This is an automated email from the ASF dual-hosted git repository.
wave pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 36876d56 Adding docs for auth bypass; fixes #659 (#848)
36876d56 is described below
commit 36876d56caf6554d82d64d26d5e383732a02b18f
Author: Andrew Musselman <[email protected]>
AuthorDate: Mon Mar 9 18:00:01 2026 -0700
Adding docs for auth bypass; fixes #659 (#848)
---
atr/docs/authorization-security.md | 9 ++++++++-
atr/docs/storage-interface.md | 2 ++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/atr/docs/authorization-security.md b/atr/docs/authorization-security.md
index 9342c047..dbcaf892 100644
--- a/atr/docs/authorization-security.md
+++ b/atr/docs/authorization-security.md
@@ -203,7 +203,14 @@ The cache is per-user and in-memory. It does not persist
across server restarts.
### Test mode
-When `ALLOW_TESTS` is enabled in the configuration, a special "test" user and
"test" committee are available. All authenticated users are automatically added
to the test committee for testing purposes. This should never be enabled in
production.
+When `ALLOW_TESTS` is enabled in the configuration, a special "test" user and
"test" committee are available. **This should never be enabled in production.**
The security implications are significant:
+
+1. All authenticated users (not just the test user) are granted membership in
the "test" committee and project [`principal`](/ref/atr/principal.py).
+2. Authorization checks in the storage layer are completely skipped for the
test committee [`release`](/ref/atr/storage/writers/release.py).
+3. Rate limiting is disabled [`server`](/ref/atr/server.py).
+4. A hardcoded "test" user bypasses LDAP verification.
+
+If `ALLOW_TESTS` is accidentally left enabled in production, every
authenticated user gains unauthorized access to the test committee and its
resources. This flag is intended for use only in development and test
environments where `DEBUG_MODE` is also set.
## Implementation references
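Review bot: the closing sentence of the new paragraph ("every authenticated user gains unauthorized access to the test committee and its resources") understates what items 3 and 4 in the same list say: rate limiting is disabled for the whole server, not only for the test committee, and the hardcoded "test" user skips LDAP verification entirely, so an instance left with `ALLOW_TESTS` on is reachable without a real identity and unthrottled. Suggest restating the consequence so it covers all four items. Item 4 is also the only item without a code reference; items 1 to 3 link `principal.py`, `release.py` and `server.py`, so point item 4 at where the "test" user is defined. Finally, the paragraph says the flag is meant for environments "where `DEBUG_MODE` is also set"; if the server does not already refuse to start when `ALLOW_TESTS` is set without `DEBUG_MODE`, that startup check is the concrete guard against the "accidentally left enabled in production" case, and the doc should say whether it exists or is expected to be added.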
diff --git a/atr/docs/storage-interface.md b/atr/docs/storage-interface.md
index 2901c6df..e870fe6e 100644
--- a/atr/docs/storage-interface.md
+++ b/atr/docs/storage-interface.md
@@ -26,6 +26,8 @@ The storage interface recognizes several permission levels:
general public (unau
The storage interface does not make it impossible to bypass authorization,
because you can always import `db` directly and write to the database. But it
makes bypassing authorization an explicit choice that requires deliberate
action, and it makes the safer path the easier path. This is a pragmatic
approach to security: we cannot prevent all mistakes, but we can make it harder
to make them accidentally.
+**Note:** When `ALLOW_TESTS` is enabled, authorization checks in the storage
layer are completely skipped for the test committee
[`release`](/ref/atr/storage/writers/release.py). This is an intentional
exception for development and test environments only. See [Authorization
security](authorization-security#test-mode) for the full security implications
of this flag.
+
## How do we read from storage?
Reading from storage is a work in progress. There are some existing methods,
but most of the functionality is currently in `db` or `db.interaction`, and
much work is required to migrate this to the storage interface. We have given
this less priority because reads are generally safe, with the exception of a
few components such as user tokens, which should be given greater migration
priority.
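Review bot: the added note directly follows the paragraph arguing that bypassing authorization through the storage interface is "an explicit choice that requires deliberate action", but a configuration flag is a much weaker form of deliberate action than importing `db` and writing to the database: whoever can set `ALLOW_TESTS` turns off the writer's checks for the test committee without touching code. The note should say so, and it should state what the skip keys on (writes on behalf of the committee named "test") so a reader of storage-interface.md does not have to open `release.py` to learn which writes go unchecked. The note cites only `[release](/ref/atr/storage/writers/release.py)`; if other writers under `atr/storage/writers/` honour the same flag, list them, and if this is the only one, say so explicitly.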
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]