andrewmusselman opened a new issue, #737: URL: https://github.com/apache/tooling-trusted-releases/issues/737
**ASVS References:** 7.4.2 **Findings:** 7.4.2-06, 7.4.1-LOW-001 ### Description When a user account is disabled in LDAP, their SSH keys (both persistent user SSH keys and ephemeral workflow SSH keys) are **not** automatically invalidated. The SSH authentication flow in `atr/ssh.py` validates key existence and expiration but does not check account status. Additionally, workflow SSH keys (20-minute TTL) lack a mechanism for immediate revocation before their expiration time — there is no `revoked` field on the `WorkflowSSHKey` model. *Note: PAT invalidation on account disable is tracked separately in #598.* ### Affected Files - `atr/ssh.py` — `begin_auth()` and `validate_public_key()` don't check account status - `atr/storage/writers/ssh.py` — Only single-key deletion exists; no bulk delete for disabled users - `atr/models/sql.py` — `WorkflowSSHKey` model lacks a `revoked` field ### Recommendation 1. Add an account status check (LDAP `is_banned()`) to the SSH authentication flow. 2. Add a `delete_all_user_keys(asf_uid)` method for bulk invalidation on account disable. 3. Add a `revoked` boolean field to `WorkflowSSHKey` and check it during validation. 4. Follow similar pattern to PAT deletion in admin top nav, add page -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
