Security review of Tool Labs console application
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	bd808
	May 19 2016, 11:13 PM

Description

Project Information

Name of tool/project: Tool Labs console (Striker)
Project home page: https://meta.wikimedia.org/wiki/Community_Tech/Tool_Labs_support/Tool_Labs_vision
Name of team requesting review: Community-Tech-Tool-Labs Toolforge
Primary contact: @bd808
Target date for deployment: "as soon as it's ready", June/July 2016
Link to code repository / patchset: https://github.com/bd808/striker

Description of the tool/project

Django-based web interface for management of Tool Labs related workflows.

The initial deployable application will:

Authenticate to LDAP using auth bind
Authenticate to SUL wikis using OAuth
Communicate with Phabricator using conduit APIs
Store association of LDAP, SUL and Phabricator accounts in local database
Create Diffusion hosted git repositories associated with Tool Labs tools

This will eventually be the single point of management for:

Becoming a member of the Tool Labs project
Creating new tool accounts
Managing tool account membership
Creating git repos related to tools
Managing metadata related to tools

Description of how the tool will be used at WMF

See tool description.

Because this system will authenticate with LDAP and eventually edit some LDAP data it must be deployed in the WMF production network where it is safe to collect LDAP passwords and the LDAP editing credentials can be secured.

Dependencies

Various Python libraries (full list in requirements.txt):

Django
django-auth-ldap
django-ldapdb
mwoauth
requests

Has this project been reviewed before?

Working test environment

Demo site at http://striker.wmflabs.org/
MediaWiki-Vagrant role: striker (https://gerrit.wikimedia.org/r/#/c/290156)

Post-deployment

The Community-Tech-Tool-Labs and Toolforge teams will be responsible for the application in WMF production with @bd808 being the initial maintainer and primary point of contact.

Related Objects
Search...

Status	Assigned	Task
Resolved	LucasWerkmeister	T320140 Migrate wd-shex-infer from Toolforge GridEngine to Toolforge Kubernetes
Resolved	matmarex	T319707 Migrate dtcheck from Toolforge GridEngine to Toolforge Kubernetes
Resolved	Legoktm	T320062 Migrate steve-adder from Toolforge GridEngine to Toolforge Kubernetes
Resolved	Legoktm	T320011 Migrate rfa-voting-history from Toolforge GridEngine to Toolforge Kubernetes
Open	dcaro	T194332 [Epic,builds-api,components-api,webservice,jobs-api] Make Toolforge a proper platform as a service with push-to-deploy and build packs
Resolved	yuvipanda	T111885 Initial Deployment of Kubernetes to Tool Labs
Resolved	dcaro	T117071 Figure out a git hosting solution for tools/kubernetes
Resolved	bd808	T102066 Make sure tools can be taken over after they are abandoned
Resolved	bd808	T102081 Provide an easy way for Tool Labs tools to expose their source code
Resolved	None	T128158 Tools web interface for tool authors (Brainstorming ticket)
Resolved	bd808	T133252 Create application "Striker" to manage Diffusion repositories for a Tool Labs project
Resolved	bd808	T134188 Create application that allows associating a LDAP account with a SUL account
Resolved	bd808	T136256 Deploy "Striker" Tool Labs console to WMF production
Resolved	• dpatrick	T135784 Security review of Tool Labs console application

Event Timeline

bd808 created this task.May 19 2016, 11:13 PM

Restricted Application added a project: Cloud-Services. · View Herald TranscriptMay 19 2016, 11:13 PM

Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript

bd808 added a parent task: T134188: Create application that allows associating a LDAP account with a SUL account.May 19 2016, 11:15 PM

bd808 added a parent task: T133252: Create application "Striker" to manage Diffusion repositories for a Tool Labs project.

bd808 updated the task description. (Show Details)May 25 2016, 10:58 PM

bd808 mentioned this in T136256: Deploy "Striker" Tool Labs console to WMF production.May 25 2016, 11:46 PM

bd808 added a parent task: T136256: Deploy "Striker" Tool Labs console to WMF production.

tom29739 subscribed.May 26 2016, 7:06 AM

• chasemp triaged this task as Medium priority.May 31 2016, 3:40 PM

@dpatrick and @Bawolff Can I get a guesstimate on when you might get to this review? The core code is complete for the initial needs and I'm trying to decide if I should tidy things up and start planning a deployment plan or continue on to add more features prior to review and deployment.

zhuyifei1999 subscribed.Jun 7 2016, 5:22 PM

@bd808 How does the week of July 4th and into part of the week of the 11th work for you? That's the earliest we can schedule this.

In T135784#2362070, @dpatrick wrote:

@bd808 How does the week of July 4th and into part of the week of the 11th work for you? That's the earliest we can schedule this.

Sounds great! I'll start planning for other follow on events accordingly.

bd808 moved this task from Backlog to Ready on the Community-Tech-Tool-Labs board.Jun 23 2016, 9:21 PM

• dpatrick moved this task from Incoming to In Progress on the deprecated-security-team-reviews board.Jul 6 2016, 5:12 PM

@dpatrick any status update on this review?

Overall, really nice job on entire application. This is a great example of solid Django development. I'm really into striker/settings.py and the use of an ini file. The app's handling of trusted proxies, CSP, CSRF protection by default, rate-limiting connections to LDAP--all great.

Non-security issues:

Vagrant tools cannot find Python.h; needs to depends on -dev package
Database calls fails if roles is enabled prior to first "vagrant up"

Non-security questions:

Are tools in Tool Labs now required to only use Diffusion? In other words, do tool repos already hosted elsewhere (Github) have to be imported to Diffusion?

striker/tools/models.py, line 78

fix TODO for field lengths

striker/labsauth/views.py, line 48

Should session expiry be an ini-based config parameter?

In T135784#2472547, @dpatrick wrote:

Overall, really nice job on entire application. This is a great example of solid Django development. I'm really into striker/settings.py and the use of an ini file. The app's handling of trusted proxies, CSP, CSRF protection by default, rate-limiting connections to LDAP--all great.

Thanks. :)

I tried several different config management ideas and the ini-file one seemed like it would be easiest to manage via Puppet, plus I like the added bonus of non-executable config. That's one aspect of Django that has always bugged me a little.

Non-security issues:

Vagrant tools cannot find Python.h; needs to depends on -dev package

Database calls fails if roles is enabled prior to first "vagrant up"

Good catches. I'll touch up the mw-vagrant role and try to get these fixed.

Non-security questions:

Are tools in Tool Labs now required to only use Diffusion? In other words, do tool repos already hosted elsewhere (Github) have to be imported to Diffusion?

No. The intent here is just to make it really simple to setup version control for a tool. Using some other VCS (github, bitbucket, whatever) is fine.

I would like to add support for mirroring externally hosted git VCS into Diffusion to make discovery of source code easier for folks who want to help fix up an existing tool. It would also be nice to add mirroring out to github for folks who like to keep track of their contributions there. Neither of these seemed necessary for the initial release functionality however.

striker/tools/models.py, line 78

fix TODO for field lengths

Thanks for reminding me. I punted on that one during dev but should be able to at least make a lower limit for the phid I think.

striker/labsauth/views.py, line 48

Should session expiry be an ini-based config parameter?

That sounds like a good idea. That will make tuning things easier if we decide 2 week sessions are too long/short.

In T135784#2472547, @dpatrick wrote:

Vagrant tools cannot find Python.h; needs to depends on -dev package

Database calls fails if roles is enabled prior to first "vagrant up"

https://gerrit.wikimedia.org/r/#/c/299708/