alitheg commented on code in PR #922:
URL:
https://github.com/apache/tooling-trusted-releases/pull/922#discussion_r2963374307
##########
atr/ssh.py:
##########
@@ -154,10 +162,23 @@ async def validate_public_key(self, username: str, key:
asyncssh.SSHKey) -> bool
if workflow_key is None:
return False
+ if workflow_key.revoked:
+ log.failed_authentication("workflow_key_revoked")
+ return False
+
# In some cases this will be a service account
self._github_asf_uid = workflow_key.asf_uid
log.set_asf_uid(self._github_asf_uid)
+ try:
+ account = await ldap.account_lookup(self._github_asf_uid)
+ if account is None or ldap.is_banned(account):
+ log.failed_authentication("account_banned_or_deleted")
Review Comment:
Oh actually, here it is
##########
atr/ssh.py:
##########
@@ -154,10 +162,23 @@ async def validate_public_key(self, username: str, key:
asyncssh.SSHKey) -> bool
if workflow_key is None:
return False
+ if workflow_key.revoked:
+ log.failed_authentication("workflow_key_revoked")
+ return False
+
# In some cases this will be a service account
self._github_asf_uid = workflow_key.asf_uid
log.set_asf_uid(self._github_asf_uid)
+ try:
+ account = await ldap.account_lookup(self._github_asf_uid)
+ if account is None or ldap.is_banned(account):
+ log.failed_authentication("account_banned_or_deleted")
Review Comment:
So I'd do the same set of the uid and log like this too
##########
atr/ssh.py:
##########
@@ -101,7 +102,14 @@ async def begin_auth(self, username: str) -> bool:
if username == "github":
log.info("GitHub authentication will use validate_public_key")
return True
-
+ try:
+ account = await ldap.account_lookup(username)
+ if account is None or ldap.is_banned(account):
Review Comment:
I can't think where but there's a pattern somewhere for recording failed
authentications. It's worth grabbing the asfuid if there was a match (ie. If
they're banned) and setting it in the log context, that way we see in the logs
who tried and failed to authenticate. Then I think it's a log warning plus
something else. I'll find it tomorrow if you can't!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
