[MediaWiki-commits] [Gerrit] labs/striker[master]: Add support for authenticated Action API use

Fri, 09 Dec 2016 11:45:38 -0800 

jenkins-bot has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/324637 )

Change subject: Add support for authenticated Action API use
......................................................................


Add support for authenticated Action API use

Upgrade to mwoauth >= 0.8.2 and add configuration for authenticating to
the MediaWiki Action API using OAuth. A method for getting an anonymous
client is also provided and used when checking for username availability
so that on wiki rights do not accidentally allow usernames that would
otherwise be blocked.

When this is deployed to production there will be private Puppet changes
needed to add configuration settings for the StrikerBot wikitech user.

Bug: T144712
Change-Id: Ibfc4b35498e59bf02da3c8562fea802a573f139c
---
M requirements.txt
M striker/mediawiki.py
M striker/register/utils.py
M striker/settings.py
M striker/striker.ini
5 files changed, 55 insertions(+), 9 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/requirements.txt b/requirements.txt
index e786a18..a2820f4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,7 +11,7 @@
 django-parsley>=0.6  # BSD
 django-ratelimit-backend>=1.0  # BSD
 idna>=2.1  # BSD
-mwclient>=0.8.1  # MIT
+mwclient>=0.8.2  # MIT
 mwoauth>=0.2.7  # MIT
 mysqlclient>=1.3.7  # GPLv2
 oauthlib>=1.1.2  # BSD
diff --git a/striker/mediawiki.py b/striker/mediawiki.py
index a306ad9..2439750 100644
--- a/striker/mediawiki.py
+++ b/striker/mediawiki.py
@@ -32,27 +32,59 @@
 class Client(object):
     """MediaWiki client"""
     _default_instance = None
+    _anon_instance = None
 
     @classmethod
     def default_client(cls):
         """Get a MediaWiki client using the default credentials."""
         if cls._default_instance is None:
             logger.debug('Creating default instance')
-            cls._default_instance = cls(settings.WIKITECH_URL)
+            cls._default_instance = cls(
+                settings.WIKITECH_URL,
+                consumer_token=settings.WIKITECH_CONSUMER_TOKEN,
+                consumer_secret=settings.WIKITECH_CONSUMER_SECRET,
+                access_token=settings.WIKITECH_ACCESS_TOKEN,
+                access_secret=settings.WIKITECH_ACCESS_SECRET
+            )
         return cls._default_instance
 
-    def __init__(self, url):
+    @classmethod
+    def anon_client(cls):
+        """Get a MediaWiki client that is not authenticated."""
+        if cls._anon_instance is None:
+            logger.debug('Creating anon instance')
+            cls._anon_instance = cls(settings.WIKITECH_URL)
+        return cls._anon_instance
+
+    def __init__(
+        self, url,
+        consumer_token=None, consumer_secret=None,
+        access_token=None, access_secret=None
+    ):
         self.url = url
-        self.site = self._site_for_url(url)
-        self.site.force_login = False
+        self.site = self._site_for_url(
+            url, consumer_token, consumer_secret, access_token, access_secret)
 
     @classmethod
-    def _site_for_url(cls, url):
+    def _site_for_url(
+        cls, url,
+        consumer_token=None, consumer_secret=None,
+        access_token=None, access_secret=None
+    ):
         parts = urllib.parse.urlparse(url)
         host = parts.netloc
         if parts.scheme != 'https':
             host = (parts.scheme, parts.netloc)
-        return mwclient.Site(host, clients_useragent='Striker')
+        force_login = consumer_token is not None
+        return mwclient.Site(
+            host,
+            consumer_token=consumer_token,
+            consumer_secret=consumer_secret,
+            access_token=access_token,
+            access_secret=access_secret,
+            clients_useragent='Striker',
+            force_login=force_login
+        )
 
     def query_users_cancreate(self, *users):
         """Check to see if the given usernames could be created or not.
diff --git a/striker/register/utils.py b/striker/register/utils.py
index cd411e2..2cacc45 100644
--- a/striker/register/utils.py
+++ b/striker/register/utils.py
@@ -31,7 +31,6 @@
 
 
 logger = logging.getLogger(__name__)
-mwapi = mediawiki.Client.default_client()
 
 
 def sul_available(name):
@@ -109,6 +108,9 @@
     - name : Canonicalized version of the given name
     - error : Error message if ok is False; None otherwise
     """
+    # Make sure to use the anon client here because on-wiki rights can affect
+    # the result of the cancreate check.
+    mwapi = mediawiki.Client.anon_client()
     user = mwapi.query_users_cancreate(name)[0]
     # Example response:
     # [{'missing': True, 'name': 'Puppet',
@@ -141,6 +143,7 @@
 
     Returns a block reason or False if not blocked.
     """
+    mwapi = mediawiki.Client.default_client()
     res = mwapi.query_blocks_ip(ip)
     for block in res:
         if block['nocreate']:
diff --git a/striker/settings.py b/striker/settings.py
index 3e0152b..87c6589 100644
--- a/striker/settings.py
+++ b/striker/settings.py
@@ -366,6 +366,11 @@
 
 # == Wikitech settings ==
 WIKITECH_URL = ini.get('wikitech', 'SERVER_URL')
+WIKITECH_USER = ini.get('wikitech', 'USER')
+WIKITECH_CONSUMER_TOKEN = ini.get('wikitech', 'CONSUMER_TOKEN')
+WIKITECH_CONSUMER_SECRET = ini.get('wikitech', 'CONSUMER_SECRET')
+WIKITECH_ACCESS_TOKEN = ini.get('wikitech', 'ACCESS_TOKEN')
+WIKITECH_ACCESS_SECRET = ini.get('wikitech', 'ACCESS_SECRET')
 
 # == Tools settings ==
 TOOLS_MAINTAINER_BASE_DN = ini.get('ldap', 'TOOLS_MAINTAINER_BASE_DN')
diff --git a/striker/striker.ini b/striker/striker.ini
index fea3725..f2d13f8 100644
--- a/striker/striker.ini
+++ b/striker/striker.ini
@@ -21,7 +21,7 @@
 # /etc/striker/striker.ini.
 
 [secrets]
-# The should *ALWAYS* be overriden in a local config file
+# This should *ALWAYS* be overriden in a local config file
 SECRET_KEY = 000000000000000000000000000000000000000000000000000000
 
 [debug]
@@ -112,3 +112,9 @@
 
 [wikitech]
 SERVER_URL = https://wikitech.wikimedia.org
+USER = StrikerBot
+# These should *ALWAYS* be overriden in a local config file
+CONSUMER_TOKEN =
+CONSUMER_SECRET =
+ACCESS_TOKEN =
+ACCESS_SECRET =

-- 
To view, visit https://gerrit.wikimedia.org/r/324637
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibfc4b35498e59bf02da3c8562fea802a573f139c
Gerrit-PatchSet: 1
Gerrit-Project: labs/striker
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Alex Monk <a...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Madhuvishy <mviswanat...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to