CanastaWiki / Canasta

MediaWiki Docker image for Canasta, an all-in-one MediaWiki stack for easy deployment and management of enterprise-ready MediaWiki on production environments.
https://www.canasta.wiki
MIT License

Update PluggableAuth to 7.x #391

Closed jeffw16 closed 4 weeks ago

jeffw16 commented 2 months ago

Name of extension

PluggableAuth

MediaWiki.org page (if it exists)

https://www.mediawiki.org/wiki/Extension:PluggableAuth

Link to the repo

https://github.com/wikimedia/mediawiki-extensions-PluggableAuth

Description

Canasta currently still uses PluggableAuth 6. We should probably get it updated to PluggableAuth 7.

jeffw16 commented 2 months ago

@cicalese, courtesy pinging you in case you see any concerns with this. As an FYI, the latest version of Canasta is now at PHP 8.1.

yaronkoren commented 2 months ago

Wow, I didn't realize that Canasta's version of PluggableAuth was 6. That means that at least the JWTAuth and LDAPAuthentication2 extensions don't work within Canasta - no?

cicalese commented 2 months ago

I don't foresee any issues with upgrading, and do agree that not upgrading could be problematic for compatibility with the plugins. Best to do an audit of the various versions.

yaronkoren commented 2 months ago

I did an informal audit. There are six PluggableAuth-based extensions in Canasta, as far as I know: the authentication extensions JWTAuth, LDAPAuthentication2, OpenID Connect and WSOAuth; and the authorization extensions EmailAuthorization and LDAPAuthorization. (In addition to PluggableAuth itself, of course.) Of these, I believe the following three will need to be upgraded at the same time that PluggableAuth is upgraded to version 7.0:

I think all the other extensions can stay as they are. (And, presumably, some will start working that don't currently work, like JWTAuth.)

cicalese commented 2 months ago

This should probably be in another task, but I'll add it here now, since I haven't had a chance to verify: when we re-created mwstake.org using Canasta, we installed EmailAuthorization with PluggableAuth. However, the table that is supposed to be rendered by DataTables on the page Special:ConfigureEmailAuthorization is not appearing. DataTables is included as a submodule, so the extension requires git submodule update --init. I'm guessing that is not happening as part of the Canasta install? I ran the command inside the container, and it fixed the issue.

yaronkoren commented 2 months ago

Oh, I didn't know DataTables was a dependency. The easiest solution for that would be to add DataTables to Email Authorization's composer.json file, under "require":

https://phabricator.wikimedia.org/diffusion/EEAU/browse/master/composer.json

Then I think just adding Email Authorization to composer.canasta.json would do the trick:

https://github.com/CanastaWiki/Canasta/blob/master/_sources/configs/composer.canasta.json

Is that possible to do?

cicalese commented 2 months ago

I don't recall why DataTables was added as a submodule rather than a composer dependency, but I agree that would potentially solve the problem.

yaronkoren commented 2 months ago

It might be possible to have both - I don't know. The Widgets extension used to have the Smarty library as a Git submodule, but then made it a Composer dependency instead about 10 years ago, although there might have been some period of time when it was both; I'm not sure. Maybe the fear is that having both could cause problems if the admin accidentally calls both things. But at the very least, I would think it makes sense to add those few composer.json lines as a patch within Canasta.

yaronkoren commented 1 month ago

I created a separate issue for the Email Authorization dependency problem, at #402.
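
The failure mode cicalese describes above (an extension shipped with a git submodule that was never initialized in the image) can be checked for across an extensions directory. The script below is an added example, not part of the thread or of Canasta's tooling; the function names, the sample extension names and the `vendor-lib` submodule path are constructed for illustration, and it assumes extensions live one directory level below the directory passed in.

```shell
#!/bin/sh
# Added example (not Canasta code). Lists submodule paths declared in each
# extension's .gitmodules whose working directory is missing or empty,
# i.e. `git submodule update --init` was never run for that extension.

# find_empty_submodules EXTENSIONS_DIR
# Prints one "Extension/path" line per uninitialized submodule.
# Returns 1 if any were found, 0 otherwise.
find_empty_submodules() {
    fes_root=$1
    fes_found=0
    for fes_gm in "$fes_root"/*/.gitmodules; do
        [ -f "$fes_gm" ] || continue          # glob matched nothing
        fes_ext=${fes_gm%/.gitmodules}
        # Extract the value of every "path = ..." entry.
        fes_paths=$(sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$fes_gm")
        while IFS= read -r fes_sub; do
            [ -n "$fes_sub" ] || continue
            # A clone without --recurse-submodules leaves an empty directory.
            if [ ! -d "$fes_ext/$fes_sub" ] || [ -z "$(ls -A "$fes_ext/$fes_sub")" ]; then
                printf '%s/%s\n' "${fes_ext##*/}" "$fes_sub"
                fes_found=1
            fi
        done <<EOF
$fes_paths
EOF
    done
    return "$fes_found"
}

# Builds a constructed sample tree and prints its location:
#   SampleExtA: submodule declared, directory empty (uninitialized)
#   SampleExtB: submodule declared and populated
#   SampleExtC: no submodules at all
make_demo_tree() {
    mdt_root=$(mktemp -d)
    mkdir -p "$mdt_root/SampleExtA/vendor-lib" "$mdt_root/SampleExtB/vendor-lib" "$mdt_root/SampleExtC"
    printf '[submodule "vendor-lib"]\n\tpath = vendor-lib\n\turl = https://example.invalid/vendor-lib.git\n' \
        > "$mdt_root/SampleExtA/.gitmodules"
    cp "$mdt_root/SampleExtA/.gitmodules" "$mdt_root/SampleExtB/.gitmodules"
    echo 'placeholder' > "$mdt_root/SampleExtB/vendor-lib/file.js"
    printf '%s\n' "$mdt_root"
}

demo_root=$(make_demo_tree)
find_empty_submodules "$demo_root" || echo "uninitialized submodules found"
rm -rf "$demo_root"
```

Run against a real extensions directory inside the container, a non-zero exit status makes it usable as an image build check.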