Page MenuHomePhabricator
Create Task
Maniphest T78314

Add tests against beta to catch OAuth integration issues
Open, MediumPublic
Actions

Description

Based on past experience, these tests would be nice:

  • smoke test to try an API query with a pre-authorized provider (on beta, possibly prod as well)
  • smoke test to try /identify with a pre-authorized provider (on beta, possibly prod as well)
  • smoke test to try an API query with an owner-only provider (on beta, possibly prod as well)
  • browser test to create normal consumer (on CI)
  • browser test to create owner-only consumer (on CI)
  • maybe security tests? (wrong stage, wrong key, wrong wiki, wrong grant)

@Anomie's Hello World app is probably a good target for the smoke tests.

Related Objects
Search...

Event Timeline

csteipp created this task.Dec 11 2014, 5:41 PM
csteipp claimed this task.
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: MediaWiki-extensions-OAuth.
csteipp changed Security from none to None.
csteipp subscribed.
Aklapper triaged this task as Medium priority.Mar 17 2015, 10:56 AM
Tgr added a project: Browser-Tests-Infrastructure.Jun 23 2015, 12:31 AM
Tgr subscribed.

Do we really need a browser test for this? Those are the most expensive to develop and maintain and the least helpful when they break.

I can see the need for browser tests for the authorization dialog as that's nontrivial UI and essential functionality; for anything else, I would just use integration tests that create / recall some objects.

csteipp lowered the priority of this task from Medium to Low.Jun 23 2015, 4:31 PM

More integration tests would definitely help!

I made this to specifically test the /authorize dialog, since that's by far the most used UI element (all users have to go through it each time they approve something). The problem is that to test it, we need a request token, so we need a consumer in the DB and the code to generate the request token by hitting /initialize... which all gets complicated.

Maybe focus on adding a few integration tests in phpunit first, and then we can decide if this is still needed.

Tgr renamed this task from Add browser tests against beta to catch integration issues to Add tests against beta to catch OAuth integration issues.Jun 23 2015, 6:12 PM
Tgr added a comment.Jun 23 2015, 6:20 PM

The problem is that to test it, we need a request token, so we need a consumer in the DB and the code to generate the request token by hitting /initialize... which all gets complicated.

One thing we could do is set up a test consumer and a test application page which can just live on beta/testwiki/vagrant permanently (https://gerrit.wikimedia.org/r/#/c/210036/ does something like that for vagrant). The browser test would navigate to the application page, press a button, get redirected to the authorization dialog, verify it's there, press OK, verify it ended ap on the app's confirmation page. That's a bit of work and the browser test would be somewhat fragile (as it would test both OAuth and the test app) but very simple.

At any rate, browser tests are usually the highest-hanging fruit, so starting with integration tests is definitely the right approach.

Tgr added a comment.EditedJul 10 2015, 6:12 PM

T105387 is another good example of an outage that should have been caught by a smoke test.

zeljkofilipin moved this task from Inbox to Tracking MediaWiki Bug on the Browser-Tests-Infrastructure board.Nov 2 2015, 4:09 PM
zeljkofilipin moved this task from Tracking MediaWiki Bug to Tracking MediaWiki Feature on the Browser-Tests-Infrastructure board.Nov 2 2015, 4:37 PM
zeljkofilipin edited projects, added Browser-Tests; removed Browser-Tests-Infrastructure.Nov 6 2015, 5:40 PM
Tgr added a comment.Oct 27 2016, 3:26 AM

A python smoke test looks something like this:

import requests
from requests_oauthlib import OAuth1
from jose import jwt
auth = OAuth1(consumer_key, consumer_secret, access_token, access_secret)
r = requests.get('https://en.wikipedia.beta.wmflabs.org/w/api.php', params={'format': 'json', 'action': 'query', 'meta': 'userinfo'}, auth=auth)
data = r.json()
assert(data['query']['userinfo']['name'] == username)
r = requests.get('https://en.wikipedia.beta.wmflabs.org/w/index.php', params={'title': 'Special:OAuth/identify'}, auth=auth)
data = jwt.decode(r.text, consumer_secret, options={'verify_signature': False, 'verify_aud': False, 'verify_iat': False, 'verify_exp': False, 'verify_nbf': False, 'verify_iss': False, 'verify_sub': False, 'verify_jti': False})
assert(data['username'] == username)

Testing the authorization flow will require a proper browser test.

Tgr updated the task description. (Show Details)Jan 17 2017, 1:23 AM
Tgr added a subscriber: Anomie.
Tgr raised the priority of this task from Low to Medium.Mar 7 2017, 4:55 AM
zeljkofilipin subscribed.Mar 7 2017, 8:22 AM
In T78314#2747466, @Tgr wrote:

Testing the authorization flow will require a proper browser test.

If you are creating a new browser/selenium test(s), I would recommend webdriverio (node.js):

https://www.mediawiki.org/wiki/Selenium/Node.js
https://github.com/zeljkofilipin/mediawiki-webdriverio
https://gerrit.wikimedia.org/r/#/c/328191/
https://gerrit.wikimedia.org/r/#/c/337602/

Let me know if you want to learn more, or need help.

zeljkofilipin added a project: User-zeljkofilipin.Mar 7 2017, 8:22 AM
zeljkofilipin added a comment.Mar 9 2017, 3:50 PM

I have proposed a skill share session for Vienna hackathon T159945: Selenium/WebdriverIO tests in JavaScript/Node.js if you would like to pair in person.

Aklapper removed csteipp as the assignee of this task.Dec 9 2017, 4:40 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
zeljkofilipin removed a project: User-zeljkofilipin.Oct 7 2021, 3:20 PM
Tgr added a parent task: T248683: Create and run a suite of end-to-end tests for the Wikimedia environment.Jul 13 2023, 3:53 AM
Tgr mentioned this in T341759: Create functional tests for core OAuth functionality.
Tgr mentioned this in T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Oct 23 2023, 2:09 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL