Fix #62, Fix #64: Refactor permissions file

Clean it up so things are a bit more declarative, as well as moving the
simpelsaml group config code over to the permissions, so that the
separation of concerns is a bit more straightforward.

Issue #62: Create security model for torque-sites
Issue #64: Pluralize the names of the abstract user groups

roles/permissions/files/default-permissions.php

@@ -1,55 +1,49 @@
 <?php
-$wgGroupPermissions['*']['read'] = false;
-$wgGroupPermissions['bot']['protect'] = true;
-$wgRestrictionLevels[] = 'generated';
-$wgGroupPermissions['bot']['generated'] = true;
-
-# Permissions that we want sysops/admins to have that
-# but not for staff go here
-$wgGroupPermissions['sysop']['generated'] = true;
-$wgGroupPermissions['sysop']['edittorqueconfig'] = true;
-$wgGroupPermissions['sysop']['torquedataconnect-admin'] = true;
-
-# Groups requested specifically by LFC.
+# Even if these groups aren't used in the wiki (no users assigned), this should be the
+# master list of all groups enabled on the wiki
 $wgGroupPermissions['LFCConsultingPartners']['read'] = true;
-$wgGroupPermissions['LFCConsultingPartners']['torquedataconnect-edit'] = true;
 $wgGroupPermissions['LFCResearchPartners']['read'] = true;
 $wgGroupPermissions['LFCEvaluators']['read'] = true;
-
-# These are OTS Torque Standard Groups
-$wgGroupPermissions['OutsideReviewers']['read'] = true;
-$wgGroupPermissions['Staff']['read'] = true;
 $wgGroupPermissions['PseudoDecisionMakers']['read'] = true;
 $wgGroupPermissions['DecisionMakers']['read'] = true;
+$wgGroupPermissions['OutsideReviewers']['read'] = true;
+
+$wgGroupPermissions['*']['read'] = false;
+$wgGroupPermissions['bot']['protect'] = true;
+$wgRestrictionLevels[] = 'generated';
+$wgGroupPermissions['bot']['generated'] = true;
 
 # Disable teamcomments for users on this wiki by default.
 $wgGroupPermissions['*']['teamcomment'] = false;
 $wgGroupPermissions['*']['teamcommentseeusernames'] = false;
 
-# Then enable teamcomments for the groups that should be leaving comments
-$wgGroupPermissions['Staff']['teamcomment'] = true;
-$wgGroupPermissions['PseudoDecisionMakers']['teamcomment'] = true;
-$wgGroupPermissions['DecisionMakers']['teamcomment'] = true;
-$wgGroupPermissions['sysop']['teamcomment'] = true;
-$wgGroupPermissions['LFCResearchPartners']['teamcomment'] = true;
-$wgGroupPermissions['LFCEvaluators']['teamcomment'] = true;
+# Log permissions (ability to see Special:Log)
+$wgAvailableRights[] = 'view-special-log';
+$wgGroupPermissions['*']['view-special-log'] = false;
 
-# Allow some groups to see usernames
-$wgGroupPermissions['Staff']['teamcommentseeusernames'] = true;
-$wgGroupPermissions['PseudoDecisionMakers']['teamcommentseeusernames'] = true;
-$wgGroupPermissions['DecisionMakers']['teamcommentseeusernames'] = true;
+# Configuration of different user groups
+$wgGroupPermissions['sysop']['generated'] = true;
+$wgGroupPermissions['sysop']['edittorqueconfig'] = true;
+$wgGroupPermissions['sysop']['torquedataconnect-admin'] = true;
+$wgGroupPermissions['sysop']['teamcomment'] = true;
 $wgGroupPermissions['sysop']['teamcommentseeusernames'] = true;
+$wgGroupPermissions['sysop']['picksome'] = true;
+$wgGroupPermissions['sysop']['picksome-admin'] = true;
+$wgGroupPermissions['sysop']['view-special-log'] = true;
 
-# PickSome permissions
+$wgGroupPermissions['DecisionMakers']['teamcomment'] = true;
+$wgGroupPermissions['DecisionMakers']['teamcommentseeusernames'] = true;
 $wgGroupPermissions['DecisionMakers']['picksome'] = true;
 $wgGroupPermissions['DecisionMakers']['picksome-write'] = true;
-$wgGroupPermissions['sysop']['picksome'] = true;
-$wgGroupPermissions['sysop']['picksome-admin'] = true;
 
-# Log permissions (ability to see Special:Log)
-$wgAvailableRights[] = 'view-special-log';
-$wgGroupPermissions['*']['view-special-log'] = false;
-$wgGroupPermissions['sysop']['view-special-log'] = true;
+$wgGroupPermissions['PseudoDecisionMakers']['teamcomment'] = true;
+$wgGroupPermissions['PseudoDecisionMakers']['teamcommentseeusernames'] = true;
+
+$wgGroupPermissions['LFCConsultingPartners']['torquedataconnect-edit'] = true;
+
+$wgGroupPermissions['LFCResearchPartners']['teamcomment'] = true;
+
+$wgGroupPermissions['LFCEvaluators']['teamcomment'] = true;
 
 # Disable Special:Log for groups that don't have view-special-log above
 $wgHooks['SpecialPage_initList'][] = function ( &$list ) {
@@ -60,4 +54,25 @@
   }
   return true;
 };
+
+# This is the SimpleSAMLphp group mapping.  This is how incoming groups
+# from SSO map to mediawiki groups.
+$wgSimpleSAMLphp_SyncAllGroups_LocallyManaged = [
+  "sysop",
+  "bureaucrat",
+  "interface-admin",
+  "DecisionMakers"
+  "LFCConsultingPartners",
+  "LFCResearchPartners",
+  "LFCEvaluators",
+  "PseudoDecisionMakers",
+];
+
+$wgSimpleSAMLphp_GroupMap = [
+  'sysop' => ['groups' => ['LFC Torque Admin', 'LFC Staff']],
+  'interface-admin' => ['groups' => ['LFC Torque Admin', 'LFC Staff']],
+  'bureaucrat' => ['groups' => ['LFC Torque Admin', 'LFC Staff']],
+  'DecisionMakers' => ['groups' => ['LFC Decision Makers']]
+];
+
 ?>

roles/simplesaml/templates/simplesaml.php.j2

@@ -10,16 +10,11 @@ $wgInvalidUsernameCharacters = "";
 
 # Enable SimpleSAMLphp
 wfLoadExtension( 'SimpleSAMLphp' );
-$wgSimpleSAMLphp_SyncAllGroups_LocallyManaged = ["sysop", "DecisionMakers"];
 $wgSimpleSAMLphp_InstallDir = '{{ simplesaml_install_directory }}/simplesamlphp-1.18.4';
 $wgSimpleSAMLphp_AuthSourceId = '{{ simplesaml_okta_metadata_name }}';
 $wgSimpleSAMLphp_RealNameAttribute = ['firstName', 'lastName'];
 $wgSimpleSAMLphp_EmailAttribute = 'email';
 $wgSimpleSAMLphp_UsernameAttribute = 'username';
-$wgSimpleSAMLphp_GroupMap = [
-  'sysop' => ['groups' => ['LFC Torque Admin', 'LFC Staff']],
-  'DecisionMakers' => ['groups' => ['LFC Decision Makers']]
-];
 
 $wgSimpleSAMLphp_SyncAllGroups_GroupNameModificationCallback = function($origGroupName){
 # Remove spaces