asf-tooling opened a new issue, #1086: URL: https://github.com/apache/tooling-trusted-releases/issues/1086
**ASVS Level(s):** L1

**Description:**

### Summary

While authorization rules are well-defined by operation category (releases, tokens, etc.), there is no comprehensive mapping of HTTP endpoints to their specific authorization requirements. This makes it difficult to verify complete authorization coverage during audits, understand authorization requirements when reviewing routes, ensure consistent authorization across similar endpoints, and onboard new developers to the authorization model. Authorization documentation is organized by operation type rather than by HTTP endpoint.

### Details

The file `atr/docs/authorization-matrix.md` does not exist. Authorization documentation is scattered across operation-specific documents, making it difficult to get a complete view of endpoint-level authorization requirements.

### Recommended Remediation

Create `atr/docs/authorization-matrix.md` with a comprehensive mapping of all HTTP endpoints to authentication and authorization requirements. Include sections for:

- Web Endpoints (public, authenticated, admin)
- API Endpoints (token management, release management, trusted publisher operations, public API)
- SSH/Rsync Endpoints

For each endpoint, document:

- HTTP method
- Path
- Authentication requirements
- Authorization checks
- Additional validation
- Rate limits
- Phase restrictions

Include an authorization legend explaining the authorization levels. Document enforcement layers and mechanisms. List known gaps with references to security findings. Generate the authorization matrix as part of the CI/CD pipeline to keep it synchronized with the code.
### Acceptance Criteria

- [ ] Comprehensive authorization matrix created
- [ ] All endpoints documented with authorization requirements
- [ ] CI/CD integration for keeping matrix synchronized
- [ ] Documentation reviewed and approved

### References

- Source reports: L1:8.1.1.md
- Related findings: FINDING-157
- ASVS sections: 8.1.1

### Priority

Low

---

**Triage notes:** very-low

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
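One way to generate the matrix and gate it in CI, as an added example that is not ATR's own code: the endpoint registry below is constructed sample data standing in for the application's real route table, the column set follows the fields listed in the remediation above, and the CI step fails when the committed matrix drifts from the code or when an endpoint has no explicit authorization level.

```python
"""Generate an endpoint authorization matrix and fail CI on drift or coverage gaps."""
from __future__ import annotations

import dataclasses
import pathlib


@dataclasses.dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    auth: str            # authentication requirement, e.g. "none", "session", "token"
    authz: str           # authorization level; empty string means nobody declared one
    validation: str = "-"
    rate_limit: str = "-"
    phase: str = "-"     # release-phase restriction, if any


# Constructed sample registry; a real generator would build this from the app's route table.
ENDPOINTS = [
    Endpoint("GET", "/", "none", "public"),
    Endpoint("GET", "/admin/users", "session", "admin"),
    Endpoint("POST", "/api/tokens", "token", "authenticated", rate_limit="10/min"),
    Endpoint("POST", "/api/releases/<name>/vote", "session", "committer", phase="candidate"),
    Endpoint("DELETE", "/api/releases/<name>", "session", "", validation="release exists"),
]

HEADER = "| Method | Path | Authentication | Authorization | Validation | Rate limit | Phase |"


def render_matrix(endpoints: list[Endpoint]) -> str:
    """Render the matrix as a Markdown table, flagging endpoints without an authorization level."""
    rows = [HEADER, "|" + "---|" * 7]
    for e in sorted(endpoints, key=lambda e: (e.path, e.method)):
        authz = e.authz or "**UNDOCUMENTED**"
        rows.append(f"| {e.method} | {e.path} | {e.auth} | {authz} | {e.validation} | {e.rate_limit} | {e.phase} |")
    return "\n".join(rows) + "\n"


def find_gaps(endpoints: list[Endpoint]) -> list[str]:
    """Endpoints with no explicit authorization level: the coverage gaps an audit wants listed."""
    return [f"{e.method} {e.path}" for e in endpoints if not e.authz]


def check_drift(endpoints: list[Endpoint], committed: str) -> bool:
    """True when the committed matrix matches what the code currently generates."""
    return render_matrix(endpoints) == committed


def main(matrix_path: pathlib.Path = pathlib.Path("atr/docs/authorization-matrix.md")) -> int:
    committed = matrix_path.read_text() if matrix_path.exists() else ""
    for gap in find_gaps(ENDPOINTS):
        print(f"gap: {gap} has no authorization level")
    if not check_drift(ENDPOINTS, committed):
        print("authorization matrix is out of date; regenerate and commit it")
        return 1
    return 1 if find_gaps(ENDPOINTS) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```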
