Cicalese has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/361676 )

Change subject: Update user with groups from SAML attributes.
......................................................................


Update user with groups from SAML attributes.

* This is inspired by Extension:SimpleSamlAuth by Jorn de Jong.
* Implementing PluggableAuthPopulateGroups Hook (needs v5.1 of PluggableAuth) 
to provision the groups
* Mapping configurable in LocalSettings.php: `$wgSimpleSAMLphp_GroupMap = 
array( 'mw group' => array( 'saml attrib' => array('value1', 'value2', ...)))`

Change-Id: I0e7c28b1dfa5dbfb8153af07ce3a0d6cb70507ae
---
M SimpleSAMLphp.class.php
M extension.json
2 files changed, 41 insertions(+), 6 deletions(-)

Approvals:
  Cicalese: Verified; Looks good to me, approved
  jenkins-bot: Checked



diff --git a/SimpleSAMLphp.class.php b/SimpleSAMLphp.class.php
index 2b87420..ede0fcf 100644
--- a/SimpleSAMLphp.class.php
+++ b/SimpleSAMLphp.class.php
@@ -37,7 +37,7 @@
        public function authenticate( &$id, &$username, &$realname, &$email,
                &$errorMessage ) {
 
-               $saml = $this->getSAMLClient();
+               $saml = self::getSAMLClient();
                try {
                        $saml->requireAuth();
                } catch ( Exception $e ) {
@@ -120,7 +120,7 @@
         * @param User &$user
         */
        public function deauthenticate( User &$user ) {
-               $saml = $this->getSAMLClient();
+               $saml = self::getSAMLClient();
                $returnto = null;
                if ( array_key_exists( 'returnto', $_REQUEST ) ) {
                        $title = Title::newFromText( $_REQUEST['returnto'] );
@@ -144,7 +144,39 @@
                // intentionally left blank
        }
 
-       private function getSAMLClient() {
+       /**
+        * @since 4.1
+        * Update MediaWiki group membership of the authenticated user (given 
as object).
+        * Override function of parent class to use groups from SAML attributes.
+        * Credits to Extension:SimpleSamlAuth by Jorn de Jong
+        * @param User &$user
+        */
+       public static function populateGroups( User $user ) {
+               $saml = self::getSAMLClient();
+               $attributes = $saml->getAttributes();
+
+               if ( is_array( $GLOBALS['wgSimpleSAMLphp_GroupMap'] ) ) {
+                       # group map: [mediawiki group][saml attribute][saml 
attribute value]
+                       foreach ( $GLOBALS['wgSimpleSAMLphp_GroupMap'] as 
$group => $rules ) {
+                               foreach ( $rules as $attrName => $needles ) {
+                                       if ( !isset( $attributes[$attrName] ) ) 
{
+                                               continue;
+                                       }
+                                       foreach ( $needles as $needle ) {
+                                               if ( in_array( $needle, 
$attributes[$attrName] ) ) {
+                                                       $user->addGroup( $group 
);
+                                               } else {
+                                                       $user->removeGroup( 
$group );
+                                               }
+                                       }
+                               }
+                       }
+               } else {
+                       wfDebug( 'SimpleSAMLphp: $wgSimpleSAMLphp_GroupMap is 
not an array' );
+               }
+       }
+
+       private static function getSAMLClient() {
                require_once rtrim( $GLOBALS['wgSimpleSAMLphp_InstallDir'],
                        DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR . 'lib' .
                        DIRECTORY_SEPARATOR . '_autoload.php';
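Review bot: In `populateGroups` the `addGroup`/`removeGroup` pair runs once per needle, so a group's final membership is decided by whichever value is checked last; a user matching `value1` but not `value2` is added and then removed again. The `continue` on a missing attribute also skips `removeGroup`, so a user whose IdP stops asserting that attribute keeps a group granted at an earlier login. Assuming any listed value is meant to grant the group, decide the match once per group and then add or remove a single time, as sketched below. `array_intersect` compares values as strings, which also avoids the loose comparison of `in_array` without its strict flag. `populateGroups` is fully inside the hunk, while the body of `getSAMLClient` continues past it.

```php
foreach ( $GLOBALS['wgSimpleSAMLphp_GroupMap'] as $group => $rules ) {
	// Decide membership once per group so that a later non-matching
	// value cannot undo an earlier match.
	$matched = false;
	foreach ( $rules as $attrName => $needles ) {
		// A missing attribute counts as "no match" instead of being skipped,
		// so stale memberships are removed.
		$values = isset( $attributes[$attrName] ) ? $attributes[$attrName] : [];
		if ( array_intersect( $needles, $values ) ) {
			$matched = true;
			break;
		}
	}
	if ( $matched ) {
		$user->addGroup( $group );
	} else {
		$user->removeGroup( $group );
	}
}
// … unchanged: else branch logging that the group map is not an array …
```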
@@ -152,4 +184,3 @@
                        $GLOBALS['wgSimpleSAMLphp_AuthSourceId'] );
        }
 }
-
diff --git a/extension.json b/extension.json
index e7b1923..9c04f15 100644
--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
        "name": "SimpleSAMLphp",
-       "version": "4.0",
+       "version": "4.1",
        "author": [
                "[https://www.mediawiki.org/wiki/User:Cindy.cicalese Cindy 
Cicalese]"
        ],
@@ -9,7 +9,7 @@
        "type": "other",
        "requires": {
                "extensions": {
-                       "PluggableAuth": ">= 4.0"
+                       "PluggableAuth": ">= 5.1"
                }
        },
        "MessagesDirs": {
@@ -20,7 +20,11 @@
        "AutoloadClasses": {
                "SimpleSAMLphp": "SimpleSAMLphp.class.php"
        },
+       "Hooks": {
+               "PluggableAuthPopulateGroups": [ 
"SimpleSAMLphp::populateGroups" ]
+       },
        "config": {
+               "SimpleSAMLphp_GroupMap": null,
                "PluggableAuth_Class": "SimpleSAMLphp"
        },
        "manifest_version": 1

-- 
To view, visit https://gerrit.wikimedia.org/r/361676

Gerrit-MessageType: merged
Gerrit-Change-Id: I0e7c28b1dfa5dbfb8153af07ce3a0d6cb70507ae
Gerrit-PatchSet: 5
Gerrit-Project: mediawiki/extensions/SimpleSAMLphp
Gerrit-Branch: master
Gerrit-Owner: Poikilotherm <[email protected]>
Gerrit-Reviewer: Cicalese <[email protected]>
Gerrit-Reviewer: MarkAHershberger <[email protected]>
Gerrit-Reviewer: Poikilotherm <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
