定制 mediawiki/auth-remoteuser 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

mediawiki/auth-remoteuser

Composer 安装命令:

composer require mediawiki/auth-remoteuser

包简介

Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)

README 文档

README

Auth_remoteuser is an extension for MediaWiki 1.27 and up which logs-in users into mediawiki automatically if they are already authenticated by a remote source. This can be anything ranging from webserver environment variables to request headers to arbitrary external sources if at least the remote user name maps to an existing user name in the local wiki database (or it can be created if the extension has the permissions to do so). The external source takes total responsibility in authenticating an authorized user.

Because it is implemented as a SessionProvider in MediaWikis AuthManager stack, which was introduced with MediaWiki 1.27, you need a version of Auth_remoteuser below 2.0.0 to use this extension in MediaWiki 1.26 and below.

Requirements

  • MediaWiki 1.27+

Installation

Either copy this extension directory Auth_remoteuser/ into your mediawiki extension folder extensions/ or, when installing with Composer, add an appropriate required package link to your composer.local.json file:

"require": { "mediawiki/auth-remoteuser": "~2" }

Then, enable the extension in MediaWiki by adding the following to your global configuration file LocalSettings.php:

wfLoadExtension( 'Auth_remoteuser' );

Take account of MediaWikis global permissions for account creation inside your LocalSettings.php. At least one of them must be true for anonymous users to let this extension create accounts for users as of yet unknown to the wiki database. If you set this to false, then automatic login works only for users who have a wiki account already:

$wgGroupPermissions['*']['createaccount'] = true;

// If account creation by anonymous users is forbidden, then allow
// it to be created automatically.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Only login users automatically if known to the wiki already.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = false;

Configuration

You can adjust the behaviour of the extension to suit your needs by using a set of global configuration variables all starting with $wgAuthRemoteuser. Just add them to your LocalSettings.php. Default values, which you don't have to set explicitly are marked with the // default comment.

  • Set the name(s) to use for mapping into the local wiki user database. This can either be a simple string, a closure or a mixed array of strings and/or closures. If the value is null, the extension defaults to using the environment variables REMOTE_USER and REDIRECT_REMOTE_USER. The first name name in the given list, which can be used as a valid MediaWiki user name, will be taken for login (either by login to an existing wiki account or by creating first). Examples:

      $wgAuthRemoteuserUserName = null; // default
    
      // Same behaviour as default `null`.
      $wgAuthRemoteuserUserName = [
          $_SERVER[ 'REMOTE_USER' ],
          $_SERVER[ 'REDIRECT_REMOTE_USER' ]
      ];
    
      // Another remote source for user name(s).
      $wgAuthRemoteuserUserName = $_SERVER[ 'LOGON_USER' ];
    
      $wgAuthRemoteuserUserName = ""; // Will evaluate to nothing.
      $wgAuthRemoteuserUserName = []; // Will evaluate to nothing.
    
      // This is not advised, because it will evaluate every visitor
      // to the same wiki user 'Everybody'.
      $wgAuthRemoteuserUserName = "Everybody";
    
      // Create a closure instead of providing strings directly.
      $wgAuthRemoteuserUserName = function() {
          $credentials = explode( ':',$_SERVER['HTTP_AUTHORIZATION']);
          $username = $credentials[0];
          $password = $credentials[1];
          return MyOwnAuthorizer::authenticate( $username, $password )
              ? $username : "";
      };
    
  • When you need to process your remote user name before it can be used as an identifier into the wiki user list, for example to strip a Kerberos principal from the end, replacing invalid characters, or blacklisting some names, use the hook AuthRemoteuserFilterUserName provided by this extension. Just have a look at MediaWikis Hook documentation on how to register additional functions to this hook. It provides as first parameter the remote user name by reference to the hook function. If the function returns false, the remote user name will be ignored for automatic login.

  • This extension comes with predefined remote user name filters (which are using the hook mentioned above). If you want to replace something, set an array of search and replacement patterns to the following configuration variable (Each pattern can be a regular expression in PCRE syntax too):

      $wgAuthRemoteuserUserNameReplaceFilter = null; // default
    
      $wgAuthRemoteuserUserNameReplaceFilter = [
          '_' => ' ',                  // replace underscores with
                                       // spaces
          '@INTRA.EXAMPLE.COM$' => '', // strip Kerberos principal
                                       // from back
          '^domain\\' => '',           // strip NTLM domain from front
          'johndoe' => 'Admin',        // rewrite user johndoe
          '/JaNeDoE/i' => 'Admin',     // rewrite all case-insensitive
                                       // versions of janedoe
          '^(.*)$' => 'auto_$1',       // prepend string 'auto_'
          '^cn=(.*),dc=com$' => '$1',  // get nested user name
          '^([^,]*),(.*)$' => '$2 $1'  // reorder names
      ];
    
  • If you want to prevent some names from beeing logged in automatically, blacklist them with the following filter. It accepts a list of names, where each name can also be a regular expression in PCRE syntax:

      $wgAuthRemoteuserUserNameBlacklistFilter = null; // default
    
      $wgAuthRemoteuserUserNameBlacklistFilter = [
          'johndoe',
          'janedoe',
          '/john/i', // matches all case-insensitive versions of john
          '^f_'      // matches all users starting wit 'f_'
      ];
    
  • The opposite of the UserNameBlacklistFilter can be achieved by using the following filter, which permits the automatic login instead of preventing it:

      $wgAuthRemoteuserUserNameWhitelistFilter = null; // default
    
      $wgAuthRemoteuserUserNameWhitelistFilter = [
          'john',
          'jane'
      ];
    
  • When you have further user information available in your environment, which can be tied to a created user, for example email address or real name, then use one of the following configuration variables. Either UserPrefs or UserPrefsForced, which applies them to new users only or force them by applying them on each request. This can be useful if you don't want the user to change this preference inside MediaWiki (for example your company email address given by a remote source). They are expecting an array of key value pairs of which 'realname' and 'email' corresponds to the new users real name and email address. Any further key value pair specified gets mapped to a user preference of the same name. But take note of MediaWikis $wgDefaultUserOptions and $wgHiddenPrefsfor declaring user preference options. In most cases these globals are better suited for a definition of a default value and disabling their modifiability:

      $wgAuthRemoteuserUserPrefs = null;       // default
      $wgAuthRemoteuserUserPrefsForced = null; // default
    
      $wgAuthRemoteuserUserPrefs = [
          'realname' => $_SERVER[ 'AUTHENTICATE_DISPLAYNAME' ],
          'language' => 'en',
          'disablemail' => 0
      ];
      // Users email address should not be changed inside MediaWiki.
      $wgAuthRemoteuserUserPrefsForced = [
          'email' => $_SERVER[ 'AUTHENTICATE_MAIL' ]
      ];
    
      // Instead use MediaWiki global for the preference option.
      $wgDefaultUserOptions[ 'disablemail' ] = 0;
      // And disable it from being changed by the user.
      $wgHiddenPrefs[] = 'disablemail';
      // But change it depending on type of remote user (uses the
      // closure feature described below). For example if there are
      // guest accounts identified by a leading 'g_' existing at your
      // remote source, which have no valid email address, then
      // disable the option specifically for these type of accounts.
      $wgAuthRemoteuserUserPrefsForced = [
          'disablemail' => function ( $metadata ) {
              $name = $metadata[ 'remoteUserName' ];
              return ( preg_match( '/^g_/', $name ) ) ? 1 : 0;
          }
      ];
    

    You can specify an anonymous function for the values too. These closures getting called when the actual value is needed, and not when it is declared inside your LocalSettings.php. The first parameter given to the function is an associative array with the following keys:

    • userId - id of user in local wiki database or 0 if new/anonymous
    • remoteUserName - value as given by the environment
    • filteredUserName - after running hook for filtering user names
    • canonicalUserName - representation in the local wiki database
    • canonicalUserNameUsed - the user name used for the current session

    Take the following as an example in which a cost-intensive function (in a timely manner) is getting executed only once per user and not on every request:

      $wgAuthRemoteuserUserPrefs = [
          'email' => function( $metadata ) use ( $rpc ) {
              $name = $metadata[ 'remoteUserName' ];
              // costly remote procedure call to get email address
              return $rpc->query( 'email', $name );
          }
      ];
    
  • You can replace urls in MediaWiki, if your remote source is better suited for handling specific behaviour. For example by default no automatically logged-in user is allowed to logout (because he will be logged-in automatically again with the next request). But maybe your remote source should handle that logout (so that with the next request there isn't a remote user name provided anymore to this extension). Set an appropriate url to one of the following keys of the associative array wgAuthRemoteuserUserUrls:

    • logout - Provide a redirect url for the user logout. Depending on your other extension configuration settings this will either replace the link of the logout button in the user's personal url bar or redirect after a call to the special page Special:UserLogout. Accepts a string or a closure. If of type closure, then it should return a string with a valid url (either external or internal). The closure gets as first parameter the same array as closures for the user preferences (see description there).

    Examples:

      $wgAuthRemoteuserUserUrls = null; // default
    
      // Redirect to company domain controller host for logout.
      $wgAuthRemoteuserUserUrls = [
          'logout' => function( $metadata ) {
              $user = $metadata[ 'remoteUserName' ];
              return 'https://company.example.com/?logout=' . $user;
          }
      ];
    
      // Redirect to user login page instead of default logout page.
      // This is the default behaviour if user switching is allowed.
      $wgAuthRemoteuserUserUrls = [
          'logout' => function( $metadata ) {
              return 'Special:UserLogin';
          }
      ];
    
  • By default this extension mimics the behaviour of Auth_remoteuser versions prior 2.0.0, which prohibits using another local user then the one identified by the remote source. You can change this behaviour with the following configuration:

      $wgAuthRemoteuserAllowUserSwitch = false; // default
    
      $wgAuthRemoteuserAllowUserSwitch = true;
    
  • As an immutable SessionProvider (see AllowUserSwitch config above) all special pages and login/logout links for authentication aren't needed anymore by the identified user. If you still want them to be shown, for example if you are using other session providers besides this one, then set the following accordingly:

      $wgAuthRemoteuserRemoveAuthPagesAndLinks = true; // default
    
      $wgAuthRemoteuserRemoveAuthPagesAndLinks = false;
    
  • If you are using other SessionProvider extensions besides this one, you have to specify their significance by using an ascending priority:

      $wgAuthRemoteuserPriority = 50; // default
    
      $wgAuthRemoteuserPriority = SessionInfo::MAX_PRIORITY;
    

Upgrade

This extension doesn't use any database entries, therefore you don't need that extension to be enabled while upgrading. Just disable it and after you have upgraded your wiki, reenable this extension.

Upgrading from versions prior 2.0.0

All legacy configuration parameters are still fully supported. You don't have to rewrite your old LocalSettings.php settings. But to assist you in transitioning of old configuration parameters to new ones, the following list can guide you:

  • $wgAuthRemoteuserAuthz - This parameter has no equivalent new parameter, because you can achive the same with not loading the extension at all.
  • $wgAuthRemoteuserName - Superseded by $wgRemoteuserUserPrefs.
  • $wgAuthRemoteuserMail - Superseded by $wgRemoteuserUserPrefs.
  • $wgAuthRemoteuserNotify - Superseded by $wgRemoteuserUserPrefs.
  • $wgAuthRemoteuserDomain - Superseded by $wgRemoteuserUserNameReplaceFilter.
  • $wgAuthRemoteuserMailDomain - Superseded by $wgRemoteuserUserPrefs.

Additional notes

For a complete list of authors and any further documentation see the file extension.json or the Special:Version page on your wiki installation after you have enabled this extension.

For the license see the file COPYING.

mediawiki/auth-remoteuser 适用场景与选型建议

mediawiki/auth-remoteuser 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 24.06k 次下载、GitHub Stars 达 7, 最近一次更新时间为 2018 年 03 月 16 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「Authentication」 「extension」 「wiki」 「mediawiki」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 mediawiki/auth-remoteuser 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 mediawiki/auth-remoteuser 我们能提供哪些服务?
定制开发 / 二次开发

基于 mediawiki/auth-remoteuser 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 24.06k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 7
  • 点击次数: 9
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 7
  • Watchers: 4
  • Forks: 9
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-2.0-or-later
  • 更新时间: 2018-03-16