is_array($this->options)) { + $this->options = array(); + } + + $current_db_version = isset($this->options['db_version']) ? $this->options['db_version'] : 0; + $this->upgrade($current_db_version); + $this->options['db_version'] = $this->db_version; + update_option($this->option_name, $this->options); + } + } + + /* + * Upgrade options as needed depending on the current database version. 
+ */ + function upgrade($current_db_version) { + $default_options = array( + 'allow_wp_auth' => false, + 'auth_label' => 'HTTP authentication', + 'login_uri' => htmlspecialchars_decode(wp_login_url()), + 'logout_uri' => remove_query_arg('_wpnonce', htmlspecialchars_decode(wp_logout_url())), + 'additional_server_keys' => '', + 'auto_create_user' => false, + 'auto_create_email_domain' => '', + ); + + if ($current_db_version < 1) { + foreach ($default_options as $key => $value) { + // Handle migrating existing options from before we stored a db_version + if (! isset($this->options[$key])) { + $this->options[$key] = $value; + } + } + } + } + + function add_login_css() { +?> + +_generate_uri($this->options['login_uri'], wp_login_url($redirect_to)); + $auth_label = $this->options['auth_label']; + + echo "\t" . '' . "\n"; + } + + /* + * Generate a password for the user. This plugin does not require the + * administrator to enter this value, but we need to set it so that user + * creation and editing works. + */ + function generate_password($username, $password1, $password2) { + if (! $this->allow_wp_auth()) { + $password1 = $password2 = wp_generate_password(); + } + } + + /* + * Logout the user by redirecting them to the logout URI. + */ + function logout() { + $logout_uri = $this->_generate_uri($this->options['logout_uri'], home_url()); + + wp_redirect($logout_uri); + exit(); + } + + /* + * Remove the reauth=1 parameter from the login URL, if applicable. This allows + * us to transparently bypass the mucking about with cookies that happens in + * wp-login.php immediately after wp_signon when a user e.g. navigates directly + * to wp-admin. + */ + function bypass_reauth($login_url) { + $login_url = remove_query_arg('reauth', $login_url); + + return $login_url; + } + + /* + * Can we fallback to built-in WordPress authentication? 
+ */ + function allow_wp_auth() { + return (bool) $this->options['allow_wp_auth']; + } + + /* + * Authenticate the user, first using the external authentication source. + * If allowed, fall back to WordPress password authentication. + */ + function authenticate($user, $username, $password) { + $user = $this->check_remote_user(); + + if (! is_wp_error($user)) { + // User was authenticated via REMOTE_USER + $user = new WP_User($user->ID); + } + else { + // REMOTE_USER is invalid; now what? + + if (! $this->allow_wp_auth()) { + // Bail with the WP_Error when not falling back to WordPress authentication + wp_die($user); + } + + // Fallback to built-in hooks (see wp-includes/user.php) + } + + return $user; + } + + /* + * If the REMOTE_USER or REDIRECT_REMOTE_USER evironment variable is set, use it + * as the username. This assumes that you have externally authenticated the user. + */ + function check_remote_user() { + $username = ''; + + $server_keys = $this->_get_server_keys(); + foreach ($server_keys as $server_key) { + if (! empty($_SERVER[$server_key])) { + $username = $_SERVER[$server_key]; + } + } + + if (! $username) { + return new WP_Error('empty_username', 'ERROR: No user found in server variables.'); + } + + // Create new users automatically, if configured + $user = get_user_by('login', $username); + if (! $user) { + if ((bool) $this->options['auto_create_user']) { + $user = $this->_create_user($username); + } + else { + // Bail out to avoid showing the login form + $user = new WP_Error('authentication_failed', __('ERROR: Invalid username or incorrect password.')); + } + } + + return $user; + } + + /* + * Return the list of $_SERVER keys that we will check for a username. By + * default, these are REMOTE_USER and REDIRECT_REMOTE_USER. Additional keys + * can be configured from the options page. 
+ */ + function _get_server_keys() { + $server_keys = array('REMOTE_USER', 'REDIRECT_REMOTE_USER'); + + $additional_server_keys = $this->options['additional_server_keys']; + if (! empty($additional_server_keys)) { + $keys = preg_split('/,\s*/', $additional_server_keys); + $server_keys = array_merge($server_keys, $keys); + } + + return $server_keys; + } + + /* + * Create a new WordPress account for the specified username. + */ + function _create_user($username) { + $password = wp_generate_password(); + $email_domain = $this->options['auto_create_email_domain']; + + $user_id = wp_create_user($username, $password, $username . ($email_domain ? '@' . $email_domain : '')); + $user = get_user_by('id', $user_id); + + return $user; + } + + /* + * Fill the specified URI with the site URI and the specified return location. + */ + function _generate_uri($uri, $redirect_to) { + // Support tags for staged deployments + $base = $this->_get_base_url(); + + $tags = array( + 'host' => $_SERVER['HTTP_HOST'], + 'base' => $base, + 'site' => home_url(), + 'redirect' => $redirect_to, + ); + + foreach ($tags as $tag => $value) { + $uri = str_replace('%' . $tag . '%', $value, $uri); + $uri = str_replace('%' . $tag . '_encoded%', urlencode($value), $uri); + } + + // Support previous versions with only the %s tag + if (strstr($uri, '%s') !== false) { + $uri = sprintf($uri, urlencode($redirect_to)); + } + + return $uri; + } + + /* + * Return the base domain URL based on the WordPress home URL. + */ + function _get_base_url() { + $home = parse_url(home_url()); + + $base = home_url(); + foreach (array('path', 'query', 'fragment') as $key) { + if (! isset($home[$key])) continue; + $base = str_replace($home[$key], '', $base); + } + + return $base; + } +} + +// Load the plugin hooks, etc. +$http_authentication_plugin = new HTTPAuthenticationPlugin(); +?> 
diff --git a/sources/wp-content/plugins/http-authentication/options-page.php b/sources/wp-content/plugins/http-authentication/options-page.php new file mode 100644 index 0000000..f670ee2 --- /dev/null +++ b/sources/wp-content/plugins/http-authentication/options-page.php 
@@ -0,0 +1,195 @@ +plugin = $plugin; + $this->group = $group; + $this->page = $page; + $this->options = $options; + $this->title = $title; + + add_action('admin_init', array($this, 'register_options')); + add_action('admin_menu', array($this, 'add_options_page')); + } + + /* + * Register the options for this plugin so they can be displayed and updated below. + */ + function register_options() { + register_setting($this->group, $this->group, array($this, 'sanitize_settings')); + + $section = 'http_authentication_main'; + add_settings_section($section, 'Main Options', array($this, '_display_options_section'), $this->page); + add_settings_field('http_authentication_allow_wp_auth', 'Allow WordPress authentication?', array($this, '_display_option_allow_wp_auth'), $this->page, $section, array('label_for' => 'http_authentication_allow_wp_auth')); + add_settings_field('http_authentication_auth_label', 'Authentication label', array($this, '_display_option_auth_label'), $this->page, $section, array('label_for' => 'http_authentication_auth_label')); + add_settings_field('http_authentication_login_uri', 'Login URI', array($this, '_display_option_login_uri'), $this->page, $section, array('label_for' => 'http_authentication_login_uri')); + add_settings_field('http_authentication_logout_uri', 'Logout URI', array($this, '_display_option_logout_uri'), $this->page, $section, array('label_for' => 'http_authentication_logout_uri')); + add_settings_field('http_authentication_additional_server_keys', '$_SERVER variables', array($this, '_display_option_additional_server_keys'), $this->page, $section, array('label_for' => 'http_authentication_additional_server_keys')); + add_settings_field('http_authentication_auto_create_user', 'Automatically create accounts?', array($this, '_display_option_auto_create_user'), $this->page, $section, array('label_for' => 'http_authentication_auto_create_user')); + add_settings_field('http_authentication_auto_create_email_domain', 'Email address domain', 
array($this, '_display_option_auto_create_email_domain'), $this->page, $section, array('label_for' => 'http_authentication_auto_create_email_domain')); + } + + /* + * Set the database version on saving the options. + */ + function sanitize_settings($input) { + $output = $input; + $output['db_version'] = $this->plugin->db_version; + $output['allow_wp_auth'] = isset($input['allow_wp_auth']) ? (bool) $input['allow_wp_auth'] : false; + $output['auto_create_user'] = isset($input['auto_create_user']) ? (bool) $input['auto_create_user'] : false; + + return $output; + } + + /* + * Add an options page for this plugin. + */ + function add_options_page() { + add_options_page($this->title, $this->title, 'manage_options', $this->page, array($this, '_display_options_page')); + } + + /* + * Display the options for this plugin. + */ + function _display_options_page() { + if (! current_user_can('manage_options')) { + wp_die(__('You do not have sufficient permissions to access this page.')); + } +?> +
+

HTTP Authentication Options

+

For the Login URI and Logout URI options, you can use the following variables to support your installation:

+ +

You can also use %host_encoded%, %site_encoded%, and %redirect_encoded% for URL-encoded values.

+
+ + group); ?> + page); ?> +

+ +

+
+
+options['allow_wp_auth']; + $this->_display_checkbox_field('allow_wp_auth', $allow_wp_auth); +?> +Should the plugin fallback to WordPress authentication if none is found from the server? +options['login_uri'] == htmlspecialchars_decode(wp_login_url())) { + echo '
WARNING: You must set the login URI below to your external authentication system. Otherwise you will not be able to login!'; + } + } + + /* + * Display the authentication label field, describing the authentication system + * in use. + */ + function _display_option_auth_label() { + $auth_label = $this->options['auth_label']; + $this->_display_input_text_field('auth_label', $auth_label); +?> +Default is HTTP authentication; override to use the name of your single sign-on system. +options['login_uri']; + $this->_display_input_text_field('login_uri', $login_uri); +?> +Default is ; override to direct users to a single sign-on system. See above for available variables.
+Example: %base%/Shibboleth.sso/Login?target=%redirect_encoded% +options['logout_uri']; + $this->_display_input_text_field('logout_uri', $logout_uri); +?> +Default is ; override to e.g. remove a cookie. See above for available variables.
+Example: %base%/Shibboleth.sso/Logout?return=%redirect_encoded% +options['additional_server_keys']; + $this->_display_input_text_field('additional_server_keys', $additional_server_keys); +?> +$_SERVER variables in addition to REMOTE_USER and REDIRECT_REMOTE_USER to check for the username value, separated by a comma. Use this to e.g. support personal X.509 certificates for authentication.
+Example: SSL_CLIENT_S_DN_CN +options['auto_create_user']; + $this->_display_checkbox_field('auto_create_user', $auto_create_user); +?> +Should a new user be created automatically if not already in the WordPress database?
+Created users will obtain the role defined under "New User Default Role" on the General Options page. +options['auto_create_email_domain']; + $this->_display_input_text_field('auto_create_email_domain', $auto_create_email_domain); +?> +When a new user logs in, this domain is used for the initial email address on their account. The user can change his or her email address by editing their profile. + +
+ + value="1" />
+ diff --git a/sources/wp-content/plugins/http-authentication/readme.txt b/sources/wp-content/plugins/http-authentication/readme.txt new file mode 100644 index 0000000..8f14186 --- /dev/null +++ b/sources/wp-content/plugins/http-authentication/readme.txt 
@@ -0,0 +1,202 @@ +=== HTTP Authentication === +Contributors: dwc +Tags: authentication +Requires at least: 3.1 +Tested up to: 3.4 +Stable tag: 4.5 + +Use an external authentication source in WordPress. + +== Description == + +The HTTP Authentication plugin allows you to use existing means of authenticating people to WordPress. This includes Apache's basic HTTP authentication module, [Shibboleth](http://shibboleth.internet2.edu/), and many others. + +To follow updates to this plugin, visit: + +http://danieltwc.com/ + +For help with this version, visit: + +http://danieltwc.com/2011/http-authentication-4-0/ + +== Installation == + +1. Login as an existing user, such as admin. +2. Upload the `http-authentication` folder to your plugins folder, usually `wp-content/plugins`. (Or simply via the built-in installer.) +3. Activate the plugin on the Plugins screen. +4. Add one or more users to WordPress, specifying the external username for the "Username" field. Also be sure to set the role for each user. +5. Logout. +6. Protect `wp-login.php` and `wp-admin` using your external authentication (using, for example, `.htaccess` files). +7. Try logging in as one of the users added in step 4. + +Note: This version works with WordPress 3.0 and above. Use the following for older versions of WordPress: + +* Wordpress 2.0: [Version 1.8](http://downloads.wordpress.org/plugin/http-authentication.1.8.zip) +* Wordpress 2.5 through 2.9.x: [Version 2.4](http://downloads.wordpress.org/plugin/http-authentication.2.4.zip) + +== Frequently Asked Questions == + += What authentication mechanisms can I use? = + +Any authentication mechanism which sets the `REMOTE_USER` (or `REDIRECT_REMOTE_USER`, in the case of ScriptAlias'd PHP-as-CGI) environment variable can be used in conjunction with this plugin. Examples include Apache's `mod_auth` and `mod_auth_ldap`. + += How should I set up external authentication? = + +This depends on your hosting environment and your means of authentication. 
+ +Many Apache installations allow configuration of authentication via `.htaccess` files, while some do not. Try adding the following to your blog's top-level `.htaccess` file: +` +AuthName "WordPress" +AuthType Basic +AuthUserFile /path/to/passwords +Require user dwc +` + +(You may also want to protect your `xmlrpc.php` file, which uses separate authentication code.) + +Then, create another `.htaccess` file in your `wp-admin` directory with the following contents: +`AuthName "WordPress" +AuthType Basic +AuthUserFile /path/to/passwords +Require user dwc` + +In both files, be sure to set `/path/to/passwords` to the location of your password file. For more information on creating this file, see below. + += Where can I find more information on configuring Apache authentication? = + +See Apache's HOWTO: [Authentication, Authorization, and Access Control](http://httpd.apache.org/docs/howto/auth.html). + += How does this plugin authenticate users? = + +This plugin doesn't actually authenticate users. It simply feeds WordPress the name of a user who has successfully authenticated through Apache. + +To determine the username, this plugin uses the `REMOTE_USER` or the `REDIRECT_REMOTE_USER` environment variable, which is set by many Apache authentication modules. If someone can find a way to spoof this value, this plugin is not guaranteed to be secure. + +By default, this plugin generates a random password each time you create a user or edit an existing user's profile. However, since this plugin requires an external authentication mechanism, this password is not requested by WordPress. Generating a random password helps protect accounts, preventing one authorized user from pretending to be another. + += If I disable this plugin, how will I login? = + +Because this plugin generates a random password when you create a new user or edit an existing user's profile, you will most likely have to reset each user's password if you disable this plugin. 
WordPress provides a link for requesting a new password on the login screen. + +Also, you should leave the `admin` user as a fallback, i.e. create a new account to use with this plugin. As long as you don't edit the `admin` profile, WordPress will store the password set when you installed WordPress. + +In the worst case scenario, you may have to use phpMyAdmin or the MySQL command line to [reset a user's password](http://codex.wordpress.org/Resetting_Your_Password). + += Can I configure the plugin to support standard WordPress logins? = + +Yes. You can authenticate some users via an external, single sign-on system and other users via the built-in username and password combination. (Note: When mixed authentication is in use, this plugin does not scramble passwords as described above.) + +When you configure your external authentication system, make sure that you allow users in even if they have not authenticated externally. Using [Shibboleth](http://shibboleth.internet2.edu/) as an example: +`AuthName "Shibboleth" +AuthType Shibboleth +Require Shibboleth` + +This enables Shibboleth authentication in ["passive" mode](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent). + +Then, in WordPress: + +1. Set the plugin to allow WordPress authentication. +2. Configure the login URI to match your Shibboleth system. For example, if your blog is hosted at `http://example.com/`, then your login URI should be `http://example.com/Shibboleth.sso/Login?target=%redirect_encoded%`. +3. Configure the logout URI to match your Shibboleth system. Following the above example, your logout URI would be `http://example.com/Shibboleth.sso/Logout?return=%redirect_encoded%`. + +After saving the options, authentication will work as follows: + +* If a user is already authenticated via Shibboleth, and he or she exists in the WordPress database, this plugin will log them in automatically. 
+* If a user is not authenticated via Shibboleth, the plugin will present the standard WordPress login form with an additional link to login via Shibboleth. + +Other authentication systems (particularly those without a login or logout URI) will need to be configured differently. + += Does this plugin support multisite (WordPress MU) setups? = + +Yes, you can enable this plugin across a network or on individual sites. However, options will need to be set on individual sites. + +If you have suggestions on how to improve network support, please submit a comment. + += How do you handle staged deployments (dev, test, prod) with the plugin? = + +If you have a WordPress site with multiple environments (e.g. `dev.example.com`, `test.example.com`, and `example.com`) you can use additional variables in the login and logout URIs: + +* `%host%` - The current value of `$_SERVER['HTTP_HOST']` +* `%base%` - The base domain URL (everything before the path) +* `%site%` - The WordPress home URI +* `%redirect%` - The return URI provided by WordPress + +You can also use `%host_encoded%`, `%site_encoded%`, and `%redirect_encoded%` for URL-encoded values. + +For example, your login URI could be: + +`https://%host%/Shibboleth.sso/Login?target=%redirect_encoded%` + +This would be modified for each environment as appropriate. + +== Screenshots == + +1. Plugin options, allowing WordPress authentication +2. 
WordPress login form with external authentication link + +== Changelog == + += 4.5 = +* Avoid some PHP notices due to saving options (William Schneider) +* Fix for redirect loop on some multisite setups (#1497) +* Add option to support additional $_SERVER variables in authentication (#1477) +* Remove use of call-time pass by reference to avoid warnings on PHP 5.3 and newer +* Fix deprecation notice in WordPress 3.3 on `get_userdatabylogin` (#1513) +* Fix deprecation notice in WordPress 3.1 and later for including wp-includes/registration.php +* Associate options page label tags with their input fields (#1514) + += 4.4 = +* Update CSS to correctly center login button on WordPress 3.3 + += 4.3 = +* Update plugin URIs + += 4.2 = +* Declare support for WordPress 3.2.1 +* Extend variable replacement for staged deployments +* Wrap redirect parameter on login to force us through `wp-login.php` so we can check the external authentication (thanks to Josh Larios) + += 4.1 = +* Declare support for WordPress 3.2 +* Update screenshots for WordPress 3.2 + += 4.0 = +* Restore (and improve) support for falling back to WordPress password authentication +* Remove migration of old options format (we'll assume enough people have upgraded) + += 3.3 = +* Update options handling to better support WordPress MU + += 3.2 = +* Restore password generation for adding and editing users + += 3.1 = +* Bump version number to make 3.0.1 the latest version on wordpress.org + += 3.0.1 = +* Handle authentication cookies more gracefully + += 3.0 = +* Add support for WordPress 3.0 +* Update WordPress MU support for WordPress 3.0 + += 2.4 = +* Add support for WordPress MU (Elliot Kendall) +* Allow for mixed HTTP and built-in authentication by falling back to wp-login.php (Elliot Kendall) + +== Upgrade Notice == + += 4.5 = +Avoid some PHP errors and warnings; add support for choosing $_SERVER variables + += 4.4 = +Minor CSS fix for WordPress 3.3 + += 4.3 = +No code changes; updating plugin URIs + += 4.2 = 
+Extends support for variable replacement + += 4.1 = +Minor update for WordPress 3.2 diff --git a/sources/wp-content/plugins/http-authentication/screenshot-1.png b/sources/wp-content/plugins/http-authentication/screenshot-1.png new file mode 100644 index 0000000..20635ee Binary files /dev/null and b/sources/wp-content/plugins/http-authentication/screenshot-1.png differ diff --git a/sources/wp-content/plugins/http-authentication/screenshot-2.png b/sources/wp-content/plugins/http-authentication/screenshot-2.png new file mode 100644 index 0000000..f9d4cdd Binary files /dev/null and b/sources/wp-content/plugins/http-authentication/screenshot-2.png differ