asf-tooling opened a new issue, #1004:
URL: https://github.com/apache/tooling-trusted-releases/issues/1004
**ASVS Level(s):** [L1]
**Description:**
### Summary
No event-driven mechanism exists to automatically revoke credentials (PATs,
SSH keys, sessions) when an account is disabled in LDAP. Manual admin action is
required, with no notification system. SSH keys have no bulk revocation method
at all; they must be deleted individually. PATs can be bulk-revoked manually via
the admin panel, but this is not triggered automatically. Credentials persist
indefinitely in the database after an account is disabled, with a window of
exposure lasting until manual cleanup (up to 72 hours for sessions, 180 days
for PATs, indefinite for SSH keys).
### Details
**Affected Files and Lines:**
- `atr/storage/writers/tokens.py:143-157` - PAT revocation (manual only)
- `atr/storage/writers/ssh.py` - No bulk SSH key revocation method
- `atr/admin/__init__.py:revoke_user_tokens_post()` - Manual revocation UI
The lack of automatic revocation means disabled accounts retain active
credentials until manual intervention, creating a significant security window.
### Recommended Remediation
Implement a three-part solution:
**1. Add SSH key bulk revocation:**
```python
# In atr/storage/writers/ssh.py
def revoke_all_user_ssh_keys(self, asf_uid: str) -> int:
    """Revoke (delete) every SSH key owned by asf_uid; returns the number removed."""
    keys = self.__db_session.query(sql.SSHKey).filter_by(owner_uid=asf_uid).all()
    for key in keys:
        self.__db_session.delete(key)
    # Single commit so a partial failure leaves no keys half-revoked
    self.__db_session.commit()
    return len(keys)
```
**2. Implement event handler:**
```python
def handle_ldap_account_disable(asf_uid: str) -> None:
    """Automatically revoke credentials when an account is disabled."""
    storage.write().tokens.revoke_all_user_tokens(asf_uid)
    storage.write().ssh.revoke_all_user_ssh_keys(asf_uid)
    # Add user to session deny list (requires FINDING-005 fix)
```
**3. Add periodic cleanup task:**
```python
async def periodic_credential_cleanup() -> None:
    """Check for disabled accounts with active credentials every 10 minutes."""
    # Query LDAP for disabled accounts
    # Check for active credentials
    # Revoke as needed
```
Long-term: integrate with LDAP pubsub events (GitHub Issue #872).
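The following is an added example, not code from the atr project, showing the three steps above wired together: bulk revocation per credential class, a single event handler that calls all of them, and an idempotent reconciliation pass that serves as the periodic safety net. It models the PAT, SSH-key and session tables with an in-memory SQLite database; the table and column names, the session deny list, and the set of LDAP-disabled uids passed to `reconcile_disabled_accounts()` are all assumptions made for illustration, and the sample rows in `seed_demo()` are constructed.

```python
"""Added example (not the atr project's own code): event-driven plus periodic
credential revocation. Table/column names, the session deny list and the
disabled-uid set handed to reconcile_disabled_accounts() are assumptions."""
from __future__ import annotations

import sqlite3
import time

SCHEMA = """
CREATE TABLE tokens   (id INTEGER PRIMARY KEY, owner_uid TEXT NOT NULL,
                       revoked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE ssh_keys (id INTEGER PRIMARY KEY, owner_uid TEXT NOT NULL,
                       fingerprint TEXT NOT NULL);
CREATE TABLE sessions (id INTEGER PRIMARY KEY, owner_uid TEXT NOT NULL,
                       expires_at REAL NOT NULL);
CREATE TABLE session_deny_list (owner_uid TEXT PRIMARY KEY, denied_at REAL NOT NULL);
"""


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def revoke_all_user_tokens(db: sqlite3.Connection, asf_uid: str) -> int:
    """Mark every live PAT of asf_uid revoked; returns how many were live."""
    cur = db.execute(
        "UPDATE tokens SET revoked = 1 WHERE owner_uid = ? AND revoked = 0", (asf_uid,))
    db.commit()
    return cur.rowcount


def revoke_all_user_ssh_keys(db: sqlite3.Connection, asf_uid: str) -> int:
    """Delete every SSH key of asf_uid; returns how many were deleted."""
    cur = db.execute("DELETE FROM ssh_keys WHERE owner_uid = ?", (asf_uid,))
    db.commit()
    return cur.rowcount


def deny_user_sessions(db: sqlite3.Connection, asf_uid: str, now: float | None = None) -> int:
    """Drop stored sessions and put the uid on a deny list, so a session cookie a
    client still holds is rejected on its next request instead of at expiry."""
    now = time.time() if now is None else now
    db.execute("INSERT OR REPLACE INTO session_deny_list VALUES (?, ?)", (asf_uid, now))
    cur = db.execute("DELETE FROM sessions WHERE owner_uid = ?", (asf_uid,))
    db.commit()
    return cur.rowcount


def session_allowed(db: sqlite3.Connection, asf_uid: str) -> bool:
    """The check the request path would run on every authenticated request."""
    row = db.execute(
        "SELECT 1 FROM session_deny_list WHERE owner_uid = ?", (asf_uid,)).fetchone()
    return row is None


def handle_ldap_account_disable(db: sqlite3.Connection, asf_uid: str) -> dict[str, int]:
    """Event handler: every credential class is revoked from one place."""
    return {
        "tokens": revoke_all_user_tokens(db, asf_uid),
        "ssh_keys": revoke_all_user_ssh_keys(db, asf_uid),
        "sessions": deny_user_sessions(db, asf_uid),
    }


def uids_with_active_credentials(db: sqlite3.Connection) -> set[str]:
    rows = db.execute(
        "SELECT owner_uid FROM tokens WHERE revoked = 0 "
        "UNION SELECT owner_uid FROM ssh_keys "
        "UNION SELECT owner_uid FROM sessions").fetchall()
    return {r[0] for r in rows}


def reconcile_disabled_accounts(db: sqlite3.Connection,
                                disabled_uids: set[str]) -> dict[str, dict[str, int]]:
    """Periodic safety net for anything the event path missed: revoke for every
    disabled uid that still holds a live credential. Idempotent, so a second
    run with the same input returns an empty dict."""
    results: dict[str, dict[str, int]] = {}
    for uid in sorted(disabled_uids & uids_with_active_credentials(db)):
        results[uid] = handle_ldap_account_disable(db, uid)
    return results


def seed_demo(db: sqlite3.Connection) -> None:
    """Constructed sample data: alice and bob get disabled, carol stays active."""
    db.executemany("INSERT INTO tokens (owner_uid) VALUES (?)",
                   [("alice",), ("alice",), ("bob",), ("carol",)])
    db.executemany("INSERT INTO ssh_keys (owner_uid, fingerprint) VALUES (?, ?)",
                   [("alice", "SHA256:aaaa"), ("carol", "SHA256:cccc")])
    db.executemany("INSERT INTO sessions (owner_uid, expires_at) VALUES (?, ?)",
                   [("alice", time.time() + 3600), ("carol", time.time() + 3600)])
    db.commit()


if __name__ == "__main__":
    store = open_store()
    seed_demo(store)
    print("event:", handle_ldap_account_disable(store, "alice"))       # alice: 2 PATs, 1 key, 1 session
    print("reconcile:", reconcile_disabled_accounts(store, {"alice", "bob"}))  # only bob left to clean up
    print("carol session allowed:", session_allowed(store, "carol"))
```

Two points the skeleton above does not make explicit: the reconciliation pass returns nothing on a second run, which is what lets it be scheduled every few minutes without side effects, and the deny-list check is what closes the session window, since deleting server-side session rows does nothing for a cookie the client already holds until the store is consulted again.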
### Acceptance Criteria
- [ ] SSH key bulk revocation implemented
- [ ] Event handler for account disable
- [ ] Periodic cleanup task added
- [ ] Session deny list integration (requires FINDING-005)
- [ ] Integration test verifies automatic revocation
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.4.2.md
- Related findings: FINDING-006, FINDING-036, FINDING-130
- ASVS sections: 7.4.2
### Priority
High
---
**Triage notes:** related to 007 and session store
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]