Page MenuHomePhabricator
Create Task
Maniphest T333541

Add CentralAuth to gated extensions
Open, Stalled, Needs TriagePublic
Actions

Description

T331602: Make $wgHooks a regular configuration variable caused numerous extensions to fail due to CentralAuth not being included in the gated extensions list.

T252244: CentralAuth extension: Code stewardship review outlines numerous issues with the extension; the relevant one to us is:

Regularly at high risk of breakage. Its code is among the oldest and least maintained. It is at constant risk of breakage due to being very different from our current principles. E.g. if you change something in core or far away from it in an extension, there's a good chance that if no reasable extension could be affected by your change, CentralAuth will be. This leads to train blockers, which tend to take days to be seen by anyone given no team (officially) looks after CentralAuth.

So, let's add it so that we catch issues in CI, rather than in train deployments

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
zuul: Add CentralAuth to gatedextensionsintegration/configmaster+2 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.Mar 30 2023, 10:46 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 30 2023, 10:46 AM
kostajh claimed this task.Mar 30 2023, 10:46 AM
kostajh added a subscriber: hashar.
gerritbot added a comment.Mar 30 2023, 10:47 AM

Change 904497 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[integration/config@master] zuul: Add CentralAuth to gatedextensions

https://gerrit.wikimedia.org/r/904497

gerritbot added a project: Patch-For-Review.Mar 30 2023, 10:47 AM
kostajh mentioned this in T333535: SpecialPageFatalTest::testSpecialPageDoesNotFatal.Mar 30 2023, 10:47 AM
taavi subscribed.Mar 30 2023, 12:02 PM

I've asked about this before, and my understanding is that the presence of CA completely breaks most of core's authentication tests.

Jdforrester-WMF subscribed.Mar 30 2023, 12:44 PM

Yeah, this was previously declined sadly for that reason. :-( In the magical post-GitLab world I suppose we could build a new CI runner that runs multiple configuration suites in parallel, with and without CentralAuth?

Jdforrester-WMF added a parent task: T249674: Have all Wikimedia production extensions and skins in the CI gate.Mar 30 2023, 12:45 PM
hashar added a comment.Mar 30 2023, 12:48 PM
In T333541#8741475, @taavi wrote:

I've asked about this before, and my understanding is that the presence of CA completely breaks most of core's authentication tests.

CentralAuth replaces mediawiki/core authentication system, that breaks other extensions (and mediawiki authentication related tests as well). Adding CentralAuth has been proposed previously via T321864 and declined. There are also poor interactions between extensions which prevent us from adding some cause they will break test for other extensions.

That being said, we could imagine a system in which mediawiki/core auth related tests will set a known working state to prevent CentralAuth code from interacting. Then I have no idea how CentralAuth overrides MediaWiki authentication system, if it is solely via hooks and config system, I guess the mediawiki/core tests can set them to known good values discarding the CentralAuth config.

We can add an experimental job at least if one wants to investigate.

Novem_Linguae subscribed.Apr 6 2023, 10:56 AM
gerritbot added a comment.Apr 12 2023, 8:42 AM

Change 904497 abandoned by Hashar:

[integration/config@master] zuul: Add CentralAuth to gatedextensions

Reason:

https://gerrit.wikimedia.org/r/904497

Maintenance_bot removed a project: Patch-For-Review.Apr 12 2023, 9:10 AM
kostajh closed this task as Declined.Apr 19 2023, 2:23 PM
Lucas_Werkmeister_WMDE mentioned this in T344536: Drop old RDBMS class aliases from MW 1.28.Aug 29 2023, 11:10 AM
Tgr reopened this task as Stalled.May 21 2024, 8:02 AM
Tgr subscribed.

We should revisit this, it's bad not to test the Wikimedia authentication stack for changes. (Latest CI break was T365403: CentralAuthApiSessionProviderTest::testUserScriptsDisabled is failing in CI, but a CI break is not the worst that can happen. E.g. at some point central login was partially broken because another extension overrode a hook used by CentralAuth.)

I think if you unset $wgCentralAuthLoginWiki and $wgCentralAuthCookies that essentially disables CentralAuth.

We are likely to work on T359116: Split up CentralAuth into smaller extensions some time this (calendar) year so probably not worth doing anything before that though. Also, right now CentralAuth doesn't have good browser tests so that's probably the more urgent problem to solve.

ArielGlenn subscribed.May 21 2024, 9:03 AM
Tgr added a parent task: T204252: Have dependencies of gated extensions in the gate.May 21 2024, 10:32 AM

I suspect T358985: Admin account created by the installer isn't made global by CentralAuth is one thing we'd have to figure out to avoid causing issues in other extensions' tests.

kostajh removed kostajh as the assignee of this task.May 27 2024, 8:59 AM
Daimona mentioned this in T387148: MediaWiki core selenium test "Special:RecentChanges shows page creation" fails consistently when CentralAuth loaded in CI.Feb 24 2025, 6:46 PM
Daimona mentioned this in T393178: SpecialGlobalContributionsTest::testExecuteForIPWhenEndTimestampHidesSomeRevisions failures in other extensions' build.May 2 2025, 1:57 PM
A_smart_kitten subscribed.May 2 2025, 2:13 PM
Daimona mentioned this in T389998: Allow control over which extra extensions are installed (Math REL1_43 jobs exceed 60min timeout).May 7 2025, 11:52 AM
Urbanecm_WMF mentioned this in T397193: New accounts created from editor redirect to welcome survey, not back to editor.Aug 20 2025, 10:40 PM
Urbanecm_WMF mentioned this in T402719: Write an automated test to ensure users creating a new account from the editor are redirected back to the editor, not to Welcome survey.Aug 23 2025, 3:57 PM
Daimona mentioned this in T406357: MediaWiki core interface change breaks CentralAuth.Oct 3 2025, 4:18 PM
Jdforrester-WMF added a comment.Oct 3 2025, 5:17 PM

Can I suggest either re-purposing this task, or creating a different one, for "Provide a CI job that runs against all MediaWiki patches and stops them from merging if it breaks CentralAuth's tests"? As CA is such a critical part of our infrastructure, maybe we should just create a bespoke job for that?

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptOct 3 2025, 5:17 PM
Tgr added a comment.Oct 4 2025, 8:37 PM

Isn't that the same thing as adding it to the gated extensions? Or do you mean MediaWiki core patches only?

Historically I think the concern was slowing CI down. Now that tests are parallelized, that's probably not that much of an issue.

Jdforrester-WMF added a comment.Oct 6 2025, 4:31 PM
In T333541#11243876, @Tgr wrote:

Isn't that the same thing as adding it to the gated extensions? Or do you mean MediaWiki core patches only?

No, I mean a new CI job, not adding it to the list in gated extensions.

Historically I think the concern was slowing CI down. Now that tests are parallelized, that's probably not that much of an issue.

No, that's the general concern about the gate; for CA, the problem is that CA disables regular MW login and so (a) stops us from testing critical functionality in MW, like log-in to officewiki, and (b) can break some extensions' tests (IIRC, browser tests are affected).

Tgr mentioned this in T406582: Block the merging of patches to MediaWiki core that would break CentralAuth tests.Oct 7 2025, 1:13 PM

Right, the PHPUnit code overrides CentralAuth and restores the core authentication provider, but that does not help browser tests. (Plus, probably there are still minor ways where CentralAuth might conflict with other things, via hooks etc.)

I still think we should work out how to run CentralAuth in a more compatible way, as there have been examples of patches to other extensions breaking CentralAuth (and occasionally causing problems in production that took an embarrassingly long time to notice and fix), so running CA tests on core patches isn't always sufficient. But that's a more complicated problem.

Filed as T406582: Block the merging of patches to MediaWiki core that would break CentralAuth tests.

JTweed-WMF moved this task from Inbox, needs triage to Waiting on the MediaWiki-Platform-Team board.Oct 13 2025, 2:37 PM
Daimona subscribed.Oct 14 2025, 9:28 PM
Michael subscribed.Dec 23 2025, 4:13 PM
hashar mentioned this in T416456: Lcobucci\JWT\Signer\InvalidKeyProvided: Key cannot be empty (/w/rest.php/oauth2/access_token).Wed, Feb 4, 12:53 PM
hashar mentioned this in T249674: Have all Wikimedia production extensions and skins in the CI gate.Wed, Feb 11, 9:18 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits