Page MenuHomePhabricator
Create Task
Maniphest T183722

Maintenance script to generate fake login attemps from any IP
Closed, ResolvedPublic
Actions

Description

In order to test LoginNotify in a single-IP environment (such as a VM on which a developer is testing the code), we need a way to create fake login attempts from an arbitrary IP address. I think the best solution is a maintenance script used as such:

maintenance/loginAttempt.php --user Admin --IP 1.2.3.4 --UA "Some User Agent" --success 1

Where user is the username for which a login attempt will be made, IP and UA are self-explanatory, and success is 0 if the login failed, and 1 if it succeeded.

By default, success is 0, and UA also defaults to something like Login attempt by LoginNotify maintenance script. The user and IP parameters would be mandatory.

Details

SubjectRepoBranchLines +/-
Use the proper way to override the User-Agent header of a requestmediawiki/extensions/LoginNotifymaster+7 -3
Maintenance script to generate fake login attemps from any IPmediawiki/extensions/LoginNotifymaster+76 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Huji created this task.Dec 27 2017, 3:52 PM
Huji updated the task description. (Show Details)
Huji added subscribers: Umherirrender, MaxSem, MusikAnimal, Bawolff.Dec 29 2017, 7:57 PM

Adding some of the original contributors to the MediaWiki-extensions-LoginNotify code, as they may have ideas on how to approach this (after all, I presume they had a way to test their code when the committed it).

Umherirrender unsubscribed.Dec 29 2017, 8:46 PM
Bawolff added a comment.Dec 31 2017, 5:39 PM

You could also probably setup your network to have tunnel interfaces so you could connect from various IPs

gerritbot subscribed.Jan 1 2018, 10:24 PM

Change 401410 had a related patch set uploaded (by Huji; owner: Huji):
[mediawiki/extensions/LoginNotify@master] Maintenance script to generate fake login attemps from any IP

https://gerrit.wikimedia.org/r/401410

gerritbot added a project: Patch-For-Review.Jan 1 2018, 10:24 PM
Huji claimed this task.Jan 1 2018, 10:25 PM
Huji triaged this task as Low priority.
Huji added a project: MediaWiki-Maintenance-system.
Huji mentioned this in rELGN21c3fb9a90fc: Maintenance script to generate fake login attemps from any IP.Jan 1 2018, 10:26 PM
Huji mentioned this in rELGN9b68570ff2f4: Maintenance script to generate fake login attemps from any IP.Jan 1 2018, 10:34 PM
Huji mentioned this in rELGNbcff6714c883: Maintenance script to generate fake login attemps from any IP.Jan 1 2018, 10:40 PM
Huji raised the priority of this task from Low to High.Jan 2 2018, 12:18 AM
Huji added a parent task: T174388: LoginNotify should inform users of the IP address of failed login attempts to their account.

To match parent task

Huji mentioned this in T174388: LoginNotify should inform users of the IP address of failed login attempts to their account.Jan 3 2018, 12:17 AM
Huji mentioned this in rELGNc669c72a18c4: Maintenance script to generate fake login attemps from any IP.Jan 4 2018, 3:38 AM
kaldari added a comment.Jan 17 2018, 12:11 AM

@Huji: Any thoughts on Niharika's and Max's comments on the patch?

kaldari edited projects, added Community-Tech-Sprint; removed Community-Tech.Jan 17 2018, 12:45 AM
Huji mentioned this in rELGN5c3d3a1fbe24: Maintenance script to generate fake login attemps from any IP.Jan 28 2018, 8:27 PM
Huji mentioned this in rELGNfcf27e0c5ba4: Maintenance script to generate fake login attemps from any IP.Jan 28 2018, 9:13 PM
Huji mentioned this in rELGN75619f9e36dd: Maintenance script to generate fake login attemps from any IP.Jan 28 2018, 9:21 PM
Huji added a comment.EditedJan 28 2018, 9:30 PM

@MaxSem regarding your comment on not using a Hook, I uploaded a new PS on https://gerrit.wikimedia.org/r/#/c/401410/ but here is my issue:

We either have to duplicate the code inside doSuccessfulLogin() and doFailedLogin(), or we have to call those functions (which means we have to make them public, like in my latest PS). Duplicating code is bad. Making those functions public is also bad, as they are not supposed to be called directly. Because the maintenance script is not in a descendant namespace of \LoginNotify\Hooks, making them protected won't allow using them in the maintenance script either.

So, if you think making the public is okay, then please review the last PS, otherwise, please suggest alternatives.

Huji mentioned this in rELGN828cb49842b4: Maintenance script to generate fake login attemps from any IP.Jan 28 2018, 9:32 PM
Huji mentioned this in rELGN2a820facd100: Maintenance script to generate fake login attemps from any IP.
Huji mentioned this in T186287: WebRequest should allow overriding headers.Feb 2 2018, 1:09 AM
Huji mentioned this in rELGN0cd8f9e92646: Maintenance script to generate fake login attemps from any IP.Feb 2 2018, 1:16 AM
gerritbot added a comment.Feb 2 2018, 5:32 PM

Change 401410 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Maintenance script to generate fake login attemps from any IP

https://gerrit.wikimedia.org/r/401410

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-02-06 (1.31.0-wmf.20)).Feb 2 2018, 6:00 PM
Niharika closed this task as Resolved.Feb 2 2018, 9:13 PM
Niharika moved this task from Ready to Q1 2018-19 on the Community-Tech-Sprint board.

I believe this is done. There's a dependency patch for core to allow user-agent to be specified (tracked in T186287). That's not crucial for the matter at hand (T174388) however, so I'm resolving this ticket.

Thanks for working on this @Huji!

gerritbot added a comment.Feb 3 2018, 2:46 AM

Change 407871 had a related patch set uploaded (by Huji; owner: Huji):
[mediawiki/extensions/LoginNotify@master] Use the proper way to override the User-Agent header of a request

https://gerrit.wikimedia.org/r/407871

Huji reopened this task as Open.Feb 3 2018, 2:50 AM
Huji mentioned this in rELGN14a437037c1b: Use the proper way to override the User-Agent header of a request.Feb 3 2018, 2:52 AM
Huji closed subtask T186287: WebRequest should allow overriding headers as Declined.Feb 3 2018, 11:14 PM
Huji removed a subtask: T186287: WebRequest should allow overriding headers.
Huji mentioned this in rELGN90c0d56f327a: Use the proper way to override the User-Agent header of a request.Feb 3 2018, 11:16 PM
Huji added a comment.Feb 3 2018, 11:18 PM

@Niharika the dependency is now removed, and a revision to the script is submitted in r/407871 accordingly. Once that is merged, this task can be marked as resolved.

Huji mentioned this in rELGNdc821dbb1e1f: Use the proper way to override the User-Agent header of a request.Feb 4 2018, 1:15 AM
gerritbot added a comment.Feb 5 2018, 9:34 PM

Change 407871 merged by jenkins-bot:
[mediawiki/extensions/LoginNotify@master] Use the proper way to override the User-Agent header of a request

https://gerrit.wikimedia.org/r/407871

Huji closed this task as Resolved.Feb 6 2018, 1:28 AM
Huji removed a project: Patch-For-Review.
TheDJ awarded a token.Feb 6 2018, 9:44 AM
TBolliger edited projects, added Community-Tech; removed Community-Tech-Sprint.Feb 14 2018, 12:56 AM
TBolliger moved this task from New & TBD Tickets to Archive on the Community-Tech board.Feb 14 2018, 1:13 AM
Huji mentioned this in T187519: loginAttempt.php should use a hook, not a LoginNotify instance.Feb 16 2018, 1:37 AM
Huji closed subtask T187519: loginAttempt.php should use a hook, not a LoginNotify instance as Resolved.Feb 22 2018, 1:54 PM
Huji mentioned this in rELGNc8d66c984599: Final NoteDb migration updates.Jun 10 2018, 2:37 AM
Huji mentioned this in rELGNa4cdc0cd8dee: Update patch set 1.
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-LoginNotify board.Jun 17 2018, 11:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits