asf-tooling opened a new issue, #1026:
URL: https://github.com/apache/tooling-trusted-releases/issues/1026
**ASVS Level(s):** [L1]
**Description:**
### Summary
The `is_active()` function in `atr/ldap.py` fails open (returns True) when
LDAP bind credentials are not configured or invalid. This is a fail-open
misconfiguration vulnerability where all account status checks are silently
bypassed with no errors or alerts. Banned/disabled users gain full access
during LDAP misconfiguration, credential rotation issues, or LDAP server
unavailability. This affects all authentication paths that rely on
`ldap.is_active()` including web, JWT, and (if fixed) SSH authentication.
### Details
Affected locations:
- `atr/ldap.py` lines 219-226: is_active() fails open
- `atr/ldap.py` get_bind_credentials(): Returns None when unconfigured
The function returns True when LDAP credentials are missing, treating
misconfiguration as "all users active" instead of "cannot verify status".
### Recommended Remediation
Modify `is_active()` to fail closed in production mode:
```python
# Names used below (get_bind_credentials, is_production_mode, _check_ldap_active,
# log, LDAPError, ASFQuartException) are the module's existing helpers and imports.
def is_active(username: str) -> bool:
    """Check if LDAP account is active. Fail closed in production."""
    credentials = get_bind_credentials()
    if credentials is None:
        # LDAP unconfigured
        if is_production_mode():
            # Fail closed in production
            raise ASFQuartException(
                "LDAP not configured. Cannot verify account status.",
                status=503,
            )
        else:
            # Allow in debug mode with warning
            log.warning("ldap_unconfigured_allowing_access", extra={"username": username})
            return True
    # Normal LDAP check
    try:
        return _check_ldap_active(username, credentials)
    except LDAPError as e:
        if is_production_mode():
            raise ASFQuartException(
                "LDAP service unavailable. Cannot verify account status.",
                status=503,
            ) from e
        else:
            # Allow in debug mode, but record why the check could not complete
            log.warning(
                "ldap_unavailable_allowing_access",
                extra={"username": username, "error": str(e)},
            )
            return True
```
Add a `validate_ldap_configuration()` startup check that prevents the application
from starting if LDAP is unconfigured in production.
Implement `check_ldap_health()` monitoring endpoint to alert on LDAP
connectivity issues.
Behavior by mode:
- Production: Fail closed with 503 error
- Debug: Allow with warning log
- Test: Check ALLOW_TESTS flag
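The fail-open behaviour described in the summary, beside a fail-closed version that follows the mode table above, as an added, self-contained example (not the project's `atr/ldap.py` code). `directory_check`, `DIRECTORY`, `GOOD_CREDS` and the exception classes are constructed stand-ins for the LDAP server, its credentials and `ASFQuartException`; the reading of the test-mode row (allow only when ALLOW_TESTS is set) is an assumption.

```python
import logging
from dataclasses import dataclass
from typing import Optional
log = logging.getLogger("atr.ldap.example")

class LDAPUnavailable(Exception):
    """Constructed stand-in for the LDAP library's bind/connection error."""
class ServiceUnavailable(Exception):
    """Constructed stand-in for ASFQuartException(..., status=503)."""
    status = 503
@dataclass
class Config:
    mode: str                                   # "production", "debug" or "test"
    bind_credentials: Optional[tuple[str, str]] # None: get_bind_credentials() found nothing
    allow_tests: bool = False                   # the issue's ALLOW_TESTS flag

DIRECTORY = {"alice": True, "mallory": False}   # constructed stand-in for the LDAP directory
GOOD_CREDS = ("uid=atr,ou=services", "s3cret")  # constructed bind credentials

def directory_check(username: str, creds: tuple[str, str]) -> bool:
    if creds != GOOD_CREDS:  # a rotated or wrong bind password surfaces as an LDAP error
        raise LDAPUnavailable("invalid bind credentials")
    return DIRECTORY.get(username, False)

def is_active_fail_open(username: str, cfg: Config) -> bool:
    """The reported behaviour: 'cannot verify' is silently treated as 'active'."""
    if cfg.bind_credentials is None:
        return True
    return directory_check(username, cfg.bind_credentials)

def _may_allow_unverified(cfg: Config) -> bool:
    # Assumed reading of the issue's mode table: production never, debug always, test only with ALLOW_TESTS.
    if cfg.mode == "production":
        return False
    return cfg.allow_tests if cfg.mode == "test" else True

def is_active_fail_closed(username: str, cfg: Config) -> bool:
    """Fail closed: an unverifiable status becomes a 503, never a pass."""
    if cfg.bind_credentials is None:
        if not _may_allow_unverified(cfg):
            raise ServiceUnavailable("LDAP not configured. Cannot verify account status.")
        log.warning("ldap_unconfigured_allowing_access", extra={"username": username})
        return True
    try:
        return directory_check(username, cfg.bind_credentials)
    except LDAPUnavailable as exc:
        if not _may_allow_unverified(cfg):
            raise ServiceUnavailable("LDAP service unavailable. Cannot verify account status.") from exc
        log.warning("ldap_unavailable_allowing_access", extra={"username": username})
        return True
```

With `Config("production", None)` the fail-open version returns True for the disabled account `mallory`, while the fail-closed version raises the 503; with correct credentials both return the directory's real status.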
### Acceptance Criteria
- [ ] is_active() fails closed when LDAP is unconfigured in production
- [ ] Startup check prevents running without LDAP in production
- [ ] Debug mode allows with warnings
- [ ] Monitoring endpoint exists for LDAP health
- [ ] Test cases verify fail-closed behavior
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.4.2.md
- Related findings: FINDING-006, FINDING-007
- ASVS sections: 7.4.2
### Priority
Medium
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/951
---
**Triage notes:** related to
https://github.com/apache/tooling-trusted-releases/issues/951
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.