authorPatrick Uiterwijk <puiterwijk@redhat.com>2016-03-17 19:39:30 +0000
committerPatrick Uiterwijk <puiterwijk@redhat.com>2016-03-17 19:39:30 +0000
commite54ac16c8fc70519129fd28fd7e5debe1eed27db (patch)
treed890dcc9f180ffef5a145e592031fbfa4a3cb9bf
parent4ba0cdffa58ef5952b065fdf68faa2a6b8479d46 (diff)
Make hotfix for CLA+1 req in wiki in ansible
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
-rw-r--r--roles/mediawiki/tasks/main.yml2
-rw-r--r--roles/mediawiki/templates/Auth_FAS_CLAPLUSONE.php.j2135
2 files changed, 136 insertions, 1 deletions
diff --git a/roles/mediawiki/tasks/main.yml b/roles/mediawiki/tasks/main.yml
index 759a1e090..dc646837a 100644
--- a/roles/mediawiki/tasks/main.yml
+++ b/roles/mediawiki/tasks/main.yml
@@ -43,7 +43,7 @@
- mediawiki
- name: adding FAS auth
- template: src=Auth_FAS.php.j2 dest=/usr/share/mediawiki119/extensions/Auth_FAS.php owner=root group=root mode=775
+ template: src=Auth_FAS_CLAPLUSONE.php.j2 dest=/usr/share/mediawiki119/extensions/Auth_FAS.php owner=root group=root mode=775
tags:
- config
- mediawiki
diff --git a/roles/mediawiki/templates/Auth_FAS_CLAPLUSONE.php.j2 b/roles/mediawiki/templates/Auth_FAS_CLAPLUSONE.php.j2
new file mode 100644
index 000000000..281aaa64e
--- /dev/null
+++ b/roles/mediawiki/templates/Auth_FAS_CLAPLUSONE.php.j2
@@ -0,0 +1,135 @@
+<?php
+require_once('AuthPlugin.php');
+class Auth_FAS extends AuthPlugin {
+ function authenticate($username, $password) {
+ if ( ucfirst(strtolower($username)) != ucfirst($username) ) {
+ return false;
+ }
+
+ $username = strtolower( $username);
+ $ch = curl_init();
+
+{% if env == 'staging' %}
+ curl_setopt($ch, CURLOPT_URL, 'https://admin.stg.fedoraproject.org/accounts/json/person_by_username?tg_format=json');
+{% else %}
+ curl_setopt($ch, CURLOPT_URL, 'https://admin.fedoraproject.org/accounts/json/person_by_username?tg_format=json');
+{% endif %}
+ curl_setopt($ch, CURLOPT_POST, 1);
+ curl_setopt($ch, CURLOPT_USERAGENT, "Auth_FAS 0.9");
+ curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".urlencode($username)."&password=".urlencode($password)."&login=Login");
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+
+ # WARNING: Never leave this on in production, as it will cause
+ # plaintext passwords to show up in error logs.
+ curl_setopt($ch, CURLOPT_VERBOSE, 0);
+
+ # The following two lines need to be enabled when using a test FAS
+ # with an invalid cert. Otherwise they should be commented (or
+ # set to True) for security.
+ #curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
+ #curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+ $response = json_decode(curl_exec($ch), true);
+ curl_close ($ch);
+
+ if (!isset($response["success"])) {
+ error_log("FAS auth failed for $username: incorrect username or password", 0);
+ return false;
+ }
+
+ $groups = $response["person"]["approved_memberships"];
+
+ $has_cla = false;
+ $has_plus_one = false;
+ for ($i = 0, $cnt = count($groups); $i < $cnt; $i++) {
+ if ($groups[$i]["name"] == "cla_done" || $groups[$i]["name"] == "cla_fpca") {
+ $has_cla = true;
+ } else {
+ $has_plus_one = true;
+ }
+ }
+ if($has_cla && $has_plus_one) {
+ error_log("FAS auth succeeded for $username", 0);
+ return true;
+ }
+ error_log("FAS auth failed for $username: insufficient group membership", 0);
+ return false;
+ }
+
+ function userExists( $username ) {
+ if ( ucfirst(strtolower($username)) != ucfirst($username) ) {
+ return false;
+ }
+ return true;
+ }
+
+ function modifyUITemplate(&$template) {
+ $template->set('create', false);
+ $template->set('useemail', false);
+ $template->set('usedomain', false);
+ }
+
+ function updateUser( &$user ){
+ $user->mEmail = strtolower($user->getName())."@fedoraproject.org";
+ return true;
+ }
+
+ function autoCreate() {
+ return true;
+ }
+
+ function setPassword($password) {
+ return false;
+ }
+
+ function setDomain( $domain ) {
+ $this->domain = $domain;
+ }
+
+ function validDomain( $domain ) {
+ return true;
+ }
+
+ function updateExternalDB($user) {
+ return true;
+ }
+
+ function canCreateAccounts() {
+ return false;
+ }
+
+ function addUser($user, $password) {
+ return true;
+ }
+
+ function strict() {
+ return true;
+ }
+
+ function strictUserAuth( $username ) {
+ return true;
+ }
+
+ function allowPasswordChange() {
+ return false;
+ }
+
+ function initUser(&$user) {
+ $user->mEmail = strtolower($user->getName())."@fedoraproject.org";
+ $user->mEmailAuthenticated = wfTimestampNow();
+ $user->setToken();
+ $user->saveSettings();
+ return true;
+ }
+}
+
+/**
+ * Some extension information init
+ */
+$wgExtensionCredits['other'][] = array(
+ 'name' => 'Auth_FAS',
+ 'version' => '0.9.1',
+ 'author' => 'Nigel Jones',
+ 'description' => 'Authorisation plugin allowing login with FAS2 accounts'
+);
+
+?>
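Review bot: The membership loop in `authenticate()` counts every group other than `cla_done` and `cla_fpca` as the "+1", so if FAS has any other CLA-type group (for instance one whose name starts with `cla_`), an account holding only CLA groups would still pass the check. Making the else branch explicit would close that, e.g. `} elseif (strpos($groups[$i]["name"], "cla_") !== 0) {`, with a comment above the loop stating the rule: one CLA group plus at least one non-CLA group. Separately, `!isset($response["success"])` only tests that the key is present; if the endpoint can return `"success": false` that response would be accepted, so `if (empty($response["success"])) {` is the safer test. The same branch logs "incorrect username or password" when `curl_exec()` fails or the JSON does not decode, which makes a FAS outage look like a run of bad logins to whoever reads the log.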