Page MenuHomePhabricator
Create Task
Maniphest T344273

Add proxies, tunnels API endpoints to ipoid service
Closed, ResolvedPublic
Actions

Description

We want to be able to feed IP reputation data to our CDN caches. We're currently importing the data directly from the feed, but once iPoid is up and running, we'd like to be able to get the data from it instead of implementing a second feed import mechanism.

We would need the following endpoints:

  • /proxies returning a {LABEL: [ip1, ip2,...], LABEL2: ...} json map
  • /proxies/LABEL returning only the list of IPs
  • /vpns returning a similar map to the one returned by proxies, but for vpn tunnels
  • /vpns/LABEL again more of the above.

I would suggest we don't set up pagination from the start, as it shouldn't be needed IMHO.

Details

Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Add proxies, tunnels API endpoints to ipoid servicerepos/mediawiki/services/ipoid!49tsepothoabalaT344273-add-endpointsmain
Customize query in GitLab

Related Objects

Event Timeline

Tchanders created this task.Aug 15 2023, 5:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 15 2023, 5:00 PM
Tchanders added subscribers: SCherukuwada, Joe, acooper.Aug 15 2023, 5:01 PM
Joe renamed this task from Add proxies API endpoint to ipoid service to Add proxies, tunnels API endpoints to ipoid service.Aug 16 2023, 8:46 AM
Joe updated the task description. (Show Details)
kostajh subscribed.Aug 23 2023, 3:14 PM
TThoabala claimed this task.Aug 25 2023, 9:36 AM
CodeReviewBot added a project: Patch-For-Review.Aug 25 2023, 9:40 AM

tsepothoabala opened https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/49

Add proxies, tunnels API endpoints to ipoid service

TThoabala moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Aug 25 2023, 9:41 AM
kostajh mentioned this in T345151: Support capability to inform WMF tools about new, removed, and updated information .Aug 29 2023, 12:47 PM
STran moved this task from Backlog to In Progress on the iPoid-Service board.Aug 29 2023, 6:11 PM
TThoabala moved this task from Code Review 🔍 to In Progress 💪 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Aug 30 2023, 4:34 PM
TThoabala moved this task from In Progress 💪 to Code Review 🔍 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Sep 6 2023, 3:38 PM
TThoabala mentioned this in T345747: Create Tests for v1 endpoints.Sep 6 2023, 3:44 PM
TThoabala added a comment.Sep 6 2023, 3:46 PM

I have created a separate ticket to write tests on T345747

CodeReviewBot added a comment.Sep 7 2023, 12:36 PM

stran merged https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/49

Add proxies, tunnels API endpoints to ipoid service

Maintenance_bot removed a project: Patch-For-Review.Sep 7 2023, 1:11 PM
AGueyte moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Sep 7 2023, 5:29 PM
dom_walden subscribed.EditedSep 19 2023, 7:10 AM

@TThoabala I am finding the requests to /vpns and /vpn/:label can be very slow.

I imported part of the Spur data, about 600000 rows in actor_data. Because the tunnels table did not have anything in the type column (see T346634), I set it to VPN in every row. This might not be realistic.

Calls to /vpn/:label can take anywhere from a few seconds to 30 minutes.

For example, /vpn/ABCPROXY_PROXY takes about 10 minutes (I ran the request in both curl and querying the database directly). It only returns 139 IPs.

/vpn/LUMINATI_PROXY took about 30 minutes and returned ~1300 IPs.

The call to /vpns took over 10 minutes before I cancelled it.

This is running on docker.

dom_walden added a comment.Sep 19 2023, 9:02 AM

The :label in /vpn/:label refers to a proxy (from the proxies table) not to a tunnel operator (operator column in the tunnels table). Is this right? What if an IP has multiple proxies but one tunnel? Is it assumed the tunnel operator is running all the proxies? What about multiple tunnels but one proxy?

STran mentioned this in T345156: DBA audit of ipoid database.Sep 19 2023, 9:33 AM
dom_walden added a comment.Sep 20 2023, 6:33 AM

With a large amount of data, sometimes the numbers of IPs returned for a particular proxy is different depending whether you call /proxies or /proxy/:label.

For example, importing the attached data, the number of IPs for the LUMINATI_PROXY is 74232 for /proxies but is 99858 for /proxy/LUMINATI_PROXY.

I haven't tested yet whether a similar thing happens for vpns.

{F37741556}

dom_walden added a comment.Sep 20 2023, 7:37 AM

The results of /vpn/:label and /vpns sometimes include duplicate IP addresses.

For example, with the test data from T344273#9181633, /vpn/LUMINATI_PROXY produces duplicates for 5 IPs (I won't mention which they are here). The same duplicate IPs appear for that proxy in /vpns.

dom_walden moved this task from QA/Testing 🐞 to Blocked/Stalled 🚧 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.EditedSep 20 2023, 2:32 PM

Further testing of the accuracy of the data returned by the new endpoints is hard due to T346643 (meaning I cannot reliably import data to test), the performance issues in T344273#9177308 and (to a lesser extent) T346634. Moving to blocked just for now.

Aklapper removed TThoabala as the assignee of this task.Oct 9 2023, 1:00 AM
Aklapper added a subscriber: TThoabala.

Removing inactive task assignee (please do so as part of offboarding steps).

Tchanders added a comment.Oct 11 2023, 2:34 PM
In T344273#9183303, @dom_walden wrote:

Further testing of the accuracy of the data returned by the new endpoints is hard due to T346643 (meaning I cannot reliably import data to test),

This was fixed (a duplicate task was filed and cited in the commit message, so I've merged the original in as a duplicate).

the performance issues in T344273#9177308

These should hopefully be fixed by that patches to T345156: DBA audit of ipoid database

and (to a lesser extent) T346634. Moving to blocked just for now.

This was half fixed, and the other half is up for discussion (see comment on the task for more info).

@dom_walden The actual issues you found via testing haven't been fixed yet. Do you think we should wait for those to be fixed before further QA?

dom_walden moved this task from Blocked/Stalled 🚧 to QA/Testing 🐞 on the Anti-Harassment-Team (AHaT Sprint 32 - Baseball Cap) board.Oct 12 2023, 1:53 PM
In T344273#9243228, @Tchanders wrote:

@dom_walden The actual issues you found via testing haven't been fixed yet. Do you think we should wait for those to be fixed before further QA?

Thanks. I will raise the remaining bugs separately and move this back into the QA column.

In T344273#9181633, @dom_walden wrote:

With a large amount of data, sometimes the numbers of IPs returned for a particular proxy is different depending whether you call /proxies or /proxy/:label.

Raised as T348745.

STran moved this task from In Progress to Blocked on the iPoid-Service board.Oct 17 2023, 8:15 AM
Tchanders moved this task from Blocked to QA on the iPoid-Service board.Oct 24 2023, 3:25 PM
Tchanders added a project: Trust and Safety Product Sprint.Oct 27 2023, 10:42 AM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Bodhrán); removed Trust and Safety Product Sprint.Oct 30 2023, 4:42 PM
dom_walden moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Bodhrán) board.Oct 30 2023, 4:42 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Bodhrán) board.Nov 1 2023, 3:36 PM

So far, the only bug I have found is T348745. More testing will be done after the fix for that.

But, otherwise, the IPs being returned from the API have been accurate.

I note that:

  • /proxies and /proxy/:label returns information for client.proxies
  • /vpns and /vpn/:label returns information for tunnels of type VPN

We don't do anything with tunnels of type PROXY.

I also don't know if these API endpoints need documenting more publicly than in code comments. Perhaps if they are only used by SRE it does not matter.

Testing script: https://gitlab.wikimedia.org/dwalden/ipmasking-testing/-/blob/main/ipoid_api_accuracy.py

STran closed this task as Resolved.Dec 12 2023, 8:39 AM
STran claimed this task.
STran moved this task from QA to Done on the iPoid-Service board.Jan 17 2024, 12:42 PM
kostajh mentioned this in T358448: Support pagination of results.Feb 25 2024, 6:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits