Merge branch 'simplesaml' into main
This commit is contained in:
commit
15fbe13953
|
@ -12,6 +12,25 @@ export MEDIAWIKI_LOGO_FILE='$wgResourceBasePath/resources/assets/wiki.png'
|
||||||
export DB_ROOT_PASSWORD_VERSION=v1
|
export DB_ROOT_PASSWORD_VERSION=v1
|
||||||
export DB_PASSWORD_VERSION=v1
|
export DB_PASSWORD_VERSION=v1
|
||||||
export MEDIAWIKI_SECRET_KEY_VERSION=v1
|
export MEDIAWIKI_SECRET_KEY_VERSION=v1
|
||||||
|
|
||||||
export LOCAL_SETTINGS_CONF_VERSION=v1
|
export LOCAL_SETTINGS_CONF_VERSION=v1
|
||||||
export HTACCESS_CONF_VERSION=v1
|
export HTACCESS_CONF_VERSION=v1
|
||||||
export ENTRYPOINT_CONF_VERSION=v1
|
export ENTRYPOINT_CONF_VERSION=v1
|
||||||
|
|
||||||
|
# SAML
|
||||||
|
|
||||||
|
#export COMPOSE="compose.yml compose.simplesaml.yml"
|
||||||
|
|
||||||
|
#export SAML_ENABLED=1
|
||||||
|
#export SAML_CONTACT_NAME="Sam Ell"
|
||||||
|
#export SAML_CONTACT_EMAIL="saml@example.com"
|
||||||
|
|
||||||
|
#export SAML_EMAIL_ATTRIBUTE=email
|
||||||
|
#export SAML_REAL_NAME_ATTRIBUTE=realname
|
||||||
|
#export SAML_AUTH_SOURCE_ID=dev-sp
|
||||||
|
#export SAML_USERNAME_ATTRIBUTE=user
|
||||||
|
|
||||||
|
#export SAML_ADMIN_PASSWORD_VERSION=v1
|
||||||
|
#export SAML_SECRET_SALT_VERSION=v1
|
||||||
|
|
||||||
|
#export SAML_ENTRYPOINT_CONF_VERSION=v1
|
||||||
|
|
|
@ -132,7 +132,6 @@ wfLoadSkin( 'MonoBook' );
|
||||||
wfLoadSkin( 'Timeless' );
|
wfLoadSkin( 'Timeless' );
|
||||||
wfLoadSkin( 'Vector' );
|
wfLoadSkin( 'Vector' );
|
||||||
|
|
||||||
|
|
||||||
# Enabled extensions. Most of the extensions are enabled by adding
|
# Enabled extensions. Most of the extensions are enabled by adding
|
||||||
# wfLoadExtensions('ExtensionName');
|
# wfLoadExtensions('ExtensionName');
|
||||||
# to LocalSettings.php. Check specific extension documentation for more details.
|
# to LocalSettings.php. Check specific extension documentation for more details.
|
||||||
|
@ -166,3 +165,20 @@ $wgVirtualRestConfig['modules']['parsoid'] = [
|
||||||
// whether to parse URL as if they were meant for RESTBase (boolean or null, optional)
|
// whether to parse URL as if they were meant for RESTBase (boolean or null, optional)
|
||||||
'restbaseCompat' => null,
|
'restbaseCompat' => null,
|
||||||
];
|
];
|
||||||
|
|
||||||
|
{{ if eq (env "SAML_ENABLED") "1" }}
|
||||||
|
wfLoadExtension( 'PluggableAuth' );
|
||||||
|
|
||||||
|
wfLoadExtension( 'SimpleSAMLphp' );
|
||||||
|
|
||||||
|
$wgSimpleSAMLphp_InstallDir = "/var/simplesamlphp/";
|
||||||
|
$wgSimpleSAMLphp_AuthSourceId = "{{ env "SAML_SERVICE_PROVIDER" }}";
|
||||||
|
$wgSimpleSAMLphp_RealNameAttribute = "{{ env "SAML_REAL_NAME_ATTRIBUTE" }}";
|
||||||
|
$wgSimpleSAMLphp_EmailAttribute = "{{ env "SAML_EMAIL_ATTRIBUTE" }}";
|
||||||
|
$wgSimpleSAMLphp_UsernameAttribute = "{{ env "SAML_USERNAME_ATTRIBUTE" }}";
|
||||||
|
|
||||||
|
$wgGroupPermissions['*']['autocreateaccount'] = true;
|
||||||
|
$wgGroupPermissions['*']['createaccount'] = false;
|
||||||
|
|
||||||
|
$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
|
||||||
|
{{ end }}
|
||||||
|
|
45
README.md
45
README.md
|
@ -13,10 +13,43 @@ Based on [`mediawiki-ve-bundle`][mediawiki-ve].
|
||||||
your Docker swarm box
|
your Docker swarm box
|
||||||
4. `direnv allow` (or `. .envrc`)
|
4. `direnv allow` (or `. .envrc`)
|
||||||
5. `abra secret_generate db_password v1 && abra secret_generate db_root_password v2`
|
5. `abra secret_generate db_password v1 && abra secret_generate db_root_password v2`
|
||||||
7. `abra secret_generate mediawiki_secret_key "pwgen -n 64 1"`
|
6. `abra secret_generate mediawiki_secret_key "pwgen -n 64 1"`
|
||||||
8. `abra deploy`
|
7. `abra deploy`
|
||||||
9. `abra service_run mediawiki /bin/bash` to open a shell
|
8. `abra service_run mediawiki /bin/bash` to open a shell
|
||||||
10. `php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
|
9. `php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
|
||||||
|
|
||||||
|
## SimpleSAMLphp
|
||||||
|
|
||||||
|
This app includes optional SAML Single Sign On using
|
||||||
|
[SimpleSAMLphp][simplesamlphp] and Mediawiki's
|
||||||
|
[Extension:SimpleSAMLphp][mw-simplesamlphp], based on the
|
||||||
|
[`venatorfox/simplesamlphp`][venatorfox-simplesamlphp] image.
|
||||||
|
|
||||||
|
NOTE: currently, if you enable SAML then it'll disable Mediawiki's own user account
|
||||||
|
system. Patches to make this configurable are welcome!
|
||||||
|
|
||||||
|
1. Edit `.envrc` and uncomment lines in the `SAML` section (including `COMPOSE`)
|
||||||
|
2. `direnv allow`
|
||||||
|
3. Generate secrets:
|
||||||
|
```
|
||||||
|
abra secret_generate saml_admin_password v1
|
||||||
|
abra secret_generate saml_secret_key v1 "pwgen -n 64 1"
|
||||||
|
```
|
||||||
|
4. `abra deploy`
|
||||||
|
5. Copy your SimpleSAMLphp metadata and certificates to the container (assuming
|
||||||
|
you have local `metadata` and `cert` folders:
|
||||||
|
```
|
||||||
|
abra cp metadata simplesamlphp:/var/simplesamlphp/
|
||||||
|
abra cp cert simplesamlphp:/var/simplesamlphp/
|
||||||
|
```
|
||||||
|
6. You can log into SimpleSAMLphp using the password you generated at
|
||||||
|
https://$DOMAIN/simplesaml/ and test authentication
|
||||||
|
7. Edit SimpleSAMLphp's `config.php` and change `store.sql.dsn`:
|
||||||
|
```
|
||||||
|
abra run simplesamlphp vim
|
||||||
|
# find 'store.sql.dsn' and edit to:
|
||||||
|
# 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
|
||||||
|
```
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
|
@ -26,3 +59,7 @@ MIT License
|
||||||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
|
[compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
|
||||||
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
|
[mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
|
||||||
|
|
||||||
|
[simplesamlphp]: https://simplesamlphp.org/
|
||||||
|
[mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
|
||||||
|
[venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
|
||||||
|
|
|
@ -0,0 +1,80 @@
|
||||||
|
---
|
||||||
|
version: '3.8'
|
||||||
|
|
||||||
|
services:
|
||||||
|
mediawiki:
|
||||||
|
volumes:
|
||||||
|
- 'simplesaml:/var/simplesamlphp/'
|
||||||
|
- 'simplesaml_log:/var/simplesamlphp/log'
|
||||||
|
environment:
|
||||||
|
- SAML_AUTH_SOURCE_ID=${SAML_AUTH_SOURCE_ID}
|
||||||
|
- SAML_EMAIL_ATTRIBUTE=${SAML_EMAIL_ATTRIBUTE}
|
||||||
|
- SAML_REAL_NAME_ATTRIBUTE=${SAML_REAL_NAME_ATTRIBUTE}
|
||||||
|
- SAML_SERVICE_PROVIDER=${SAML_SERVICE_PROVIDER}
|
||||||
|
- SAML_USERNAME_ATTRIBUTE=${SAML_USERNAME_ATTRIBUTE}
|
||||||
|
|
||||||
|
simplesaml:
|
||||||
|
image: venatorfox/simplesamlphp:latest
|
||||||
|
secrets:
|
||||||
|
- saml_admin_password
|
||||||
|
- saml_secret_salt
|
||||||
|
environment:
|
||||||
|
- DOMAIN=${DOMAIN}
|
||||||
|
- CONFIG_BASEURLPATH=https://${DOMAIN}/simplesaml/
|
||||||
|
- CONFIG_AUTHADMINPASSWORD_FILE=/run/secrets/saml_admin_password
|
||||||
|
- CONFIG_SECRETSALT_FILE=/run/secrets/saml_secret_salt
|
||||||
|
- CONFIG_TECHNICALCONTACT_NAME=${SAML_CONTACT_NAME}
|
||||||
|
- CONFIG_TECHNICALCONTACT_EMAIL=${SAML_CONTACT_EMAIL}
|
||||||
|
- CONFIG_SHOWERRORS=true
|
||||||
|
- CONFIG_ERRORREPORTING=true
|
||||||
|
- CONFIG_ADMINPROTECTINDEXPAGE=true
|
||||||
|
- CONFIG_LOGGINGLEVEL=INFO
|
||||||
|
- CONFIG_ENABLESAML20IDP=true
|
||||||
|
- CONFIG_STORETYPE=sql
|
||||||
|
#- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
|
||||||
|
#- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'memcached']\n ],
|
||||||
|
- OPENLDAP_TLS_REQCERT=allow
|
||||||
|
- MTA_NULLCLIENT=true
|
||||||
|
- POSTFIX_MYHOSTNAME=${DOMAIN}
|
||||||
|
- POSTFIX_MYORIGIN=$$mydomain
|
||||||
|
- POSTFIX_INETINTERFACES=loopback-only
|
||||||
|
- DOCKER_REDIRECTLOGS=false
|
||||||
|
# Required if DOCKER_REDIRECTLOGS=true
|
||||||
|
# tty: true
|
||||||
|
configs:
|
||||||
|
- source: entrypoint_saml_conf
|
||||||
|
target: /docker-entrypoint.simplesaml.sh
|
||||||
|
mode: 0555
|
||||||
|
volumes:
|
||||||
|
- simplesaml:/var/simplesamlphp/
|
||||||
|
- simplesaml_log:/var/simplesamlphp/log
|
||||||
|
networks:
|
||||||
|
- internal
|
||||||
|
- proxy
|
||||||
|
entrypoint: /docker-entrypoint.simplesaml.sh
|
||||||
|
#entrypoint: ["tail", "-f", "/dev/null"]
|
||||||
|
deploy:
|
||||||
|
labels:
|
||||||
|
- "traefik.enable=true"
|
||||||
|
- "traefik.http.services.${STACK_NAME}_simplesaml.loadbalancer.server.port=80"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}_simplesaml.rule=(Host(`${DOMAIN}`) && PathPrefix(`/simplesaml`))"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}_simplesaml.entrypoints=web-secure"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}_simplesaml.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
simplesaml:
|
||||||
|
simplesaml_log:
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
saml_admin_password:
|
||||||
|
name: ${STACK_NAME}_saml_admin_password_${SAML_ADMIN_PASSWORD_VERSION}
|
||||||
|
external: true
|
||||||
|
saml_secret_salt:
|
||||||
|
name: ${STACK_NAME}_saml_secret_salt_${SAML_SECRET_SALT_VERSION}
|
||||||
|
external: true
|
||||||
|
|
||||||
|
configs:
|
||||||
|
entrypoint_saml_conf:
|
||||||
|
name: ${STACK_NAME}_entrypoint_saml_${SAML_ENTRYPOINT_CONF_VERSION}
|
||||||
|
file: entrypoint.simplesaml.sh.tmpl
|
||||||
|
template_driver: golang
|
|
@ -22,6 +22,7 @@ services:
|
||||||
delay: "60s"
|
delay: "60s"
|
||||||
max_attempts: 3
|
max_attempts: 3
|
||||||
window: 120s
|
window: 120s
|
||||||
|
|
||||||
mediawiki:
|
mediawiki:
|
||||||
image: 'revianlabs/mediawiki-ve-bundle'
|
image: 'revianlabs/mediawiki-ve-bundle'
|
||||||
environment:
|
environment:
|
||||||
|
@ -31,6 +32,7 @@ services:
|
||||||
- MEDIAWIKI_EMAIL_FROM=${MEDIAWIKI_EMAIL_FROM}
|
- MEDIAWIKI_EMAIL_FROM=${MEDIAWIKI_EMAIL_FROM}
|
||||||
- MEDIAWIKI_SITENAME=${MEDIAWIKI_SITENAME}
|
- MEDIAWIKI_SITENAME=${MEDIAWIKI_SITENAME}
|
||||||
- MEDIAWIKI_SITENAMESPACE=${MEDIAWIKI_SITENAMESPACE}
|
- MEDIAWIKI_SITENAMESPACE=${MEDIAWIKI_SITENAMESPACE}
|
||||||
|
- SAML_ENABLED=${SAML_ENABLED}
|
||||||
volumes:
|
volumes:
|
||||||
- 'mediawiki_images:/var/www/html/images'
|
- 'mediawiki_images:/var/www/html/images'
|
||||||
- 'parsoid:/usr/lib/parsoid'
|
- 'parsoid:/usr/lib/parsoid'
|
||||||
|
|
|
@ -3,26 +3,44 @@
|
||||||
set -eu -o pipefail
|
set -eu -o pipefail
|
||||||
|
|
||||||
init_db() {
|
init_db() {
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
if ! type mysql > /dev/null 2>&1; then
|
||||||
apt update && apt install -y mariadb-client
|
apt update && apt install -y mariadb-client
|
||||||
|
fi
|
||||||
|
|
||||||
PASSWORD=`cat /run/secrets/db_password`
|
PASSWORD=`cat /run/secrets/db_password`
|
||||||
TABLE_COUNT=$(mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki -e "SELECT count(*) AS TOTAL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'mediawiki';" -N -B)
|
TABLE_COUNT=$(mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki -e "SELECT count(*) AS TOTAL FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'mediawiki';" -N -B)
|
||||||
|
|
||||||
if [[ "${TABLE_COUNT}" == "0" ]]; then
|
if [[ "${TABLE_COUNT}" == "0" ]]; then
|
||||||
mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki < /var/www/html/maintenance/tables.sql
|
mysql -u mediawiki --password="$PASSWORD" -h mariadb mediawiki < /var/www/html/maintenance/tables.sql
|
||||||
else
|
else
|
||||||
php /var/www/html/maintenance/update.php
|
php /var/www/html/maintenance/update.php
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
install_extensions() {
|
||||||
|
if [ ! -d /var/www/html/extensions/PluggableAuth ]; then
|
||||||
|
git clone --depth 1 -b REL1_32 \
|
||||||
|
https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PluggableAuth \
|
||||||
|
/var/www/html/extensions/PluggableAuth
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -d /var/www/html/extensions/SimpleSAMLphp ]; then
|
||||||
|
git clone --depth 1 -b REL1_32 \
|
||||||
|
https://gerrit.wikimedia.org/r/p/mediawiki/extensions/SimpleSAMLphp \
|
||||||
|
/var/www/html/extensions/SimpleSAMLphp
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
a2enmod rewrite
|
a2enmod rewrite
|
||||||
|
|
||||||
init_db
|
install_extensions
|
||||||
|
|
||||||
|
init_db
|
||||||
}
|
}
|
||||||
|
|
||||||
main
|
main
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
file_env() {
|
||||||
|
local var="$1"
|
||||||
|
local fileVar="${var}_FILE"
|
||||||
|
local def="${2:-}"
|
||||||
|
|
||||||
|
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
|
||||||
|
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
local val="$def"
|
||||||
|
if [ "${!var:-}" ]; then
|
||||||
|
val="${!var}"
|
||||||
|
elif [ "${!fileVar:-}" ]; then
|
||||||
|
val="$(< "${!fileVar}")"
|
||||||
|
fi
|
||||||
|
export "$var"="$val"
|
||||||
|
unset "$fileVar"
|
||||||
|
}
|
||||||
|
|
||||||
|
load_vars() {
|
||||||
|
file_env "CONFIG_AUTHADMINPASSWORD"
|
||||||
|
file_env "CONFIG_SECRETSALT"
|
||||||
|
}
|
||||||
|
|
||||||
|
generate_certs() {
|
||||||
|
CERT_DIR=/var/simplesamlphp/cert
|
||||||
|
|
||||||
|
if [ -f "$CERT_DIR/saml.crt" ] && [ -f "$CERT_DIR/saml.pem" ]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! type openssl > /dev/null 2>&1; then
|
||||||
|
yum install -q -y openssl
|
||||||
|
fi
|
||||||
|
|
||||||
|
openssl req -newkey rsa:4096 -new -x509 \
|
||||||
|
-days 3652 -nodes \
|
||||||
|
-out "$CERT_DIR/saml.crt" \
|
||||||
|
-keyout "$CERT_DIR/saml.pem" \
|
||||||
|
-subj "/C=XX/ST=/L=/O=/OU=SimpleSAML/CN=${DOMAIN}"
|
||||||
|
}
|
||||||
|
|
||||||
|
enable_plugins() {
|
||||||
|
touch /var/simplesamlphp/modules/cas/enable
|
||||||
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
load_vars
|
||||||
|
|
||||||
|
enable_plugins
|
||||||
|
|
||||||
|
generate_certs
|
||||||
|
}
|
||||||
|
|
||||||
|
main
|
||||||
|
|
||||||
|
/init "$@"
|
Loading…
Reference in New Issue