Page MenuHomePhabricator
Create Task
Maniphest T100797

Set up Pywikibot account on beta sites to run user tests
Closed, ResolvedPublic
Actions

Description

In order for the 'wikimedia' Travis-CI builds to run user tests on the beta sites, the standard test account 'Pywikibot-test' needs to exist with the same password used elsewhere.

As beta sites only use http, that means the password for the account used on real wikis needs to be used on the beta sites, and can be captured easily. It is a risk. The Pywikibot-test account could become compromised. That may not be a serious problem as the account doesnt have any special permissions. However HTTPS on beta (T50501) would be solve this problem.

The solution was to use an oauth account, which is less problematic from a shared password perspective.

Details

SubjectRepoBranchLines +/-
Use oauth on beta en.wp and add beta en.wspywikibot/coremaster+10 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

jayvdb created this task.May 29 2015, 2:04 PM
jayvdb claimed this task.
jayvdb raised the priority of this task from to High.
jayvdb updated the task description. (Show Details)
jayvdb added a project: Pywikibot-tests.
jayvdb added subscribers: Unknown Object (MLST), Aklapper, jayvdb, Legoktm.
jayvdb added a comment.May 29 2015, 2:21 PM

Using OAuth was suggested as an alternative to passwords, but pywikibot doesnt support that yet. We have an ongoing GSoC project for it: Pywikibot-OAuth

Legoktm added a comment.May 29 2015, 6:07 PM

The raw password for the Pywikibot-test account is in the "pywikibot" tool on tool labs in the file passwd.

jayvdb added a comment.EditedMay 30 2015, 5:30 PM

Thanks @Legoktm. At Lyon Hackathon we fetched that password and used it to create an account on a new empty wiki for T100802.

An alternative is to use a constant suffix for all 'unsafe' wikis. i.e. in .travis.yml use "${PYWIKIBOT2_USERNAME}-unsafe" e.g. 'Pywikibot-test-unsafe' for the Github 'wikimedia' account, and it would be "JVbot-test-unsafe" for mine, etc.
Then we can use a different Travis variable to create a different (user, pass) combination in the .travis.yml generated passwd file.

Another option is to globally lock the 'Pywikibot-test' account on the production wikis - we'd probably need to create a separate task to test and fix any unit test breakages caused by testing with a globally locked account, but I suspect their wouldnt be many as the test suite doesnt edit (or attempt to edit) using the 'Pywikibot-test' account.

Legoktm added a comment.May 30 2015, 5:57 PM

Global locks prevent a user from logging in, so I don't think that's what we want.

jayvdb moved this task from Backlog to Framework on the Pywikibot-tests board.Jun 9 2015, 6:25 AM
jayvdb added a parent task: T104764: Set up a Pywikibot OAuth test client on the Beta cluster.Jul 24 2015, 7:32 AM
jayvdb removed a parent task: T104764: Set up a Pywikibot OAuth test client on the Beta cluster.Jul 24 2015, 7:01 PM
jayvdb mentioned this in T104764: Set up a Pywikibot OAuth test client on the Beta cluster.Jul 24 2015, 7:06 PM
jayvdb mentioned this in T78668: occasional failures in TestUserContribs.Aug 23 2015, 11:47 PM
jayvdb added a project: Beta-Cluster-Infrastructure.

We now have an oauth test account on beta wikis, so the production password does not need to be used on beta wikis.
The oauth account is used on beta zh.wp, but isnt used on beta en.wp.

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptAug 23 2015, 11:48 PM
jayvdb added a project: Pywikibot-OAuth.Aug 23 2015, 11:49 PM
gerritbot subscribed.Aug 24 2015, 2:25 AM

Change 233341 had a related patch set uploaded (by John Vandenberg):
Use oauth on beta en.wp and add beta es.ws

https://gerrit.wikimedia.org/r/233341

gerritbot added a project: Patch-For-Review.Aug 24 2015, 2:25 AM
jayvdb mentioned this in T109289: Wrap-up report for "Implement support for OAuth in Pywikibot".Aug 24 2015, 3:01 AM
jayvdb moved this task from Backlog to Tests on the Pywikibot-OAuth board.Aug 24 2015, 3:07 AM
jayvdb mentioned this in T100903: Run pywikibot test suite regularly on beta cluster as part of MediaWiki/Wikimedia CI.Aug 26 2015, 10:09 AM
gerritbot added a comment.Aug 27 2015, 9:10 PM

Change 233341 merged by jenkins-bot:
Use oauth on beta en.wp and add beta en.ws

https://gerrit.wikimedia.org/r/233341

jayvdb mentioned this in rPWBC0c199c25b669: Use oauth on beta en.wp and add beta en.ws.Aug 27 2015, 9:11 PM
jayvdb renamed this task from Set up Pywikibot-test account on beta sites to Set up Pywikibot account on beta sites to run user tests.Aug 28 2015, 2:58 AM
jayvdb closed this task as Resolved.
jayvdb updated the task description. (Show Details)
jayvdb removed a project: Patch-For-Review.
jayvdb set Security to None.
valhallasw mentioned this in T173498: Travis jobs with OAuth wait for password input and get terminated.Sep 3 2017, 3:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits