
Security Readiness Review For Enhancements to OAuth Extension
Closed, Resolved (Public)

Description

Project Information

Description of the tool/project:
We are developing a publicly accessible API portal. The work is described by the API Gateway documentation plan.

Description of how the tool will be used at WMF:
As part of this project we will be launching a new wiki on which we will make API requests to new API endpoints implemented by the OAuth extension hosted on meta.

Above we have listed the patchset adding this functionality and an additional patchset adding unit testing.

Working test environment
The extension is hosted on the beta environment for the API Portal wiki here:
https://meta.wikimedia.beta.wmflabs.org/w/rest.php/oauth2/client

Dependencies
This extension should be reviewable independently.

Has this project been reviewed before?
This is an existing extension; my understanding is that it has been previously reviewed, but I was not able to find a task covering this.

Post-deployment:
Platform Engineering will continue to own the extension in production

Event Timeline

Restricted Application added a subscriber: Aklapper.
sbassett changed the task status from Open to Stalled. Jun 17 2020, 4:03 PM
sbassett triaged this task as Low priority.
sbassett added a subscriber: sbassett.

Backlogging and stalling for Security-Team for now.

@sbassett The final patch for the OAuth extension is ready, is it appropriate to receive the sec review on the patch or should it merge first?


@WDoranWMF - the same expectations mentioned within T254947#6272837 would also apply here. Thanks.

@CCicalese_WMF - does this ticket meet the condition sbassett described below?

"@WDoranWMF - As @Reedy implied above, we'd like the code to be as close to production-deployable as possible before we expend cycles on a formal security review. The patch doesn't have to be merged IMO, but it should be ready to have the Submit button clicked and then ride the train."

WDoranWMF renamed this task from Security Review Request for Enhancements to OAuth Extension to Security Readiness Review For Enhancements to OAuth Extension. Sep 2 2020, 8:56 PM
WDoranWMF changed the task status from Stalled to Open.
WDoranWMF raised the priority of this task from Low to Needs Triage.
WDoranWMF updated the task description.

@Jcross How do we push this back onto the stack?

Patch is merged, moving to Back Orders so that we can schedule on Wed. call. Apologies for delay, I've been out.

sbassett assigned this task to Reedy.
sbassett moved this task from Back Orders to Our Part Is Done on the secscrum board.

As discussed in our application security scrum, we're assigning a final risk rating of: low for this change set. Resolving task for now.