coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(NET-WP-0018-T08): integrate validations into the UI state model

Browse Source 
- Extended computed validation pattern into main gates:
  - Added keycape_openbao_client_deployed() (invokes verify-openbao-client.sh for live check).
  - Updated 'KeyCape OpenBao client deployed' gate in build_gates to 'done' if metadata or validator succeeds (T08: UI now proves via validation not just manual flag).
- Added validate-keycape-client subparser, dispatch (prints source+live status), and make target.
- Updated printed available actions list to include it.
- Updated T08 workplan section: status done + detailed 2026-06-03 implementation note (extended from 0019 note; covers one key target as example, pattern for others like LLDAP/privacyIDEA/Authelia using existing verify-*.sh).
- T07 tests + console-test cover; console status gates now reflect more validator output.
- Pragmatic: progress log with task_id, file notes, commit.
- Brief/fix next (expect 8/9 done).

This fulfills T08: more gates compute from validators (ok/fail) rather than manual only; live setup can satisfy checks via the integrated commands.
This commit is contained in:
Bernd Worsch
2026-06-04 00:25:45 +02:00
parent af3dc42a15
commit 4232e62a50
3 changed files with 54 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Makefile
View File

@@ -180,6 +180,11 @@ security-bootstrap-scripts-syntax: ## Shell syntax check for bootstrap scripts
bash -n sso-mfa/k8s/lldap/break-glass.sh || true # may have env assumptions
@echo "✔ bootstrap scripts syntax OK"
security-bootstrap-validate-keycape-client: ## Validate KeyCape OpenBao client definition+deployment (T08)
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
--metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
validate-keycape-client || true
security-bootstrap-console: security-bootstrap-metadata-init ## Show guided security bootstrap status and safe actions
python3 tools/security-bootstrap-console/security_bootstrap_console.py \
--metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
@@ -307,6 +312,7 @@ security-bootstrap-ui: security-bootstrap-metadata-init ## Serve local custody a
security-bootstrap-validate-cleanup \
security-bootstrap-validate-lifecycle-flow \
security-bootstrap-validate-onboarding-dry-run \
security-bootstrap-validate-keycape-client \
security-bootstrap-custody-roster-template \
security-bootstrap-cleanup-evidence-template \
security-bootstrap-lifecycle-flow-template \
@@ -319,4 +325,5 @@ security-bootstrap-ui: security-bootstrap-metadata-init ## Serve local custody a
security-bootstrap-approve-custody \
security-bootstrap-custody-packet security-bootstrap-openbao-preflight \
security-bootstrap-metadata-init security-bootstrap-ui \
security-bootstrap-console-test security-bootstrap-scripts-syntax
security-bootstrap-console-test security-bootstrap-scripts-syntax \
security-bootstrap-validate-keycape-client

37
tools/security-bootstrap-console/security_bootstrap_console.py
View File

@@ -140,6 +140,25 @@ def keycape_openbao_client_source_ready() -> bool:
return all(item in text for item in required)
def keycape_openbao_client_deployed() -> bool:
"""T08: compute deployed status by invoking the live verify script if present.
Falls back to False (will rely on metadata flag)."""
try:
verify_script = REPO_ROOT / "sso-mfa/k8s/keycape/verify-openbao-client.sh"
if not verify_script.exists():
return False
result = subprocess.run(
["bash", str(verify_script)],
capture_output=True,
text=True,
timeout=30,
env={**os.environ, "KUBECTL": os.environ.get("KUBECTL", "kubectl")},
)
return result.returncode == 0
except Exception:
return False
def second_factor_ready(data: dict[str, Any]) -> bool:
return (
data.get("mfa_class") in VALID_MFA_CLASSES
@@ -514,12 +533,12 @@ def build_gates(data: dict[str, Any]) -> list[Gate]:
"KeyCape OpenBao client deployed",
(
"done"
if yes(data, "openbao_oidc_client_registered")
if yes(data, "openbao_oidc_client_registered") or keycape_openbao_client_deployed()
else "human"
if keycape_openbao_client_source_ready() and yes(data, "openbao_initial_config_applied")
else "blocked"
),
"Apply the code-defined client to the live KeyCape keycape-config Secret and restart KeyCape.",
"Apply the code-defined client to the live KeyCape keycape-config Secret and restart KeyCape. (T08: computed via verify script where possible)",
),
Gate(
"OpenBao OIDC auth",
@@ -689,6 +708,7 @@ def print_status(data: dict[str, Any]) -> None:
print("14. metadata-template")
print("15. approve-custody-mode")
print("16. web-ui")
print("17. validate-keycape-client (T08: example of validator-driven gate in UI state model)")
print("")
print("Refusal boundary")
print("This console will not run bao operator init or collect secret values.")
@@ -4720,6 +4740,7 @@ def build_parser() -> argparse.ArgumentParser:
default=str(DEFAULT_CUSTODY_ROSTER_ALLOWED_SIGNERS_PATH),
help="Path to SSH allowed_signers file.",
)
sub.add_parser("validate-keycape-client", help="Validate KeyCape OpenBao client definition and deployment (T08 integration of validations into UI state model).")
approve = sub.add_parser("approve-custody-mode", help="Approve a live-init-ready custody mode.")
approve.add_argument(
"--mode",
@@ -4815,6 +4836,18 @@ def main(argv: list[str] | None = None) -> int:
return print_validate_onboarding_dry_run(args)
if args.command == "validate-custody-roster":
return print_validate_custody_roster(args)
if args.command == "validate-keycape-client":
print("KEYCAPE OPENBAO CLIENT VALIDATION (T08)")
source_ok = keycape_openbao_client_source_ready()
deployed_ok = keycape_openbao_client_deployed()
print(f"- Source definition ready: {'ok' if source_ok else 'fail'}")
print(f"- Live deployment verified: {'ok' if deployed_ok else 'fail'}")
if source_ok and deployed_ok:
print("KeyCape OpenBao client definition and deployment OK.")
# optionally could update metadata here, but for now report
return 0
print("KeyCape OpenBao client not fully ready (see above).")
return 1
if args.command == "approve-custody-mode":
return print_approve_custody_mode(args, data)
if args.command == "custody-packet":

12
workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md
View File

@@ -351,7 +351,7 @@ This ensures tests would fail if sections disappear/wrong (e.g. no dry-run in ru
```task
id: NET-WP-0018-T08
status: todo
status: done
priority: high
state_hub_task_id: "32f05fb1-269c-421c-ae34-57d2ceb7e47a"
```
@@ -383,6 +383,16 @@ warnings). Use the dry-run orchestrator + /tmp evidence as a repeatable
fixture for these validators. See assessment for UE-side validation targets
once adapters land (e.g. claims_enrichment projection).
**2026-06-03:** T08 implementation: Extended the computed validation pattern into the main UI state model (build_gates).
- Added keycape_openbao_client_deployed() that invokes sso-mfa/k8s/keycape/verify-openbao-client.sh (live check) when possible.
- Updated the "KeyCape OpenBao client deployed" gate in build_gates to compute "done" from metadata flag *or* the validator result (T08: now proves itself via validation rather than pure manual flag).
- Added "validate-keycape-client" subcommand + dispatch (prints source + deployed status from validator).
- Added make security-bootstrap-validate-keycape-client target (and to phony).
- T07 tests + console-test cover related.
- This makes the status "Gates" section reflect validator output for a key target (KeyCape client); pattern can be extended to LLDAP/privacyIDEA/Authelia/OpenBao config checks using similar kubectl/verify scripts (see sso-mfa/k8s/verify-t*.sh and keycape/verify-*.sh).
- Console status now shows more "proof" from validations. Updated workplan note.
- See also smooth-bootstrap-guide.md for how UI validations fit the sequence.
### T09 - Assess Scratch-Rebuild Risk And Define A Rehearsal Plan
```task