Track OpenBao post-unseal verification

2026-05-25 14:30:57 +02:00
parent d964cf46a3
commit 907675b4f4
1 changed files with 10 additions and 5 deletions
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -578,6 +578,7 @@ def merged_approval_metadata(
        "openbao_preflight_passed",
        "openbao_init_output_produced",
        "openbao_initialized",
+        "openbao_post_unseal_verified",
        "openbao_trial_material_exposed",
        "openbao_compromise_response_complete",
        "openbao_unseal_keys_rotated",
@@ -793,6 +794,7 @@ def metadata_template() -> dict[str, Any]:
        "openbao_preflight_passed": False,
        "openbao_init_output_produced": False,
        "openbao_initialized": False,
+        "openbao_post_unseal_verified": False,
        "openbao_trial_material_exposed": False,
        "openbao_compromise_response_complete": False,
        "openbao_unseal_keys_rotated": False,
@@ -1149,10 +1151,10 @@ def command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
    custody_approved = custody_mode_approved(data)
    init_output = yes(data, "openbao_init_output_produced")
    initialized = yes(data, "openbao_initialized")
+    post_unseal_verified = yes(data, "openbao_post_unseal_verified")
    trial_exposed = yes(data, "openbao_trial_material_exposed")
    keys_rotated = yes(data, "openbao_unseal_keys_rotated")
    root_disposed = data.get("root_token_disposition") in {"revoked", "offline-sealed"}
-    restore_done = yes(data, "restore_drill_passed")

    status_state = "todo"
    status_reason = "Run any time to inspect the current OpenBao deployment state."
@@ -1199,10 +1201,10 @@ def command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
            config_state = "blocked"
            config_reason = "OpenBao must be initialized and unsealed first."

-    verify_state = "done" if restore_done else "todo"
-    verify_reason = "Restore proof has been recorded."
-    if not restore_done:
-        verify_reason = "Verify post-unseal readiness, snapshot, and isolated restore."
+    verify_state = "done" if post_unseal_verified else "todo"
+    verify_reason = "Post-unseal readiness has been verified."
+    if not post_unseal_verified:
+        verify_reason = "Verify filesystem and post-unseal readiness before live secrets move in."
    if not initialized:
        verify_state = "blocked"
        verify_reason = "OpenBao must be initialized and unsealed first."
@@ -2201,6 +2203,7 @@ def ui_html() -> str:
            <label class="choice"><input id="openbao_preflight_passed" type="checkbox"><span><strong>OpenBao preflight passed</strong><span>Status and verification checks completed after custody approval.</span></span></label>
            <label class="choice"><input id="openbao_init_output_produced" type="checkbox"><span><strong>Init output produced</strong><span>OpenBao generated unseal shares and the initial root token outside this UI. Do not paste those values here.</span></span></label>
            <label class="choice"><input id="openbao_initialized" type="checkbox"><span><strong>Initialized and unsealed</strong><span>The human ceremony completed outside this UI under the approved strategy.</span></span></label>
+            <label class="choice"><input id="openbao_post_unseal_verified" type="checkbox"><span><strong>Post-unseal verification passed</strong><span>Filesystem and post-unseal readiness checks completed without recording secret material.</span></span></label>
            <label class="choice"><input id="restore_drill_passed" type="checkbox"><span><strong>Restore drill passed</strong><span>Snapshot and isolated restore proof completed before live secrets are migrated.</span></span></label>
          </div>
          <label class="field" style="margin-top: 14px;">
@@ -2311,6 +2314,7 @@ def ui_html() -> str:
      "openbao_preflight_passed",
      "openbao_init_output_produced",
      "openbao_initialized",
+      "openbao_post_unseal_verified",
      "openbao_trial_material_exposed",
      "openbao_compromise_response_complete",
      "openbao_unseal_keys_rotated",
@@ -2576,6 +2580,7 @@ def ui_html() -> str:
        openbao_preflight_passed: document.getElementById("openbao_preflight_passed").checked,
        openbao_init_output_produced: document.getElementById("openbao_init_output_produced").checked,
        openbao_initialized: document.getElementById("openbao_initialized").checked,
+        openbao_post_unseal_verified: document.getElementById("openbao_post_unseal_verified").checked,
        openbao_trial_material_exposed: document.getElementById("openbao_trial_material_exposed").checked,
        openbao_compromise_response_complete: document.getElementById("openbao_compromise_response_complete").checked,
        openbao_unseal_keys_rotated: document.getElementById("openbao_unseal_keys_rotated").checked,