Close OpenBao OIDC admin bootstrap path

2026-06-01 21:20:53 +02:00
parent ed2cc17165
commit c48e076429
15 changed files with 374 additions and 86 deletions

View File

@@ -8,7 +8,7 @@ status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-24"
updated: "2026-05-26"
updated: "2026-06-01"
depends_on:
- NK-WP-0006
- NK-WP-0012
@@ -407,7 +407,7 @@ remain part of the user-onboarding readiness work in `NET-WP-0017`.
```task
id: NET-WP-0015-T06
status: in_progress
status: done
priority: medium
state_hub_task_id: "ef97f3cb-9792-4b9d-bd2b-8871d368a50f"
```
@@ -416,12 +416,32 @@ Replace temporary operator tokens with NetKingdom IAM-backed OpenBao admin
auth when the issuer and claim mapping are ready. The OpenBao root token must
not be the normal admin path.
**2026-05-26:** The KeyCape `openbao-admin` client is code-defined, patched
**2026-05-26:** The KeyCape `openbao-admin` client was code-defined, patched
into the live `keycape-config` Secret, rolled out, and verified without
requiring decrypted bootstrap secrets. This task remains in progress because
OpenBao `auth/keycape` still needs the fixed helper command to complete and
the MFA-backed `bao login -method=oidc -path=keycape role=platform-admin` path
still needs verification.
requiring decrypted bootstrap secrets. At that point, OpenBao `auth/keycape`
still needed the fixed helper command and the MFA-backed
`bao login -method=oidc -path=keycape role=platform-admin` path still needed
verification.
**2026-06-01:** Added a guided bootstrap runbook action for the live
privacyIDEA state-loss case encountered during OpenBao OIDC login testing. The
new action recreates the `coulomb` realm, `lldap-coulomb` resolver,
self-enrollment policy, and phase-one passthrough policy by prompting for
`pi-admin` and LLDAP bind/admin passwords, writing them only to temporary
files through `repair-realm-live.sh`, and running `bootstrap-realm.sh` plus
`verify-t06.sh`. TOTP enrollment/re-enrollment and the final MFA-backed
OpenBao login verification remain operator steps.
**2026-06-01:** Closed after the `platform-root` MFA-backed OpenBao OIDC login
completed through KeyCape and the resulting token lookup showed
`platform-admin` in both token policy fields. The remaining OpenBao hardening,
audit, escrow, reset/rotation, and reopening gates continue under T07/T08 and
`NET-WP-0017`.
**2026-06-01:** Added OpenBao token revocation to the guided
Usecases & Runbooks section. The UI now includes a self-revoke card for the
current pod token-helper token and an accessor-based revocation card for
disclosed tokens, both keeping OpenBao token values off the local command line.
### T07 - Verify Recovery, Audit, And Rotation
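Review bot: the T06 closing entry (the 2026-06-01 note starting "Closed after the `platform-root` MFA-backed OpenBao OIDC login") records the token-lookup evidence but not the disposition of the token that was looked up; the NET-WP-0017 T01 entry in this same commit says that pasted short-lived token must be treated as disclosed and revoked or allowed to expire. Add one sentence here stating what was done with it (revoked by accessor through the card described in the next entry, or left to expire with its TTL), since this is the closing evidence for a root-level admin path and the same commit adds the tooling to do the revocation without putting the token value on the command line.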

View File

@@ -8,7 +8,7 @@ status: active
owner: codex
topic_slug: netkingdom
created: "2026-05-26"
updated: "2026-05-29"
updated: "2026-06-01"
depends_on:
- NET-WP-0015
- NET-WP-0016
@@ -40,8 +40,9 @@ first non-root onboarding dry run must prove the lifecycle model.
- Trial unseal shares were rotated.
- The KeyCape `openbao-admin` client is live and verified, including the public
`https://kc.coulomb.social` route and certificate.
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is
still pending.
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login
completed successfully and the resulting token lookup showed the
`platform-admin` policy for `platform-root`.
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
and the first ordinary-user onboarding dry run are still pending.
@@ -51,7 +52,7 @@ first non-root onboarding dry run must prove the lifecycle model.
```task
id: NET-WP-0017-T01
status: in_progress
status: done
priority: high
state_hub_task_id: "9b087bbd-631b-4316-b94d-a8265a05b065"
```
@@ -74,6 +75,51 @@ the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The
remaining T01 gate is the human browser login with MFA and a token lookup that
shows the expected OpenBao `platform-admin` policy.
**2026-06-01:** Added a guided console recovery action for the observed
privacyIDEA state-loss blocker: if the live instance lacks the `coulomb` realm,
LLDAP resolver, or self-service policies, the operator can run **Repair
privacyIDEA realm and self-service** from **Usecases & Runbooks**. The action
does not store secrets; it calls `repair-realm-live.sh`, prompts live, creates
temporary env files for `bootstrap-realm.sh`, removes them on exit, and then
runs `verify-t06.sh`. After repair, `platform-root` TOTP
enrollment/re-enrollment and the MFA-backed `bao login` proof are still
required.
**2026-06-01:** Fixed the follow-up OpenBao OIDC token exchange
`user not found` error caused by live `keycape-config` drift: the Secret had
lost the non-secret LLDAP lookup fields `userOU: ou=people` and
`groupOU: ou=groups`. The KeyCape live patch helper now enforces those fields
alongside the `openbao-admin` client, the live Secret was patched, KeyCape was
restarted, and `verify-openbao-client.sh` passes again.
**2026-06-01:** Deployed a KeyCape runtime lookup fix for the remaining
`user not found` token-exchange failure after config drift was ruled out. The
LDAP adapter now treats provisioning metadata validation failures as runtime
warnings instead of blocking token issuance for an otherwise resolved LLDAP
user. The patched image `main-runtime-lookup-0601` is live and
`verify-openbao-client.sh` passes after rollout.
**2026-06-01:** Deployed the follow-up KeyCape OIDC nonce fix after OpenBao
rejected the exchanged ID token with `invalid id_token nonce`. KeyCape now
persists the original authorization `nonce` through pending state and the
authorization-code session, then emits it in the ID token. The patched image
`main-nonce-0601` is live, reports 1/1 ready, and `verify-openbao-client.sh`
passes after rollout.
**2026-06-01:** Fixed the next OpenBao role configuration failure,
`error converting claim 'groups' to string`. KeyCape correctly emits `groups`
as an array for `groups_claim`; OpenBao only failed because the role also copied
that array through scalar `claim_mappings`. The helper now leaves groups in
`groups_claim`/`bound_claims` and maps only scalar `email` and
`preferred_username` metadata.
**2026-06-01:** The operator reached the OpenBao success page, "Signed in via
your OIDC provider", after reapplying the corrected role. The follow-up
terminal proof showed `token_policies`/`policies` containing `platform-admin`,
`token_meta_role: platform-admin`, and `token_meta_username: platform-root`.
T01 is closed; the pasted short-lived token should be treated as disclosed and
revoked or allowed to expire after the check.
### T02 - Close OpenBao Audit And Recovery Production Gates
```task
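Review bot: the "Deployed a KeyCape runtime lookup fix" entry describes a fail-open change: provisioning metadata validation failures are downgraded to warnings instead of blocking token issuance, so a token can now be issued for an LLDAP user whose metadata did not validate. The entry should name which metadata fields that validation covers and confirm that the claims OpenBao relies on for authorization in this flow (`groups` via `groups_claim`/`bound_claims`, plus the scalar `email` and `preferred_username` mappings described two entries later) are still required to resolve before issuance; otherwise the `platform-admin` gate rests on data the adapter has just stopped checking. For the "Repair privacyIDEA realm and self-service" entry, "removes them on exit" should be explicit about abnormal exit: the temporary env files hold the `pi-admin` and LLDAP passwords, so cleanup needs to run from an error/interrupt trap and the files need owner-only permissions, not only removal on successful completion; `repair-realm-live.sh` is not part of this diff, so please confirm that behaviour or state it in the note.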