potiuk opened a new pull request, #134: URL: https://github.com/apache/airflow-steward/pull/134
## Summary

The Apache Vulnogram instance at `cveprocess.apache.org` is gated behind ASF OAuth — the session cookie is only valid when captured from an `<id>@apache.org` login, not from a personal address that `git config user.email` happens to return.

Before this change, `vulnogram-api-setup` accepted any auto-detected from-address (typically the personal email of the operator), with two failure modes:

1. The walkthrough's *"log in normally"* instruction did not tell the operator **which** identity to authenticate with, so they could log in with the wrong account and only discover the mistake at probe time (a 302 to `oauth.apache.org`).
2. The credentials file recorded the personal address, so `vulnogram-api-check` could not surface a meaningful audit trail of which `@apache.org` account the cookie belonged to.

## The change

New helper in `setup_session.py`:

```python
resolve_from_address(host, auto_detected, *, prompter=input) -> str
```

Enforces an `@apache.org` address whenever the host is `cveprocess.apache.org` or any other `*.apache.org` Vulnogram deployment. Three outcomes:

- **Auto-detected value already ends in `@apache.org`** → passthrough.
- **Auto-detected value missing or non-`@apache.org`** → prompt interactively. Bare names (e.g. `potiuk`) get the `@apache.org` suffix appended. Non-`@apache.org` responses are rejected up to 3 attempts before aborting cleanly, before any cookie is captured.
- **Non-ASF host** → no enforcement; auto-detected value passes through as before.

The walkthrough then names the resolved address explicitly so the operator knows which identity to authenticate with:

> Step 2. Complete the ASF OAuth login normally (username + 2FA via oauth.apache.org). **Make sure you are logged in as `[email protected]`** — the @apache.org account that owns the session cookie. If you are logged in under a different identity, log out first, then log back in as `[email protected]` before continuing.
`check.py` now surfaces the address on a **second line** after `valid` for audit-trail visibility:

```
$ vulnogram-api-check
valid
logged in as [email protected]
```

The first line stays a bare `valid` so exact-match parsers (e.g. `security-issue-sync` Step 5b decision flow) are unaffected.

## Suppressing the prompt

Three escape hatches, all already supported:

- `--from-address [email protected]` on the command line
- `\[email protected]`
- `git config user.email [email protected]` (per-repo or `--global`)

## Stacking

Stacks on top of #133 (*"auto-push CVE JSON via Vulnogram OAuth API"*). Both touch the `tools/vulnogram/oauth-api/` package but in different files; no conflict.

## Tests

Six new unit tests cover the resolver:

- non-ASF host passthrough (with value, with `None`)
- ASF host accept (already `@apache.org`)
- ASF host prompt-missing (bare name → suffix appended)
- ASF host prompt-personal (auto-detected non-apache.org gets rejected, prompt accepts)
- ASF host three-retry exhaustion (SystemExit, no cookie captured)
- ASF sub-domain enforcement (`*.apache.org` matches)

All 43 existing tests still pass.

## Follow-ups (out of scope for this PR)

- Tracker template (`airflow-s/.apache-steward-overrides/user.md.template` and `.example`) should grow an `identity.apache_id` field so future adopters self-document the account. Tracker-side change, not framework — separate PR if anyone wants it.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
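The three outcomes of the resolver described in the PR, written out as an added example that is not the project's own code: the host check, the prompt wording, the `is_asf_host` and `scripted` helpers, and returning `None` unchanged on a non-ASF host are assumptions.

```python
# Illustrative resolver mirroring the behaviour the PR describes (not the
# project's own implementation; host check and messages are assumptions).
from typing import Callable, Iterable, Optional

ASF_DOMAIN = "apache.org"
ASF_SUFFIX = "@" + ASF_DOMAIN
MAX_ATTEMPTS = 3  # non-ASF answers are rejected this many times, then abort


def is_asf_host(host: str) -> bool:
    """True for cveprocess.apache.org and any other *.apache.org host.

    A plain suffix match would also accept 'apache.org.evil.example', so the
    label boundary is checked explicitly.
    """
    host = host.lower().rstrip(".")
    return host == ASF_DOMAIN or host.endswith("." + ASF_DOMAIN)


def resolve_from_address(
    host: str,
    auto_detected: Optional[str],
    *,
    prompter: Callable[[str], str] = input,
) -> Optional[str]:
    # Non-ASF host: no enforcement, the auto-detected value (even None) passes through.
    if not is_asf_host(host):
        return auto_detected
    # ASF host: an auto-detected @apache.org address is accepted as-is.
    if auto_detected and auto_detected.lower().endswith(ASF_SUFFIX):
        return auto_detected
    # Otherwise ask, before any session cookie is captured.
    for attempt in range(1, MAX_ATTEMPTS + 1):
        answer = prompter(f"ASF id or {ASF_SUFFIX} address for {host} "
                          f"[{attempt}/{MAX_ATTEMPTS}]: ").strip()
        if answer and "@" not in answer:
            answer += ASF_SUFFIX  # bare id such as 'potiuk' -> 'potiuk@apache.org'
        if answer.lower().endswith(ASF_SUFFIX):
            return answer
        print(f"rejected: {answer!r} is not an {ASF_SUFFIX} address")
    raise SystemExit(f"no {ASF_SUFFIX} address after {MAX_ATTEMPTS} attempts; aborting")


def scripted(answers: Iterable[str]) -> Callable[[str], str]:
    """Prompter stand-in that replays canned answers (for tests, no TTY needed)."""
    it = iter(answers)
    return lambda _prompt: next(it)
```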
