mozilla :: #conduit

21 Apr 2017
00:08circleci-botHello from CircleCI
13:34zalunmy idea for the extension:
13:36zalunI haven't touched the regexp yet
13:37dklzalun: i do not see where const FIELDKEY is used anywhere
13:40dklfyi: also doing some BMO admin stuff today since dylan is out
13:40zalundkl: /me has no idea as well
13:40zalunabout the FIELDKEY, I might add a comment to remove if needed
13:41dklzalun: ah ok. I thought you added that
13:41zalunit seems like the FIELDKEY is used in parser
13:41dklah so used outside of the class
13:42dkli see a function to add to the conduit dict so that means the API probably also shows the value which helps with out security model work
13:42zalunit might be it is some sort of leftover from former design
13:43zalunI've modified the etherpad as I went deeper today -
13:51marssmacleod: I'm going to move the autoland rename card into an etherpad so we can have a +/- poll
13:52smacleodmars: fine with me. Feel free to add any names you can think of
13:52marssmacleod: I added "Autobot" and "Autofox" :)
13:54smacleodmars: can you link the etherpad here for me?
13:58marsDid that extension bot on the Firefox 3 posters have a name?
14:03* smacleod makes a joke about us building "Uber for commits"
14:03smacleodmars: ^
14:04smacleodmars: I was thinking Firefly with mal :)
14:06mars"Serenity" would be an awesome name. A scrappy, heroic bucket of bolts. Sometimes pieces break off, but it still flies! :D
14:06dklmars: smacleod : is "auto" in the name really accurate? Doesn't someone with proper perms need to manually hit a button to land a change?
14:07dklor are there cases that the change will land without manual intervention if the conditions are right?
14:07smacleodEventually we will want to land as soon as r+ is given
14:07dklsmacleod: have you started a new security design document for phab anywhere or am I able to start one myself?
14:07smacleodThink of clicking the button now as giving your approval
14:07dkldidnt want to dupe work
14:07smacleodThat just tells autoland it's ready to go, then what it does is automatic
14:09smacleodmars: I accidentally erased one of your pluses, sorry
14:15* imadueme
14:21smacleoddkl: sorry I haven't made a doc yet, wanna link me to what you're making?
14:27dklsmacleod: soon
14:27dklshould i do a flow chart as well?
14:27smacleoddkl: We should probably include some diagrams to make things more clear
14:29smacleodproduction docker image is built from there
14:29smacleodshows up here:
14:31circleci-botFixed: smacleod's build (#5; push) in mozilla-services/mozphab (master) --
14:36smacleodzalun: what's your github username?
14:47smacleoddavidwalsh: standup?
14:48davidwalshsmacleod: My Vidyo wont let me sign in. Maybe I was fired
14:48smacleodfinally... means I need to thank someone now
14:48davidwalshnm, I'm in
14:49dklsmacleod: doesnt have the latest in hg conduitdemo, primarily
14:49smacleoddkl: ya, can you guys update it so we can move to it? chris copied before you made changes
14:51* zalun is looking at
14:51smacleodzalun: :)
14:53dklsmacleod: sure
14:55imaduemesmacleod: add me?
14:55dklsmacleod: are we using some sort of migrator script to go from hg to git so that we retain history or just starting from scratch?
14:55dkllooks like from scratch. nm
14:55smacleodimadueme: already did to mozilla-conduit stuff. Can't to the mozilla-services, cloud ops has to do that
15:05marsdavidwalsh: you still have to vote on the new autoland service name
15:06davidwalshmars: Oh wtf, where are we voting?
15:59dklthanks. quick bite for lunch
16:08smacleoddkl|lunch: hey, do you know why client_api_login is sent and what it's needed for in BMO auth delegation?
16:43marsimadueme: I've started to build out a tasks list for porting autoland to connexion here:
16:45marsimadueme: I thought we were sticking with the current setup for now, frontend and backend in the same repo?
16:47marsjust to keep things simple
16:47imaduememars: pretty sure they have to be separate? if we want to avoid all the problems we had with deploying them separately. smacleod - were you planning to put the ui and api in the same github repo? Or have 2 like lando-api and lando-ui
16:47imaduemei could be wrong
16:48marsckolos: ^ ?
16:50marsimadueme: it would be best to decide if we are splitting the repo before we start doing the work
16:50marsbefore we start porting it
16:54dklsmacleod: let me check
16:57smacleodimadueme: I think that comes down to how auth0 flow will work, along with if we're adding a backend to the frontend (cc mars)
16:58imaduemeim looking into that right now - for anyone else interested:
17:00smacleodLando is the mayor of Cloud (commit) Ciry
17:08dklsmacleod: ok memory refreshed. client_api_login and client_api_key are POSTed JSON to the site needing auth such as autoland. autoland will then record the two locally, send a unique token back to BMO. BMO then redirects back to autoland with the client_api_login value and token which autoland would then verify match properly.
17:08dklsmacleod: make sense?
17:08dkljust some extra safeguard
17:10smacleoddkl: ya I was just wondering why client_api_login was needed and figured it was for some security aspect I wasnt considering. So you're supposed to make sure it matches too?
17:11dklright. plus auth delegation assumes the calling system is using user login as a profile key so the caller can store the api key against the right user
17:11dkli assume in context of mozreview, the email value would match the BMO login
17:12smacleodFor phabricator we're planning to store the BMO account id instead of matching them with email. Is that fine?
17:13smacleodLike, phabricator will use that as it's primary reference to which bugzilla account it is once login is done
17:37dklare you talking about the BMO internal id? You can get that but it would be another API call.
17:38dklGET /rest/user?
17:43imaduemeupdate: I think I've come up with a good plan for the ui/api/auth0/bugzilla story and I'm writing a google doc now.
17:43* imadueme also thinks lando is a fine name
17:57davidwalshStupid phabricator 500s but no error shows in the shell
18:02davidwalshHooray for cURL
18:03* imadueme
18:18dklsmacleod: google doc link sent
18:36davidwalshomg I'm hacking on bmo, dkl
18:36davidwalshWhat a time to be alive
18:36dklheh. good luck!
18:55imaduemesmacleod/dkl: im just wrapping up that google doc. But after thinking about this more. Why exactly do we need auth0? For example mozreview uses bugzilla to auth and I know RB has some special code to connect to LDAP, but, since I also see an LDAP box in the moqup. Assuming the UI had a backend - would it be necessary to use Auth0 or could we just use
18:55imaduemeBugzilla/LDAP directly?
19:07davidwalshsmacleod: So we've run into a chicken--egg problem with our plan
19:10davidwalshsmacleod: You can't use '' without having CSRF'd first, but you can't CSRF in the `if ($request->isHTTPPost())` block because it's happening "inside" Bugzilla, i.e. no pcid (cookie)
19:10davidwalshSo...I'm trying to navigate around that
19:13dklimadueme: as i understand it, if the user has used auth0 to authenticate with BMO and also to authenticate with LDAP, then autoland will have information from both systems at its disposal. So there would be no need for autoland to contact the LDAP server directly
19:14dklauth0 will return a data structure containing both LDAP information along with BMO info such as group membership etc.
19:14imaduemedkl, thanks that clears things up and makes this even better!
19:14dklautolando would not need to figure out how to get that information directly from any of the auth providers
19:14dklone source
19:15dklimadueme: the downside is that autoland would need to the user to login to both providers before it could do anything useful
19:16dklbut i dont think that would be too much to ask
19:16imaduemedkl - another question: is there any advantage to "logging in" to bugzilla vs just using an api key? Assuming that the only interaction we want with bugzilla will be through the api
19:18dklimadueme: probably not. from what i know though auth0 would still need BMO to act as an oauth2 provider an not the simple auth delegation it supports now
19:18dklimadueme: do you mean just have autoland ask the user for their api key directly and enter it?
19:19imaduemedkl: yea. that would allow us to know if you can see a bug or not right
19:19dklapi key basically a password
19:19imaduemecool, thanks!
19:28smacleoddkl / imadueme that's not quite right. BMO and auth0 are not linked
19:28smacleodWe need auth0 to get the LDAP information, so we can query LDAP for their group membership
19:29smacleodMozreviews strategy was a hack
19:29dklsmacleod: they can be. once BMO supports being an oauth2 provider. not right now though
19:29smacleodNope, nothing to do with oauth2
19:29dklhmm. ok
19:30smacleodIt has to do with licensing. And our auth0 strategy
19:30smacleodCost per account etc
19:30dkli was understanding that for autoland (not phab) to use BMO for auth it would need to be have oauth implemented for auth0 to connect to it
19:31dkland by having that bmo->ldap connection via auth0 we can get all of the info we need to make autoland work
19:32smacleodIf they were linked, ya we could use BMO, but we'd still do it though auth0, or a BMO API key
19:32imaduemesmacleod/mars/davidwalsh/dkl: Here are my thoughts on how we should change autoland. I feel pretty strongly about this change so lets talk about it :)
19:32smacleodBut linking them has nothing to do with oauth
19:32imaduememcote too i guess ^
19:33imaduemealso im not counting on them bmo/auth0 being linked.
19:34imaduemesmacleod: if that doc is cool with everyone then it looks like we would have 2 repos, as they would be separate deploys
19:34smacleoddkl: Auth0 is charged per account, and BMO has too many active accounts. This problem is actively being worked on but it blocks us using it for everything
19:35smacleodAuth0 is definitely the way to go for ldap though
19:35dklsmacleod: ok. realistically it would be a very small subset of the 30000 yearly active users.
19:35dklok so autoland could then use auth delegation, store the api key and use auth0 for the ldap side
19:36smacleoddkl: the thing that really matters for lando is scm level, so auth0 is the main authentication method
19:36dklsmacleod: did you get a chance to look at the security workflow doc?
19:36smacleodwe will only use BMO auth if the bug is security sensitive and to see it to land you'll have to log in with bmo as well
19:36smacleodthat should be less common though
19:37smacleodthat case will use auth delegation for now, until the auth0 bmo stuff is figured out
19:37smacleoddkl: I have not
19:37smacleodjust opened it
19:38davidwalshdkl: Do you know if I can send a CSRF to Bugzilla which Bugzilla would then pass back during auth?
19:42dkldavidwalsh: no. bmo uses a token to protect against csrf
19:42dkloh wait
19:42dklyou mean phab sends a token that BMO passes back
19:43dklyes that happens as part of the normal workflow.
19:44dklwhen BMO posts the client login and api key to phab, phab should return a one time token. BMO will redirect back to phab with the token that phab needs to verify is correct or else throw away the client login and api key
19:44smacleodimadueme: do you want me to just make comments inside your doc?
19:44imaduemego for it smacleod
19:45davidwalshdkl: Yeah, I have that; I didn't ask the question properly
19:45davidwalshdkl: phabricator is being really strict with its CSRF
19:45davidwalshdkl: but since bugzilla doesn't do the POST from the browser, there's no session ID
19:45dklwhat if you embed the token in the callback url?
19:45davidwalshdkl: Just tried it and didn't work, but I'm keeping at it
19:46dklhmm not sure then. let me know if i can help
19:46dklmozreview does it the same way but it may not be as strict as phab
19:48dklsmacleod: feel free to just edit the security doc as you see fit
19:48smacleoddkl: will do, going to look in depth after looking through imadueme's doc
20:01smacleodimadueme: so you think we're better off moving to a less javascript heavy (less react) solution here? How strongly do you feel about that?
20:01smacleodmars: there is a comment button in google docs ;)
20:01marssmacleod: it's not a comment, its an addendum :D
20:03smacleoda wild mcote appears
20:03smacleodhow's tribe?
20:05imaduemesmacleod: on a scale of 1 - 10. 10. Just because I realize we're not getting much out of react that we couldn't do with templates and pure js. And we will be getting much out of a server behind the UI. That being said, I'm looking for feedback
20:05smacleodimadueme: I'm on the same page as you. You might have to convince davidwalsh
20:10imaduemeI think davidwalsh and I will have a lot more fun writing pure ES6 :)
20:13smacleoddkl: didn't like the default blue in moqups eh?
20:14dklsmacleod: :)
20:14smacleoddkl: you can double click a connector to attach a label to it where you click on it
20:15dklah i never used it before so i just fumbled around til i got the desired effect.
20:15dklthen exported as png to google drive
20:15smacleoddkl: you can actually add the diagrams to drive, and it links out to them
20:15smacleoddkl: mind if I change a few things with what you did?
20:19dklsmacleod: be my guest
20:19smacleoddkl: "add bug roles to subscriber list", what does that mean?
20:20dklassignee, reporter, qa contact, and cc list
20:21smacleodah, those are called roles?
20:21dklpeople who can normally see the bug even if private
20:21dkli call them roles :)
20:21dkli am more detailed in the workflow text
20:31davidwalshSo let's say I send the CSRF in the bugzilla URI; it becomes something like ``
20:32davidwalshWhen bugzilla posts to me, I get the "31ff...."; but how do I compare that?
20:32davidwalshJust look in the CSRF registry to see if it exists, and assume it's the right person
20:33smacleoddkl: updated diagram:
20:33smacleod(I set the default style on that doc so any future edits will be black and white like that
20:36dklsmacleod: looks much better. feel free to link it in the google doc
20:36dklyeah left out the part about missing bug id in my version
20:37smacleodimadueme: nice work on the document btw :)
20:40smacleoddkl: looking good so far, we should probably expand how "projects" will be used and security group syncing
20:40dklyeah wasnt sure if the group syncing would better in a different document
20:40dkl*would be
20:40* smacleod nods
20:41smacleodmaybe something high level about it, we gloss over how objects can be made private in the public space
20:41smacleodthen dig into the actual sync etc in another doc
20:41dklk. gotta take the rug rats to a kids thing at the museum soon. will check in later tonight to make adjustments
20:42dklsmacleod: so more detail then about how projects will work? make a comment and i can add it in
20:45smacleodimadueme: any idea how we can fake auth0 in testing / local dev?
20:56imaduemesmacloed: thanks! as for testing no idea. If we actually wanted to go through the flow we would have to deploy the app (so that auth0 has something to hit on the internet). At that point we could probably just request a dev client id.
20:56imaduemeAs for locally, hmmm... I think we will have to get creative and just create a mock provider. requests-mock can definitely\ come in handy here.
21:00imaduemeDoes anyone know who's in charge of auth0?
21:01smacleodimadueme / dkl: there is a folder for conduit documents btw:
21:02* imadueme
21:13imaduemeactually I take that back smacleod. It is possible to test auth0 locally - Although that might be hard to convince IT or whoever owns auth0 to let us do that. Maybe mcote knows :)
21:20imaduemeAlso noteworthy is that auth0 supports accounts so that should take care of getting outside contributors access. (
21:37davidwalshI'm giving up for the day
21:37davidwalshToo frustrated
22 Apr 2017
No messages
Last message: 124 days and 9 hours ago