This is an automated email from the ASF dual-hosted git repository.
arm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 9e18e43e #725 - make sure failures are logged from PAT failure and
they include the user
9e18e43e is described below
commit 9e18e43ead443a25b81e7645a32ec47cb675a8ec
Author: Alastair McFarlane <[email protected]>
AuthorDate: Mon Feb 23 16:33:50 2026 +0000
#725 - make sure failures are logged from PAT failure and they include the
user
---
atr/api/__init__.py | 3 +--
atr/storage/writers/tokens.py | 13 +++++++++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/atr/api/__init__.py b/atr/api/__init__.py
index a582cffc..7929bddc 100644
--- a/atr/api/__init__.py
+++ b/atr/api/__init__.py
@@ -435,12 +435,11 @@ async def jwt_create(data: models.api.JwtCreateArgs) ->
DictResponse:
# Expects {"asfuid": "uid", "pat": "pat-token"}
# Returns {"asfuid": "uid", "jwt": "jwt-token"}
asf_uid = data.asfuid
+ log.add_context(user_id=asf_uid)
async with storage.write(asf_uid) as write:
wafc = write.as_foundation_committer()
jwt = await wafc.tokens.issue_jwt(data.pat)
- log.add_context(user_id=asf_uid)
-
return models.api.JwtCreateResults(
endpoint="/jwt/create",
asfuid=data.asfuid,
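Review bot: `log.add_context(user_id=asf_uid)` now runs before the PAT is checked, so on the failure path `user_id` holds the caller-supplied `data.asfuid` rather than an authenticated identity. That is what makes failed attempts attributable, but anyone reading or alerting on these records should know the field is unverified there. A comment such as `# user_id is the claimed asfuid from the request body; not authenticated until issue_jwt succeeds` would make that explicit. If `JwtCreateArgs` does not constrain the format of `asfuid` (not visible in this hunk), also confirm that the logger escapes control characters in context values. The body of `jwt_create` continues past the end of the hunk.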
diff --git a/atr/storage/writers/tokens.py b/atr/storage/writers/tokens.py
index bf412286..d700dee5 100644
--- a/atr/storage/writers/tokens.py
+++ b/atr/storage/writers/tokens.py
@@ -27,6 +27,7 @@ import sqlmodel
import atr.db as db
import atr.jwtoken as jwtoken
import atr.ldap as ldap
+import atr.log as log
import atr.mail as mail
import atr.models.sql as sql
import atr.storage as storage
@@ -116,11 +117,23 @@ class FoundationCommitter(GeneralPublic):
)
)
if (pat is None) or (pat.expires <
datetime.datetime.now(datetime.UTC)):
+ log.warning(
+ "Authentication failed",
+ extra={
+ "reason": "invalid_or_expired_pat",
+ },
+ )
raise storage.AccessError("Authentication failed")
# Verify account still exists in LDAP
account_details = await ldap.account_lookup(self.__asf_uid)
if (account_details is None) or ldap.is_banned(account_details):
+ log.warning(
+ "Authentication failed",
+ extra={
+ "reason": "account_deleted_or_banned",
+ },
+ )
raise storage.AccessError("Authentication failed")
issued_jwt = jwtoken.issue(self.__asf_uid)
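Review bot: Neither new `log.warning` call puts `self.__asf_uid` into the record; the user only appears if the caller has already bound it to the log context, as `jwt_create` now does. Any other path into this method would log an authentication failure with no user, so consider passing it explicitly, e.g. `extra={"reason": "invalid_or_expired_pat", "asf_uid": self.__asf_uid}`, assuming `atr.log` merges `extra` with the bound context without key clashes. Separately, the first reason folds "no such PAT" and "expired PAT" together. Splitting them with something like `"pat_not_found" if pat is None else "pat_expired"` would let detection tell token guessing from stale tokens, while the raised `AccessError` message stays generic. The enclosing method starts and ends outside the hunk.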