Page MenuHomePhabricator
Create Task
Maniphest T373778

NetworkSession and AbuseFilter may be spammy
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

Reported at https://www.mediawiki.org/wiki/Topic:Ybk8j4rz9c0v7ta4

It is unclear what the resolution should be but it appears that a particular set of AbuseFilter rules (autocreateaccount) and the use of an NetworkSession auth scheme will cause AbuseFilter to believe that an account was created automatically.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
auth: Pass canAlwaysAutocreate from session to pre-auth providersmediawiki/coremaster+11 -0
Skip auth checks when autocreate is allowed by providermediawiki/extensions/AbuseFiltermaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

dcausse created this task.Sep 2 2024, 7:27 AM
Restricted Application added a project: Discovery-Search. · View Herald TranscriptSep 2 2024, 7:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Ferien subscribed.Sep 2 2024, 10:04 AM
Gehel moved this task from needs triage to Current work on the Discovery-Search board.Sep 2 2024, 3:16 PM
Gehel edited projects, added Discovery-Search (Current work); removed Discovery-Search.
Gehel set the point value for this task to 3.Sep 2 2024, 3:22 PM
Gehel moved this task from Incoming to Ready for Dev -- SWE on the Discovery-Search (Current work) board.
Bugreporter subscribed.Sep 2 2024, 7:29 PM

A long-term solution is T354487: Apply local policy during CentralAuth autocreation as a "block" (logged-in) instead of "prevent" (logged-out). For now, you can force create local account in that wiki as a workaround.

Pppery mentioned this in T373826: NetworkSessionProvider / CirrusSearch Streaming Updater causing 'session' log spam and possibly Sessionstore (Kask) problems.Sep 2 2024, 11:58 PM
matmarex subscribed.Sep 3 2024, 12:15 AM
EBernhardson subscribed.Sep 3 2024, 9:22 PM

I tried creating the account with the createAndPromote.php script, but it gets rejected in the same way that the normal account creation gets rejected. I'm not sure how else to go about creating the account?

Bugreporter added a comment.Sep 4 2024, 12:02 AM

Did Special:CreateLocalAccount work?

EBernhardson added a comment.EditedSep 4 2024, 1:25 PM
In T373778#10115576, @Bugreporter wrote:

Did Special:CreateLocalAccount work?

Nope, I'm not an admin or a steward. Any of my "elevated" access is primarily through shell access. I could plausibly temporarily grant myself admin, but not sure that's appropriate.

Tacsipacsi subscribed.Sep 4 2024, 7:49 PM
Pppery subscribed.Sep 4 2024, 9:57 PM

This is moot now, given NetworkSession being disabled in T373826, but the correct maintenance script to run appears to be createLocalAccount.php from the CentralAuth extension, not createAndPromote.php from core.

Tgr subscribed.Sep 5 2024, 12:09 AM

How does AbuseFilter prevent autocreation? Permission checks should be skipped since NetworkSession returns true for canAlwaysAutocreate().

Pppery added a comment.Sep 5 2024, 12:35 AM

It uses a preAuthenticationProvider, defining both testForAccountCreation and testUserForCreation. Code at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/AbuseFilter/+/refs/heads/master/includes/AbuseFilterPreAuthenticationProvider.php

Tgr added a comment.Sep 5 2024, 1:56 AM

Hm, I guess we can't just skip testUserForCreation, it's used for non-permission-related things like preventing CentralAuth username conflicts. So the way to go is probably to pass in the "can always autocreate" flag and let the provider decide what's appropriate.

@EBernhardson do you want to make a patch for that?

gerritbot added a comment.Sep 5 2024, 6:16 PM

Change #1071013 had a related patch set uploaded (by Ebernhardson; author: Ebernhardson):

[mediawiki/core@master] auth: Pass canAlwaysAutocreate from session to pre-auth providers

https://gerrit.wikimedia.org/r/1071013

gerritbot added a project: Patch-For-Review.Sep 5 2024, 6:16 PM

Change #1071014 had a related patch set uploaded (by Ebernhardson; author: Ebernhardson):

[mediawiki/extensions/AbuseFilter@master] Skip auth checks when autocreate is allowed by provider

https://gerrit.wikimedia.org/r/1071014

EBernhardson moved this task from Ready for Dev -- SWE to Needs review on the Discovery-Search (Current work) board.Sep 5 2024, 7:57 PM
gerritbot added a comment.Sep 6 2024, 1:16 AM

Change #1071014 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] Skip auth checks when autocreate is allowed by provider

https://gerrit.wikimedia.org/r/1071014

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.22; 2024-09-10).Sep 6 2024, 2:00 AM
gerritbot added a comment.Sep 9 2024, 4:04 AM

Change #1071013 merged by jenkins-bot:

[mediawiki/core@master] auth: Pass canAlwaysAutocreate from session to pre-auth providers

https://gerrit.wikimedia.org/r/1071013

Maintenance_bot removed a project: Patch-For-Review.Sep 9 2024, 4:30 AM
Gehel triaged this task as High priority.Sep 9 2024, 2:05 PM
Gehel assigned this task to EBernhardson.Sep 9 2024, 3:20 PM
Gehel moved this task from Needs review to To Be Deployed on the Discovery-Search (Current work) board.
dr0ptp4kt moved this task from To Be Deployed to Needs Reporting on the Discovery-Search (Current work) board.Sep 16 2024, 3:07 PM
matmarex mentioned this in T374987: "Account autocreation denied for CirrusSearch Streaming Updater by ClosedWikiProvider".Sep 17 2024, 5:04 PM
jeremyb-phone subscribed.Sep 20 2024, 6:13 AM
Gehel closed this task as Resolved.Sep 20 2024, 8:57 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits