Page MenuHomePhabricator

Set up Pywikibot account on beta sites to run user tests
Closed, ResolvedPublic


In order for the 'wikimedia' Travis-CI builds to run user tests on the beta sites, the standard test account 'Pywikibot-test' needs to exist with the same password used elsewhere.

As beta sites only use http, that means the password for the account used on real wikis needs to be used on the beta sites, and can be captured easily. It is a risk. The Pywikibot-test account could become compromised. That may not be a serious problem as the account doesnt have any special permissions. However HTTPS on beta (T50501) would be solve this problem.

The solution was to use an oauth account, which is less problematic from a shared password perspective.

Event Timeline

jayvdb claimed this task.
jayvdb raised the priority of this task from to High.
jayvdb updated the task description. (Show Details)
jayvdb added a project: Pywikibot-tests.
jayvdb added subscribers: Unknown Object (MLST), Aklapper, jayvdb, Legoktm.

Using OAuth was suggested as an alternative to passwords, but pywikibot doesnt support that yet. We have an ongoing GSoC project for it: Pywikibot-OAuth

The raw password for the Pywikibot-test account is in the "pywikibot" tool on tool labs in the file passwd.

Thanks @Legoktm. At Lyon Hackathon we fetched that password and used it to create an account on a new empty wiki for T100802.

An alternative is to use a constant suffix for all 'unsafe' wikis. i.e. in .travis.yml use "${PYWIKIBOT2_USERNAME}-unsafe" e.g. 'Pywikibot-test-unsafe' for the Github 'wikimedia' account, and it would be "JVbot-test-unsafe" for mine, etc.
Then we can use a different Travis variable to create a different (user, pass) combination in the .travis.yml generated passwd file.

Another option is to globally lock the 'Pywikibot-test' account on the production wikis - we'd probably need to create a separate task to test and fix any unit test breakages caused by testing with a globally locked account, but I suspect their wouldnt be many as the test suite doesnt edit (or attempt to edit) using the 'Pywikibot-test' account.

Global locks prevent a user from logging in, so I don't think that's what we want.

We now have an oauth test account on beta wikis, so the production password does not need to be used on beta wikis.
The oauth account is used on beta zh.wp, but isnt used on beta en.wp.

Change 233341 had a related patch set uploaded (by John Vandenberg):
Use oauth on beta en.wp and add beta

Change 233341 merged by jenkins-bot:
Use oauth on beta en.wp and add beta

jayvdb renamed this task from Set up Pywikibot-test account on beta sites to Set up Pywikibot account on beta sites to run user tests.Aug 28 2015, 2:58 AM
jayvdb closed this task as Resolved.
jayvdb updated the task description. (Show Details)
jayvdb removed a project: Patch-For-Review.
jayvdb set Security to None.