From e2519a7279c49bdabe578184dead499e55b36fd8 Mon Sep 17 00:00:00 2001 From: Adam Goldsmith Date: Mon, 20 Feb 2023 21:54:20 -0500 Subject: [PATCH] Upgrade to 1.39, switch from LDAP to OpenID Connect, update extensions --- Dockerfile | 31 +++++++++++--------- LocalSettings.php | 69 +++++++++++++-------------------------------- composer.local.json | 24 ++++++++++------ 3 files changed, 52 insertions(+), 72 deletions(-) diff --git a/Dockerfile b/Dockerfile index f479bb2..b9ad601 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,21 +1,30 @@ -FROM mediawiki:1.37 +FROM mediawiki:1.39 RUN apt-get update \ - && apt-get install -y libldap2-dev libpng-dev git zip \ + && apt-get install -y libpng-dev git zip \ && rm -rf /var/lib/apt/lists/* \ - && docker-php-ext-install -j$(nproc) ldap gd - -COPY composer.local.json /var/www/html/ -COPY --from=composer:2.1 /usr/bin/composer /usr/bin/composer -RUN cd /var/www/html/ && composer update --no-dev + && docker-php-ext-install -j$(nproc) gd calendar # Needed for making branch name from MEDIAWIKI_MAJOR_VERSION SHELL ["/bin/bash", "-c"] +# needs to be downloaded before composer is run +# https://www.mediawiki.org/wiki/Extension:OpenIDConnect +RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \ + https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \ + /var/www/html/extensions/OpenIDConnect + +COPY composer.local.json /var/www/html/ +COPY --from=composer:2 /usr/bin/composer /usr/bin/composer +RUN cd /var/www/html/ && composer update --no-dev + + # from composer.local.json: # https://www.mediawiki.org/wiki/Extension:PluggableAuth # https://www.mediawiki.org/wiki/Extension:LDAPProvider # https://www.mediawiki.org/wiki/Extension:LDAPAuthentication2 +# https://www.mediawiki.org/wiki/Extension:Semantic_Approved_Revs +# https://www.mediawiki.org/wiki/Extension:QRLite # https://www.mediawiki.org/wiki/Extension:LDAPUserInfo RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \ 
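Review bot: The `# from composer.local.json:` comment list that this hunk extends still names LDAPProvider, LDAPAuthentication2 and LDAPUserInfo, although the same commit drops the ldap packages from composer.local.json, removes their `wfLoadExtension` calls from LocalSettings.php and no longer builds the `ldap` PHP extension; the two added entries (Semantic_Approved_Revs, QRLite) now sit beside three stale ones. Delete the three LDAP lines so the list matches what composer.local.json actually requires after this change. The new OpenIDConnect clone tracks the head of the `REL…` branch with `--depth 1 -b`, like the existing clones, so a rebuild can silently pick up a different revision of the authentication extension; pinning a commit (or at least recording the checked-out revision in the image) would make that component reproducible and auditable.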
@@ -52,12 +61,8 @@ RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \ # https://www.mediawiki.org/wiki/Extension:External_Data RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \ https://gerrit.wikimedia.org/r/mediawiki/extensions/ExternalData \ - /var/www/html/extensions/ExternalData - -# https://www.mediawiki.org/wiki/Extension:QRLite -RUN git clone --depth 1 \ - https://github.com/gesinn-it/QRLite \ - /var/www/html/extensions/QRLite + /var/www/html/extensions/ExternalData \ + && cd /var/www/html/extensions/ExternalData && composer install --no-dev # https://www.mediawiki.org/wiki/Extension:CSS RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \ diff --git a/LocalSettings.php b/LocalSettings.php index efa9d08..3138ebf 100644 --- a/LocalSettings.php +++ b/LocalSettings.php @@ -76,6 +76,7 @@ $wgDBmysql5 = false; ## Shared memory settings $wgMainCacheType = CACHE_NONE; +$wgSessionCacheType = CACHE_DB; $wgMemCachedServers = []; ## To enable image uploads, make sure the 'images' directory @@ -112,6 +113,10 @@ $wgSecretKey = $secrets['wgSecretKey']; # Changing this will log out all existing sessions. $wgAuthenticationTokenVersion = "1"; +$wgCookieSameSite = "None"; +$wgForceHTTPS = true; +$wgCookieSecure = true; + # Site upgrade key. Must be set to a string (default provided) to turn on the # web installer while LocalSettings.php is in place $wgUpgradeKey = $secrets['wgUpgradeKey']; @@ -147,6 +152,7 @@ wfLoadSkin( 'Timeless' ); # Semantic MediaWiki Extension wfLoadExtension( 'SemanticMediaWiki' ); +wfLoadExtension( 'SemanticResultFormats' ); enableSemantics( 'claremontmakerspace.org' ); $smwgPDefaultType = '_txt'; $smwgEnabledQueryDependencyLinksStore = true; 
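Review bot: ExternalData's PHP dependencies are now resolved by a separate `composer install --no-dev` inside the extension directory, giving it its own vendor tree, while the OpenIDConnect extension added in the same commit is merged into core's resolution through the merge-plugin `include` in composer.local.json. If there is no conflict with core's packages, the same approach would work here — move the ExternalData clone above the `composer update` step, as the commit already does for OpenIDConnect, and add `extensions/ExternalData/composer.json` to the include list — so that one resolver owns all PHP dependencies. If the separate install is deliberate, a one-line comment above the `RUN` saying why would stop the next reader from "fixing" it.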
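Review bot: `$wgCookieSameSite = "None";` removes the SameSite restriction from every MediaWiki cookie, including the session cookie, and the commit does not say why; it is presumably needed for the callback from the new OpenID Connect provider, but it also means browsers will attach the session cookie to cross-site requests, leaving CSRF defence to MediaWiki's edit tokens alone. Record the reason next to the line, e.g. `# "None" so the session survives the cross-site OpenID Connect callback; needs Secure cookies (set below)`, and check whether the callback is a plain redirect, in which case the browsers' default Lax treatment may already be enough. `$wgForceHTTPS = true;` together with `$wgCookieSecure = true;` is the right pairing for this setting, since browsers reject SameSite=None cookies that lack the Secure attribute.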
@@ -172,67 +178,30 @@ wfLoadExtension( 'Scribunto' ); $wgScribuntoDefaultEngine = 'luastandalone'; $wgScribuntoUseCodeEditor = "true"; -# LDAP -putenv('LDAPTLS_REQCERT=never'); wfLoadExtension( 'PluggableAuth' ); -wfLoadExtension( 'LDAPProvider' ); -wfLoadExtension( 'LDAPUserInfo' ); -wfLoadExtension( 'LDAPAuthentication2' ); -$wgPluggableAuth_ButtonLabel = "Log in with CMS Network Resources Account"; -$LDAPProviderDomainConfigProvider = function() use ($secrets) { - $config = [ - 'CMS' => [ - "connection" => [ - "server" => "innerweb.claremontmakerspace.org", - "port" => 7636, - "enctype" => "ssl", - "user" => "uid=LDAPSearch,cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org", - "pass" => $secrets['LDAPPass'], - "options" => [ - "LDAP_OPT_DEREF" => 1, - ], - "basedn" => "cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org", - "groupbasedn" => "dc=sawtooth,dc=claremontmakerspace,dc=org", - "userbasedn" => "dc=sawtooth,dc=claremontmakerspace,dc=org", - "searchattribute" => "uid", - "searchstring" => "uid=USER-NAME,cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org", - "usernameattribute" => "uid", - "realnameattribute" => "cn", - "emailattribute" => "mail" - ], - "authentication" => [ - "usernameattribute" => "uid", - "realnameattribute" => "cn", - "emailattribute" => "mail" - ], - "userinfo" => [ - "email" => "mail", - "realname" => "cn", - "properties.gender" => "gender" - ] - ] - ]; - - return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config ); -}; - -wfLoadExtension( 'VisualEditor' ); +wfLoadExtension( 'OpenIDConnect' ); +$wgOpenIDConnect_MigrateUsersByUserName = true; +$wgPluggableAuth_Config["Log in with CMS Network Resources Account"] = [ + 'plugin' => 'OpenIDConnect', + 'data' => [ + 'providerURL' => 'https://ucs-sso-ng.claremontmakerspace.org/realms/ucs', + 'clientID' => 'mediawiki', + 'clientsecret' => $secrets['OpenIDSecret'], + ] +]; +wfloadextension( 'VisualEditor' ); wfLoadExtension( 'TemplateData' ); - 
wfLoadExtension( 'Variables' ); - wfLoadExtension( 'CSS' ); - wfLoadExtension( 'Widgets' ); wfLoadExtension( 'ApprovedRevs' ); wfLoadExtension( 'SemanticApprovedRevs' ); +wfLoadExtension( 'QRLite' ); -wfLoadExtension( 'Diagrams' ); +wfloadextension( 'Diagrams' ); $wgDiagramsServiceUrl ='https://wiki.claremontmakerspace.org/diagrams'; -require_once "$IP/extensions/QRLite/QRLite.php"; - wfLoadExtension( 'ExternalData' ); $edgStringReplacements['SNIPEIT_URL'] = 'https://inventory.claremontmakerspace.org'; $edgAllowExternalDataFrom = 'SNIPEIT_URL'; diff --git a/composer.local.json b/composer.local.json index 6cb915a..0790d7e 100644 --- a/composer.local.json +++ b/composer.local.json @@ -1,14 +1,20 @@ { "require": { - "mediawiki/pluggable-auth": "^5.7", - "mediawiki/ldap-provider": "^1.0", - "mediawiki/ldap-authentication-2": "^1.0", - "mediawiki/semantic-media-wiki": "^4.0", - "mediawiki/semantic-scribunto": "^2.0", + "mediawiki/pluggable-auth": "^6.2", + "mediawiki/semantic-media-wiki": "^4.1", + "mediawiki/semantic-scribunto": "^2.2", "mediawiki/semantic-result-formats": "^4.0", - "mediawiki/approved-revs": "^1.7", - "mediawiki/semantic-approved-revs": "^0.9", - "mediawiki/data-transfer": "^1.0", - "samwilson/diagrams": "^0.9" + "mediawiki/approved-revs": "^1.8", + "mediawiki/semantic-approved-revs": "^0.9", + "mediawiki/data-transfer": "^1.4", + "gesinn-it/qrlite": "^1.0.0-alpha", + "samwilson/diagrams": "^0.11" + }, + "extra": { + "merge-plugin": { + "include": [ + "extensions/OpenIDConnect/composer.json" + ] + } } }
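Review bot: The two calls rewritten as `wfloadextension( 'VisualEditor' );` and `wfloadextension( 'Diagrams' );` are lower-cased; PHP resolves function names case-insensitively so they still work, but every other call in the file is `wfLoadExtension`, and this reads as an editing slip — restore `wfLoadExtension( 'VisualEditor' );` and `wfLoadExtension( 'Diagrams' );`. `$wgOpenIDConnect_MigrateUsersByUserName = true;` lets an identity from the new provider claim an existing local wiki account whose name matches, which is presumably intended as the one-time move of the former LDAP users onto their provider identities. A comment stating that purpose, and a reminder to set it back to false once the accounts are linked, would keep the linking window from staying open indefinitely.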