Prompt for credentials when creating Admin acct

freephile · freephile · commit a799fa8765d5 · 2025-10-29T10:20:29.000-04:00
When Meza creates an Admin account, whether for the initial 'demo' or for any new wiki, prompt for the secure password and do not log it. This way it is only known to the user, and not a vulnerability. Note: the way that this is executed in the role hierarchy is that verify-wiki runs import-wiki-sql tasks for new wikis, which in turn runs init-wiki tasks. Since 'init-wiki.yml' ONLY creates an Admin account it was renamed 'create-admin-account.yml' Fixes Issue #217
diff --git a/src/roles/verify-wiki/tasks/create-admin-account.yml b/src/roles/verify-wiki/tasks/create-admin-account.yml
@@ -0,0 +1,53 @@
+---
+
+# Renamed the file to create-admin-account.yml since that is its only purpose.
+# This task file is only included when initializing new wikis.
+# Prompt for secure admin password for Demo Wiki
+- name: Prompt for Admin password on Demo Wiki
+  ansible.builtin.pause:
+    prompt: |
+
+      Creating Admin user for Demo Wiki ({{ wiki_id }})
+
+      MediaWiki Password Requirements:
+      - Minimum 8 characters
+      - Must contain at least one uppercase letter
+      - Must contain at least one lowercase letter
+      - Must contain at least one number
+      - Must contain at least one special character (!@#$%^&*()_+-=[]{}|;:,.<>?)
+      - Cannot contain spaces
+
+      Enter a secure password for the Admin user
+    echo: false
+  register: admin_password_prompt
+  run_once: true
+  when: wiki_id == "demo"
+
+# Validate password meets MediaWiki requirements
+- name: Validate Admin password meets requirements
+  ansible.builtin.fail:
+    msg: |
+      Password does not meet MediaWiki requirements:
+      - Must be at least 8 characters long
+      - Must contain uppercase, lowercase, number, and special character
+      - Cannot contain spaces
+  when:
+    - wiki_id == "demo"
+    - >
+      admin_password_prompt.user_input | length < 8 or
+      admin_password_prompt.user_input is not regex('[A-Z]') or
+      admin_password_prompt.user_input is not regex('[a-z]') or
+      admin_password_prompt.user_input is not regex('[0-9]') or
+      admin_password_prompt.user_input is not regex('[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]') or
+      ' ' in admin_password_prompt.user_input
+  run_once: true
+
+# Create an admin user for Demo Wiki with the provided secure password
+# https://www.mediawiki.org/wiki/Manual:CreateAndPromote.php
+# https://meta.wikimedia.org/wiki/Password_policy
+- name: Create Admin user on Demo Wiki
+  ansible.builtin.shell: >
+    WIKI={{ wiki_id | quote }} {{ m_mediawiki | quote }}/maintenance/run createAndPromote --force --sysop --bureaucrat Admin {{ admin_password_prompt.user_input | quote }}
+  run_once: true
+  when: wiki_id == "demo"
+  no_log: true
diff --git a/src/roles/verify-wiki/tasks/import-wiki-sql.yml b/src/roles/verify-wiki/tasks/import-wiki-sql.yml
@@ -119,8 +119,8 @@
 #
 # SECTION: init new wiki
 #
-- name: "{{ wiki_id }} - Include init-wiki.yml only when a new wiki created (but not imported)"
-  include_tasks: init-wiki.yml
+- name: "Include create-admin-account.yml for a new (not imported) wiki - {{ wiki_id }}"
+  include_tasks: create-admin-account.yml
   when: created_new_wiki
 
 
diff --git a/src/roles/verify-wiki/tasks/init-wiki.yml b/src/roles/verify-wiki/tasks/init-wiki.yml

Original file line number	Diff line number	Diff line change
`@@ -119,8 +119,8 @@`
`119`	`119`	`#`
`120`	`120`	`# SECTION: init new wiki`
`121`	`121`	`#`
`122`		`-- name: "{{ wiki_id }} - Include init-wiki.yml only when a new wiki created (but not imported)"`
`123`		`- include_tasks: init-wiki.yml`
	`122`	`+- name: "Include create-admin-account.yml for a new (not imported) wiki - {{ wiki_id }}"`
	`123`	`+ include_tasks: create-admin-account.yml`
`124`	`124`	`when: created_new_wiki`
`125`	`125`
`126`	`126`