Page MenuHomePhabricator
Create Task
Maniphest T254948

Security Readiness Review For Enhancements to OAuth Extension
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project::
We are developing a publicly accessible API portal. The work is described by the API Gateway documentation plan.

Description of how the tool will be used at WMF:
As part of this project we will be launching a new wiki on which we will make API requests to new API endpoints implemented by the OAuth extension hosted on meta.

Above we have listed the patchset adding this functionality and an additional patchset adding unit testing.

Working test environment
The extension is hosted on the beta environment for the API Portal wiki here:
https://meta.wikimedia.beta.wmflabs.org/w/rest.php/oauth2/client

Dependencies
This extension should be reviewable independently.

Has this project been reviewed before?
This is an existing extension, my understanding is that it has been previously reviewed but I was not able to find a task covering this.

Post-deployment:
Platform Engineering will continue to own the extension in production

Related Objects
Search...

Event Timeline

CCicalese_WMF created this task.Jun 9 2020, 10:23 PM
Restricted Application added a project: secscrum. · View Herald TranscriptJun 9 2020, 10:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a subscriber: Tgr.Jun 10 2020, 12:01 PM
sbassett changed the task status from Open to Stalled.Jun 17 2020, 4:03 PM
sbassett triaged this task as Low priority.
sbassett added a subscriber: sbassett.

Backlogging and stalling for Security-Team for now.

sbassett moved this task from Incoming to Back Orders on the secscrum board.Jun 17 2020, 4:04 PM
WDoranWMF added a comment.Jun 30 2020, 1:25 PM

@sbassett The final patch for the OAuth extension is ready, is it appropriate to receive the sec review on the patch or should it merge first?

sbassett added a comment.Jul 1 2020, 7:36 PM
In T254948#6267630, @WDoranWMF wrote:

@sbassett The final patch for the OAuth extension is ready, is it appropriate to receive the sec review on the patch or should it merge first?

@WDoranWMF - the same expectations mentioned within T254947#6272837 would also apply here. Thanks.

WDoranWMF added a project: Platform Team Workboards (Green).Jul 28 2020, 12:25 PM
WDoranWMF moved this task from Backlog to Blocked on the Platform Team Workboards (Green) board.
WDoranWMF added a project: Platform Team Sprints Board (Sprint 0).Jul 31 2020, 12:19 PM
Naike edited projects, added Platform Team Sprints Board (Sprint 1); removed Platform Team Sprints Board (Sprint 0).Aug 7 2020, 10:42 AM
Reedy mentioned this in T257930: Security Readiness Review For OAuthRateLimiter.Aug 7 2020, 3:49 PM
Naike added subscribers: Reedy, Naike.Aug 10 2020, 4:29 AM

@CCicalese_WMF - does this ticket meet the condition sbassett described below?

"@WDoranWMF - As @Reedy implied above, we'd like the code to be as close to production-deployable as possible before we expend cycles on a formal security review. The patch doesn't have to be merged IMO, but it should be ready to have the Submit button clicked and then ride the train."

Reedy added a comment.Aug 12 2020, 4:27 PM

I'm presuming with the C-1 from Petr on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/597281 it's still not ready...

Jcross moved this task from Back Orders to Waiting on the secscrum board.Aug 20 2020, 4:05 PM
Naike edited projects, added Platform Team Sprints Board (Sprint 2); removed Platform Team Sprints Board (Sprint 1).Aug 21 2020, 1:27 PM
WDoranWMF added a subtask: T259660: Enable new OAuth extension functionality on Beta Meta to support API Portal testing.Aug 26 2020, 3:53 PM
WDoranWMF removed a subtask: T259660: Enable new OAuth extension functionality on Beta Meta to support API Portal testing.
WDoranWMF updated the task description. (Show Details)Sep 1 2020, 6:15 PM
WDoranWMF added a subscriber: BPirkle.
WDoranWMF renamed this task from Security Review Request for Enhancements to OAuth Extension to Security Readiness Review For Enhancements to OAuth Extension.Sep 2 2020, 8:56 PM
WDoranWMF changed the task status from Stalled to Open.
WDoranWMF raised the priority of this task from Low to Needs Triage.
WDoranWMF updated the task description. (Show Details)
WDoranWMF updated the task description. (Show Details)Sep 2 2020, 9:48 PM
WDoranWMF moved this task from Blocked to Waiting for Review on the Platform Team Workboards (Green) board.Sep 3 2020, 1:26 AM
WDoranWMF added a subscriber: Jcross.Sep 3 2020, 1:04 PM

@Jcross How do we push this back onto the stack?

WDoranWMF updated the task description. (Show Details)Sep 8 2020, 2:14 PM
Jcross moved this task from Waiting to Back Orders on the secscrum board.EditedSep 14 2020, 7:02 PM

Patch is merged, moving to Back Orders so that we can schedule on Wed. call. Apologies for delay, I've been out.

sbassett closed this task as Resolved.Sep 16 2020, 4:09 PM
sbassett assigned this task to Reedy.
sbassett moved this task from Back Orders to Our Part Is Done on the secscrum board.

As discussed in our application security scrum, we're assigning a final risk rating of: low for this change set. Resolving task for now.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL