andrewmusselman opened a new issue, #538:
URL: https://github.com/apache/tooling-trusted-releases/issues/538

   ## Summary
   
   Specific user IDs are hardcoded to bypass the LDAP-based authorization check for the "tooling" committee, creating an audit gap and violating the principle of least privilege.
   
   ## ASVS Requirements
   
   - 8.2.2 - Vertical access control
   
   ## Related Audit Reports
   
   - [Internal Access #402](ASVS/internal-access-402.md) - Section 3.1
   - [Basic Access #404](ASVS/basic-access-404.md) - Issue 8.2.2-2
   - [Documentation #408](ASVS/documentation-408.md) - Issue 3.2
   
   ## Affected Files
   
   - `atr/principal.py:398-402`
   
   ## Current Behavior
   
   ```python
   def is_member_of(self, committee_name: str) -> bool:
       # TODO: This is a workaround for a bug
       if self.__asf_uid in {"sbp", "tn", "wave"}:
           if committee_name == "tooling":
               return True  # BYPASSES LDAP CHECK
       # ... rest of authorization logic
   ```
   
   ## Risk
   
   - Users bypass proper authorization verification
   - No audit trail for bypassed access
   - If any of these accounts is compromised, the attacker gains immediate access
   - Changes require code deployment
   
   ## Recommended Fix
   
   1. Fix the underlying LDAP query issue
   2. Remove the hardcoded workaround
   3. Add proper logging for authorization decisions
   
   ```python
   def is_member_of(self, committee_name: str) -> bool:
       if self.__asf_uid is None:
           return False
       return self.__authoriser.is_member_of(self.__asf_uid, committee_name)
   ```
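The three steps above, carried through as an added example (not code from tooling-trusted-releases): the membership check defers to the group directory for every uid, with no hardcoded exceptions, and every allow/deny decision is written to an audit logger. `StaticGroupAuthoriser` is an assumed in-memory stand-in for the project's LDAP-backed authoriser, and the uids and group contents in `demo()` are constructed sample data.

```python
"""Added example, not project code: directory-backed membership check with
an audit trail for each authorization decision."""
from __future__ import annotations

import logging
from typing import Protocol


class Authoriser(Protocol):
    """Assumed interface of the LDAP-backed authoriser."""

    def is_member_of(self, asf_uid: str, committee_name: str) -> bool: ...


class StaticGroupAuthoriser:
    """In-memory stand-in for an LDAP group lookup (assumption, not the project's class)."""

    def __init__(self, groups: dict[str, set[str]]) -> None:
        self._groups = groups

    def is_member_of(self, asf_uid: str, committee_name: str) -> bool:
        return asf_uid in self._groups.get(committee_name, set())


class AuditHandler(logging.Handler):
    """Collects authorization decisions so they can be inspected or shipped elsewhere."""

    def __init__(self) -> None:
        super().__init__()
        self.entries: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.entries.append(record.getMessage())


audit = logging.getLogger("atr.authz")
audit.setLevel(logging.INFO)
audit_handler = AuditHandler()
audit.addHandler(audit_handler)


class Principal:
    def __init__(self, asf_uid: str | None, authoriser: Authoriser) -> None:
        self.__asf_uid = asf_uid
        self.__authoriser = authoriser

    def is_member_of(self, committee_name: str) -> bool:
        # No hardcoded exceptions: every uid, including former workaround
        # accounts, is resolved through the directory and logged.
        if self.__asf_uid is None:
            audit.info("deny uid=<anonymous> committee=%s reason=no-uid", committee_name)
            return False
        allowed = self.__authoriser.is_member_of(self.__asf_uid, committee_name)
        audit.info(
            "%s uid=%s committee=%s reason=directory",
            "allow" if allowed else "deny",
            self.__asf_uid,
            committee_name,
        )
        return allowed


def demo() -> dict[str, bool]:
    """Check a directory member, a uid that used to be hardcoded, and an anonymous caller."""
    directory = StaticGroupAuthoriser({"tooling": {"alice"}})  # constructed sample group
    return {
        "alice": Principal("alice", directory).is_member_of("tooling"),
        "sbp": Principal("sbp", directory).is_member_of("tooling"),  # not in the group: denied
        "anonymous": Principal(None, directory).is_member_of("tooling"),
    }


if __name__ == "__main__":
    print(demo())
    for line in audit_handler.entries:
        print(line)
```

Because the decision and its reason are logged on both branches, removing a uid from the LDAP group takes effect without a deployment, and a later review can reconstruct who was granted access to which committee and why.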
   
   ## Acceptance Criteria
   
   - [ ] Hardcoded bypass removed from `principal.py`
   - [ ] Underlying LDAP issue identified and fixed
   - [ ] Users added to appropriate LDAP groups
   - [ ] Authorization logging added


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
