This is an automated email from the ASF dual-hosted git repository. akm pushed a commit to branch document-auth-bypass-659 in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 748e1f2375e0148f2de61660aacb55c6aab1cd57 Author: Andrew K. Musselman <[email protected]> AuthorDate: Mon Mar 9 17:50:30 2026 -0700 Adding docs for auth bypass; fixes #659 --- atr/docs/authorization-security.md | 9 ++++++++- atr/docs/storage-interface.md | 2 ++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/atr/docs/authorization-security.md b/atr/docs/authorization-security.md index 9342c047..dbcaf892 100644 --- a/atr/docs/authorization-security.md +++ b/atr/docs/authorization-security.md @@ -203,7 +203,14 @@ The cache is per-user and in-memory. It does not persist across server restarts. ### Test mode -When `ALLOW_TESTS` is enabled in the configuration, a special "test" user and "test" committee are available. All authenticated users are automatically added to the test committee for testing purposes. This should never be enabled in production. +When `ALLOW_TESTS` is enabled in the configuration, a special "test" user and "test" committee are available. **This should never be enabled in production.** The security implications are significant: + +1. All authenticated users (not just the test user) are granted membership in the "test" committee and project [`principal`](/ref/atr/principal.py). +2. Authorization checks in the storage layer are completely skipped for the test committee [`release`](/ref/atr/storage/writers/release.py). +3. Rate limiting is disabled [`server`](/ref/atr/server.py). +4. A hardcoded "test" user bypasses LDAP verification. + +If `ALLOW_TESTS` is accidentally left enabled in production, every authenticated user gains unauthorized access to the test committee and its resources. This flag is intended for use only in development and test environments where `DEBUG_MODE` is also set. ## Implementation references diff --git a/atr/docs/storage-interface.md b/atr/docs/storage-interface.md index 2901c6df..e870fe6e 100644 --- a/atr/docs/storage-interface.md +++ b/atr/docs/storage-interface.md 
@@ -26,6 +26,8 @@ The storage interface recognizes several permission levels: general public (unau The storage interface does not make it impossible to bypass authorization, because you can always import `db` directly and write to the database. But it makes bypassing authorization an explicit choice that requires deliberate action, and it makes the safer path the easier path. This is a pragmatic approach to security: we cannot prevent all mistakes, but we can make it harder to make them accidentally. +**Note:** When `ALLOW_TESTS` is enabled, authorization checks in the storage layer are completely skipped for the test committee [`release`](/ref/atr/storage/writers/release.py). This is an intentional exception for development and test environments only. See [Authorization security](authorization-security#test-mode) for the full security implications of this flag. + ## How do we read from storage? Reading from storage is a work in progress. There are some existing methods, but most of the functionality is currently in `db` or `db.interaction`, and much work is required to migrate this to the storage interface. We have given this less priority because reads are generally safe, with the exception of a few components such as user tokens, which should be given greater migration priority. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
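Review bot: In the `authorization-security.md` hunk, item 4 ("A hardcoded "test" user bypasses LDAP verification.") is the only entry in the new list without a code reference, while items 1 to 3 each link to the module that implements the behaviour (`principal.py`, `writers/release.py`, `server.py`); add the matching `[`…`](/ref/atr/…)` link for the LDAP bypass so a reader can audit all four consequences the same way. The closing sentence also says the flag "is intended for use only in development and test environments where `DEBUG_MODE` is also set", which leaves it unclear whether that coupling is enforced at startup or is merely a convention; state which it is, and if it is only a convention, consider documenting (or adding) a startup refusal when `ALLOW_TESTS` is set without `DEBUG_MODE`, since the paragraph itself describes the outcome of leaving the flag on by accident.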
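Review bot: In the `storage-interface.md` hunk, the cross-reference `[Authorization security](authorization-security#test-mode)` omits the `.md` extension that the file path in the diff header (`atr/docs/authorization-security.md`) carries, whereas the code reference in the same note uses a full path (`/ref/atr/storage/writers/release.py`); confirm that the docs renderer resolves extension-less relative links and the `#test-mode` anchor generated from the `### Test mode` heading, otherwise the link will be dead exactly where the reader is being told to look for the security implications. The note's wording ("authorization checks in the storage layer are completely skipped for the test committee") matches item 2 of the other file's list, which is good for consistency; keep the two in sync if either is edited later.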
