asf-tooling opened a new issue, #1113:
URL: https://github.com/apache/tooling-trusted-releases/issues/1113
**ASVS Level(s):** L1
**Description:**
### Summary
PAT creation (`add_token()` in `atr/storage/writers/tokens.py:48-71`) sends
an email notification to the user but does not write an entry to the audit log.
This creates an inconsistency with PAT deletion and JWT issuance operations,
which are properly audit-logged using `append_to_audit_log()`. While email
notification provides a user-level audit trail, the audit log should contain
complete PAT lifecycle events for forensic purposes.
### Details
Token deletion properly calls `append_to_audit_log()` with
action='token_deleted', but token creation only sends email without audit
logging. This creates an incomplete audit trail for PAT lifecycle management.
### Recommended Remediation
Add audit logging to match deletion behavior. After
`await self.__data.commit()` and before sending email, add:
```python
# Placed after `await self.__data.commit()` and before the notification
# email is sent, so the audit record exists even if email delivery fails.
self.__write_as.append_to_audit_log(
    asf_uid=self.__asf_uid,
    token_id=pat.id,
    action='token_created',
    label=label,
    expires=expires.isoformat(),
)
```
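The remediation above, worked through as an added example that is not code from the tooling-trusted-releases project: a minimal in-memory model in which PAT creation, like deletion, appends an audit entry between the commit and the email notification. The `AuditLog`, `TokenWriter`, `demo()` names, the `outbox` email sink and the sample user and label are hypothetical stand-ins constructed for illustration, not the project's real storage API.

```python
"""Added example (not the project's own code): PAT creation and deletion
both recorded in one append-only audit log, so the lifecycle of a token
can be reconstructed from the log alone.

AuditLog, TokenWriter and the email outbox are constructed stand-ins for
the project's storage layer; the ids, uid and label are sample values.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass


@dataclass
class AuditEntry:
    asf_uid: str
    token_id: int
    action: str
    details: dict[str, str]


@dataclass
class Token:
    id: int
    asf_uid: str
    label: str
    expires: dt.datetime


class AuditLog:
    """Append-only record of token lifecycle events (hypothetical)."""

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def append(self, asf_uid: str, token_id: int, action: str, **details: str) -> None:
        self.entries.append(AuditEntry(asf_uid, token_id, action, dict(details)))

    def for_token(self, token_id: int) -> list[AuditEntry]:
        return [e for e in self.entries if e.token_id == token_id]


class TokenWriter:
    """Hypothetical stand-in for the project's token writer."""

    def __init__(self, asf_uid: str, audit: AuditLog, outbox: list[str]) -> None:
        self.asf_uid = asf_uid
        self.audit = audit
        self.outbox = outbox          # constructed email sink
        self.tokens: dict[int, Token] = {}
        self._next_id = 1

    def add_token(self, label: str, expires: dt.datetime) -> Token:
        pat = Token(self._next_id, self.asf_uid, label, expires)
        self._next_id += 1
        self.tokens[pat.id] = pat     # stands in for the database commit
        # Audit first, then notify: the forensic record must not depend on
        # whether the email is delivered.
        self.audit.append(self.asf_uid, pat.id, "token_created",
                          label=label, expires=expires.isoformat())
        self.outbox.append(f"to={self.asf_uid}: new PAT '{label}' created")
        return pat

    def delete_token(self, token_id: int) -> bool:
        pat = self.tokens.pop(token_id, None)
        if pat is None:
            return False
        self.audit.append(self.asf_uid, pat.id, "token_deleted", label=pat.label)
        return True


def lifecycle_actions(audit: AuditLog, token_id: int) -> list[str]:
    """Actions recorded for one token, in order; a complete PAT lifecycle
    reads ["token_created", "token_deleted"]."""
    return [e.action for e in audit.for_token(token_id)]


def demo() -> tuple[list[str], dict[str, str], int]:
    """Create and then delete one PAT; return the recorded actions, the
    metadata on the creation entry, and how many emails were sent."""
    audit = AuditLog()
    outbox: list[str] = []
    writer = TokenWriter("example-user", audit, outbox)   # constructed uid
    expires = dt.datetime(2026, 1, 1, tzinfo=dt.timezone.utc)
    pat = writer.add_token("ci-deploy", expires)          # constructed label
    writer.delete_token(pat.id)
    created = audit.for_token(pat.id)[0]
    return lifecycle_actions(audit, pat.id), created.details, len(outbox)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both lifecycle events for the token in the audit log with the creation entry carrying the label and expiry, while only one email was sent; a unit test for the acceptance criteria can assert on exactly that, independent of the mail path.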
### Acceptance Criteria
- [ ] PAT creation logged to audit log
- [ ] Audit log entry includes all relevant metadata
- [ ] Consistent with PAT deletion logging
- [ ] Unit tests verify audit logging
### References
- Source reports: L1:7.2.2.md
- Related findings: FINDING-134, FINDING-136
- ASVS sections: 7.2.2
### Priority
Low
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]