Opened 14 years ago

Last modified 9 years ago

#1 new enhancement

MediaWiki certificate-based login

Reported by: andersk Owned by:
Priority: normal Milestone:
Component: autoinstallers Keywords:
Cc:

Description (last modified by broder)

(Imported from help.mit.edu #393622.)

MediaWiki? installs should support certificate authentication by default, with fallback to regular authentication.

Change History (14)

comment:1 Changed 14 years ago by broder

  • Description modified (diff)

Please contact hurwitz if this is ever done.

comment:2 Changed 14 years ago by price

FTR, there's an extension here that does something like what we want:

http://www.mediawiki.org/wiki/Extension:SSL_authentication

But it doesn't support also having password-based accounts.

The infrastructure it uses for tying into Mediawiki's authentication system is this:

http://www.mediawiki.org/wiki/AuthPlugin

whose API is documented here:

http://svn.wikimedia.org/doc/classAuthPlugin.html

So the task is to start from that extension, read the AuthPlugin? docs, and figure out how to adapt it to do what we want.

comment:3 Changed 14 years ago by broder

Yeah...that plugin is a piece of crap. It doesn't work with any moderately version of MediaWiki?. I have done significant hacking in the past to make it work, although I don't remember what I did and don't fancy figuring it out again.

comment:4 Changed 13 years ago by geofft

That plugin has now been updated fairly recently.

Also, Prof. Chuang in [help.mit.edu #687224] gave us a plugin.

comment:5 Changed 13 years ago by geofft

[help.mit.edu #747227] also wans to be notified, I guess. As would scripts-announce.

I'm vaguely working on this in my free time.

comment:6 Changed 12 years ago by adehnert

  • Owner set to adehnert

There's now a wiki with certificate auth running at https://scripts-demo.scripts.mit.edu/mediawiki/index.php?title=Main_Page (the DB gets wiped every day at 6:06AM, FYI). I'm using a pretty heavily modified version of http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER.

If people want to poke at that and let me know if it has issues, that'd be neat.

I'll probably do a bit more work on making the plugin less heavily modified, and then at some point I should probably talk with Edward about how to integrate this with the Wizard autoinstaller.

comment:7 follow-up: Changed 12 years ago by adehnert

Test plan:

  • Going to https://scripts-demo.scripts.mit.edu:444/mediawiki/index.php?title=Main_Page should log you in if you already have an account
  • "Create account" (on :44{3,4}) should let you create an account with your preferred username, password, email address, and real name
  • On port 444, it should auto-fill username and email address
  • Changing your password, email address, real name, and random preferences should work
  • If the email address of an account is <username>@mit.edu, you should be able to log into it without giving a password (and maybe if you give the wrong password, though we don't care about that) if you have certs for <username>
  • You should be able to use a password to log in (on :44{3,4})
  • If an account has an email address that *isn't* <username>@mit.edu, you shouldn't be able to log in to it, regardless of username
  • No assertions are being made about behavior if the email address isn't all lowercase
  • Using the email address in your cert should confirm it

comment:8 in reply to: ↑ 7 Changed 12 years ago by adehnert

Replying to adehnert:

Test plan:

Verified.

  • "Create account" (on :44{3,4}) should let you create an account with your preferred username, password, email address, and real name

Verified (I think).

  • On port 444, it should auto-fill username and email address

Verified.

  • Changing your password, email address, real name, and random preferences should work

Verified.

  • If the email address of an account is <username>@mit.edu, you should be able to log into it without giving a password (and maybe if you give the wrong password, though we don't care about that) if you have certs for <username>

Verified.

  • You should be able to use a password to log in (on :44{3,4})

Verified.

  • If an account has an email address that *isn't* <username>@mit.edu, you shouldn't be able to log in to it, regardless of username

Verified.

  • No assertions are being made about behavior if the email address isn't all lowercase

No verification required.

  • Using the email address in your cert should confirm it

Verified. (Well, for initial create. I've also verified that changing your email address to the one in your cert doesn't confirm it, but I don't care.)

comment:9 Changed 12 years ago by andersk

It sounds like Alex thinks the code is ready to be merged, so the next step is to turn it into a reviewable branch on top of git://scripts.mit.edu/autoinstalls/mediawiki.git master.

comment:10 Changed 12 years ago by andersk

My comment on the current implementation (having not looked at the code) is that changing the URL to https and port 444 is not a discoverable interface; there should be some way of automatically redirecting you. This could probably be done in .htaccess.

comment:11 Changed 10 years ago by ezyang

What happened to adehnert's prototype; w.r.t. the current Scripts FAQ entry? http://scripts.mit.edu/faq/129/how-do-i-authenticate-users-with-certificates

comment:12 Changed 9 years ago by adehnert

  • Owner adehnert deleted

In my Copious Free Time[*], I will resume work on this ticket (if not sooner, or later). Consequently, I'm unclaiming this ticket.

I kinda encourage the next person to, rather than working off my modified extension, go write one from scratch. It'll have clearer licensing, and plausibly be less buggy and complicated, and my version can't feasibly be synced from upstream.

[*] Expected delivery time: no earlier than six months from now. Reasonably likely not in the next forty-odd years.

comment:13 Changed 9 years ago by vasilvv

I cannot find the reassignment buttons right now, but I am now working on this ticket.

Note: See TracTickets for help on using tickets.