[security] tool_security.py fails closed on auth errors, locking out admins #675

New issue

Closed

opened 2026-06-02 23:41:14 +02:00 by sleepy · 1 comment

sleepy commented

2026-06-02 23:41:14 +02:00

Owner

Security: tool_security.py fails closed on auth errors

File: `src/tool_security.py`

The owner_is_admin_or_single_user() function (line 56-67):

def owner_is_admin_or_single_user(owner: Optional[str]) -> bool:
    try:
        from core.auth import AuthManager
        auth = AuthManager()
        if not auth.is_configured:
            return True
        return bool(owner and auth.is_admin(owner))
    except Exception as exc:
        logger.warning("Unable to evaluate owner admin status: %s", exc)
        return False

Issue

When AuthManager() instantiation fails or is_admin() throws, the function returns False
This means any auth system error blocks all non-trivial tool access for every user including admins
A transient database error, import failure, or misconfiguration would lock out even admin users from bash, python, file operations, email, calendar, etc.
The except Exception is too broad — it catches ImportError, AttributeError, configuration errors, DB connection failures

Suggested fix

Distinguish between "auth checked and user is not admin" vs. "auth check failed unexpectedly"
On unexpected errors, either:
- Log the error and allow access (fail-open for availability), or
- Return a tri-state (admin / not-admin / unknown) and let callers decide based on context
Narrow the exception catch to specific expected failures

## Security: tool_security.py fails closed on auth errors ### File: `src/tool_security.py` The `owner_is_admin_or_single_user()` function (line 56-67): ```python def owner_is_admin_or_single_user(owner: Optional[str]) -> bool: try: from core.auth import AuthManager auth = AuthManager() if not auth.is_configured: return True return bool(owner and auth.is_admin(owner)) except Exception as exc: logger.warning("Unable to evaluate owner admin status: %s", exc) return False ``` ### Issue - When `AuthManager()` instantiation fails or `is_admin()` throws, the function returns `False` - This means **any auth system error blocks all non-trivial tool access** for every user including admins - A transient database error, import failure, or misconfiguration would lock out even admin users from bash, python, file operations, email, calendar, etc. - The `except Exception` is too broad — it catches `ImportError`, `AttributeError`, configuration errors, DB connection failures ### Suggested fix - Distinguish between "auth checked and user is not admin" vs. "auth check failed unexpectedly" - On unexpected errors, either: - Log the error and **allow** access (fail-open for availability), or - Return a tri-state (admin / not-admin / unknown) and let callers decide based on context - Narrow the exception catch to specific expected failures

sleepy added the

bug

label

2026-06-02 23:41:14 +02:00

sleepy referenced this issue from a commit

2026-06-04 02:18:48 +02:00

[security] Fix tool_security fail-closed on auth errors (#675)

sleepy closed this issue

2026-06-04 02:19:55 +02:00

sleepy commented

2026-06-04 02:19:59 +02:00

Author