This is an automated email from the ASF dual-hosted git repository.

arm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new 9b0d1db  #598 - Check for account ban before issuing JWT
9b0d1db is described below

commit 9b0d1dbb65c9f4710b274be5762346b04270eebf
Author: Alastair McFarlane <[email protected]>
AuthorDate: Wed Jan 28 15:28:16 2026 +0000

    #598 - Check for account ban before issuing JWT
---
 atr/ldap.py                   | 9 +++++++++
 atr/storage/writers/tokens.py | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/atr/ldap.py b/atr/ldap.py
index f374246..039f6f1 100644
--- a/atr/ldap.py
+++ b/atr/ldap.py
@@ -183,6 +183,15 @@ async def github_to_apache(github_numeric_uid: int) -> str:
     return ldap_uid_val[0] if isinstance(ldap_uid_val, list) else ldap_uid_val
 
 
+def is_banned(account: dict[str, str | list[str]]) -> bool:
+    banned_attr = account.get("asf-banned", "no")
+    # This is mostly for the type checker, but since asf-banned is missing from non-banned accounts,
+    # it should be safe to say if it has any value then the account is banned.
+    if not isinstance(banned_attr, str):
+        return True
+    return banned_attr.lower() == "yes"
+
+
 def parse_dn(dn_string: str) -> dict[str, list[str]]:
     parsed = collections.defaultdict(list)
     parts = dn.parse_dn(dn_string)
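Review bot: The string branch of `is_banned` fails open and contradicts the comment above it: the comment says any value in `asf-banned` means banned, yet a string other than "yes" (trailing whitespace, a different truthy spelling) returns False and the caller then issues a JWT. Since this gates token issuance, I would treat anything except an explicit "no" as banned, e.g. `return banned_attr.strip().lower() != "no"`. Which values the directory actually stores is not visible in this hunk, so this should be confirmed against the LDAP schema. The function also has no docstring; `"""Return True if the LDAP account record marks the account as banned; non-string values are treated as banned."""` would record the intent.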
diff --git a/atr/storage/writers/tokens.py b/atr/storage/writers/tokens.py
index c72cd8e..1c875f5 100644
--- a/atr/storage/writers/tokens.py
+++ b/atr/storage/writers/tokens.py
@@ -120,7 +120,7 @@ class FoundationCommitter(GeneralPublic):
 
         # Verify account still exists in LDAP
         account_details = await ldap.account_lookup(self.__asf_uid)
-        if account_details is None:
+        if account_details is None or ldap.is_banned(account_details):
             raise storage.AccessError("Authentication failed")
 
         issued_jwt = jwtoken.issue(self.__asf_uid)
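Review bot: The comment `# Verify account still exists in LDAP` above the changed condition is now stale, since the branch also rejects banned accounts; I would make it `# Verify account still exists in LDAP and is not banned`. The check runs only when a JWT is issued, so this hunk does not show whether a token issued before the ban keeps working until it expires; it is worth confirming that the verification path also consults `ldap.is_banned` or that token lifetime is short. Both failures raise the same generic `AccessError`, which is right for the caller, but a server-side log line that distinguishes a missing account from a banned one would help auditing. The enclosing method starts and ends outside the hunk.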

