From 5bc635109a4edc69f09918b5ff9733628234ec78 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 17 Sep 2025 14:53:53 +0200
Subject: [PATCH] mediawiki: normalize LocalSettings.php base settings (clean+append once); fail if missing
oidc.php: autologin/localLogin templated via vars; optionally disable wgPasswordAttemptThrottle when 'web-svc-logout' present
vars: set defaults (AUTOLOGIN=true, LOCALLOGIN=false); use path_join/url_join for clean paths/URLs
Context: https://chatgpt.com/share/68caaf41-d098-800f-beb0-a473ff08c9c5
---
 .../tasks/03_patch_settings.yml | 50 +++++++------------
 roles/web-app-mediawiki/templates/oidc.php.j2 | 9 +++-
 roles/web-app-mediawiki/vars/main.yml | 8 +-
 3 files changed, 31 insertions(+), 36 deletions(-)
diff --git a/roles/web-app-mediawiki/tasks/03_patch_settings.yml b/roles/web-app-mediawiki/tasks/03_patch_settings.yml
index 23c8f169..f454d23d 100644
--- a/roles/web-app-mediawiki/tasks/03_patch_settings.yml
+++ b/roles/web-app-mediawiki/tasks/03_patch_settings.yml
@@ -1,5 +1,5 @@
 # roles/web-app-mediawiki/tasks/03_patch_settings.yml
-- name: "MEDIAWIKI | Ensure LocalSettings.php has correct base settings"
+- name: "MEDIAWIKI | Normalize base settings in LocalSettings.php (clean + append once)"
 vars:
 _lsp_path: "{{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php"
 _server_url: "{{ MEDIAWIKI_URL | regex_replace('/+$', '') }}"
@@ -14,46 +14,34 @@
 docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
 set -euo pipefail
 LSP="{{ _lsp_path }}"
+ [ -f "$LSP" ] || { echo "ERROR: LocalSettings.php not found."; exit 1; }
+
 SERVER='\''{{ _server_url_sq }}'\''
 DBNAME='\''{{ _db_name_sq }}'\''
 DBUSER='\''{{ _db_user_sq }}'\''
 DBPASS='\''{{ _db_pass_sq }}'\''
 DBHOST='\''{{ _db_host_sq }}'\''
 LANG='\''{{ _lang_sq }}'\''
- [ -f "$LSP" ] || { echo "LocalSettings.php not found, skipping."; exit 0; }
+
+ tmp="$(mktemp)"; trap "rm -f \"$tmp\"" EXIT
- need=0
+ # 1) Copy existing file, but drop ALL prior assignments of our managed keys
+ grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true
- check_line() {
- local key="$1" val="$2"
- grep -Eq "^[[:space:]]*\$${key}[[:space:]]*=[[:space:]]*'\''${val}'\'';" "$LSP" || need=1
- }
-
- check_line wgServer "$SERVER"
- check_line wgCanonicalServer "$SERVER"
- check_line wgDBname "$DBNAME"
- check_line wgDBuser "$DBUSER"
- check_line wgDBpassword "$DBPASS"
- check_line wgDBserver "$DBHOST"
- check_line wgLanguageCode "$LANG"
-
- if [ "$need" -eq 1 ]; then
- tmp="$(mktemp)"
- # Remove any existing definitions for these keys
- grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true
-
- {
- printf "\n\$wgServer = '\''%s'\'';\n" "$SERVER"
- printf "\$wgCanonicalServer = '\''%s'\'';\n" "$SERVER"
- printf "\$wgDBname = '\''%s'\'';\n" "$DBNAME"
- printf "\$wgDBuser = '\''%s'\'';\n" "$DBUSER"
- printf "\$wgDBpassword = '\''%s'\'';\n" "$DBPASS"
- printf "\$wgDBserver = '\''%s'\'';\n" "$DBHOST"
- printf "\$wgLanguageCode = '\''%s'\'';\n" "$LANG"
- } >> "$tmp"
+ # 2) Append ONE clean, authoritative block
+ {
+ printf "\n\$wgServer = '\''%s'\'';\n" "$SERVER"
+ printf "\$wgCanonicalServer = '\''%s'\'';\n" "$SERVER"
+ printf "\$wgDBname = '\''%s'\'';\n" "$DBNAME"
+ printf "\$wgDBuser = '\''%s'\'';\n" "$DBUSER"
+ printf "\$wgDBpassword = '\''%s'\'';\n" "$DBPASS"
+ printf "\$wgDBserver = '\''%s'\'';\n" "$DBHOST"
+ printf "\$wgLanguageCode = '\''%s'\'';\n" "$LANG"
+ } >> "$tmp"
+ # 3) Idempotent write: only replace if content actually changed
+ if ! cmp -s "$LSP" "$tmp"; then
 cat "$tmp" > "$LSP"
- rm -f "$tmp"
 echo CHANGED
 fi
 '
diff --git a/roles/web-app-mediawiki/templates/oidc.php.j2 b/roles/web-app-mediawiki/templates/oidc.php.j2
index 5f5269db..e4101009 100644
--- a/roles/web-app-mediawiki/templates/oidc.php.j2
+++ b/roles/web-app-mediawiki/templates/oidc.php.j2
@@ -3,11 +3,16 @@
 {% if MEDIAWIKI_OIDC_ENABLED | bool %}
+{% if 'web-svc-logout' in CURRENT_PLAY_APPLICATIONS %}
+# The cookie deletion of the logout app leads to a login bug if this isn't set
+$wgPasswordAttemptThrottle = [];
+{% endif %}
+
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'OpenIDConnect' );
-$wgPluggableAuth_EnableAutoLogin = true;
-$wgPluggableAuth_EnableLocalLogin = false;
+$wgPluggableAuth_EnableAutoLogin = {{ MEDIAWIKI_OIDC_AUTOLOGIN | bool | ternary('true','false') }};
+$wgPluggableAuth_EnableLocalLogin = {{ MEDIAWIKI_OIDC_LOCALLOGIN | bool | ternary('true','false') }};
 $wgPluggableAuth_ButtonLabel = '{{ MEDIAWIKI_OIDC_BUTTON_TEXT }}';
 $wgPluggableAuth_Config = [
diff --git a/roles/web-app-mediawiki/vars/main.yml b/roles/web-app-mediawiki/vars/main.yml
index d15c1660..f91de751 100644
--- a/roles/web-app-mediawiki/vars/main.yml
+++ b/roles/web-app-mediawiki/vars/main.yml
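Review bot: The step-1 filter is most likely a no-op: inside the double-quoted grep pattern the inner bash reduces `\$` to a bare `$`, which GNU `grep -E` treats as an end-of-line anchor, so `^[[:space:]]*$(wgServer|…)` can never match, nothing is dropped, and each run appends another block (so `cmp` always differs and the task never settles) — please confirm on a host and, if so, write the literal dollar as a bracket expression: `grep -Ev "^[[:space:]]*[$](wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true`. The `printf` format strings are unaffected, since printf does not interpret `$`. Separately, `DBPASS` travels on the `docker exec … bash -lc '…'` command line, so it is visible in the process list on host and container and in Ansible output unless the task sets `no_log: true`; the task header starts before this hunk, so I cannot see whether it does. Using `LANG` as the variable name also overrides the shell's locale variable for the `grep`/`cmp` calls in that session; a name such as `LANGCODE` avoids that.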
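Review bot: `$wgPasswordAttemptThrottle = [];` switches off MediaWiki's login-attempt throttling entirely whenever `web-svc-logout` is in the play, and the same hunk makes `$wgPluggableAuth_EnableLocalLogin` configurable, so a deployment with `MEDIAWIKI_OIDC_LOCALLOGIN: true` plus the logout app ends up with password logins that have no brute-force rate limit. Scope the override to the case it was added for, e.g. `{% if 'web-svc-logout' in CURRENT_PLAY_APPLICATIONS and not (MEDIAWIKI_OIDC_LOCALLOGIN | bool) %}`, or use a relaxed but non-empty throttle instead of an empty array. The comment should also name the consequence: `# web-svc-logout clears cookies in a way that trips the attempt throttle; an empty throttle also removes brute-force rate limiting for password logins`. Whether `CURRENT_PLAY_APPLICATIONS` is always defined when this template renders is not visible here.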
@@ -32,12 +32,14 @@
 MEDIAWIKI_OIDC_CLIENT_ID: "{{ OIDC.CLIENT.ID }}"
 MEDIAWIKI_OIDC_CLIENT_SECRET: "{{ OIDC.CLIENT.SECRET }}"
 MEDIAWIKI_OIDC_ISSUER: "{{ OIDC.CLIENT.ISSUER_URL }}"
 MEDIAWIKI_OIDC_BUTTON_TEXT: "{{ OIDC.BUTTON_TEXT }}"
+MEDIAWIKI_OIDC_AUTOLOGIN: true
+MEDIAWIKI_OIDC_LOCALLOGIN: false
 # Extensions
 MEDIAWIKI_EXT_BRANCH: "REL1_44"
-MEDIAWIKI_EXT_CFG_BASE: "{{ [ MEDIAWIKI_CONFIG_DIR, 'mwext', MEDIAWIKI_EXT_BRANCH ] | url_join }}"
+MEDIAWIKI_EXT_CFG_BASE: "{{ [ MEDIAWIKI_CONFIG_DIR, 'mwext', MEDIAWIKI_EXT_BRANCH ] | path_join }}"
 MEDIAWIKI_EXT_LIST:
 - name: "PluggableAuth"
- url: "https://codeload.github.com/wikimedia/mediawiki-extensions-PluggableAuth/tar.gz/refs/heads/{{ MEDIAWIKI_EXT_BRANCH }}"
+ url: "{{ [ 'https://codeload.github.com/wikimedia/mediawiki-extensions-PluggableAuth/tar.gz/refs/heads/',MEDIAWIKI_EXT_BRANCH ] | url_join }}"
 - name: "OpenIDConnect"
- url: "https://codeload.github.com/wikimedia/mediawiki-extensions-OpenIDConnect/tar.gz/refs/heads/{{ MEDIAWIKI_EXT_BRANCH }}"
+ url: "{{ [ 'https://codeload.github.com/wikimedia/mediawiki-extensions-OpenIDConnect/tar.gz/refs/heads/',MEDIAWIKI_EXT_BRANCH ] | url_join }}"
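Review bot: Both extension tarballs are still fetched from a branch head (`refs/heads/REL1_44`), so the content behind the same URL can change between runs and nothing in these vars pins it; the download task is outside this diff, so I cannot see whether it verifies a checksum. Pointing the URL at a release tag or commit instead of a branch head and, if the fetch uses `get_url`, setting its `checksum:` would make the install reproducible and detect a tampered archive. `path_join` is the right filter for `MEDIAWIKI_EXT_CFG_BASE` since it is a filesystem path; whether the project's `url_join` keeps the trailing slash of the first list element or collapses it is not visible here, so check the rendered URL once.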