
2FA seems to be broken on wmf.19
Closed, Resolved · Public

Description

I had to roll it back to .18 to get it to work...

Basically, anything that requires elevated permissions and it was a PITA

Event Timeline

Reedy created this task. Apr 1 2016, 8:49 AM
Restricted Application added a project: Cloud-Services. Apr 1 2016, 8:49 AM
Restricted Application added a subscriber: Aklapper.

@Reedy I cannot seem to reproduce this locally. Could you provide some reproduction steps? I've tried visiting Special:Userrights and other restricted pages while logged in and it did not bother me. All other functionality seemed to be working as expected.

Reedy added a comment. Apr 1 2016, 9:15 AM

> @Reedy I cannot seem to reproduce this locally. Could you provide some reproduction steps? I've tried visiting Special:Userrights and other restricted pages while logged in and it did not bother me. All other functionality seemed to be working as expected.

Special:NovaInstance on wikitech triggered it

@Reedy Just so I know all the details, were you logged in already? And I presume your account has 2FA enabled on it?

> @Reedy Just so I know all the details, were you logged in already? And I presume your account has 2FA enabled on it?

Originally, but I logged out and in again and still had the same issue. @bd808 and @valhallasw had the same issue

Reedy added a comment. Apr 1 2016, 9:31 AM

And the error message was:

"oathauth-abortlogin": "The two-factor authentication token provided was invalid.",

Literally the only place that error message is used is in the AbortChangePassword hook...

I think this might be due to https://gerrit.wikimedia.org/r/135597, which removed the TwoFactorIsEnabled hook, which SpecialNova uses to check for two-factor when loading higher privileged special pages. But I'm not sure why it would give that error message.

Krenair added a subscriber: Krenair. Apr 1 2016, 3:20 PM
Andrew added a subscriber: Andrew. Apr 1 2016, 3:21 PM

.19 is running now on https://labtestwikitech.wikimedia.org so y'all can see the problem.

bd808 added a comment. Apr 1 2016, 3:36 PM

> Literally the only place that error message is used is in the AbortChangePassword hook...
> I think this might be due to https://gerrit.wikimedia.org/r/135597, which removed the TwoFactorIsEnabled hook, which SpecialNova uses to check for two-factor when loading higher privileged special pages. But I'm not sure why it would give that error message.

https://github.com/wikimedia/mediawiki-extensions-OpenStackManager/blob/fdbfb9af4bd5606514c444cec19338364fe4c9bf/special/SpecialNova.php#L61-L69

	function checkTwoFactor() {
		if ( $this->getUser()->isAllowed( 'userrights' ) ) {
			$isEnabled = false;
			Hooks::run( 'TwoFactorIsEnabled', array( &$isEnabled ) );
			if ( !$isEnabled ) {
				throw new ErrorPageError( 'openstackmanager-twofactorrequired', 'openstackmanager-twofactorrequired2' );
			}
		}
	}

So a hook was removed that a production extension depends on. :/
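
What the quoted `checkTwoFactor()` does once nothing answers the hook, as an added example that is not code from OpenStackManager or OATHAuth. `MiniHooks` is a hypothetical stand-in for MediaWiki's hook runner, and the `$detectMissing` guard is an assumption about how a consumer could tell a missing provider apart from a user without 2FA.

```php
<?php
// Added illustration. MiniHooks is a hypothetical stand-in for MediaWiki's
// hook runner, reduced to the by-reference contract used above.
final class MiniHooks {
    private static array $handlers = [];

    public static function register(string $name, callable $fn): void {
        self::$handlers[$name][] = $fn;
    }
    public static function clear(string $name): void {
        unset(self::$handlers[$name]);
    }
    public static function hasHandlers(string $name): bool {
        return !empty(self::$handlers[$name]);
    }
    // Running a hook nobody handles is a silent no-op: $args stay untouched.
    public static function run(string $name, array $args): bool {
        foreach (self::$handlers[$name] ?? [] as $fn) {
            if (call_user_func_array($fn, $args) === false) {
                return false;
            }
        }
        return true;
    }
}

// Same decision as the quoted checkTwoFactor(), returning a string instead
// of throwing so the outcomes can be compared side by side.
function checkTwoFactor(bool $hasUserrights, bool $detectMissing = false): string {
    if (!$hasUserrights) {
        return 'no check needed';
    }
    // Hypothetical guard, not in the original: report a missing provider
    // as a deployment fault instead of as "this user has no 2FA".
    if ($detectMissing && !MiniHooks::hasHandlers('TwoFactorIsEnabled')) {
        return 'blocked: no TwoFactorIsEnabled provider loaded';
    }
    $isEnabled = false; // fail-closed default, as in the original
    MiniHooks::run('TwoFactorIsEnabled', [&$isEnabled]);
    return $isEnabled ? 'allowed' : 'blocked: two-factor required';
}

// Provider side: constructed handler for a user who has 2FA enabled.
MiniHooks::register('TwoFactorIsEnabled', function (&$isEnabled) {
    $isEnabled = true;
    return true;
});
echo checkTwoFactor(true), "\n";        // provider answers the hook
MiniHooks::clear('TwoFactorIsEnabled'); // provider stops offering the hook
echo checkTwoFactor(true), "\n";        // same user, original logic
echo checkTwoFactor(true, true), "\n";  // same user, with the guard
```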

csteipp triaged this task as Unbreak Now! priority. Apr 1 2016, 8:08 PM
csteipp added a subscriber: dpatrick.

Change 281025 had a related patch set uploaded (by Dpatrick):
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281025

I have a patch in now. I'd like to reproduce the issue on https://labtestwikitech.wikimedia.org/, then have the fix deployed there for testing, if possible. However, I'm having trouble reproducing the error. Is the problem triggered by simply visiting https://labtestwikitech.wikimedia.org/Special:NovaInstance when logged in?

Reedy added a comment. Apr 1 2016, 8:48 PM

> I have a patch in now. I'd like to reproduce the issue on https://labtestwikitech.wikimedia.org/, then have the fix deployed there for testing, if possible. However, I'm having trouble reproducing the error. Is the problem triggered by simply visiting https://labtestwikitech.wikimedia.org/Special:NovaInstance when logged in?

It was, if you enable 2FA. I don't know if you require elevated permissions too, but that should be relatively easy to get if necessary

I have 2FA enabled (for user dpatrick2) and I get an error from that page. I might need those elevated permissions.

bd808 added a comment. Apr 1 2016, 8:55 PM

> I have 2FA enabled (for user dpatrick2) and I get an error from that page. I might need those elevated permissions.

Yeah, I think you need to have the cloudadmin bit to trigger the bug.

Andrew added a comment. Apr 1 2016, 9:04 PM

@dpatrick, I just gave you 'shell' and 'cloudadmin' on labtestwikitech

dpatrick added a comment. Edited Apr 1 2016, 10:51 PM

Okay, I'm able to see the error now. Thanks! Is it possible, without too much trouble, to have https://gerrit.wikimedia.org/r/281025 deployed there for testing?

Change 281119 had a related patch set uploaded (by Reedy):
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281119

Change 281119 merged by jenkins-bot:
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281119

Reedy added a comment. Apr 2 2016, 10:04 AM

> Okay, I'm able to see the error now. Thanks! Is it possible, without too much trouble, to have https://gerrit.wikimedia.org/r/281025 deployed there for testing?

Cherry picked, merged, deployed, pulled

I don't have cloudadmin on that wiki, so can't test atm either...

Reedy added a comment. Edited Apr 2 2016, 10:35 AM

Logged in with my wikitech details, createAndPromote to give me 'crat, and SQL insert on the db to make myself a cloud admin. 2FA enabled, and tested.

Works for me now :)

Change 281025 merged by jenkins-bot:
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281025

Reedy closed this task as Resolved. Apr 2 2016, 10:38 AM
Reedy claimed this task.