#8381 staging wiki auth from openqa-stg01.qa fails
Opened 11 months ago by adamwill. Modified 5 months ago

The two openQA boxes - openqa01.qa and openqa-stg01.qa - both have a key that should allow them to authenticate to the appropriate wiki (prod for openqa01, stg for openqa-stg01). It is installed as /root/.openidc/oidc_wikitcms.json and is stored in the ansible secrets - the staging key is retrieved as {{ private }}/files/openidc/staging/wikitcms.json and the prod key as {{ private }}/files/openidc/production/wikitcms.json.

On prod everything is fine - openqa01.qa can happily auth to the wiki and do stuff on it. But this isn't working right on staging. When staging tries to log in to the wiki with the token file in place, this happens:

>>> import wikitcms.wiki
>>> site = wikitcms.wiki.Wiki('stg.fedoraproject.org')
>>> site.login()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/wikitcms/wiki.py", line 214, in login
    self.site_init()
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 143, in site_init
    info = self.get('query', meta='userinfo', uiprop='groups|rights')
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 235, in get
    return self.api(action, 'GET', *args, **kwargs)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 286, in api
    info = self.raw_api(action, http_method, **kwargs)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 434, in raw_api
    http_method=http_method)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 405, in raw_call
    stream.raise_for_status()
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://stg.fedoraproject.org/w/api.php?meta=userinfo%7Cuserinfo&uiprop=groups%7Crights%7Cblockinfo%7Chasmsg&continue=&action=query&format=json

After this, the token file is edited to contain only the string {}, and subsequent login attempts give this:

>>> site.login()
Please visit https://id.stg.fedoraproject.org/openidc/Authorization?scope=openid+https%3A%2F%2Ffedoraproject.org%2Fwiki%2Fapi&response_type=code&client_id=wikitcms&redirect_uri=http%3A%2F%2Flocalhost%3A23456%2F&response_mode=query to grant authorization

I don't know what's wrong, but this isn't how it's meant to be :)


@codeblock might have some idea (he was looking at issues from our ipsilon upgrade)

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: authentication

11 months ago

Metadata Update from @mizdebsk:
- Issue tagged with: staging

11 months ago

Is this still failing? Or was it fixed?

I disabled the services for now. I can test it again for you.
