Tool: Gitlab-account-approval

| GitLab Account Approval Bot | |
|---|---|
| Website | https://toolsadmin.wikimedia.org/tools/id/gitlab-account-approval |
| Description | Bot for approving GitLab accounts of trusted contributors |
| Keywords | gitlab, python, admin |
| Author(s) | BryanDavis |
| Maintainer(s) | BryanDavis |
| Source code | gitlab |
| License | GNU General Public License 3.0 or later |
| Issues | Open tasks · Report a bug |
| Admin log | Tools.gitlab-account-approval/SAL |
GitLab Account Approval Bot is an automated process running on Toolforge that looks for GitLab accounts in the "blocked_pending_approval" state and tries to find existing trust for the backing Developer account. When the user is found to already be trusted by virtue of things like organizational association (Foundation staff for example), project access (Toolforge members), or technical community web of trust (#trusted_contributors, Trusted-Contributors) the bot will mark the GitLab account as "approved".
Audit log
2024-11-09
- 17:15 @f4udeveloper was approved.
2024-11-07
- 19:15 @zulf was approved.
- 05:33 @hassanamin was approved.
2024-11-06
- 19:39 @daniuu was approved.
- 00:18 @rlopez-wmf was approved.
2024-10-09
- 14:45 @jtweed was approved.
- 10:24 @ifrahkh was approved.
- 09:06 @wikibayer was approved.
2024-10-06
- 10:27 @keerthan16 was approved.
2024-10-04
- 07:45 [... (more)
Deployment
The bot is deployed as a Toolforge scheduled job running a build service managed container. The container exposes two commands:
- approve: Scan the pending accounts list for trusted users and approve those that are found.
- dry-run: Same as approve, but do not actually make any changes to the GitLab accounts. This command also uses very verbose logging to describe what the application is doing, which is intended to help when debugging issues with the bot.
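To make the approve/dry-run distinction concrete, here is an added illustrative model of the bot's decision loop. It is not code from the gitlab-account-approval tool: the `TrustSources` sets, `find_trust`, `run` and every username are constructed stand-ins for the page's three kinds of trust (organizational association, project access, web of trust).

```python
# Added illustrative example; not code from the gitlab-account-approval tool.
# Models the bot's loop: each GitLab account in "blocked_pending_approval" is
# approved only if some trust source vouches for its backing Developer account.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("glaab-example")

@dataclass
class PendingAccount:
    username: str   # GitLab username
    developer: str  # backing Developer (LDAP) account name
    state: str = "blocked_pending_approval"

@dataclass
class TrustSources:
    """Constructed stand-ins for the three kinds of trust the page lists."""
    staff: set = field(default_factory=set)                 # organizational association
    toolforge_members: set = field(default_factory=set)     # project access
    trusted_contributors: set = field(default_factory=set)  # technical community web of trust

def find_trust(dev: str, sources: TrustSources) -> list:
    """Return the name of every trust source that vouches for Developer account `dev`."""
    checks = {
        "staff": sources.staff,
        "toolforge": sources.toolforge_members,
        "trusted_contributors": sources.trusted_contributors,
    }
    return [name for name, members in checks.items() if dev in members]

def run(pending: list, sources: TrustSources, dry_run: bool = False) -> dict:
    """Approve trusted pending accounts, or in dry-run mode only report them.
    Returns {username: [trust sources]} for accounts that were (or would be)
    approved. Untrusted accounts are left pending for a human; nothing is rejected.
    """
    approved = {}
    for acct in pending:
        if acct.state != "blocked_pending_approval":
            continue  # only accounts awaiting approval are considered
        reasons = find_trust(acct.developer, sources)
        if not reasons:
            log.debug("%s: no existing trust found, leaving pending", acct.username)
            continue
        if dry_run:
            log.info("%s: would approve (%s)", acct.username, ", ".join(reasons))
        else:
            acct.state = "active"  # stands in for the GitLab API approval call
            log.info("%s: approved (%s)", acct.username, ", ".join(reasons))
        approved[acct.username] = reasons
    return approved
```

Note that a dry run returns the same decisions as a real run but leaves every account's state untouched, which is what makes its verbose output safe to use for debugging.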
Rebuilding the image
Until we have an ability to configure automatic container builds, someone needs to ssh into a Toolforge bastion and kick off a new build when gitlab:toolforge-repos/gitlab-account-approval contains new code for release.
$ ssh dev.toolforge.org
$ become gitlab-account-approval
$ toolforge build start https://gitlab.wikimedia.org/toolforge-repos/gitlab-account-approval
Scheduled jobs
The approve job is run on a schedule by the Toolforge jobs framework. Job descriptions are maintained in $HOME/jobs.yaml:
# https://wikitech.wikimedia.org/wiki/Help:Toolforge/Jobs_framework
---
- name: approve
  command: approve
  image: tool-gitlab-account-approval/tool-gitlab-account-approval:latest
  no-filelog: true
  emails: onfailure
  # Run every 3 minutes, 24/7, 365.25
  schedule: '*/3 * * * *'
Configuration
The glaab python script uses twelve-factor app style config via environment variables. In Toolforge this configuration is managed with the toolforge envvars command.
$ toolforge envvars list
name value
GERRIT_PASSWORD <redacted>
GITLAB_ACCESS_TOKEN <redacted>
MEDIAWIKI_ACCESS_SECRET <redacted>
MEDIAWIKI_ACCESS_TOKEN <redacted>
MEDIAWIKI_CONSUMER_SECRET <redacted>
MEDIAWIKI_CONSUMER_TOKEN c204f317e1640c80808ce79a810f5bd3
PHABRICATOR_TOKEN <redacted>
PHABRICATOR_USER glaab
TOOL_REPLICA_PASSWORD <redacted>
TOOL_REPLICA_USER s55655
TOOL_TOOLSDB_PASSWORD <redacted>
TOOL_TOOLSDB_USER s55655
See also: Special:OAuthManageConsumers/c204f317e1640c80808ce79a810f5bd3
Development tips
Use an SSH tunnel to access LDAP
The easiest way that bd808 has found to connect to the live Developer account LDAP directory when developing locally is by using an SSH tunnel. One way to do that is ssh -o ExitOnForwardFailure=yes -f -N -L 3389:ldap-ro.eqiad.wikimedia.org:389 login.toolforge.org. Then add LDAP_SERVERS=127.0.0.1:3389 to a .env configuration file in the directory that you are running the glaab code from. A .env file in the current working directory will be read automatically by the glaab.settings module.
Breakdown of the ssh command:
- -o ExitOnForwardFailure=yes: Exit if the forward cannot be created
- -f: Put ssh into the background after connecting
- -N: Do not execute any remote command
- -L 3389:ldap-ro.eqiad.wikimedia.org:389: Route connections to local port 3389 to port 389 on the ldap-ro.eqiad.wikimedia.org host via the remote host
- login.toolforge.org: A Toolforge bastion