Page MenuHomePhabricator
Create Task
Maniphest T131445

2FA seems to be broken on wmf.19
Closed, ResolvedPublic
Actions

Description

I had to roll it back to .18 to get it to work...

Basically, anything that requires elevated permissions and it was a PITA

Details

SubjectRepoBranchLines +/-
Reintroduce TwoFactorIsEnabled hookmediawiki/extensions/OATHAuthmaster+27 -0
Reintroduce TwoFactorIsEnabled hookmediawiki/extensions/OATHAuthwmf/1.27.0-wmf.19+27 -0
Customize query in gerrit

Event Timeline

Reedy created this task.Apr 1 2016, 8:49 AM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptApr 1 2016, 8:49 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Reedy added a subscriber: Parent5446.Apr 1 2016, 8:52 AM
Parent5446 added a comment.Apr 1 2016, 9:14 AM

@Reedy I cannot seem to reproduce this locally. Could you provide some reproduction steps? I've tried visiting Special:Userrights and other restricted pages while logged in and it did not bother me. All other functionality seemed to be working as expected.

Reedy added a comment.Apr 1 2016, 9:15 AM
In T131445#2167612, @Parent5446 wrote:

@Reedy I cannot seem to reproduce this locally. Could you provide some reproduction steps? I've tried visiting Special:Userrights and other restricted pages while logged in and it did not bother me. All other functionality seemed to be working as expected.

Special:NovaInstance on wikitech triggered it

Parent5446 added a comment.Apr 1 2016, 9:16 AM

@Reedy Just so I know all the details, were you logged in already? And I presume your account has 2FA enabled on it?

Reedy added subscribers: bd808, valhallasw.Apr 1 2016, 9:17 AM
In T131445#2167618, @Parent5446 wrote:

@Reedy Just so I know all the details, were you logged in already? And I presume your account has 2FA enabled on it?

Originally, but I logged out and in again and still had the same issue. @bd808 and @valhallasw had the same issue

Reedy added a comment.Apr 1 2016, 9:31 AM

And the error message was:

"oathauth-abortlogin": "The two-factor authentication token provided was invalid.",
Parent5446 added a comment.Apr 1 2016, 9:33 AM

Literally the only place that error message is used is in the AbortChangePassword hook...

I think this might be due to https://gerrit.wikimedia.org/r/135597, which removed the TwoFactorIsEnabled hook, which SpecialNova uses to check for two-factor when loading higher privileged special pages. But I'm not sure why it would give that error message.

Krenair subscribed.Apr 1 2016, 3:20 PM
Andrew subscribed.Apr 1 2016, 3:21 PM

.19 is running now on https://labtestwikitech.wikimedia.org so y'all can see the problem.

bd808 added a comment.Apr 1 2016, 3:36 PM
In T131445#2167674, @Parent5446 wrote:

Literally the only place that error message is used is in the AbortChangePassword hook...

I think this might be due to https://gerrit.wikimedia.org/r/135597, which removed the TwoFactorIsEnabled hook, which SpecialNova uses to check for two-factor when loading higher privileged special pages. But I'm not sure why it would give that error message.

https://github.com/wikimedia/mediawiki-extensions-OpenStackManager/blob/fdbfb9af4bd5606514c444cec19338364fe4c9bf/special/SpecialNova.php#L61-L69

	function checkTwoFactor() {
		if ( $this->getUser()->isAllowed( 'userrights' ) ) {
			$isEnabled = false;
			Hooks::run( 'TwoFactorIsEnabled', array( &$isEnabled ) );
			if ( !$isEnabled ) {
				throw new ErrorPageError( 'openstackmanager-twofactorrequired', 'openstackmanager-twofactorrequired2' );
			}
		}
	}

So a hook was removed that a production extension depends on. :/

csteipp triaged this task as Unbreak Now! priority.Apr 1 2016, 8:08 PM
csteipp added a subscriber: dpatrick.
dpatrick moved this task from Backlog to In Progress on the MediaWiki-extensions-OATHAuth board.Apr 1 2016, 8:13 PM
gerritbot subscribed.Apr 1 2016, 8:33 PM

Change 281025 had a related patch set uploaded (by Dpatrick):
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281025

gerritbot added a project: Patch-For-Review.Apr 1 2016, 8:33 PM
dpatrick added a comment.Apr 1 2016, 8:47 PM

I have a patch in now. I'd like to reproduce the issue on https://labtestwikitech.wikimedia.org/, then have the fix deployed there for testing, if possible. However, I'm having trouble reproducing the error. Is the problem be triggered by simply visiting https://labtestwikitech.wikimedia.org/Special:NovaInstance when logged in?

Reedy added a comment.Apr 1 2016, 8:48 PM
In T131445#2170441, @dpatrick wrote:

I have a patch in now. I'd like to reproduce the issue on https://labtestwikitech.wikimedia.org/, then have the fix deployed there for testing, if possible. However, I'm having trouble reproducing the error. Is the problem be triggered by simply visiting https://labtestwikitech.wikimedia.org/Special:NovaInstance when logged in?

It was, if you enable 2FA. I don't know if you require elevated permissions too, but that should be relatively easy to get if necessary

dpatrick added a comment.Apr 1 2016, 8:53 PM

I have 2FA enabled (for use dpatrick2) and I get an error from that page. I might need those elevated permissions.

bd808 added a comment.Apr 1 2016, 8:55 PM
In T131445#2170447, @dpatrick wrote:

I have 2FA enabled (for use dpatrick2) and I get an error from that page. I might need those elevated permissions.

Yeah, I think you need to have the cloudadmin bit to trigger the bug.

Andrew added a comment.Apr 1 2016, 9:04 PM

@dpatrick, I just gave you 'shell' and 'cloudadmin' on labtestwikitech

dpatrick added a comment.EditedApr 1 2016, 10:51 PM

Okay, I'm able to see the error now. Thanks! Is it possible, without too much trouble, to have https://gerrit.wikimedia.org/r/281025 deployed there for testing?

gerritbot added a comment.Apr 2 2016, 9:56 AM

Change 281119 had a related patch set uploaded (by Reedy):
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281119

gerritbot added a comment.Apr 2 2016, 9:59 AM

Change 281119 merged by jenkins-bot:
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281119

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-03-29_(1.27.0-wmf.19)).Apr 2 2016, 10:00 AM
Reedy added a comment.Apr 2 2016, 10:04 AM
In T131445#2170869, @dpatrick wrote:

Okay, I'm able to see the error now. Thanks! Is it possible, without too much trouble, to have https://gerrit.wikimedia.org/r/281025 deployed there for testing?

Cherry picked, merged, deployed, pulled

I don't have cloudadmin on that wiki, so can't test atm either...

Reedy added a comment.EditedApr 2 2016, 10:35 AM

Logged in with my wikitech details, createAndPromote to give me 'crat, and SQL insert on the db to make myself a cloud admin. 2FA enabled, and tested.

Works for me now :)

gerritbot added a comment.Apr 2 2016, 10:37 AM

Change 281025 merged by jenkins-bot:
Reintroduce TwoFactorIsEnabled hook

https://gerrit.wikimedia.org/r/281025

Reedy closed this task as Resolved.Apr 2 2016, 10:38 AM
Reedy claimed this task.
ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-04-05_(1.27.0-wmf.20)).Apr 2 2016, 11:00 AM
bd808 edited projects, added Wikimedia-Hackathon-2016; removed Patch-For-Review.Apr 2 2016, 3:45 PM
dpatrick added a comment.Apr 4 2016, 6:10 PM

Thanks Reedy!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits