Tool:Gitlab-account-approval

Toolforge tools

GitLab Account Approval Bot
Website	https://toolsadmin.wikimedia.org/tools/id/gitlab-account-approval
Description	Bot for approving GitLab accounts of trusted contributors
Keywords	gitlab, python, admin
Author(s)	BryanDavis
Maintainer(s)	BryanDavis (View all)
Source code	gitlab
License	GNU General Public License 3.0 or later
Issues	Open tasks · Report a bug
Admin log	Tools.gitlab-account-approval/SAL

GitLab Account Approval Bot is an automated process running on Toolforge that looks for GitLab accounts in the "blocked_pending_approval" state and tries to find existing trust for the backing Developer account. When the user is found to already be trusted by virtue of things like organizational association (Foundation staff for example), project access (Toolforge members), or technical community web of trust (#trusted_contributors, Trusted-Contributors) the bot will mark the GitLab account as "approved".

Audit log

Deployment

The bot is deployed as a Toolforge scheduled job running a build service managed container. The container exposes two commands:

approve

Scan for trusted users in the pending accounts list and approve those that are found.

dry-run

Same as approve, but do not actually make changes to the Gitlab accounts. This command also uses very verbose logging to describe what the application is doing. This is hoped to be useful when debugging issues with the bot.

Rebuilding the image

Until we have an ability to configure automatic container builds, someone needs to ssh into a Toolforge bastion and kick off a new build when gitlab:toolforge-repos/gitlab-account-approval contains new code for release.

$ ssh dev.toolforge.org
$ become gitlab-account-approval
$ toolforge build start https://gitlab.wikimedia.org/toolforge-repos/gitlab-account-approval

Scheduled jobs

The approve job is run on a schedule by toolforge jobs. Jobs descriptions are maintained in $HOME/jobs.yaml:

# https://wikitech.wikimedia.org/wiki/Help:Toolforge/Jobs_framework
---
- name: approve
  command: approve
  image: tool-gitlab-account-approval/tool-gitlab-account-approval:latest
  no-filelog: true
  emails: onfailure
  # Run every 3 minutes, 24/7, 365.25
  schedule: '*/3 * * * *'

Configuration

The glaab python script uses twelve-factor app style config via environment variables. In Toolforge this configuration is managed with the toolforge envvars command.

$ toolforge envvars list
name                       value
GERRIT_PASSWORD            <redacted>
GITLAB_ACCESS_TOKEN        <redacted>
MEDIAWIKI_ACCESS_SECRET    <redacted>
MEDIAWIKI_ACCESS_TOKEN     <redacted>
MEDIAWIKI_CONSUMER_SECRET  <redacted>
MEDIAWIKI_CONSUMER_TOKEN   c204f317e1640c80808ce79a810f5bd3
PHABRICATOR_TOKEN          <redacted>
PHABRICATOR_USER           glaab
TOOL_REPLICA_PASSWORD      <redacted>
TOOL_REPLICA_USER          s55655
TOOL_TOOLSDB_PASSWORD      <redacted>
TOOL_TOOLSDB_USER          s55655

See also: Special:OAuthManageConsumers/c204f317e1640c80808ce79a810f5bd3

Development tips

Use an SSH tunnel to access LDAP

The easiest way that bd808 has found to connect to the live Developer account LDAP directory when developing locally is by using an SSH tunnel. One way to do that is ssh -o ExitOnForwardFailure=yes -f -N -L 3389:ldap-ro.eqiad.wikimedia.org:389 login.toolforge.org. Then add LDAP_SERVERS=127.0.0.1:3389 to a .env configuration file in the directory that you are running the glaab code from. A .env file in the current working directory will be read automatically by the glaab.settings module.

Breakdown of the ssh command:

• -o ExitOnForwardFailure=yes: Exit if the forward cannot be created
• -f: Put ssh into the background after connecting
• -N: Do not execute any remote command
• -L 3389:ldap-ro.eqiad.wikimedia.org:389: Route connections to local port 3389 to port 389 to the ldap-ro.eqiad.wikimedia.org host via the remote host
• login.toolforge.org: A Toolforge bastion

See also

• Gitlabaccountapprovalbot Wikitech user
• @gitlabaccountapprovalbot GitLab user
• @glaab Phabricator user