coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix OpenBao public route action state

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-29 02:22:52 +02:00
parent e04603779c
commit dafcd329b2
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tools/security-bootstrap-console/security_bootstrap_console.py
View File

@@ -577,7 +577,9 @@ def next_action(
return "Run OpenBao OIDC auth setup"
if gate.name == "OIDC admin login":
if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
return "Check KeyCape public route"
if not yes(data, "openbao_oidc_client_registered"):
return "Check KeyCape public route"
return "Verify OpenBao OIDC admin login"
return "Verify OpenBao OIDC admin login"
return gate.name
if gate.status == "blocked":
@@ -597,7 +599,9 @@ def next_action(
return "Run OpenBao OIDC auth setup"
if gate.name == "OIDC admin login":
if data and yes(data, "openbao_oidc_auth_configured") and not yes(data, "openbao_oidc_admin_login_verified"):
return "Check KeyCape public route"
if not yes(data, "openbao_oidc_client_registered"):
return "Check KeyCape public route"
return "Verify OpenBao OIDC admin login"
return "Verify OpenBao OIDC admin login"
if gate.name == "Root-token disposition":
return "Record root-token disposition"
@@ -1377,12 +1381,12 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
"NETKINGDOM_KEYCAPE_APPLY\n"
)
configure_command = f"bash {shlex.quote(str(KEYCAPE_OPENBAO_CLIENT_CONFIG.parent / 'configure-openbao-oidc.sh'))}"
public_route_state = "done" if login_verified else "todo" if auth_configured else "blocked"
public_route_reason = "The public KeyCape route has been proven by a completed OIDC-backed OpenBao login."
public_route_state = "done" if client_deployed else "todo" if source_ready else "blocked"
public_route_reason = "The live KeyCape verifier has proven the public route, discovery endpoint, and openbao-admin client."
if public_route_state == "todo":
public_route_reason = "Operator action: confirm public DNS routes kc.coulomb.social to the patched KeyCape ingress and that /authorize recognizes openbao-admin."
if public_route_state == "blocked":
public_route_reason = "Configure OpenBao OIDC auth before probing the public login route."
public_route_reason = "Ship the code-defined KeyCape OpenBao client before probing the public login route."
public_route_command = (
"bash <<'NETKINGDOM_KEYCAPE_PUBLIC_ROUTE'\n"
"set -euo pipefail\n"