mediawiki: normalize LocalSettings.php base settings (clean+append once); fail if missing

oidc.php: autologin/localLogin templated via vars; optionally disable wgPasswordAttemptThrottle when 'web-svc-logout' present vars: set defaults (AUTOLOGIN=true, LOCALLOGIN=false); use path_join/url_join for clean paths/URLs Context: https://chatgpt.com/share/68caaf41-d098-800f-beb0-a473ff08c9c5
2025-11-03 19:58:14 +00:00 · 2025-09-17 14:53:53 +02:00
parent efb5488cfc
commit 5bc635109a
3 changed files with 31 additions and 36 deletions
--- a/roles/web-app-mediawiki/tasks/03_patch_settings.yml
+++ b/roles/web-app-mediawiki/tasks/03_patch_settings.yml
@@ -1,5 +1,5 @@
 # roles/web-app-mediawiki/tasks/03_patch_settings.yml
- name: "MEDIAWIKI | Ensure LocalSettings.php has correct base settings"
+- name: "MEDIAWIKI | Normalize base settings in LocalSettings.php (clean + append once)"
  vars:
    _lsp_path: "{{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php"
    _server_url: "{{ MEDIAWIKI_URL | regex_replace('/+$', '') }}"
@@ -14,46 +14,34 @@
    docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
      set -euo pipefail
      LSP="{{ _lsp_path }}"
+      [ -f "$LSP" ] || { echo "ERROR: LocalSettings.php not found."; exit 1; }
+
      SERVER='\''{{ _server_url_sq }}'\''
      DBNAME='\''{{ _db_name_sq }}'\''
      DBUSER='\''{{ _db_user_sq }}'\''
      DBPASS='\''{{ _db_pass_sq }}'\''
      DBHOST='\''{{ _db_host_sq }}'\''
      LANG='\''{{ _lang_sq }}'\''
-      [ -f "$LSP" ] || { echo "LocalSettings.php not found, skipping."; exit 0; }
      
-      need=0
+      tmp="$(mktemp)"; trap "rm -f \"$tmp\"" EXIT

-      check_line() {
-        local key="$1" val="$2"
-        grep -Eq "^[[:space:]]*\$${key}[[:space:]]*=[[:space:]]*'\''${val}'\'';" "$LSP" || need=1
-      }
+      # 1) Copy existing file, but drop ALL prior assignments of our managed keys
+      grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true

-      check_line wgServer "$SERVER"
-      check_line wgCanonicalServer "$SERVER"
-      check_line wgDBname "$DBNAME"
-      check_line wgDBuser "$DBUSER"
-      check_line wgDBpassword "$DBPASS"
-      check_line wgDBserver "$DBHOST"
-      check_line wgLanguageCode "$LANG"
-
-      if [ "$need" -eq 1 ]; then
-        tmp="$(mktemp)"
-        # Remove any existing definitions for these keys
-        grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true
-
-        {
-          printf "\n\$wgServer = '\''%s'\'';\n"           "$SERVER"
-          printf "\$wgCanonicalServer = '\''%s'\'';\n"    "$SERVER"
-          printf "\$wgDBname = '\''%s'\'';\n"             "$DBNAME"
-          printf "\$wgDBuser = '\''%s'\'';\n"             "$DBUSER"
-          printf "\$wgDBpassword = '\''%s'\'';\n"         "$DBPASS"
-          printf "\$wgDBserver = '\''%s'\'';\n"           "$DBHOST"
-          printf "\$wgLanguageCode = '\''%s'\'';\n"       "$LANG"
-        } >> "$tmp"
+      # 2) Append ONE clean, authoritative block
+      {
+        printf "\n\$wgServer = '\''%s'\'';\n"           "$SERVER"
+        printf "\$wgCanonicalServer = '\''%s'\'';\n"    "$SERVER"
+        printf "\$wgDBname = '\''%s'\'';\n"             "$DBNAME"
+        printf "\$wgDBuser = '\''%s'\'';\n"             "$DBUSER"
+        printf "\$wgDBpassword = '\''%s'\'';\n"         "$DBPASS"
+        printf "\$wgDBserver = '\''%s'\'';\n"           "$DBHOST"
+        printf "\$wgLanguageCode = '\''%s'\'';\n"       "$LANG"
+      } >> "$tmp"

+      # 3) Idempotent write: only replace if content actually changed
+      if ! cmp -s "$LSP" "$tmp"; then
        cat "$tmp" > "$LSP"
-        rm -f "$tmp"
        echo CHANGED
      fi
    '
--- a/roles/web-app-mediawiki/templates/oidc.php.j2
+++ b/roles/web-app-mediawiki/templates/oidc.php.j2
@@ -3,11 +3,16 @@

 {% if MEDIAWIKI_OIDC_ENABLED | bool %}

+{% if 'web-svc-logout' in CURRENT_PLAY_APPLICATIONS %}
+# The cookie deletion of the logout app leads to a login bug if this isn't set
+$wgPasswordAttemptThrottle = [];
+{% endif %}
+
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'OpenIDConnect' );

-$wgPluggableAuth_EnableAutoLogin = true;
-$wgPluggableAuth_EnableLocalLogin = false;
+$wgPluggableAuth_EnableAutoLogin = {{ MEDIAWIKI_OIDC_AUTOLOGIN | bool | ternary('true','false') }};
+$wgPluggableAuth_EnableLocalLogin = {{ MEDIAWIKI_OIDC_LOCALLOGIN | bool | ternary('true','false') }};
 $wgPluggableAuth_ButtonLabel = '{{ MEDIAWIKI_OIDC_BUTTON_TEXT }}';

 $wgPluggableAuth_Config = [
--- a/roles/web-app-mediawiki/vars/main.yml
+++ b/roles/web-app-mediawiki/vars/main.yml
@@ -32,12 +32,14 @@ MEDIAWIKI_OIDC_CLIENT_ID:         "{{ OIDC.CLIENT.ID }}"
 MEDIAWIKI_OIDC_CLIENT_SECRET:     "{{ OIDC.CLIENT.SECRET }}"
 MEDIAWIKI_OIDC_ISSUER:            "{{ OIDC.CLIENT.ISSUER_URL }}"
 MEDIAWIKI_OIDC_BUTTON_TEXT:       "{{ OIDC.BUTTON_TEXT }}"
+MEDIAWIKI_OIDC_AUTOLOGIN:         true
+MEDIAWIKI_OIDC_LOCALLOGIN:        false

 # Extensions
 MEDIAWIKI_EXT_BRANCH:   "REL1_44"
-MEDIAWIKI_EXT_CFG_BASE: "{{ [ MEDIAWIKI_CONFIG_DIR, 'mwext', MEDIAWIKI_EXT_BRANCH ] | url_join }}"
+MEDIAWIKI_EXT_CFG_BASE: "{{ [ MEDIAWIKI_CONFIG_DIR, 'mwext', MEDIAWIKI_EXT_BRANCH ] | path_join }}"
 MEDIAWIKI_EXT_LIST:
  - name: "PluggableAuth"
-    url: "https://codeload.github.com/wikimedia/mediawiki-extensions-PluggableAuth/tar.gz/refs/heads/{{ MEDIAWIKI_EXT_BRANCH }}"
+    url: "{{ [ 'https://codeload.github.com/wikimedia/mediawiki-extensions-PluggableAuth/tar.gz/refs/heads/',MEDIAWIKI_EXT_BRANCH ] | url_join }}"
  - name: "OpenIDConnect"
-    url: "https://codeload.github.com/wikimedia/mediawiki-extensions-OpenIDConnect/tar.gz/refs/heads/{{ MEDIAWIKI_EXT_BRANCH }}"
+    url: "{{ [ 'https://codeload.github.com/wikimedia/mediawiki-extensions-OpenIDConnect/tar.gz/refs/heads/',MEDIAWIKI_EXT_BRANCH ] | url_join }}"