Upgrade to 1.39, switch from LDAP to OpenID Connect, update extensions

Dockerfile

@@ -1,21 +1,30 @@
-FROM mediawiki:1.37
+FROM mediawiki:1.39
 
 RUN apt-get update \
-    && apt-get install -y libldap2-dev libpng-dev git zip \
+    && apt-get install -y libpng-dev git zip \
     && rm -rf /var/lib/apt/lists/* \
-    && docker-php-ext-install -j$(nproc) ldap gd
+    && docker-php-ext-install -j$(nproc) gd calendar
-
-COPY composer.local.json /var/www/html/
-COPY --from=composer:2.1 /usr/bin/composer /usr/bin/composer
-RUN cd /var/www/html/ && composer update --no-dev
 
 # Needed for making branch name from MEDIAWIKI_MAJOR_VERSION
 SHELL ["/bin/bash", "-c"]
 
+# needs to be downloaded before composer is run
+# https://www.mediawiki.org/wiki/Extension:OpenIDConnect
+RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \
+    https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect \
+    /var/www/html/extensions/OpenIDConnect
+
+COPY composer.local.json /var/www/html/
+COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
+RUN cd /var/www/html/ && composer update --no-dev
+
+
 # from composer.local.json:
 # https://www.mediawiki.org/wiki/Extension:PluggableAuth
 # https://www.mediawiki.org/wiki/Extension:LDAPProvider
 # https://www.mediawiki.org/wiki/Extension:LDAPAuthentication2
+# https://www.mediawiki.org/wiki/Extension:Semantic_Approved_Revs
+# https://www.mediawiki.org/wiki/Extension:QRLite
 
 # https://www.mediawiki.org/wiki/Extension:LDAPUserInfo
 RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \
@@ -52,12 +61,8 @@ RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \
 # https://www.mediawiki.org/wiki/Extension:External_Data
 RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \
     https://gerrit.wikimedia.org/r/mediawiki/extensions/ExternalData \
-    /var/www/html/extensions/ExternalData
+    /var/www/html/extensions/ExternalData \
-
+    && cd /var/www/html/extensions/ExternalData && composer install --no-dev
-# https://www.mediawiki.org/wiki/Extension:QRLite
-RUN git clone --depth 1 \
-    https://github.com/gesinn-it/QRLite \
-    /var/www/html/extensions/QRLite
 
 # https://www.mediawiki.org/wiki/Extension:CSS
 RUN git clone --depth 1 -b REL${MEDIAWIKI_MAJOR_VERSION/./_} \

LocalSettings.php

@@ -76,6 +76,7 @@ $wgDBmysql5 = false;
 
 ## Shared memory settings
 $wgMainCacheType = CACHE_NONE;
+$wgSessionCacheType = CACHE_DB;
 $wgMemCachedServers = [];
 
 ## To enable image uploads, make sure the 'images' directory
@@ -112,6 +113,10 @@ $wgSecretKey = $secrets['wgSecretKey'];
 # Changing this will log out all existing sessions.
 $wgAuthenticationTokenVersion = "1";
 
+$wgCookieSameSite = "None";
+$wgForceHTTPS = true;
+$wgCookieSecure = true;
+
 # Site upgrade key. Must be set to a string (default provided) to turn on the
 # web installer while LocalSettings.php is in place
 $wgUpgradeKey = $secrets['wgUpgradeKey'];
@@ -147,6 +152,7 @@ wfLoadSkin( 'Timeless' );
 
 # Semantic MediaWiki Extension
 wfLoadExtension( 'SemanticMediaWiki' );
+wfLoadExtension( 'SemanticResultFormats' );
 enableSemantics( 'claremontmakerspace.org' );
 $smwgPDefaultType = '_txt';
 $smwgEnabledQueryDependencyLinksStore = true;
@@ -172,67 +178,30 @@ wfLoadExtension( 'Scribunto' );
 $wgScribuntoDefaultEngine = 'luastandalone';
 $wgScribuntoUseCodeEditor = "true";
 
-# LDAP
-putenv('LDAPTLS_REQCERT=never');
 wfLoadExtension( 'PluggableAuth' );
-wfLoadExtension( 'LDAPProvider' );
+wfLoadExtension( 'OpenIDConnect' );
-wfLoadExtension( 'LDAPUserInfo' );
+$wgOpenIDConnect_MigrateUsersByUserName = true;
-wfLoadExtension( 'LDAPAuthentication2' );
+$wgPluggableAuth_Config["Log in with CMS Network Resources Account"] = [
-$wgPluggableAuth_ButtonLabel = "Log in with CMS Network Resources Account";
+    'plugin' => 'OpenIDConnect',
-$LDAPProviderDomainConfigProvider = function() use ($secrets) {
+    'data' => [
-	$config = [
+        'providerURL' => 'https://ucs-sso-ng.claremontmakerspace.org/realms/ucs',
-		'CMS' => [
+        'clientID' => 'mediawiki',
-			"connection" => [
+        'clientsecret' => $secrets['OpenIDSecret'],
-				"server" => "innerweb.claremontmakerspace.org",
-				"port" => 7636,
-				"enctype" => "ssl",
-				"user" => "uid=LDAPSearch,cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org",
-				"pass" => $secrets['LDAPPass'],
-				"options" => [
-					"LDAP_OPT_DEREF" => 1,
-				],
-				"basedn" => "cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org",
-				"groupbasedn" => "dc=sawtooth,dc=claremontmakerspace,dc=org",
-				"userbasedn" => "dc=sawtooth,dc=claremontmakerspace,dc=org",
-				"searchattribute" => "uid",
-				"searchstring" => "uid=USER-NAME,cn=users,dc=sawtooth,dc=claremontmakerspace,dc=org",
-				"usernameattribute" => "uid",
-				"realnameattribute" => "cn",
-				"emailattribute" => "mail"
-			],
-			"authentication" => [
-				"usernameattribute" => "uid",
-				"realnameattribute" => "cn",
-				"emailattribute" => "mail"
-			],
-			"userinfo" => [
-				"email" => "mail",
-				"realname" => "cn",
-				"properties.gender" => "gender"
-			]
     ]
 ];
 
-	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
+wfloadextension( 'VisualEditor' );
-};
-
-wfLoadExtension( 'VisualEditor' );
-
 wfLoadExtension( 'TemplateData' );
-
 wfLoadExtension( 'Variables' );
-
 wfLoadExtension( 'CSS' );
-
 wfLoadExtension( 'Widgets' );
 wfLoadExtension( 'ApprovedRevs' );
 wfLoadExtension( 'SemanticApprovedRevs' );
+wfLoadExtension( 'QRLite' );
 
-wfLoadExtension( 'Diagrams' );
+wfloadextension( 'Diagrams' );
 $wgDiagramsServiceUrl ='https://wiki.claremontmakerspace.org/diagrams';
 
-require_once "$IP/extensions/QRLite/QRLite.php";
-
 wfLoadExtension( 'ExternalData' );
 $edgStringReplacements['SNIPEIT_URL'] = 'https://inventory.claremontmakerspace.org';
 $edgAllowExternalDataFrom = 'SNIPEIT_URL';

composer.local.json

@@ -1,14 +1,20 @@
 {
     "require": {
-        "mediawiki/pluggable-auth": "^5.7",
+        "mediawiki/pluggable-auth": "^6.2",
-        "mediawiki/ldap-provider": "^1.0",
+        "mediawiki/semantic-media-wiki": "^4.1",
-        "mediawiki/ldap-authentication-2": "^1.0",
+        "mediawiki/semantic-scribunto": "^2.2",
-        "mediawiki/semantic-media-wiki": "^4.0",
-        "mediawiki/semantic-scribunto": "^2.0",
         "mediawiki/semantic-result-formats": "^4.0",
-        "mediawiki/approved-revs": "^1.7",
+        "mediawiki/approved-revs": "^1.8",
         "mediawiki/semantic-approved-revs": "^0.9",
-        "mediawiki/data-transfer": "^1.0",
+        "mediawiki/data-transfer": "^1.4",
-        "samwilson/diagrams": "^0.9"
+        "gesinn-it/qrlite": "^1.0.0-alpha",
+        "samwilson/diagrams": "^0.11"
+    },
+    "extra": {
+        "merge-plugin": {
+            "include": [
+                "extensions/OpenIDConnect/composer.json"
+            ]
+        }
     }
 }