Integrating Moin wiki with webauth Single Sign-On
Below is a snippet of Python code, which is basically that from MoinMoin.auth with some cosmetic changes (notably changing the function name from http to webauth). I am not yet entirely sure what changes are necessary to fully integrate with the webauth setup at Oxford, but essentially the following needs to be configured in wikiconfig.py:
    from data.plugins.webauth import webauth
    auth = [webauth]
    user_autocreate = True
Things which can be done later (although preferably sooner) include:
- access OUCS LDAP (still experimental) to auto-set user email addresses
- access LDAP for user alias-names (i.e. Joe Bloggs rather than dpmp9367)
- implement logout, which is not done in the current http auth method.
- figure out a way to make the wiki publicly available - perhaps just a static dump?
There is also the issue of who has the right to use webauth/Herald. I believe every member of the university is entitled to this, simply by visiting the registration page. For reference, a list of all the unit codes (like magd for Magdalen) is available at the OUCS website.
    # Filename data/plugins/webauth.py
    from MoinMoin import user

    def webauth(request, **kw):
        """ authenticate via WebAuth (adapted from MoinMoin's http auth) """
        from MoinMoin.request import RequestTwisted, RequestCLI
        u = None
        # check if we are running Twisted
        if isinstance(request, RequestTwisted):
            username = request.twistd.getUser()
            password = request.twistd.getPassword()
            # when using Twisted http auth, we use username and password from
            # the moin user profile, so both can be changed by user.
            u = user.User(request, auth_username=username, password=password,
                          auth_method='http', auth_attribs=())

        elif not isinstance(request, RequestCLI):
            env = request.env
            auth_type = env.get('AUTH_TYPE', '')
            # only trust REMOTE_USER when the web server reports WebAuth
            if auth_type in ['WebAuth']:
                username = env.get('REMOTE_USER', '')
                # when using http auth, we have external user name and password,
                # we don't use the moin user profile for those attributes.
                u = user.User(request, auth_username=username,
                              auth_method='webauth', auth_attribs=('name', 'password'))

        if u:
            # creates the profile on first login when user_autocreate is set
            u.create_or_update()
        if u and u.valid:
            return u, False
        else:
            return None, True
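The trust decision that webauth() makes on AUTH_TYPE and REMOTE_USER can be checked on its own, without MoinMoin. The following is an added example, not part of the original page or of MoinMoin; the names webauth_username and decide_all, the username pattern, and the sample environments are assumptions made for illustration.

```python
import re

# Assumption: usernames look like the page's example "dpmp9367"
# (a lowercase letter, then lowercase letters or digits); adjust per site.
USERNAME_RE = re.compile(r'[a-z][a-z0-9]{1,15}')


def webauth_username(env, accepted_types=('WebAuth',)):
    """Return the username asserted by the web server, or None.

    env is a CGI/WSGI-style environment dict, like request.env above.
    """
    # Only trust REMOTE_USER when the server says WebAuth authenticated it.
    if env.get('AUTH_TYPE', '') not in accepted_types:
        return None
    username = env.get('REMOTE_USER', '')
    # fullmatch rejects the empty string; unlike match() with '$',
    # it also rejects a value that ends in a newline.
    if not USERNAME_RE.fullmatch(username):
        return None
    return username


# Constructed sample environments (not captured from a real server).
SAMPLES = [
    ('webauth login', {'AUTH_TYPE': 'WebAuth', 'REMOTE_USER': 'dpmp9367'}),
    ('anonymous request', {}),
    ('empty REMOTE_USER', {'AUTH_TYPE': 'WebAuth', 'REMOTE_USER': ''}),
    ('other auth type', {'AUTH_TYPE': 'Basic', 'REMOTE_USER': 'dpmp9367'}),
    # Request headers sent by a client arrive with an HTTP_ prefix, so they
    # never populate AUTH_TYPE or REMOTE_USER themselves.
    ('client-sent headers', {'HTTP_AUTH_TYPE': 'WebAuth',
                             'HTTP_REMOTE_USER': 'dpmp9367'}),
    ('trailing newline', {'AUTH_TYPE': 'WebAuth', 'REMOTE_USER': 'dpmp9367\n'}),
]


def decide_all(samples=SAMPLES):
    """Map each sample label to the accepted username (None = rejected)."""
    return {label: webauth_username(env) for label, env in samples}


if __name__ == '__main__':
    for label, result in decide_all().items():
        print('%-20s -> %r' % (label, result))
```

With user_autocreate enabled, every accepted username becomes a wiki profile, so rejecting empty or malformed values before calling user.User() keeps stray accounts from being created.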