Page MenuHomePhabricator
Create Task
Maniphest T172693

metawiki tables in labs: oauth_accepted_consumer oauth_registered_consumer
Closed, ResolvedPublic
Actions

Description

Hello,

When setting up the new labs infra, we realised that the following tables are on the labs hosts (both, old labs servers and new labs servers)
metawiki.oauth_accepted_consumer
metawiki.oauth_registered_consumer

They do contain sensitive data. These are the column names, easy to figure what they have :-)

mysql:root@localhost [metawiki]>  show create table oauth_accepted_consumer\G show create table oauth_registered_consumer\G
*************************** 1. row ***************************
       Table: oauth_accepted_consumer
Create Table: CREATE TABLE `oauth_accepted_consumer` (
  `oaac_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `oaac_wiki` varbinary(255) NOT NULL,
  `oaac_user_id` int(10) unsigned NOT NULL,
  `oaac_consumer_id` int(10) unsigned NOT NULL,
  `oaac_access_token` varbinary(32) NOT NULL,
  `oaac_access_secret` varbinary(32) NOT NULL,
  `oaac_grants` blob NOT NULL,
  `oaac_accepted` varbinary(14) NOT NULL,
  PRIMARY KEY (`oaac_id`),
  UNIQUE KEY `oaac_access_token` (`oaac_access_token`),
  UNIQUE KEY `oaac_user_consumer_wiki` (`oaac_user_id`,`oaac_consumer_id`,`oaac_wiki`),
  KEY `oaac_consumer_user` (`oaac_consumer_id`,`oaac_user_id`),
  KEY `oaac_user_id` (`oaac_user_id`,`oaac_id`)
) ENGINE=InnoDB AUTO_INCREMENT=96155 DEFAULT CHARSET=binary
1 row in set (0.00 sec)

*************************** 1. row ***************************
       Table: oauth_registered_consumer
Create Table: CREATE TABLE `oauth_registered_consumer` (
  `oarc_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `oarc_consumer_key` varbinary(32) NOT NULL,
  `oarc_name` varbinary(128) NOT NULL,
  `oarc_user_id` int(10) unsigned NOT NULL,
  `oarc_version` varbinary(32) NOT NULL,
  `oarc_callback_url` blob NOT NULL,
  `oarc_callback_is_prefix` tinyblob,
  `oarc_description` blob NOT NULL,
  `oarc_email` varbinary(255) NOT NULL,
  `oarc_email_authenticated` varbinary(14) DEFAULT NULL,
  `oarc_developer_agreement` tinyint(4) NOT NULL DEFAULT '0',
  `oarc_owner_only` tinyint(4) NOT NULL DEFAULT '0',
  `oarc_wiki` varbinary(32) NOT NULL,
  `oarc_grants` blob NOT NULL,
  `oarc_registration` varbinary(14) NOT NULL,
  `oarc_secret_key` varbinary(32) DEFAULT NULL,
  `oarc_rsa_key` blob,
  `oarc_restrictions` blob NOT NULL,
  `oarc_stage` tinyint(3) unsigned NOT NULL DEFAULT '0',
  `oarc_stage_timestamp` varbinary(14) NOT NULL,
  `oarc_deleted` tinyint(3) unsigned NOT NULL DEFAULT '0',
  PRIMARY KEY (`oarc_id`),
  UNIQUE KEY `oarc_consumer_key` (`oarc_consumer_key`),
  UNIQUE KEY `oarc_name_version_user` (`oarc_name`,`oarc_user_id`,`oarc_version`),
  KEY `oarc_user_id` (`oarc_user_id`),
  KEY `oarc_stage_timestamp` (`oarc_stage`,`oarc_stage_timestamp`)
) ENGINE=InnoDB AUTO_INCREMENT=926 DEFAULT CHARSET=binary
1 row in set (0.01 sec)

Those two tables are not accessible as they do not have a view to access them on labs databases, but yet they are present, if they are not being used, we should probably filter them on the sanitarium hosts and delete them from the labs servers to avoid any leak vector there.

Any objection to filter them out and truncate them?

CC: @jcrespo @chasemp @bd808

Details

SubjectRepoBranchLines +/-
realm.pp: Add two oauth tables to the private listoperations/puppetproduction+2 -0
Customize query in gerrit

Related Objects

Event Timeline

Marostegui created this task.Aug 7 2017, 2:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 7 2017, 2:40 PM
Marostegui updated the task description. (Show Details)Aug 7 2017, 2:41 PM
chasemp added a comment.Aug 7 2017, 2:45 PM

If it doesn't have a defined view in maintain-views.yaml now then I think filtering them pre-labsdb is at the DBA's discretion. so +1

Marostegui added a comment.EditedAug 7 2017, 2:51 PM
In T172693#3506027, @chasemp wrote:

If it doesn't have a defined view in maintain-views.yaml now then I think filtering them pre-labsdb is at the DBA's discretion. so +1

Just to confirm, there is no view defined there: https://github.com/wikimedia/puppet/blob/production/modules/role/templates/labs/db/views/maintain-views.yaml

Bawolff awarded a token.Aug 7 2017, 3:05 PM
bd808 added a comment.Aug 7 2017, 3:44 PM

Let's filter these tables out entirely if that's easily doable. As noted there is a lot of sensitive data in them.

Marostegui added a comment.EditedAug 7 2017, 4:03 PM

I have merged: https://gerrit.wikimedia.org/r/#/c/370489/
So pending:

  • Restart mysql (s7 instance) on db1069 and db1102 so the new filters are picked up [DONE]
  • Drop the tables on labsdb1001, labsdb1003, labsdb1009, labsdb1010, labsdb1011
Marostegui added a comment.Aug 7 2017, 5:14 PM

MySQL s7 restarted on db1069 and db1102 and filters applied:

%.oauth_accepted_consumer,%.oauth_registered_consumer

Pending: delete the tables (which I will not do today as it is late here and I will be traveling tomorrow to wikimania - just in case something breaks)

Marostegui added a comment.Aug 9 2017, 1:39 PM

I have executed this on labsdb1001 and labsdb1009:

mysql:root@localhost [metawiki]> rename table oauth_accepted_consumer to T172693_oauth_accepted_consumer;
Query OK, 0 rows affected (0.02 sec)

mysql:root@localhost [metawiki]> rename table oauth_registered_consumer to T172693_oauth_registered_consumer;
Query OK, 0 rows affected (0.01 sec)

If nothing breaks in a day I will drop them across all the servers.

Marostegui closed this task as Resolved.Aug 10 2017, 1:12 PM
Marostegui claimed this task.

I have dropped these tables on sanitarium hosts (with replication) and they are now gone on sanitarium (even if it will be decommissioned soon) and sanitarium2 and on the labs hosts.

chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
bd808 added a project: Data-Services.Mar 16 2020, 10:16 PM
bd808 changed the visibility from "Custom Policy" to "Public (No Login Required)".
Krenair subscribed.Mar 16 2020, 11:33 PM
bd808 mentioned this in T247800: (partially) expose oauth_registered_consumer table.Mar 17 2020, 5:59 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL