Simplify KeyCape MFA token refresh

2026-05-29 03:21:58 +02:00
parent ed991860fa
commit 7ce5f5bab0
1 changed files with 5 additions and 77 deletions
--- a/sso-mfa/k8s/keycape/refresh-pi-token-live.sh
+++ b/sso-mfa/k8s/keycape/refresh-pi-token-live.sh
@@ -87,58 +87,6 @@ cleanup() {
 }
 trap cleanup EXIT

-api_get() {
-    local path="$1"
-    "$KUBECTL" exec -n "$MFA_NAMESPACE" "$PI_POD" -- \
-        env PI_TOKEN="$PI_TOKEN" PI_PATH="$path" \
-        python3 -c '
-import os
-import sys
-import urllib.request
-
-path = os.environ["PI_PATH"]
-token = os.environ["PI_TOKEN"]
-req = urllib.request.Request(
-    "http://localhost:8080" + path,
-    headers={"Authorization": token},
-)
-try:
-    with urllib.request.urlopen(req, timeout=10) as response:
-        sys.stdout.write(response.read().decode())
-except Exception as exc:
-    print(str(exc), file=sys.stderr)
-    sys.exit(1)
-'
-}
-
-echo "Inspecting non-secret MFA state for $USERNAME ..."
-realm_summary="$(
-    for realm in coulomb netkingdom; do
-        users_json="$(api_get "/user/?realm=$realm&username=$USERNAME" || true)"
-        tokens_json="$(api_get "/token/?realm=$realm&user=$USERNAME" || true)"
-        REALM="$realm" USERS_JSON="$users_json" TOKENS_JSON="$tokens_json" python3 -c '
-import json
-import os
-
-realm = os.environ["REALM"]
-users = []
-tokens = []
-try:
-    users = json.loads(os.environ["USERS_JSON"]).get("result", {}).get("value", {}).get("users", [])
-except Exception:
-    pass
-try:
-    value = json.loads(os.environ["TOKENS_JSON"]).get("result", {}).get("value", {})
-    tokens = value.get("tokens", []) if isinstance(value, dict) else []
-except Exception:
-    pass
-active = sum(1 for token in tokens if token.get("active", True))
-print(f"{realm} users={len(users)} tokens={len(tokens)} active={active}")
-'
-    done
-)"
-printf '%s\n' "$realm_summary"
-
 current_config="$(
    "$KUBECTL" get secret "$KEYCAPE_SECRET" -n "$SSO_NAMESPACE" \
        -o jsonpath='{.data.config\.yaml}' | base64 -d
@@ -148,37 +96,17 @@ current_realm="$(
 import os
 import re

-match = re.search(r"(?m)^  realm:\s*[\"'\"']?([^\"'\"'\n]+)", os.environ["CONFIG_YAML"])
+match = re.search(r"(?m)^  realm:\s*[\"'\'']?([^\"'\'']+)", os.environ["CONFIG_YAML"])
 print(match.group(1).strip() if match else "")
 '
 )"

 selected_realm="${KEYCAPE_PI_REALM:-}"
+if [[ -z "$selected_realm" && -n "$current_realm" ]]; then
+    selected_realm="$current_realm"
+fi
 if [[ -z "$selected_realm" ]]; then
-    selected_realm="$(
-        REALM_SUMMARY="$realm_summary" CURRENT_REALM="$current_realm" python3 -c '
-import os
-
-lines = os.environ["REALM_SUMMARY"].splitlines()
-counts = {}
-for line in lines:
-    parts = dict(item.split("=", 1) for item in line.split()[1:])
-    counts[line.split()[0]] = {
-        "users": int(parts.get("users", "0")),
-        "tokens": int(parts.get("tokens", "0")),
-        "active": int(parts.get("active", "0")),
-    }
-for realm in ("coulomb", "netkingdom"):
-    if counts.get(realm, {}).get("active", 0) > 0:
-        print(realm)
-        raise SystemExit
-current = os.environ.get("CURRENT_REALM", "")
-if current:
-    print(current)
-else:
-    print("coulomb")
-'
-    )"
+    selected_realm="coulomb"
 fi

 if [[ "$selected_realm" != "coulomb" && "$selected_realm" != "netkingdom" ]]; then