First attempt at OpenID login

See https://git.autonomic.zone/compose-stacks/mediawiki/issues/14.
2020-10-19 16:50:47 +02:00 · 2020-10-19 16:50:47 +02:00 · 3ffc239373
parent d75e15310c
commit 3ffc239373
6 changed files with 82 additions and 14 deletions
--- a/.envrc.sample
+++ b/.envrc.sample
@ -18,6 +18,7 @@ export MEDIAWIKI_SECRET_KEY_VERSION=v1
 export LOCAL_SETTINGS_CONF_VERSION=v1
 export HTACCESS_CONF_VERSION=v1
 export ENTRYPOINT_CONF_VERSION=v1
+export COMPOSER_LOCAL_CONF_VERSION=v1

 # SAML

@ -40,3 +41,11 @@ export ENTRYPOINT_CONF_VERSION=v1
 ## SMTP
 #export COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
 #export SMTP_HOST=postfix_relay_app
+
+# OpenID Connect
+
+# export OPENID_ENABLED=1
+# export COMPOSE_FILE="compose.yml:compose.openid.yml"
+# export OPENID_KEYCLOAK_URL="https://keycloak.local:8080/auth/realms/acme/"
+# export OPENID_CLIENT_ID="mediawiki"
+# export OPENID_CLIENT_SECRET_VERSION=v1
--- a/LocalSettings.php.tmpl
+++ b/LocalSettings.php.tmpl
@ -183,6 +183,16 @@ $wgGroupPermissions['*']['createaccount'] = false;
 $wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";
 {{ end }}

+{{ if eq (env "OPENID_ENABLED") "1" }}
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'OpenIDConnect' );
+
+$wgOpenIDConnect_Config['{{ env "OPENID_KEYCLOAK_URL" }}'] = [
+  'clientID' => '{{ env "OPENID_CLIENT_ID"}}',
+  'clientsecret' => '{{ secret "openid-client-secret" }}'
+];
+{{ end }}
+
 {{ if env "SMTP_HOST" }}
 $wgSMTP = [
    'host'     => '{{ env "SMTP_HOST" }}', // could also be an IP address. Where the SMTP server is located
--- a/README.md
+++ b/README.md
@ -10,18 +10,18 @@ Based on [`mediawiki-ve-bundle`][mediawiki-ve].

 1. Set up Docker Swarm and [`abra`][abra]
 2. Deploy [`compose-stacks/traefik`][compose-traefik]
-2. `cp .envrc.sample .envrc`
-3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
+3. `cp .envrc.sample .envrc`
+4. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
   your Docker swarm box
-4. `direnv allow` (or `. .envrc`)
-5. Generate secrets:
+5. `direnv allow` (or `. .envrc`)
+6. Generate secrets:
   ```
   abra secret_generate db_password v1
   abra secret_generate db_root_password v1
   abra secret_generate mediawiki_secret_key v1 "pwgen -n 64 1"
   ```
-6. `abra deploy`
-7. Create an initial admin user:
+7. `abra deploy`
+8. Create an initial admin user:
   `abra run app php /var/www/html/maintenance/createAndPromote.php YourUsername YourPassword`

 ## SimpleSAMLphp
@ -57,6 +57,12 @@ system. Patches to make this configurable are welcome!
   # 'sqlite:/var/simplesamlphp/data/simplesamlphp.sq3'
   ```

+## OpenID Connect
+
+1. Edit `.envrc` and uncomment lines in the `OPENID` section (including `COMPOSE_FILE`)
+1. `direnv allow`
+1. Get your Keycloak generated client secret and `docker secret create` it as `openid_client_secret`
+
 ## License

 MIT License
@ -65,7 +71,6 @@ MIT License
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [compose-traefik]: https://git.autonomic.zone/compose-stacks/traefik
 [mediawiki-ve]: https://hub.docker.com/r/revianlabs/mediawiki-ve-bundle
-
 [simplesamlphp]: https://simplesamlphp.org/
 [mw-simplesamlphp]: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
 [venatorfox-simplesamlphp]: https://hub.docker.com/r/venatorfox/simplesamlphp
--- a/compose.openid.yml
+++ b/compose.openid.yml
@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+      - OPENID_KEYCLOAK_URL
+      - OPENID_CLIENT_ID
+    secrets:
+      - openid_client_secret
+
+secrets:
+  openid_client_secret:
+    name: ${STACK_NAME}_openid_client_secret_${OPENID_CLIENT_SECRET_VERSION}
+    external: true
+
+configs:
+  composer_local_conf:
+    name: ${STACK_NAME}_composer_local_${COMPOSER_LOCAL_CONF_VERSION}
+    file: composer.local.json.tmpl
+    template_driver: golang
--- a/composer.local.json
+++ b/composer.local.json
@ -0,0 +1,9 @@
+{
+  "extra": {
+    "merge-plugin": {
+      "include": [
+        "extensions/OpenIDConnect/composer.json"
+      ]
+    }
+  }
+}
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -2,12 +2,24 @@

 set -eu -o pipefail

-init_php() {
-	if ! type composer > /dev/null 2>&1; then
-		apt update && apt install -y curl git
-		curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
-		php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
-		composer -V
+init_composer() {
+	set -eu
+
+	if [ -n "$OPENID_ENABLED" ]; then
+		if ! type composer > /dev/null 2>&1; then
+			apt update && apt install -y curl git
+			curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
+			php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer --version=1.10.15
+			composer -V
+		fi
+	fi
+}
+
+composer_update() {
+	set -eu
+
+	if [ -n "$OPENID_ENABLED" ]; then
+		cd /var/www/html/ && composer update
 	fi
 }

@ -60,7 +72,9 @@ main() {
 	install_extensions

 	init_db
-	init_php
+
+	init_composer
+	composer_update
 }

 main