Add KeyCape privacyIDEA token repair flow

This commit is contained in:
2026-05-29 03:07:17 +02:00
parent ab99380dec
commit c7b82df267
5 changed files with 345 additions and 6 deletions


@@ -1398,6 +1398,22 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
f"{kubectl_bin} get ingress keycape -n sso -o jsonpath='{{.status.loadBalancer.ingress[0].ip}}{{\"\\n\"}}'\n"
"NETKINGDOM_KEYCAPE_PUBLIC_ROUTE\n"
)
refresh_pi_token_state = "done" if login_verified else "redo" if auth_configured else "blocked"
refresh_pi_token_reason = (
"Optional repair action. Run this if KeyCape shows 'mfa check error'; "
"it refreshes the expired privacyIDEA admin token without printing it."
)
if refresh_pi_token_state == "done":
refresh_pi_token_reason = "OIDC-backed OpenBao login is verified; no MFA-token repair is currently needed."
if refresh_pi_token_state == "blocked":
refresh_pi_token_reason = "Configure OpenBao OIDC auth before repairing the MFA check path."
refresh_pi_token_command = (
"bash <<'NETKINGDOM_KEYCAPE_PI_TOKEN_REFRESH'\n"
"set -euo pipefail\n"
f"cd {keycape_dir}\n"
f"KUBECTL={kubectl_bin} bash ./refresh-pi-token-live.sh platform-root\n"
"NETKINGDOM_KEYCAPE_PI_TOKEN_REFRESH\n"
)
login_command = (
"# Terminal 1: bridge the browser callback to the bao CLI running in the OpenBao pod.\n"
"kubectl -n openbao port-forward pod/openbao-0 8250:8250\n\n"
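Review bot: The "done" branch's reason text ("no MFA-token repair is currently needed") is stronger than what the state is derived from: `refresh_pi_token_state` is "done" whenever `login_verified` is set, which the second hunk describes as a confirmation checkbox ticked after a successful browser login, not a live check of the privacyIDEA admin token — and the commit's own text says that token expires. A stale checkbox would therefore tell an operator facing a fresh 'mfa check error' that nothing needs repair; suggest `refresh_pi_token_reason = "OIDC-backed OpenBao login was confirmed earlier; re-run this repair if KeyCape reports 'mfa check error' again, since the privacyIDEA admin token expires over time."` Separately, `keycape_dir` is spliced unquoted into the `cd` line of a `bash` heredoc; if that value can come from operator-supplied configuration, wrapping it with `shlex.quote(keycape_dir)` keeps a path with spaces or metacharacters from breaking the generated command. The enclosing `admin_identity_command_payloads` starts and ends outside this hunk.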
@@ -1435,6 +1451,14 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
public_route_command,
downstream_taint if yes(data, "openbao_initialized") else {},
),
action(
"Repair KeyCape privacyIDEA MFA token",
"Refresh KeyCape's privacyIDEA admin token when the browser flow reaches MFA and reports 'mfa check error'. The command prompts for the pi-admin password and does not print the token.",
refresh_pi_token_state,
refresh_pi_token_reason,
refresh_pi_token_command,
downstream_taint if yes(data, "openbao_initialized") else {},
),
action(
"Verify OIDC-backed OpenBao admin login",
"Use the bao CLI already present in the OpenBao pod, bridge its localhost callback to your workstation, complete the KeyCape MFA browser flow, and verify the returned token before checking the confirmation box.",