Page MenuHomePhabricator
Create Task
Maniphest T376176

Stashbot needs new owner-only OAuth grant following Wikitech config change
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):
!log something

What happens?:
Failed to log message to wiki. Somebody should check the error logs.

What should have happened instead?:
A successful Wikitech edit

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):
Likely needs a password reset due to T371374: mediawiki-config: consolidate labswiki/T161859: Make Wikitech an SUL wiki, see https://wikitech.wikimedia.org/wiki/Wikitech/SUL-migration

Related Objects
Search...

Event Timeline

AntiCompositeNumber created this task.Oct 1 2024, 4:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 1 2024, 4:21 PM
AntiCompositeNumber added a subtask: T376140: Setting new password at wikitech does not work.Oct 1 2024, 4:39 PM
bd808 subscribed.Oct 1 2024, 4:41 PM
Error writing to wiki
Traceback (most recent call last):
  File "/data/project/stashbot/stashbot/sal.py", line 204, in log
    url = self._write_to_wiki(bang, channel_conf)
  File "/data/project/stashbot/stashbot/sal.py", line 350, in _write_to_wiki
    page = site.get_page(channel_conf["page"] % bang)
  File "/data/project/stashbot/stashbot/mediawiki.py", line 69, in get_page
    page = self.site.Pages[title]
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/listing.py", line 237, in __getitem__
    return self.get(name, None)
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/listing.py", line 268, in get
    return cls(self.site, full_page_name, info)
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/page.py", line 31, in __init__
    info = self.site.get('query', prop=prop, titles=name,
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 302, in get
    return self.api(action, 'GET', *args, **kwargs)
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 363, in api
    if self.handle_api_result(info, sleeper=sleeper):
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 420, in handle_api_result
    raise errors.APIError(info['error']['code'],
mwclient.errors.APIError: ('mwoauth-invalid-authorization', 'The authorization headers in your request are not valid: Invalid consumer', 'See https://wikitech.wikimedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes.')
bd808 added a comment.Oct 1 2024, 4:52 PM

There is a https://meta.wikimedia.org/wiki/Special:CentralAuth/Stashbot account that the Wikitech local https://wikitech.wikimedia.org/wiki/User:Stashbot account should be attached to. The bot itself is using an owner-only OAuth grant to edit at Wikitech.

bd808 added a comment.Oct 1 2024, 4:56 PM

I think the root cause of this is that Wikitech is no longer configured to have a local OAuth registry. The same problem is going to affect all of the bots that were using owner-only OAuth to edit Wikitech.

bd808 added a comment.Oct 1 2024, 5:03 PM

Taavi did magic in P69441 to attach Stashbot's SUL account to Wikitech.

bd808 added a comment.Oct 1 2024, 5:05 PM
In T376176#10192961, @bd808 wrote:

I think the root cause of this is that Wikitech is no longer configured to have a local OAuth registry. The same problem is going to affect all of the bots that were using owner-only OAuth to edit Wikitech.

These OAuth consumers are now orphaned:

wikiadmin2023@10.192.21.14(labswiki)> select oarc_name from oauth_registered_consumer;
+----------------------------------------+
| oarc_name                              |
+----------------------------------------+
| BryanDavis                             |
| BryanDavis                             |
| DeploymentCalendar                     |
| DeploymentCalendarTool                 |
| Gitlabaccountapprovalbot               |
| MABot                                  |
| MABot                                  |
| Phabbanbot                             |
| ROSEdu challenge                       |
| ScheduleDeploymentBot                  |
| Striker                                |
| Tool Labs admin console                |
| Wikitech double redirect bot Pywikibot |
| dcaro-pywikibot                        |
| make-deployments-calendar (Samtar)     |
| marcoaurelio-adminbot                  |
| schedule-deployment personal test      |
| schedule-deployment personal test      |
| stashbot                               |
| tf-image-bot                           |
| tf-image-bot-self                      |
| wmfkeystonehooks                       |
+----------------------------------------+
22 rows in set (0.001 sec)
bd808 added a project: wikitech.wikimedia.org.Oct 1 2024, 5:06 PM
bd808 added a subtask: T292707: ☂ Migrate Wikitech to Kubernetes.Oct 1 2024, 5:08 PM
bd808 added a comment.Oct 1 2024, 5:21 PM

OAuth issue split out to T376188: OAuth consumers registered locally at Wikitech are no longer configured to be used

Stashbot added a comment.Oct 1 2024, 5:26 PM

Mentioned in SAL (#wikimedia-cloud) [2024-10-01T17:26:53Z] <wmbot~bd808@tools-bastion-12> Switched OAuth credentials (T376176)

bd808 added a comment.Oct 1 2024, 5:37 PM

I created a new owner-only consumer grant at https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/9d357563021064fb204d827a8c8479bb and reconfigured the bot to use those credentials. Attempts to use the new credentials are also failing:

Error writing to wiki
Traceback (most recent call last):
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 188, in __init__
    self.site_init()
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 211, in site_init
    meta = self.get('query', meta='siteinfo|userinfo',
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 302, in get
    return self.api(action, 'GET', *args, **kwargs)
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 363, in api
    if self.handle_api_result(info, sleeper=sleeper):
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 420, in handle_api_result
    raise errors.APIError(info['error']['code'],
mwclient.errors.APIError: ('mwoauth-invalid-authorization', 'The authorization headers in your request are not valid: Invalid consumer', 'See https://wikitech.wikimedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/&gt; for notice of API deprecations and breaking changes.')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/data/project/stashbot/stashbot/sal.py", line 204, in log
    url = self._write_to_wiki(bang, channel_conf)
  File "/data/project/stashbot/stashbot/sal.py", line 349, in _write_to_wiki
    site = self._get_mediawiki_client(channel_conf["wiki"])
  File "/data/project/stashbot/stashbot/sal.py", line 386, in _get_mediawiki_client
    self._cached_wikis[name] = mediawiki.Client(
  File "/data/project/stashbot/stashbot/mediawiki.py", line 39, in __init__
    self.site = self._site_for_url(
  File "/data/project/stashbot/stashbot/mediawiki.py", line 57, in _site_for_url
    return mwclient.Site(
  File "/data/project/stashbot/venv-k8s-py39/lib/python3.9/site-packages/mwclient/client.py", line 191, in __init__
    raise errors.OAuthAuthorizationError(self, e.code, e.info)
mwclient.errors.OAuthAuthorizationError: The authorization headers in your request are not valid: Invalid consumer
Stashbot added a comment.Oct 1 2024, 5:44 PM

Mentioned in SAL (#wikimedia-cloud) [2024-10-01T17:44:09Z] <wmbot~bd808@tools-bastion-12> Switched OAuth credentials in the proper config file this time (T376176)

bd808 renamed this task from stashbot logging to Wikitech fails because of SUL migration to Stashbot needs new owner-only OAuth grant following Wikitech config change.Oct 1 2024, 6:10 PM
bd808 added a parent task: T376188: OAuth consumers registered locally at Wikitech are no longer configured to be used .
Ladsgroup closed subtask T376140: Setting new password at wikitech does not work as Resolved.Oct 1 2024, 6:12 PM
bd808 closed this task as Resolved.Oct 1 2024, 6:12 PM
bd808 claimed this task.
Restricted Application added a project: User-bd808. · View Herald TranscriptOct 1 2024, 6:12 PM
jijiki removed a subtask: T292707: ☂ Migrate Wikitech to Kubernetes.Oct 1 2024, 7:33 PM
aborrero reopened subtask T376140: Setting new password at wikitech does not work as Open.Oct 2 2024, 8:44 AM
Ladsgroup closed subtask T376140: Setting new password at wikitech does not work as Resolved.Oct 2 2024, 10:51 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits