generated from coulomb/repo-seed
Close OpenBao OIDC admin bootstrap path
This commit is contained in:
@@ -8,7 +8,7 @@ status: active
|
||||
owner: codex
|
||||
topic_slug: netkingdom
|
||||
created: "2026-05-26"
|
||||
updated: "2026-05-29"
|
||||
updated: "2026-06-01"
|
||||
depends_on:
|
||||
- NET-WP-0015
|
||||
- NET-WP-0016
|
||||
@@ -40,8 +40,9 @@ first non-root onboarding dry run must prove the lifecycle model.
|
||||
- Trial unseal shares were rotated.
|
||||
- The KeyCape `openbao-admin` client is live and verified, including the public
|
||||
`https://kc.coulomb.social` route and certificate.
|
||||
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login is
|
||||
still pending.
|
||||
- OpenBao OIDC auth configuration is applied; MFA-backed OpenBao admin login
|
||||
completed successfully and the resulting token lookup showed the
|
||||
`platform-admin` policy for `platform-root`.
|
||||
- Declarative/durable audit handling, residual taint closeout, cleanup/rotation,
|
||||
and the first ordinary-user onboarding dry run are still pending.
|
||||
|
||||
@@ -51,7 +52,7 @@ first non-root onboarding dry run must prove the lifecycle model.
|
||||
|
||||
```task
|
||||
id: NET-WP-0017-T01
|
||||
status: in_progress
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "9b087bbd-631b-4316-b94d-a8265a05b065"
|
||||
```
|
||||
@@ -74,6 +75,51 @@ the OpenBao `auth/keycape` OIDC configuration and `platform-admin` role. The
|
||||
remaining T01 gate is the human browser login with MFA and a token lookup that
|
||||
shows the expected OpenBao `platform-admin` policy.
|
||||
|
||||
**2026-06-01:** Added a guided console recovery action for the observed
|
||||
privacyIDEA state-loss blocker: if the live instance lacks the `coulomb` realm,
|
||||
LLDAP resolver, or self-service policies, the operator can run **Repair
|
||||
privacyIDEA realm and self-service** from **Usecases & Runbooks**. The action
|
||||
does not store secrets; it calls `repair-realm-live.sh`, prompts live, creates
|
||||
temporary env files for `bootstrap-realm.sh`, removes them on exit, and then
|
||||
runs `verify-t06.sh`. After repair, `platform-root` TOTP
|
||||
enrollment/re-enrollment and the MFA-backed `bao login` proof are still
|
||||
required.
|
||||
|
||||
**2026-06-01:** Fixed the follow-up OpenBao OIDC token exchange
|
||||
`user not found` error caused by live `keycape-config` drift: the Secret had
|
||||
lost the non-secret LLDAP lookup fields `userOU: ou=people` and
|
||||
`groupOU: ou=groups`. The KeyCape live patch helper now enforces those fields
|
||||
alongside the `openbao-admin` client, the live Secret was patched, KeyCape was
|
||||
restarted, and `verify-openbao-client.sh` passes again.
|
||||
|
||||
**2026-06-01:** Deployed a KeyCape runtime lookup fix for the remaining
|
||||
`user not found` token-exchange failure after config drift was ruled out. The
|
||||
LDAP adapter now treats provisioning metadata validation failures as runtime
|
||||
warnings instead of blocking token issuance for an otherwise resolved LLDAP
|
||||
user. The patched image `main-runtime-lookup-0601` is live and
|
||||
`verify-openbao-client.sh` passes after rollout.
|
||||
|
||||
**2026-06-01:** Deployed the follow-up KeyCape OIDC nonce fix after OpenBao
|
||||
rejected the exchanged ID token with `invalid id_token nonce`. KeyCape now
|
||||
persists the original authorization `nonce` through pending state and the
|
||||
authorization-code session, then emits it in the ID token. The patched image
|
||||
`main-nonce-0601` is live, reports 1/1 ready, and `verify-openbao-client.sh`
|
||||
passes after rollout.
|
||||
|
||||
**2026-06-01:** Fixed the next OpenBao role configuration failure,
|
||||
`error converting claim 'groups' to string`. KeyCape correctly emits `groups`
|
||||
as an array for `groups_claim`; OpenBao only failed because the role also copied
|
||||
that array through scalar `claim_mappings`. The helper now leaves groups in
|
||||
`groups_claim`/`bound_claims` and maps only scalar `email` and
|
||||
`preferred_username` metadata.
|
||||
|
||||
**2026-06-01:** The operator reached the OpenBao success page, "Signed in via
|
||||
your OIDC provider", after reapplying the corrected role. The follow-up
|
||||
terminal proof showed `token_policies`/`policies` containing `platform-admin`,
|
||||
`token_meta_role: platform-admin`, and `token_meta_username: platform-root`.
|
||||
T01 is closed; the pasted short-lived token should be treated as disclosed and
|
||||
revoked or allowed to expire after the check.
|
||||
|
||||
### T02 - Close OpenBao Audit And Recovery Production Gates
|
||||
|
||||
```task
|
||||
|
||||
Reference in New Issue
Block a user