Arize-ai
diff --git a/‎scripts/ci/test_helm.py‎
Lines changed: 13 additions & 5 deletions b/‎scripts/ci/test_helm.py‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎src/phoenix/config.py‎
Lines changed: 19 additions & 7 deletions b/‎src/phoenix/config.py‎
Lines changed: 19 additions & 7 deletions
diff --git a/‎src/phoenix/db/models.py‎
Lines changed: 3 additions & 3 deletions b/‎src/phoenix/db/models.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/phoenix/server/api/routers/auth.py‎
Lines changed: 80 additions & 71 deletions b/‎src/phoenix/server/api/routers/auth.py‎
Lines changed: 80 additions & 71 deletions
@@ -2388,7 +2388,9 @@ def get_test_suite() -> list[TestCase]:
             all_of(
                 LDAPValidators.ldap_enabled(),
                 ConfigMapValidators.configmap_has_key("PHOENIX_LDAP_HOST", "ldap.corp.com"),
-                ConfigMapValidators.configmap_has_key("PHOENIX_LDAP_USER_SEARCH_BASE", "OU=Users,DC=corp,DC=com"),
+                ConfigMapValidators.configmap_has_key(
+                    "PHOENIX_LDAP_USER_SEARCH_BASE", "OU=Users,DC=corp,DC=com"
+                ),
             ),
         ),
         TestCase(
@@ -2409,7 +2411,9 @@ def get_test_suite() -> list[TestCase]:
             '--set auth.ldap.enabled=true --set auth.ldap.host=ldap.corp.com --set-string "auth.ldap.userSearchBase=OU=Users\\,DC=corp\\,DC=com" --set-string "auth.ldap.bindDn=CN=svc-phoenix\\,OU=Service Accounts\\,DC=corp\\,DC=com" --set auth.ldap.bindPassword=secret123',
             all_of(
                 LDAPValidators.ldap_enabled(),
-                LDAPValidators.ldap_bind_config("CN=svc-phoenix,OU=Service Accounts,DC=corp,DC=com"),
+                LDAPValidators.ldap_bind_config(
+                    "CN=svc-phoenix,OU=Service Accounts,DC=corp,DC=com"
+                ),
                 LDAPValidators.ldap_bind_password_in_secret(),
             ),
         ),
@@ -2449,10 +2453,12 @@ def get_test_suite() -> list[TestCase]:
         ),
         TestCase(
             "LDAP with group role mappings",
-            '--set auth.ldap.enabled=true --set auth.ldap.host=ldap.corp.com --set-string "auth.ldap.userSearchBase=OU=Users\\,DC=corp\\,DC=com" --set-string "auth.ldap.groupRoleMappings=[{\\\"group_dn\\\":\\\"CN=Admins\\,DC=corp\\,DC=com\\\"\\,\\\"role\\\":\\\"ADMIN\\\"}]"',
+            '--set auth.ldap.enabled=true --set auth.ldap.host=ldap.corp.com --set-string "auth.ldap.userSearchBase=OU=Users\\,DC=corp\\,DC=com" --set-string "auth.ldap.groupRoleMappings=[{\\"group_dn\\":\\"CN=Admins\\,DC=corp\\,DC=com\\"\\,\\"role\\":\\"ADMIN\\"}]"',
             all_of(
                 LDAPValidators.ldap_enabled(),
-                LDAPValidators.ldap_group_role_mappings('[{"group_dn":"CN=Admins,DC=corp,DC=com","role":"ADMIN"}]'),
+                LDAPValidators.ldap_group_role_mappings(
+                    '[{"group_dn":"CN=Admins,DC=corp,DC=com","role":"ADMIN"}]'
+                ),
             ),
         ),
         TestCase(
@@ -2510,7 +2516,9 @@ def get_test_suite() -> list[TestCase]:
             '--set auth.ldap.enabled=true --set-string "auth.ldap.host=dc1.corp.com\\,dc2.corp.com\\,dc3.corp.com" --set-string "auth.ldap.userSearchBase=OU=Users\\,DC=corp\\,DC=com"',
             all_of(
                 LDAPValidators.ldap_enabled(),
-                ConfigMapValidators.configmap_has_key("PHOENIX_LDAP_HOST", "dc1.corp.com,dc2.corp.com,dc3.corp.com"),
+                ConfigMapValidators.configmap_has_key(
+                    "PHOENIX_LDAP_HOST", "dc1.corp.com,dc2.corp.com,dc3.corp.com"
+                ),
             ),
         ),
         # Ingress
 
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import json
 import logging
 import os
 import re
@@ -1588,11 +1589,6 @@ def from_env(cls) -> Optional["LDAPConfig"]:
             ValueError: If configuration is invalid
             json.JSONDecodeError: If GROUP_ROLE_MAPPINGS is not valid JSON
         """
-        import json
-        import logging
-
-        logger = logging.getLogger(__name__)
-
         host = getenv(ENV_PHOENIX_LDAP_HOST)
         if not host:
             return None
@@ -1639,6 +1635,16 @@ def from_env(cls) -> Optional["LDAPConfig"]:
                     f"Got: '{mapping['role']}'"
                 )
 
+        # Require at least one role mapping to prevent silent authentication failures
+        # Without mappings, all LDAP users would be denied access with only a debug log,
+        # which is confusing for operators. Fail fast at startup with clear guidance.
+        if not group_role_mappings_list:
+            raise ValueError(
+                f"{ENV_PHOENIX_LDAP_GROUP_ROLE_MAPPINGS} must contain at least one mapping. "
+                f'Example: \'[{{"group_dn": "*", "role": "MEMBER"}}]\' '
+                f"(wildcard '*' grants MEMBER role to all authenticated LDAP users)"
+            )
+
         # Validate TLS mode
         tls_mode_str = getenv(ENV_PHOENIX_LDAP_TLS_MODE, "starttls").lower()
         if tls_mode_str not in ("starttls", "ldaps"):
@@ -1709,8 +1715,6 @@ def from_env(cls) -> Optional["LDAPConfig"]:
             )
 
         # Validate file paths exist
-        import os
-
         for env_var, file_path in [
             (ENV_PHOENIX_LDAP_TLS_CA_CERT_FILE, tls_ca_cert_file),
             (ENV_PHOENIX_LDAP_TLS_CLIENT_CERT_FILE, tls_client_cert_file),
@@ -1724,6 +1728,14 @@ def from_env(cls) -> Optional["LDAPConfig"]:
         attr_display_name = getenv(ENV_PHOENIX_LDAP_ATTR_DISPLAY_NAME, "displayName")
         attr_unique_id = getenv(ENV_PHOENIX_LDAP_ATTR_UNIQUE_ID)
 
+        # Validate required attribute is not empty
+        # (getenv returns "" if explicitly set to empty string, not the default)
+        if not attr_email:
+            raise ValueError(
+                f"{ENV_PHOENIX_LDAP_ATTR_EMAIL} cannot be empty. "
+                f"This attribute is required to identify users. Default: 'mail'"
+            )
+
         # Validate attribute names don't contain spaces
         # LDAP attribute names (e.g., objectGUID, entryUUID, mail) never contain spaces.
         # A space in the config is likely a typo that would cause silent failures.
 
@@ -1602,7 +1602,7 @@ def LDAPUser(
     *,
     email: str,
     username: str,
-    ldap_dn: str | None = None,
+    unique_id: str | None = None,
     user_role_id: int | None = None,
 ) -> OAuth2User:
     """Factory function to create an LDAP user stored as OAuth2User.
@@ -1615,7 +1615,7 @@ def LDAPUser(
     Args:
         email: User's email address
         username: User's display name
-        ldap_dn: User's LDAP Distinguished Name (stored in oauth2_user_id)
+        unique_id: User's LDAP unique ID (stored in oauth2_user_id)
         user_role_id: Phoenix role ID (ADMIN, MEMBER, VIEWER)
 
     Returns:
@@ -1627,7 +1627,7 @@ def LDAPUser(
         email=email,
         username=username,
         oauth2_client_id=LDAP_CLIENT_ID_MARKER,
-        oauth2_user_id=ldap_dn,
+        oauth2_user_id=unique_id,
         user_role_id=user_role_id,
     )
 
 
@@ -57,24 +57,55 @@
     partition_seconds=60,
     active_partitions=2,
 )
-login_rate_limiter = fastapi_ip_rate_limiter(
-    rate_limiter,
-    paths=[
+
+
+def create_auth_router(ldap_enabled: bool = False) -> APIRouter:
+    """Create auth router with all authentication endpoints.
+
+    Creates a fresh router instance each time to avoid global state issues
+    (e.g., route accumulation in tests).
+
+    Security: Only registers the /ldap/login endpoint when LDAP is actually configured.
+    This prevents information disclosure and reduces attack surface.
+
+    Args:
+        ldap_enabled: Whether LDAP authentication is configured
+
+    Returns:
+        APIRouter: Authentication router with all endpoints registered
+    """
+    # Build rate limiter paths based on configuration
+    rate_limited_paths = [
         "/auth/login",
-        "/auth/ldap/login",
         "/auth/logout",
         "/auth/refresh",
         "/auth/password-reset-email",
         "/auth/password-reset",
-    ],
-)
+    ]
+    if ldap_enabled:
+        rate_limited_paths.append("/auth/ldap/login")
+
+    login_rate_limiter = fastapi_ip_rate_limiter(rate_limiter, paths=rate_limited_paths)
+    auth_dependencies = [Depends(login_rate_limiter)] if not get_env_disable_rate_limit() else []
+
+    router = APIRouter(prefix="/auth", include_in_schema=False, dependencies=auth_dependencies)
+
+    # Register all authentication endpoints
+    router.add_api_route("/login", _login, methods=["POST"])
+    router.add_api_route("/logout", _logout, methods=["GET"])
+    router.add_api_route("/refresh", _refresh_tokens, methods=["POST"])
+    router.add_api_route("/password-reset-email", _initiate_password_reset, methods=["POST"])
+    router.add_api_route("/password-reset", _reset_password, methods=["POST"])
+
+    # Conditionally add LDAP endpoint only if configured
+    if ldap_enabled:
+        router.add_api_route("/ldap/login", _ldap_login, methods=["POST"])
 
-auth_dependencies = [Depends(login_rate_limiter)] if not get_env_disable_rate_limit() else []
-router = APIRouter(prefix="/auth", include_in_schema=False, dependencies=auth_dependencies)
+    return router
 
 
-@router.post("/login")
-async def login(request: Request) -> Response:
+async def _login(request: Request) -> Response:
+    """Authenticate user via email/password and return access/refresh tokens."""
     if get_env_disable_basic_auth():
         raise HTTPException(status_code=403)
     data = await request.json()
@@ -110,10 +141,8 @@ async def login(request: Request) -> Response:
     return await _create_auth_response(request, user)
 
 
-@router.get("/logout")
-async def logout(
-    request: Request,
-) -> Response:
+async def _logout(request: Request) -> Response:
+    """Log out user by revoking tokens and clearing cookies."""
     token_store: TokenStore = request.app.state.get_token_store()
     user_id = None
     if isinstance(user := request.user, PhoenixUser):
@@ -138,8 +167,8 @@ async def logout(
     return response
 
 
-@router.post("/refresh")
-async def refresh_tokens(request: Request) -> Response:
+async def _refresh_tokens(request: Request) -> Response:
+    """Refresh access and refresh tokens."""
     if (refresh_token := request.cookies.get(PHOENIX_REFRESH_TOKEN_COOKIE_NAME)) is None:
         raise HTTPException(status_code=401, detail="Missing refresh token")
     token_store: TokenStore = request.app.state.get_token_store()
@@ -176,8 +205,8 @@ async def refresh_tokens(request: Request) -> Response:
     return await _create_auth_response(request, user)
 
 
-@router.post("/password-reset-email")
-async def initiate_password_reset(request: Request) -> Response:
+async def _initiate_password_reset(request: Request) -> Response:
+    """Send password reset email to user."""
     if get_env_disable_basic_auth():
         raise HTTPException(status_code=403)
     data = await request.json()
@@ -220,8 +249,8 @@ async def initiate_password_reset(request: Request) -> Response:
     return Response(status_code=204)
 
 
-@router.post("/password-reset")
-async def reset_password(request: Request) -> Response:
+async def _reset_password(request: Request) -> Response:
+    """Reset user password using a valid reset token."""
     if get_env_disable_basic_auth():
         raise HTTPException(status_code=403)
     data = await request.json()
@@ -258,6 +287,37 @@ async def reset_password(request: Request) -> Response:
     return response
 
 
+async def _ldap_login(request: Request) -> Response:
+    """Authenticate user via LDAP and return access/refresh tokens."""
+    # Use cached authenticator instance to avoid re-parsing TLS config on every request
+    authenticator: LDAPAuthenticator | None = getattr(request.app.state, "ldap_authenticator", None)
+
+    if not authenticator:
+        raise HTTPException(
+            status_code=503, detail="LDAP authentication is not configured on this server"
+        )
+
+    data = await request.json()
+    username = data.get("username")
+    password = data.get("password")
+
+    if not username or not password:
+        raise HTTPException(status_code=401, detail="Username and password required")
+
+    # Authenticate against LDAP (reused authenticator, already parsed TLS config)
+    user_info = await authenticator.authenticate(username, password)
+
+    if not user_info:
+        # Generic error message to prevent username enumeration
+        raise HTTPException(status_code=401, detail="Invalid username and/or password")
+
+    # Get or create user in Phoenix database
+    async with request.app.state.db() as session:
+        user = await get_or_create_ldap_user(session, user_info, authenticator.config)
+
+    return await _create_auth_response(request, user)
+
+
 async def _create_auth_response(request: Request, user: models.User) -> Response:
     """
     Creates access and refresh tokens for the user and sets them as cookies in the response.
@@ -300,54 +360,3 @@ async def _create_auth_response(request: Request, user: models.User) -> Response
     status_code=401,
     detail="Invalid token",
 )
-
-
-def create_auth_router(ldap_enabled: bool = False) -> APIRouter:
-    """Create auth router with conditional LDAP endpoint registration.
-
-    Security: Only registers the /ldap/login endpoint when LDAP is actually configured.
-    This prevents information disclosure and reduces attack surface.
-
-    Args:
-        ldap_enabled: Whether LDAP authentication is configured
-
-    Returns:
-        APIRouter: Authentication router (with or without LDAP endpoint)
-    """
-    # router already has all non-LDAP endpoints registered via decorators
-    # Conditionally add LDAP endpoint only if configured
-    if ldap_enabled:
-        router.add_api_route("/ldap/login", ldap_login, methods=["POST"])
-
-    return router
-
-
-async def ldap_login(request: Request) -> Response:
-    """Authenticate user via LDAP and return access/refresh tokens."""
-    # Use cached authenticator instance to avoid re-parsing TLS config on every request
-    authenticator: LDAPAuthenticator | None = getattr(request.app.state, "ldap_authenticator", None)
-
-    if not authenticator:
-        raise HTTPException(
-            status_code=503, detail="LDAP authentication is not configured on this server"
-        )
-
-    data = await request.json()
-    username = data.get("username")
-    password = data.get("password")
-
-    if not username or not password:
-        raise HTTPException(status_code=401, detail="Username and password required")
-
-    # Authenticate against LDAP (reused authenticator, already parsed TLS config)
-    user_info = await authenticator.authenticate(username, password)
-
-    if not user_info:
-        # Generic error message to prevent username enumeration
-        raise HTTPException(status_code=401, detail="Invalid username and/or password")
-
-    # Get or create user in Phoenix database
-    async with request.app.state.db() as session:
-        user = await get_or_create_ldap_user(session, user_info, authenticator.config)
-
-    return await _create_auth_response(request, user)