From 3ffc2393738d258a03f7d23737c952d2c0bc8635 Mon Sep 17 00:00:00 2001
From: Luke Murphy
Date: Mon, 19 Oct 2020 16:50:47 +0200
Subject: [PATCH] First attempt at OpenID login

See https://git.autonomic.zone/compose-stacks/mediawiki/issues/14.
---
 .envrc.sample          |  9 +++++++++
 LocalSettings.php.tmpl | 10 ++++++++++
 README.md              | 19 ++++++++++++-------
 compose.openid.yml     | 21 +++++++++++++++++++++
 composer.local.json    |  9 +++++++++
 entrypoint.sh.tmpl     | 28 +++++++++++++++++++++-------
 6 files changed, 82 insertions(+), 14 deletions(-)
 create mode 100644 compose.openid.yml
 create mode 100644 composer.local.json

diff --git a/.envrc.sample b/.envrc.sample
index 2af2d11..321a2ac 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -18,6 +18,7 @@ export MEDIAWIKI_SECRET_KEY_VERSION=v1
 export LOCAL_SETTINGS_CONF_VERSION=v1
 export HTACCESS_CONF_VERSION=v1
 export ENTRYPOINT_CONF_VERSION=v1
+export COMPOSER_LOCAL_CONF_VERSION=v1
 # SAML
@@ -40,3 +41,11 @@ export ENTRYPOINT_CONF_VERSION=v1
 ## SMTP
 #export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
 #export SMTP_HOST=postfix_relay_app
+
+# OpenID Connect
+
+# export OPENID_ENABLED=1
+# export COMPOSE_FILE="compose.yml:compose.openid.yml"
+# export OPENID_KEYCLOAK_URL="https://keycloak.local:8080/auth/realms/acme/"
+# export OPENID_CLIENT_ID="mediawiki"
+# export OPENID_CLIENT_SECRET_VERSION=v1
diff --git a/LocalSettings.php.tmpl b/LocalSettings.php.tmpl
index 7aa7207..003202d 100644
--- a/LocalSettings.php.tmpl
+++ b/LocalSettings.php.tmpl
@@ -183,6 +183,16 @@ $wgGroupPermissions['*']['createaccount'] = false;
 $wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
 {{ end }}
+{{ if eq (env "OPENID_ENABLED") "1" }}
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+$wgOpenIDConnect_Config['{{ env "OPENID_KEYCLOAK_URL" }}'] = [
+    'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
+    'clientsecret' => '{{ secret "openid-client-secret" }}'
+];
+{{ end }}
+
 {{ if env "SMTP_HOST" }}
 $wgSMTP = [
     'host' => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
diff --git a/README.md b/README.md
index ccb9741..a34000a 100644
--- a/README.md
+++ b/README.md
@@ -10,18 +10,18 @@ Based on [`mediawiki-ve-bundle`][mediawiki-ve].
 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`compose-stacks/traefik`][compose-traefik]
-2. `cp .envrc.sample .envrc`
-3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
+3. `cp .envrc.sample .envrc`
+4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-4. `direnv allow` (or `. .envrc`)
-5. Generate secrets:
+5. `direnv allow` (or `. .envrc`)
+6. Generate secrets:
    ```
    abra secret_generate db_password v1
    abra secret_generate db_root_password v1
    abra secret_generate mediawiki_secret_key v1 "pwgen -n 64 1"
    ```
-6. `abra deploy`
-7. Create an initial admin user:
+7. `abra deploy`
+8. Create an initial admin user:
    `abra run app php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`
 ## SimpleSAMLphp
@@ -57,6 +57,12 @@ system. Patches to make this configurable are welcome!
 # 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
 ```
+## OpenID Connect
+
+1. Edit `.envrc` and uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
+1. `direnv allow`
+1. Get your Keycloak generated client secret and `docker secret create` it as `openid_client_secret`
+
 ## License
 MIT License
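Review bot: The hunk's own context shows `$wgGroupPermissions['*']['createaccount'] = false;`, so a first-time OpenID Connect login has no right to create the local wiki account the extension must map the identity onto, and the new block inside `{{ if eq (env "OPENID_ENABLED") "1" }}` should also grant auto-creation, e.g. `$wgGroupPermissions['*']['autocreateaccount'] = true;` — worth confirming against the PluggableAuth documentation for the extension versions composer resolves. The `env` values are pasted into single-quoted PHP literals, so a `'` in `OPENID_KEYCLOAK_URL` or `OPENID_CLIENT_ID` breaks the settings file at container start; the values come from the operator's own `.envrc`, so this is a robustness rather than injection concern, but a comment such as `# values must not contain single quotes` above the block would save a confusing failure. The surrounding template (the `{{ end }}` that closes the debug-log block and the SMTP block that follows) starts and ends outside the hunk.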
@@ -65,7 +71,6 @@ MIT License
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
 [mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
-
 [simplesamlphp]: https://simplesamlphp.org/
 [mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
 [venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
diff --git a/compose.openid.yml b/compose.openid.yml
new file mode 100644
index 0000000..be21cef
--- /dev/null
+++ b/compose.openid.yml
@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - OPENID_KEYCLOAK_URL
+      - OPENID_CLIENT_ID
+    secrets:
+      - openid_client_secret
+
+secrets:
+  openid_client_secret:
+    name: ${STACK_NAME}_openid_client_secret_${OPENID_CLIENT_SECRET_VERSION}
+    external: true
+
+configs:
+  composer_local_conf:
+    name: ${STACK_NAME}_composer_local_${COMPOSER_LOCAL_CONF_VERSION}
+    file: composer.local.json.tmpl
+    template_driver: golang
diff --git a/composer.local.json b/composer.local.json
new file mode 100644
index 0000000..6a93b46
--- /dev/null
+++ b/composer.local.json
@@ -0,0 +1,9 @@
+{
+  "extra": {
+    "merge-plugin": {
+      "include": [
+        "extensions/OpenIDConnect/composer.json"
+      ]
+    }
+  }
+}
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index efe29c3..6d1f8ec 100755
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
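Review bot: The `configs:` block registers `composer_local_conf` from `composer.local.json.tmpl`, but the file this commit adds is `composer.local.json` (no `.tmpl`, per the diffstat and the new-file header), and the `app` service in this file never mounts the config, so the merge-plugin include will not be present when the entrypoint runs `composer update` unless compose.yml already handles it. Either rename the file to match or change the line to `file: composer.local.json`, and add a `configs:` entry under `app` with `source: composer_local_conf` and a `target:` inside the MediaWiki root. Separately, `environment:` forwards only `OPENID_KEYCLOAK_URL` and `OPENID_CLIENT_ID`, while `OPENID_ENABLED` is the gate tested by both `LocalSettings.php.tmpl` (`env "OPENID_ENABLED"`) and `entrypoint.sh.tmpl`; it should be listed here as well, assuming compose.yml does not already pass it into the container.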
@@ -2,12 +2,24 @@
 set -eu -o pipefail
-init_php() {
-    if ! type composer > /dev/null 2>&1; then
-        apt update && apt install -y curl git
-        curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
-        php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
-        composer -V
+init_composer() {
+    set -eu
+
+    if [ -n "$OPENID_ENABLED" ]; then
+        if ! type composer > /dev/null 2>&1; then
+            apt update && apt install -y curl git
+            curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
+            php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
+            composer -V
+        fi
+    fi
+}
+
+composer_update() {
+    set -eu
+
+    if [ -n "$OPENID_ENABLED" ]; then
+        cd /var/www/html/ && composer update
     fi
 }
@@ -60,7 +72,9 @@ main() {
     install_extensions
     init_db
-    init_php
+
+    init_composer
+    composer_update
 }
 main
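Review bot: `if [ -n "$OPENID_ENABLED" ]` in both `init_composer` and `composer_update` runs under `set -eu`, so when the variable is unset — the normal case, since `.envrc.sample` leaves `OPENID_ENABLED` commented out and `compose.openid.yml` does not forward it — the expansion aborts the whole entrypoint with an unbound-variable error instead of skipping the OpenID steps; use `if [ -n "${OPENID_ENABLED:-}" ]; then` in both functions. `composer update` with no committed lock file also resolves and downloads whatever dependency versions are current at every container start, so the installed extension set is not reproducible between deploys and a network failure at boot halts the service; `composer install` against a checked-in `composer.lock` (or a pinned constraint) would make this deterministic. The installer fetch carried over from `init_php` still pipes the downloaded `composer-setup.php` straight into `php` without checking it against the published installer checksum, which is worth a follow-up now that it runs on a login-critical path.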