Page MenuHomePhabricator

Maintenance script to generate fake login attemps from any IP
Closed, ResolvedPublic

Description

In order to test LoginNotify in a single-IP environment (such as a VM on which a developer is testing the code), we need a way to create fake login attempts from an arbitrary IP address. I think the best solution is a maintenance script used as such:

maintenance/loginAttempt.php --user Admin --IP 1.2.3.4 --UA "Some User Agent" --success 1

Where user is the username for which a login attempt will be made, IP and UA are self-explanatory, and success is 0 if the login failed, and 1 if it succeeded.

By default, success is 0, and UA also defaults to something like Login attempt by LoginNotify maintenance script. The user and IP parameters would be mandatory.

Details

Related Gerrit Patches:

Related Objects

Event Timeline

Huji created this task.Dec 27 2017, 3:52 PM
Huji updated the task description. (Show Details)

Adding some of the original contributors to the MediaWiki-extensions-LoginNotify code, as they may have ideas on how to approach this (after all, I presume they had a way to test their code when the committed it).

You could also probably setup your network to have tunnel interfaces so you could connect from various IPs

Change 401410 had a related patch set uploaded (by Huji; owner: Huji):
[mediawiki/extensions/LoginNotify@master] Maintenance script to generate fake login attemps from any IP

https://gerrit.wikimedia.org/r/401410

Huji claimed this task.Jan 1 2018, 10:25 PM
Huji triaged this task as Low priority.

@Huji: Any thoughts on Niharika's and Max's comments on the patch?

Huji added a comment.EditedJan 28 2018, 9:30 PM

@MaxSem regarding your comment on not using a Hook, I uploaded a new PS on https://gerrit.wikimedia.org/r/#/c/401410/ but here is my issue:

We either have to duplicate the code inside doSuccessfulLogin() and doFailedLogin(), or we have to call those functions (which means we have to make them public, like in my latest PS). Duplicating code is bad. Making those functions public is also bad, as they are not supposed to be called directly. Because the maintenance script is not in a descendant namespace of \LoginNotify\Hooks, making them protected won't allow using them in the maintenance script either.

So, if you think making the public is okay, then please review the last PS, otherwise, please suggest alternatives.

Change 401410 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Maintenance script to generate fake login attemps from any IP

https://gerrit.wikimedia.org/r/401410

Niharika closed this task as Resolved.Feb 2 2018, 9:13 PM
Niharika moved this task from Ready to Q1 2018-19 on the Community-Tech-Sprint board.

I believe this is done. There's a dependency patch for core to allow user-agent to be specified (tracked in T186287). That's not crucial for the matter at hand (T174388) however, so I'm resolving this ticket.

Thanks for working on this @Huji!

Change 407871 had a related patch set uploaded (by Huji; owner: Huji):
[mediawiki/extensions/LoginNotify@master] Use the proper way to override the User-Agent header of a request

https://gerrit.wikimedia.org/r/407871

Huji reopened this task as Open.Feb 3 2018, 2:50 AM
Huji added a comment.Feb 3 2018, 11:18 PM

@Niharika the dependency is now removed, and a revision to the script is submitted in r/407871 accordingly. Once that is merged, this task can be marked as resolved.

Change 407871 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Use the proper way to override the User-Agent header of a request

https://gerrit.wikimedia.org/r/407871

Huji closed this task as Resolved.Feb 6 2018, 1:28 AM
Huji removed a project: Patch-For-Review.
TheDJ awarded a token.Feb 6 2018, 9:44 AM