Switch the Mediawiki config to the new LDAP dir structure

* Use a new read-only account instead of the admin LDAP account * Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin is still used to authenticate users, but every kosmos.org user has access to the wiki. See https://www.mediawiki.org/wiki/Extension:PluggableAuth for the distinction between authentication and authorization Refs #127
2020-02-18 13:20:10 +01:00 · 2020-02-18 13:20:10 +01:00 · 276daf0ed7
commit 276daf0ed7
parent afaff86551
3 changed files with 30 additions and 32 deletions
--- a/data_bags/credentials/mediawiki.json
+++ b/data_bags/credentials/mediawiki.json
@ -1,15 +1,31 @@
 {
  "id": "mediawiki",
  "antispam_key": {
-    "encrypted_data": "0geoVeZ/umKaBCbhDfxkacWt4sWQBHrRxYGTSsaC5gw=\n",
-    "iv": "YxwNvI3HXeMZRHFpv+QLcQ==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "OD5RrVaQoUFbGV1Xs6i3hqZ024IJsbOC4CAWzrw5jQ==\n",
+    "iv": "8sfvTg7uGe1ofS2C\n",
+    "auth_tag": "hquilck+xxOQqHjE+szPgA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
  },
  "db_pass": {
-    "encrypted_data": "aQ1soJeRPq9TQuDglkXrl10rIx5RpBNd5HltKVsYgLHedS5zXy8ylBhNdgBW\nb6slPhsbAB9d45aZAac7LUSbMIDIg8P+Zdx/0+IaEuwcpuQ=\n",
-    "iv": "RDS39dqjBPO0CyyANsa+2g==\n",
-    "version": 1,
-    "cipher": "aes-256-cbc"
+    "encrypted_data": "2IntmJdBmfGyHghAXDJnaew58u9dvjKCz/q1Uivs8Q+nH3wVqARkf52BIHhZ\nbIHY3cy50EwcKTxDcr1arQFmb88cKBxt\n",
+    "iv": "pkCrp07s4LJfaPmq\n",
+    "auth_tag": "yBsriBc/X2bP6v25NY3cSg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_user": {
+    "encrypted_data": "l/Q63Mvm/tANfvZ+1ijjTB1lpirOhAjWDz4k+R1OkzYIXQNwo6VM2saTH2eu\nBNHFLTyUSMqzlAcq6OvH++En05wk\n",
+    "iv": "y+n/Lo8t6O3Ab4/+\n",
+    "auth_tag": "7eHYjF8A0T611Y+JT1GeJg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "ldap_password": {
+    "encrypted_data": "+qYb9F/f9QRRCTsMoRIyWWVQyCSLcQRHSPWD2Nf7z7Kauywh1zIg\n",
+    "iv": "sivNzq6G+mScbRnn\n",
+    "auth_tag": "ybUpDlIOJm0bsqlY5qt1xA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
  }
 }
--- a/site-cookbooks/kosmos-mediawiki/metadata.rb
+++ b/site-cookbooks/kosmos-mediawiki/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.2.1'
+version          '0.3.0'

 depends "mediawiki"
 depends "ark"
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@ -39,8 +39,8 @@ node.override['mediawiki']['server_name']     = server_name
 node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
 node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
-mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mysql_credentials = data_bag_item('credentials', 'mysql')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')

 node.override['mediawiki']['db']['root_password'] = mysql_credentials["root_password"]
 node.override['mediawiki']['db']['pass'] = mediawiki_credentials["db_pass"]
@ -167,15 +167,6 @@ if node["mediawiki"]["ldap_enabled"]
    action :dump
  end

-  ark "LDAPAuthorization" do
-    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
-    path "#{node['mediawiki']['webdir']}/extensions"
-    owner node["nginx"]["user"]
-    group node["nginx"]["group"]
-    mode 0750
-    action :dump
-  end
-
  ark "LDAPAuthentication2" do
    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
    path "#{node['mediawiki']['webdir']}/extensions"
@ -187,10 +178,9 @@ if node["mediawiki"]["ldap_enabled"]

  package "php-ldap"

-  ldap_credentials = data_bag_item("credentials", "dirsrv")
  ldap_domain = node['kosmos-dirsrv']['master_hostname']
  ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
-  ldap_base = "ou=users,dc=kosmos,dc=org"
+  ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 end

 ruby_block "configuration" do
@ -260,8 +250,8 @@ $LDAPProviderDomainConfigProvider = function()
            "connection" => [
                "server" => "#{ldap_domain}",
                "enctype" => "#{ldap_encryption_type}",
-                "user" => "cn=Directory Manager",
-                "pass" => "#{ldap_credentials['admin_password']}",
+                "user" => "#{mediawiki_credentials['ldap_user']}",
+                "pass" => "#{mediawiki_credentials['ldap_password']}",
                "basedn" => "#{ldap_base}",
                "groupbasedn" => "#{ldap_base}",
                "userbasedn" => "#{ldap_base}",
@ -270,13 +260,6 @@ $LDAPProviderDomainConfigProvider = function()
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
-            ],
-            "authorization" => [
-                "rules" => [
-                        "attributes" => [
-                                        "wiki" => "enabled"
-                    ]
-                ]
            ]
        ]
    ];
@ -288,7 +271,6 @@ $LDAPProviderDomainConfigProvider = function()
 $wgPluggableAuth_ButtonLabel = 'Log in';
 wfLoadExtension( 'LDAPProvider' );
 wfLoadExtension( 'PluggableAuth' );
-wfLoadExtension( 'LDAPAuthorization' );
 wfLoadExtension( 'LDAPAuthentication2' );
 # Disable account creation page, since this is not possible to create an account
 # when only LDAP login is enabled