Page MenuHomePhabricator
Create Task
Maniphest T260603

Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address
Closed, ResolvedPublic4 Estimated Story PointsSep 22 2020
Actions

Description

Create a REST API endpoint that returns mock data about an IP address. It accepts the following:

  • An IP address (returns data for the IP address) (restricted by permission and removed once T261555 is completed)
  • A log ID (returns data about the associated IP address, if the performer was anonymous)
  • A revision ID (returns data about the associated IP address, if the editor was anonymous)

The endpoint will return data for anon actions (and may return data for logged in users if the user has the proper permission, like checkuser, see T261555).

Details

Due Date
Sep 22 2020, 4:00 AM
SubjectRepoBranchLines +/-
Create REST API endpoint for retrieving IP Info from any IP addressmediawiki/extensions/IPInfomaster+241 -3
Create REST API endpoint for retrieving IP Info from a Log Entrymediawiki/extensions/IPInfomaster+378 -0
Create REST API endpoint for retrieving IP Info from a Revisionmediawiki/extensions/IPInfomaster+428 -2
Create InfoManager service to return information about a given IPmediawiki/extensions/IPInfomaster+219 -1
Create three REST API endpointsmediawiki/extensions/IPInfomaster+867 -3
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedSTranT298955 Return different data from IPInfo api based on context [M]
 ResolvedSTranT300825 IPInfo logger should queue a logging job instead of writing directly
 OpenNoneT285977 IP Info
 ResolvedNiharikaT287648 Reviews and deployment
 ResolvedTchandersT260597 Deploy IP Info extension to all wikis (as a beta feature)
 ResolvedNiharikaT261372 Replace mock data returned from API endpoint with live data
 ResolvedNiharikaT292755 Epic: IP Info access
 ResolvedSTranT292842 Log when the user's access level changes
 ResolvedNiharikaT263756 Create a table to store which users have access to IPInfo, and the timestamp when access was granted [L]
 ResolvedTchandersT264795 Decide how we want to store how we log which users have access to IP Info [8 hours]
 InvalidNoneT291827 Create IPInfo access manager
 InvalidNoneT291854 Create revoke user access maintenance script
 InvalidNoneT296186 Create a group that revokes all ipinfo* rights
 ResolvedSTranT264150 User needs to request access to IP information [L]
 ResolvedSTranT291582 Implement condition agreements in Special:Preferences [M]
 ResolvedSpikephuedxT291583 [SPIKE] Check that IPInfo-related user properties aren't replicated to publicly accessible databases [8H]
 ResolvedSTranT294658 Create a log entry when the RevisionHandler is called
 Resolved TThoabalaT294657 Create a log entry when the LogHandler is called
 ResolvedphuedxT294680 IP Info: Create a logger function to be used in both the popup and accordion presenters [M]
 DeclinedTchandersT296184 Automatically promote users to the group that grants basic rights
 ResolvedSTranT296085 Create a group that grants basic ipinfo* rights
 ResolvedSTranT296499 Grant certain groups the ipinfo-view-full right
 ResolvedTchandersT260598 Deploy IP Info extension to test.wikipedia.org
 ResolvedTchandersT260599 Deploy IP Info extension to beta cluster
 ResolvedsbassettT262963 Security Readiness Review For geoip2/geoip2
 ResolvedDec 15 2020TchandersT266136 Update CI config once geoip2 is available
 ResolvedTchandersT269475 Add geoip2/geoip2 library to mediawiki/vendor
 ResolvedTchandersT260602 Complete the necessary reviews for the IP Info extension
 InvalidNoneT260601 Remove the static mock data from the popup and make a request to the API endpoint for dynamic mock data
 InvalidNoneT270347 Remove 'ipinfo' right from administrators on the Beta Cluster
 StalledNoneT309318 Can global sysops have ipinfo-view-full and ipinfo-view-log access?
 ResolvedSecurityUrbanecmT309411 sysop access to ipinfo logs can leak IP addresses that sysops should not have access to
 ResolvedUrbanecmT309928 Remove `ipinfo-view-log` from sysops
 OpenNoneT261555 Allow CheckUser to provide IP addresses for logged in edits/actions
 ResolvedSep 22 2020TchandersT260603 Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address
 ResolvedTchandersT260609 Create a basic extension.json file and a new wikipage for the IP Info extension
 ResolveddbarrattT260611 Request a repository for the IP Info Extension

Event Timeline

dbarratt created this task.Aug 17 2020, 7:59 PM
dbarratt added a subtask: T260609: Create a basic extension.json file and a new wikipage for the IP Info extension.Aug 17 2020, 8:10 PM
Niharika moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.Aug 19 2020, 5:32 AM
dbarratt mentioned this in T260821: Performance review of IP Info extension.Aug 25 2020, 9:09 PM
ARamirez_WMF set the point value for this task to 4.Aug 26 2020, 4:19 PM
ARamirez_WMF moved this task from Triage/To be Estimated to Cards ready for development on the Anti-Harassment board.
ARamirez_WMF moved this task from Cards ready for development to The Letter Song on the Anti-Harassment board.Aug 26 2020, 4:44 PM
ARamirez_WMF edited projects, added Anti-Harassment (The Letter Song); removed Anti-Harassment.
Niharika triaged this task as Medium priority.Aug 26 2020, 4:44 PM
dbarratt added a subscriber: Tchanders.EditedAug 27 2020, 1:49 AM

I realized that sometimes we wont actually know the IP address of an edit or logged action. This could be the case if the user is logged in. In that instance the IP address only exists in CheckUser, but the user may or may not have permission to access that data.

I think we should resolve this by adding a hook in the new extension to pass a log id/revision id, and the request context. Then another extension like CheckUser can listen for that and respond with the IP address.

The extensions could put additional requirements on retrieving the IP address. For instance, perhaps CheckUser requires an additional parameter of a checkUserLogId (or something like that) token parameter. Then CheckUser could check to see if 1) the check user log entry belongs to the user making the request and 2) it matches the main log id/revision id of the lookup verify the token before returning the IP address. This ensures that they are using the API as part of Special:Investigate or Special:CheckUser

The hook should probably pass around a Status object so they can also return a helpful error message if necessary. For instance CheckUser could return an error message if the log id/revision id is older than 90 days.

@Tchanders I realize we already estimated this task (and arguably it doesn't fit anyways). Should I create a new task to be completed between this one and T261372: Replace mock data returned from API endpoint with live data?

Alternatively we could change the endpoint to accept IP addresses, but I think that goes against the direction we are headed. In addition, it could expose a user's IP address in the logs, which we avoided by using the token. I think using a log id/revision id is still the correct direction, even with this additional complexity.

dbarratt removed a subtask: T261372: Replace mock data returned from API endpoint with live data.Aug 27 2020, 1:52 AM
dbarratt added a parent task: T261372: Replace mock data returned from API endpoint with live data.
dbarratt added a comment.Aug 27 2020, 1:38 PM

And by checkUserLogId I really mean the token. The log id never expires (?) but the token is fairly short lived (preventing CheckUsers from seeing a user's IP address indefinitely).

Tchanders mentioned this in T260822: Security review of IP Info extension.Aug 28 2020, 2:59 PM
dbarratt mentioned this in T261555: Allow CheckUser to provide IP addresses for logged in edits/actions.Aug 29 2020, 5:33 PM

I moved the additional complexity of revisions/logs belonging to logged-in users to T261555

dbarratt added a parent task: T261555: Allow CheckUser to provide IP addresses for logged in edits/actions.Aug 29 2020, 5:34 PM
dbarratt updated the task description. (Show Details)
dbarratt claimed this task.Sep 1 2020, 3:54 PM
dbarratt moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (The Letter Song) board.
gerritbot added a comment.Sep 2 2020, 1:27 AM

Change 623670 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/IPInfo@master] Create two REST API endpoints

https://gerrit.wikimedia.org/r/623670

gerritbot added a project: Patch-For-Review.Sep 2 2020, 1:27 AM
dbarratt added a comment.Sep 2 2020, 1:28 AM

We should probably define what fields we need and in what format they should take.

Tchanders added a comment.Sep 4 2020, 6:30 PM

We should probably define what fields we need and in what format they should take.

Do you mean which information we should return about the IP?

dbarratt added a comment.Sep 4 2020, 6:45 PM
In T260603#6436865, @Tchanders wrote:

We should probably define what fields we need and in what format they should take.

Do you mean which information we should return about the IP?

Yeah. I'm going to use the data we need for T260604 for now. :)

Tchanders added a comment.Sep 4 2020, 6:47 PM

Yeah. I'm going to use the data we need for T260604 for now. :)

Sounds good. I guess this is another thing that will depend on the licenses.

ARamirez_WMF changed the point value for this task from 4 to 8.Sep 9 2020, 4:46 PM
ARamirez_WMF changed the point value for this task from 8 to 4.
ARamirez_WMF set Final Story Points to 8.
Tchanders added a subscriber: Niharika.Sep 9 2020, 4:58 PM

We discussed with @Niharika that we would:

  • Make IPInfo available on Special:Investigate first
  • Make IPInfo available to checkusers first
  • Make an endpoint that accepts the IP address, which may be deprecated later when IPs get masked
Tchanders updated the task description. (Show Details)Sep 9 2020, 5:10 PM
ARamirez_WMF changed the subtype of this task from "Task" to "Deadline".Sep 9 2020, 8:45 PM
ARamirez_WMF set Due Date to Sep 22 2020, 4:00 AM.
Niharika mentioned this in T260604: Display a popup with fixed mock data for an IP address on the specified page(s).Sep 9 2020, 9:00 PM
dbarratt updated the task description. (Show Details)Sep 11 2020, 5:10 PM
Tchanders moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment (The Letter Song) board.Sep 15 2020, 12:02 PM
gerritbot added a comment.Sep 15 2020, 6:11 PM

Change 627580 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/IPInfo@master] Create InfoManager service to return information about a given IP

https://gerrit.wikimedia.org/r/627580

gerritbot added a comment.Sep 15 2020, 6:49 PM

Change 627583 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/IPInfo@master] Create REST API endpoint for retrieving IP Info from a Revision

https://gerrit.wikimedia.org/r/627583

gerritbot added a comment.Sep 15 2020, 7:00 PM

Change 627585 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/IPInfo@master] Create REST API endpoint for retrieving IP Info from a Log Entry

https://gerrit.wikimedia.org/r/627585

gerritbot added a comment.Sep 15 2020, 7:54 PM

Change 627590 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/IPInfo@master] Create REST API endpoint for retrieving IP Info from any IP address

https://gerrit.wikimedia.org/r/627590

gerritbot added a comment.Sep 15 2020, 8:00 PM

Change 623670 abandoned by Dbarratt:
[mediawiki/extensions/IPInfo@master] Create three REST API endpoints

Reason:
Split into three patches

https://gerrit.wikimedia.org/r/623670

dbarratt mentioned this in T263075: Should the REST API return null/empty or should the property be missing?.Sep 16 2020, 11:34 PM
gerritbot added a comment.Sep 17 2020, 9:33 AM

Change 627580 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Create InfoManager service to return information about a given IP

https://gerrit.wikimedia.org/r/627580

dbarratt moved this task from Code Review 🔍 to In Progress 💪 on the Anti-Harassment (The Letter Song) board.Sep 17 2020, 1:26 PM
gerritbot added a comment.Sep 18 2020, 1:24 PM

Change 627583 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Create REST API endpoint for retrieving IP Info from a Revision

https://gerrit.wikimedia.org/r/627583

gerritbot added a comment.Sep 18 2020, 9:34 PM

Change 627585 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Create REST API endpoint for retrieving IP Info from a Log Entry

https://gerrit.wikimedia.org/r/627585

gerritbot added a comment.Sep 22 2020, 1:41 PM

Change 627590 merged by jenkins-bot:
[mediawiki/extensions/IPInfo@master] Create REST API endpoint for retrieving IP Info from any IP address

https://gerrit.wikimedia.org/r/627590

dbarratt moved this task from In Progress 💪 to QA/Testing 🐞 on the Anti-Harassment (The Letter Song) board.Sep 22 2020, 1:42 PM
ARamirez_WMF changed Final Story Points from 8 to 13.Sep 22 2020, 4:49 PM
ARamirez_WMF changed Final Story Points from 13 to 14.
Tchanders mentioned this in T263635: Allow IPInfo to return data for an IP address that is the target of a log entry.Sep 23 2020, 1:02 PM
Niharika closed subtask T260609: Create a basic extension.json file and a new wikipage for the IP Info extension as Resolved.Oct 2 2020, 7:42 PM
Niharika moved this task from QA/Testing 🐞 to Done: Q2 (2020-2021) ✅ on the Anti-Harassment (The Letter Song) board.Oct 7 2020, 3:30 PM
Aklapper removed a project: Patch-For-Review.Nov 30 2020, 8:43 AM

Anti-Harassment: Hi, the Due Date set for this open task was two months ago, and all related patches in Gerrit have been merged or abandoned. Is there more to do in this task and the Due Date and assignee should be updated? Or should this task be resolved? Thanks in advance.

dbarratt removed dbarratt as the assignee of this task.Nov 30 2020, 1:40 PM
dbarratt unsubscribed.
Tchanders closed this task as Resolved.Dec 3 2020, 1:13 PM
Tchanders claimed this task.
Niharika moved this task from Backlog to Closed on the IP Info board.Aug 8 2022, 8:02 PM
AGueyte mentioned this in T263442: Display API failure errors in the IPInfo popup.Aug 12 2022, 3:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL