Topic on Extension talk:SimpleSAMLphp

N0rthway (talkcontribs)

Hi!

I created a fork of your SimpleSAMLphp extension to make it work with Shibboleth. So far the auth part works fine, but I'm having some trouble with the populateGroups function.

Inside the populateGroups function, when I try to use $user->addGroup('sysop'), it runs into an exception.

Maybe I'm using this with the wrong syntax?

        [04017fd989ba88c452adcb3c] /index.php/Speci%C3%A1lis:PluggableAuthLogin UnexpectedValueException from line 168 of /var/mediawiki/includes/user/UserGroupMembership.php: UserGroupMembership::insert() needs a positive user ID. Did you forget to add your User object to the database before calling addGroup()?

        Backtrace:
        #0 /var/mediawiki/includes/user/User.php(3425): UserGroupMembership->insert(boolean)
        #1 /var/mediawiki/extensions/Shibboleth/Shibboleth.class.php(118): User->addGroup(string)
        #2 /var/mediawiki/includes/Hooks.php(186): Shibboleth::populateGroups(User)
        #3 /var/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(41): Hooks::run(string, array)
        #4 /var/mediawiki/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL)
        #5 /var/mediawiki/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL)
        #6 /var/mediawiki/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Title, RequestContext)
        #7 /var/mediawiki/includes/MediaWiki.php(862): MediaWiki->performRequest()
        #8 /var/mediawiki/includes/MediaWiki.php(523): MediaWiki->main()
        #9 /var/mediawiki/index.php(43): MediaWiki->run()
        #10 {main}

Cindy.cicalese (talkcontribs)

It looks like PluggableAuth is calling the populateGroups hook function too soon. New users will not yet have been created in the database at that point. The line of code calling the hook function:

        Hooks::run( 'PluggableAuthPopulateGroups', [ $user ] );

at https://phabricator.wikimedia.org/diffusion/EPLG/browse/master/includes/PluggableAuthLogin.php;4ef8379b5b9648048a8adf8abc461d9cb7386ff8$41 probably needs to be moved after

        $this->updateUserRealnameAndEmail( $user );

at https://phabricator.wikimedia.org/diffusion/EPLG/browse/master/includes/PluggableAuthPrimaryAuthenticationProvider.php;4ef8379b5b9648048a8adf8abc461d9cb7386ff8$66. Could you please try that and see if that fixes the problem?

N0rthway (talkcontribs)

It solved the problem, but created another one.

With this solution, I'm no longer able to access Shibboleth's "$_SERVER" attributes. When it calls the populate function hook, it redirects to another URL (index.php?title=Speciális:Belépés&returnto=Kezdőlap) which cannot be protected by the Shibboleth Apache module.

Cindy.cicalese (talkcontribs)

What does it mean that the URL cannot be protected by the Shibboleth Apache module? If the only problem is that it needs access to some attributes in $_SERVER, they can be passed as session variables. You could save the values in your plugin's authenticate() function as:

        $authManager = AuthManager::singleton();
        $authManager->setAuthenticationSessionData($key, $value);

Then, in the PopulateGroups hook use

        $authManager = AuthManager::singleton();
        $value = $authManager->getAuthenticationSessionData($key);

to retrieve the value. There are examples of similar code in the two links I sent above.
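
The hand-off described in this reply, as an added example that is not part of the original thread and is not code from PluggableAuth or the Shibboleth fork. The class name, the session key, the `entitlement` attribute name and the value-to-group map are assumptions; the point is that group membership is decided by a fixed allow-list, never by passing an IdP-supplied string straight to addGroup().

```php
<?php
// Added example, not the extension's own code. Assumed names: the class,
// SESSION_KEY, the 'entitlement' attribute and the entries of GROUP_MAP.
use MediaWiki\Auth\AuthManager;

class ShibbolethGroupsExample {
	const SESSION_KEY = 'ShibExampleEntitlements'; // hypothetical key

	// Allow-list: only these IdP values can ever grant a wiki group.
	const GROUP_MAP = [
		'urn:example:wiki:admin' => 'sysop', // constructed sample value
	];

	// Call from the plugin's authenticate(), while the request is still on the
	// Shibboleth-protected URL and $_SERVER carries the attributes.
	public static function rememberEntitlements() {
		$raw = isset( $_SERVER['entitlement'] ) ? $_SERVER['entitlement'] : '';
		// Shibboleth joins multiple values with ';' and escapes literal ones as '\;'.
		$values = preg_split( '/(?<!\\\\);/', $raw, -1, PREG_SPLIT_NO_EMPTY );
		$values = array_map( function ( $v ) {
			return str_replace( '\\;', ';', $v );
		}, $values );
		AuthManager::singleton()->setAuthenticationSessionData( self::SESSION_KEY, $values );
	}

	// Handler for the PluggableAuthPopulateGroups hook.
	public static function populateGroups( User $user ) {
		if ( !$user->getId() ) {
			return; // not in the database yet; addGroup() would throw as in the backtrace above
		}
		$values = AuthManager::singleton()->getAuthenticationSessionData( self::SESSION_KEY, [] );
		// Keep only the groups whose mapped IdP value was actually asserted.
		$granted = array_values( array_intersect_key( self::GROUP_MAP, array_flip( (array)$values ) ) );
		foreach ( array_unique( self::GROUP_MAP ) as $group ) {
			$has = in_array( $group, $user->getGroups(), true );
			$want = in_array( $group, $granted, true );
			if ( $want && !$has ) {
				$user->addGroup( $group );
			} elseif ( !$want && $has ) {
				$user->removeGroup( $group ); // revoke when the IdP stops asserting it
			}
		}
	}
}
```

The revoke branch also strips a mapped group that was granted by hand inside the wiki; drop it if local grants must survive a login.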

N0rthway (talkcontribs)

Thx for the tip, it works!

I'm not an experienced MediaWiki developer, just a DevOp.

We want to update our wiki sites and they are 2,5 years old. My current task is to create a working fork that works with the Shibboleth+Apache combo.

Cindy.cicalese (talkcontribs)

Great! I will try to release a new version of PluggableAuth soon with the hook moved to the new location. Thanks for finding this bug!

I hope you plan to release your Shibboleth extension.

N0rthway (talkcontribs)

That's the plan! When I think it's ready, I'm gonna have someone check whether it's good or not.

N0rthway (talkcontribs)

Hi and I wish you a happy new year!

Another thing that I noticed is that when a new user (who never logged in before) logs in, the "populateGroups" function does not take effect. So they have to log out and log in, in order to get joined into the "sysop" group.

Cindy.cicalese (talkcontribs)

Happy New Year to you, too! Thanks for letting me know about the problem with new users. I'll look into that.
