Page MenuHomePhabricator
Create Task
Maniphest T260587

Security Readiness Review For Wikimedia/oauth2-server
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:
The fork includes changes from a pull request which adds support for private claims in a JSON Web Token. We're working with upstream to get the pull request accepted in the upstream library, and the need for the fork will eventually disappear.

Description of how the tool will be used at WMF:
The fork will be temporarily used by the OAuth and OAuthRateLimiter extensions until a new version of oauth2-server is released with the new changes.

Working test environment
Test environment instructions from T257930 can be used to test these changes

Post-deployment
Platform Engineering will own the fork until a new version is released

Related Objects
Search...

Event Timeline

Clarakosi created this task.Aug 17 2020, 6:10 PM
Clarakosi moved this task from Backlog to Blocked on the Platform Team Workboards (Green) board.
sbassett triaged this task as Medium priority.Aug 20 2020, 4:10 PM
sbassett moved this task from Incoming to Back Orders on the secscrum board.
Naike edited projects, added Platform Team Sprints Board (Sprint 2); removed Platform Team Sprints Board (Sprint 1).Aug 21 2020, 1:18 PM
Reedy subscribed.Aug 27 2020, 11:48 AM

The fork includes changes from a pull request which adds support for private claims in a JSON Web Token. We're working with upstream to get the pull request accepted in the upstream library, and the need for the fork will eventually disappear.

For clarity/documentation purposes...

Is https://github.com/wikimedia/oauth2-server/commits/v9.0.0-alpha made from https://github.com/wikimedia/oauth2-server/tree/8.1.1 plus https://github.com/thephpleague/oauth2-server/pull/1122 ?

Or more specifically, it's not https://github.com/thephpleague/oauth2-server/tree/9.0.0-WIP plus https://github.com/thephpleague/oauth2-server/pull/1122 is it?

Clarakosi added a comment.Aug 27 2020, 2:03 PM

@Reedy Its from the current master and the pull request.

The only difference between the master and v8.1.1 is a couple of commits fixing a typo: https://github.com/wikimedia/oauth2-server/compare/09f22e8121fa1832962dba18213b80d4267ef8a3..340d1ab713a112fba72728e096d820d064f4ee54

Jcross moved this task from Back Orders to In Progress on the secscrum board.Aug 27 2020, 4:49 PM
Jcross assigned this task to Reedy.Aug 27 2020, 4:54 PM
Reedy closed this task as Resolved.EditedAug 27 2020, 9:23 PM

So this is good to go.

As per the task description, and other discussions, the use of the fork must be reverted when the PR lands upstream and an appropriate release is made. Doesn't have to be done immediately, but within a reasonable timescale of it happening. Might want to create a task somewhere in this task tree under T235270: Wikimedia API Gateway for doing that, tagging it Upstream and stalling as appropriate as a reminder that the work has to be done later.

And as appropriate, while we're still using the fork, please keep an eye on the upstream commits (though I admit it's not the busiest of repos, so should be easier) and releases for anything that might be appropriate, ie security fixes or other relevant bug fixes to our deployment, those obviously would have to be manually put into the branch on our fork and vendor updated as appropriate.

The use of a fork obviously brings in a small amount risk (divergence of code, lack of composer telling us of updates etc), but nothing that blocks this going out.

Reedy moved this task from In Progress to Our Part Is Done on the secscrum board.Aug 27 2020, 9:23 PM
Pchelolo added a comment.Aug 27 2020, 9:30 PM

Created the ticket T261462

Reedy mentioned this in T260588: Security Readiness Review For Adding Private Claims To OAuth Extension.Aug 27 2020, 9:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL