Set up Pywikibot account on beta sites to run user tests
Closed, Resolved · Public

Description

In order for the 'wikimedia' Travis-CI builds to run user tests on the beta sites, the standard test account 'Pywikibot-test' needs to exist with the same password used elsewhere.

As beta sites only use HTTP, that means the password for the account used on real wikis needs to be used on the beta sites, and can be captured easily. It is a risk. The Pywikibot-test account could become compromised. That may not be a serious problem as the account doesn't have any special permissions. However, HTTPS on beta (T50501) would solve this problem.

The solution was to use an OAuth account, which is less problematic from a shared password perspective.

Event Timeline

jayvdb created this task. May 29 2015, 2:04 PM
jayvdb claimed this task.
jayvdb raised the priority of this task from to High.
jayvdb updated the task description.
jayvdb added a project: Pywikibot-tests.
jayvdb added subscribers: Unknown Object (MLST), Aklapper, jayvdb, Legoktm.

Using OAuth was suggested as an alternative to passwords, but pywikibot doesn't support that yet. We have an ongoing GSoC project for it: Pywikibot-OAuth

The raw password for the Pywikibot-test account is in the "pywikibot" tool on tool labs in the file passwd.

jayvdb added a comment. Edited May 30 2015, 5:30 PM

Thanks @Legoktm. At Lyon Hackathon we fetched that password and used it to create an account on a new empty wiki for T100802.

An alternative is to use a constant suffix for all 'unsafe' wikis, i.e. in .travis.yml use "${PYWIKIBOT2_USERNAME}-unsafe", e.g. 'Pywikibot-test-unsafe' for the GitHub 'wikimedia' account, and it would be "JVbot-test-unsafe" for mine, etc.
Then we can use a different Travis variable to create a different (user, pass) combination in the .travis.yml generated passwd file.

Another option is to globally lock the 'Pywikibot-test' account on the production wikis - we'd probably need to create a separate task to test and fix any unit test breakages caused by testing with a globally locked account, but I suspect there wouldn't be many as the test suite doesn't edit (or attempt to edit) using the 'Pywikibot-test' account.

Global locks prevent a user from logging in, so I don't think that's what we want.

jayvdb moved this task from Backlog to Framework on the Pywikibot-tests board. Jun 9 2015, 6:25 AM

We now have an OAuth test account on beta wikis, so the production password does not need to be used on beta wikis.
The OAuth account is used on beta zh.wp, but isn't used on beta en.wp.

Restricted Application added a subscriber: Luke081515. · Aug 23 2015, 11:48 PM

Change 233341 had a related patch set uploaded (by John Vandenberg):
Use oauth on beta en.wp and add beta es.ws

https://gerrit.wikimedia.org/r/233341

jayvdb moved this task from Backlog to Tests on the Pywikibot-OAuth board. Aug 24 2015, 3:07 AM

Change 233341 merged by jenkins-bot:
Use oauth on beta en.wp and add beta en.ws

https://gerrit.wikimedia.org/r/233341

jayvdb renamed this task from Set up Pywikibot-test account on beta sites to Set up Pywikibot account on beta sites to run user tests. Aug 28 2015, 2:58 AM
jayvdb closed this task as Resolved.
jayvdb updated the task description.
jayvdb removed a project: Patch-For-Review.
jayvdb set Security to None.