
[api-gateway] https://api.svc.toolforge.org endpoint given in OpenAPI spec returns 403 forbidden errors
Closed, Resolved · Public · BUG REPORT

Description

Unclear if this is a configuration error or a documentation error.

The OpenAPI spec at https://api-docs.toolforge.org/openapi.json gives https://api.svc.toolforge.org/ as the API root. I am unable to auth to this endpoint:

tools.anomiebot@tools-bastion-12:~$ curl -k --cert ~/.toolskube/client.crt --key ~/.toolskube/client.key "https://api.svc.toolforge.org/jobs/v1/tool/anomiebot/jobs"
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.21.0</center>
</body>
</html>

The https://wikitech.wikimedia.org/wiki/Help:Toolforge/API#Authentication example gives https://api.svc.tools.eqiad1.wikimedia.cloud:30003 as the root. I am able to authenticate to this endpoint:

tools.anomiebot@tools-bastion-12:~$ curl -k --cert ~/.toolskube/client.crt --key ~/.toolskube/client.key "https://api.svc.tools.eqiad1.wikimedia.cloud:30003/jobs/v1/tool/anomiebot/jobs"
{"jobs":[...],"messages":{}}

Event Timeline

Restricted Application added a subscriber: Aklapper.

Yep, that is the external endpoint, for which certificate-based auth is not allowed, the other is internal, for which it works, if you were using the token aouth, or getting a non-authed endpoint to t would work. We should probably add that to the spec though, if it's not there (haven't checked).

I don't see anything on https://wikitech.wikimedia.org/wiki/Help:Toolforge/API about OAuth authentication.

The OpenAPI spec at https://api-docs.toolforge.org/openapi.json does not appear to have any securitySchemes documented to inform the caller how to auth to the various endpoints marked with security: [APIKeyHeader:[]].

> I don't see anything on https://wikitech.wikimedia.org/wiki/Help:Toolforge/API about OAuth authentication.

Yep, there's no other authentication than deployment tokens right now through the public endpoint.

I added some extra info and clarification to that page, feel free to rephrase/edit.

> The OpenAPI spec at https://api-docs.toolforge.org/openapi.json does not appear to have any securitySchemes documented to inform the caller how to auth to the various endpoints marked with security: [APIKeyHeader:[]].

That's left undefined currently as there's no external authentication method for the API yet. The header auth comes from the internal APIs, that expect a header for authentication passed down from the api gateway. Probably would make sense to remove/hide that though. Feel free also to send patches to it (https://gitlab.wikimedia.org/repos/cloud/toolforge/api-gateway/ would be the final generator of that info).

I wonder if the OpenAPI spec should be changed for now to point to the internal endpoint and give the x509 auth information? The wiki page says "You can see a detailed up-to-date description of the methods and details on how to use them in the api-docs.toolforge.org tool.", but then that spec actually gives bad information about the "how" part by referencing an endpoint that does not yet work and leaving out the authorization information.
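The spec gap discussed in this thread (operations marked `security: [APIKeyHeader:[]]` with no matching `securitySchemes` entry) can be caught mechanically. The following is an added example, not part of the task discussion or of the Toolforge code; the embedded spec is a constructed sample, and its `/jobs/v1/healthz` path is hypothetical.

```python
import json

# Constructed sample shaped like the situation in this task: operations
# reference an "APIKeyHeader" scheme that components never defines.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "servers": [{"url": "https://api.svc.toolforge.org/"}],
  "paths": {
    "/jobs/v1/tool/{toolname}/jobs": {
      "get": {"security": [{"APIKeyHeader": []}]},
      "post": {"security": [{"APIKeyHeader": []}]}
    },
    "/jobs/v1/healthz": {"get": {"security": []}}
  },
  "components": {"schemas": {}}
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def undefined_security_refs(spec):
    """Return {scheme_name: [(METHOD, path), ...]} for every security
    requirement naming a scheme absent from components.securitySchemes."""
    defined = set((spec.get("components") or {}).get("securitySchemes") or {})
    missing = {}

    def check(requirements, where):
        for requirement in requirements or []:
            for name in requirement:
                if name not in defined:
                    missing.setdefault(name, []).append(where)

    # Top-level security applies to operations that do not override it.
    check(spec.get("security"), ("*", "*"))
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                check(op.get("security"), (method.upper(), path))
    return missing


if __name__ == "__main__":
    print("servers:", [s["url"] for s in SAMPLE_SPEC.get("servers", [])])
    for name, uses in undefined_security_refs(SAMPLE_SPEC).items():
        print(f"undefined scheme {name!r} used by {len(uses)} operation(s): {uses}")
```

Run as a CI step against the generated `openapi.json`, a non-empty result means callers are being told an endpoint requires auth without being told how to supply it.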

dcaro changed the task status from Open to In Progress. · Aug 25 2025, 11:27 AM
dcaro claimed this task.
dcaro edited projects, added: Toolforge (Toolforge iteration 23); removed: Toolforge.
dcaro moved this task from Next Up to In Review on the Toolforge (Toolforge iteration 23) board.

group_203_bot_f4d95069bb2675e4ce1fff090c1c1620 updated https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/941

api-gateway: bump to 0.0.78-20250902142533-4768f899

dcaro renamed this task from https://api.svc.toolforge.org endpoint given in OpenAPI spec returns 403 forbidden errors to [api-gateway] https://api.svc.toolforge.org endpoint given in OpenAPI spec returns 403 forbidden errors. · Sep 2 2025, 3:35 PM
dcaro closed this task as Resolved.
dcaro moved this task from In Review to Done on the Toolforge (Toolforge iteration 24) board.