
Block RESTBase cxserver v1 endpoints in favor of the new endpoints
Closed, Resolved, Public

Description

Background Information

After discussions on T372753: Decommission cxserver endpoints from RESTBase and investigations on the RESTBase codebase, we realised that cxserver v1 endpoints are not supported anymore and they should be removed from our infrastructure.

What

Like we did for MCS in T328036: MCS decommission (2023) we should block the requests before removing the code.

How

Block the following endpoints:

  • POST <domain>/api/rest_v1/transform/html/from/{from}
  • POST <domain>/api/rest_v1/transform/html/from/{from}/{provider}
  • GET <domain>/api/rest_v1/transform/word/from/{from}/{word}
  • GET <domain>/api/rest_v1/transform/word/from/{from}/{word}/{provider}
  • GET <domain>/api/rest_v1/page/segments/{title}
  • GET <domain>/api/rest_v1/page/segments/{title}/{revision}
  • POST <domain>/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang}
  • POST <domain>/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang}/{provider}
  • GET <domain>/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word}
  • GET <domain>/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word}/{provider}
  • GET <domain>/api/rest_v1/list/pair/{from}/{to}/
  • GET <domain>/api/rest_v1/list/tool/{tool}
  • GET <domain>/api/rest_v1/list/tool/{tool}/{from}/{to}
  • GET <domain>/api/rest_v1/list/languagepairs/

Why it is safe to block requests

It's safe to block the requests for the following reasons:

  • Looking at the requests data, example here, no relevant clients consume it and the majority of the requests are attempts to exploit the endpoint.
  • Clients already had time to migrate cxserver to v2, and there's no appetite to make further communications.
  • The endpoints are either not supported or broken.

Event Timeline

MSantos renamed this task from Block to [DRAFT] Block RESTBase cxserver v1 endpoints in favor of the new endpoints. Sep 25 2024, 12:04 PM

The cxserver API v2 end-points were introduced back in 2017 (383788: cxserver v2 apis | https://gerrit.wikimedia.org/r/c/mediawiki/services/cxserver/+/383788) but we never formally deprecated the v1 APIs.

We were looking at the clients of cxserver v1 endpoint, and noticed that Translate uses it, but not via RESTBase.

I think it should be safe to remove the cxserver RESTBase endpoint.

MSantos renamed this task from [DRAFT] Block RESTBase cxserver v1 endpoints in favor of the new endpoints to Block RESTBase cxserver v1 endpoints in favor of the new endpoints. Oct 29 2024, 1:33 PM
MSantos updated the task description.
MSantos added a subscriber: Jgiannelos.

I gather that we disable this at the CDN layer at any time, so I'll be doing it this week. Let me know if the timing is bad (or any other blockers).

I gather that we disable this at the CDN layer at any time, so I'll be doing it this week. Let me know if the timing is bad (or any other blockers).

That's right, you can proceed as there are no blockers.

Mentioned in SAL (#wikimedia-operations) [2024-11-20T09:38:15Z] <akosiaris> decommission cxserver endpoints /api/rest_v1/list/(pair|tool|languagepairs) from RESTBase T375616

akosiaris updated the task description.

I've gone ahead and blocked

GET <domain>/api/rest_v1/list/pair/{from}/{to}/
GET <domain>/api/rest_v1/list/tool/{tool}
GET <domain>/api/rest_v1/list/tool/{tool}/{from}/{to}
GET <domain>/api/rest_v1/list/languagepairs/

As a first easy step. HTTP status code is a 403 with a message CXServer decommissioned. See https://phabricator.wikimedia.org/T372753

I am going through the list and I think I've spotted a couple of errors. Namely the following lack a page part in the URL. Correct me if I am wrong.

| current | should be |
| --- | --- |
| GET <domain>/api/rest_v1/segments/{title} | GET <domain>/api/rest_v1/page/segments/{title} |
| GET <domain>/api/rest_v1/segments/{title}/{revision} | GET <domain>/api/rest_v1/page/segments/{title}/{revision} |

Furthermore the following (from transform-global.yaml) do not apply to any domain, but only to wikimedia.org. So we have the following table.

| current | should be |
| --- | --- |
| POST <domain>/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang} | POST wikimedia.org/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang} |
| POST <domain>/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang}/{provider} | POST wikimedia.org/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang}/{provider} |
| GET <domain>/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word} | GET wikimedia.org/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word} |
| GET <domain>/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word}/{provider} | GET wikimedia.org/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word}/{provider} |

@MSantos does the above look correct to you?

I just noticed that the wikimedia.org argument applies to

GET <domain>/api/rest_v1/list/pair/{from}/{to}/
GET <domain>/api/rest_v1/list/tool/{tool}
GET <domain>/api/rest_v1/list/tool/{tool}/{from}/{to}
GET <domain>/api/rest_v1/list/languagepairs/

as well. They aren't exposed in anything else, as far as I can tell, than wikimedia.org domain.

Mentioned in SAL (#wikimedia-operations) [2024-11-20T11:22:39Z] <akosiaris> decommission cxserver endpoints /api/rest_v1/transform/html/from, /api/rest_v1/transform/word/from from RESTBase T375616

[...]
@MSantos does the above look correct to you?

Yes, it does. Thanks for raising it.

akosiaris updated the task description.

All done. Resolving, hopefully we won't have to reopen.

Courtesy of requestctl, we have the following superset view we can monitor to see if someone tries to use those endpoints in the future.
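One way to sanity-check a block list like the one in this task before deploying it, as an added example that is not part of the task, of RESTBase or of requestctl: the endpoint templates, with the domain scoping agreed in the comments, are compiled into matchers and run against constructed sample requests. The names `BLOCKED`, `compile_rule` and `decide`, the exact-match treatment of the `wikimedia.org` host and the per-method matching are assumptions of this sketch.

```python
import re

# 403 body as quoted in the task comments.
MESSAGE = "CXServer decommissioned. See https://phabricator.wikimedia.org/T372753"

# (method, host scope, path template). "*" means any domain; "wikimedia.org"
# reflects the scoping correction from the thread (exact Host match is assumed).
BLOCKED = [
    ("POST", "*", "/api/rest_v1/transform/html/from/{from}"),
    ("POST", "*", "/api/rest_v1/transform/html/from/{from}/{provider}"),
    ("GET", "*", "/api/rest_v1/transform/word/from/{from}/{word}"),
    ("GET", "*", "/api/rest_v1/transform/word/from/{from}/{word}/{provider}"),
    ("GET", "*", "/api/rest_v1/page/segments/{title}"),
    ("GET", "*", "/api/rest_v1/page/segments/{title}/{revision}"),
    ("POST", "wikimedia.org", "/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang}"),
    ("POST", "wikimedia.org", "/api/rest_v1/transform/html/from/{from_lang}/to/{to_lang}/{provider}"),
    ("GET", "wikimedia.org", "/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word}"),
    ("GET", "wikimedia.org", "/api/rest_v1/transform/word/from/{from_lang}/to/{to_lang}/{word}/{provider}"),
    ("GET", "wikimedia.org", "/api/rest_v1/list/pair/{from}/{to}/"),
    ("GET", "wikimedia.org", "/api/rest_v1/list/tool/{tool}"),
    ("GET", "wikimedia.org", "/api/rest_v1/list/tool/{tool}/{from}/{to}"),
    ("GET", "wikimedia.org", "/api/rest_v1/list/languagepairs/"),
]


def compile_rule(method, host, template):
    """Turn a path template into an anchored regex; {param} matches one segment."""
    parts = template.strip("/").split("/")
    pattern = "/".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    # Anchoring both ends keeps neighbouring routes out; a trailing slash is optional.
    return method, host, re.compile("^/" + pattern + "/?$")


RULES = [compile_rule(*rule) for rule in BLOCKED]


def decide(method, host, path):
    """Return (403, MESSAGE) for a request on the block list, else None."""
    path = path.split("?", 1)[0]  # the query string is not part of the route
    for rule_method, rule_host, regex in RULES:
        if (rule_method == method.upper()
                and rule_host in ("*", host.lower())
                and regex.match(path)):
            return 403, MESSAGE
    return None
```

Running the uncorrected `/api/rest_v1/segments/{title}` path through `decide` returns `None`, which is the kind of gap the review of the list in the comments caught.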