sbp commented on code in PR #922:
URL:
https://github.com/apache/tooling-trusted-releases/pull/922#discussion_r2976387377
##########
atr/ssh.py:
##########
@@ -101,7 +102,14 @@ async def begin_auth(self, username: str) -> bool:
if username == "github":
log.info("GitHub authentication will use validate_public_key")
return True
-
+ try:
+ account = await ldap.account_lookup(username)
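Review bot: The `try:` opened before `account = await ldap.account_lookup(username)` puts a directory lookup into `begin_auth`, which runs before the client has proven anything, and its handler is not visible in this excerpt. Whatever the handler catches, the failure path must end in a refused login with the username and exception logged, rather than continuing to key validation, so that an LDAP outage cannot weaken authentication. Since `username` comes straight from the SSH client, please also confirm that `account_lookup` validates or escapes it before building the LDAP filter, and that the call is bounded by a timeout so slow lookups cannot stall new connections.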
Review Comment:
We also return `None` when LDAP isn't configured, which will be the case for
external contributors and in CI. Won't this new code break those environments,
therefore?
##########
atr/admin/__init__.py:
##########
@@ -895,6 +900,85 @@ async def revoke_user_tokens_post(
return await session.redirect(revoke_user_tokens_get)
[email protected]
+async def revoke_user_ssh_keys_get(
+ _session: web.Committer, _revoke_user_ssh_keys:
Literal["revoke-user-ssh-keys"]
+) -> str:
+ """
+ URL: GET /revoke-user-ssh-keys
+
+ Revoke all SSH keys for a specified user.
+ """
+ via = sql.validate_instrumented_attribute
+ ssh_key_counts: list[tuple[str, int]] = []
+ workflow_key_counts: list[tuple[str, int]] = []
+ async with db.session() as data:
+ ssh_stmt = (
+ sqlmodel.select(
+ sql.SSHKey.asf_uid,
+ sqlmodel.func.count(),
+ )
+ .group_by(sql.SSHKey.asf_uid)
+ .order_by(sql.SSHKey.asf_uid)
+ )
+ ssh_rows = await data.execute_query(ssh_stmt)
+ ssh_key_counts = [(row[0], row[1]) for row in ssh_rows]
+
+ workflow_stmt = (
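Review bot: The docstring on `revoke_user_ssh_keys_get` says "Revoke all SSH keys for a specified user", but the visible body of this GET handler only counts keys per `asf_uid`. Reword it to say that it renders the revocation form with per-user key counts, and make sure the deletion itself happens only in the corresponding POST handler so that a GET never changes state. A smaller point in the same hunk: the `ssh_key_counts: list[tuple[str, int]] = []` initialiser is overwritten unconditionally inside `async with db.session() as data:`, so it can be dropped.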
Review Comment:
I don't think we delete workflow SSH keys when they expire, only when a
release is deleted, so this would pick up keys which have expired anyway. We
should probably add `expires > now` to this query.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.