diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index ffd8cfc..e18358f 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py 
@@ -1207,41 +1207,28 @@ def print_lifecycle_guide() -> None:
 print("=== T06 DRY-RUN EXECUTION (adjacent polish) ===")
 print("Use after the above onboard/lock/offboard steps for a scoped non-root subject.")
- print("This makes the T06 gate repeatable and less manual.")
+ print("This makes the T06 gate repeatable and less manual. See docs/smooth-bootstrap-guide.md Step 7 and NET-WP-0019.")
 print("")
- print("1. Safe temp secret (never commit; auto-clean recommended):")
- print(" KUBECTL=/home/worsch/.local/bin/kubectl")
- print(" mkdir -p sso-mfa/bootstrap/secrets/lldap")
- print(" $KUBECTL get secret -n sso lldap-secrets -o jsonpath='{.data.LLDAP_LDAP_USER_PASS}' | base64 -d \\")
- print(" | (echo -n 'LLDAP_LDAP_USER_PASS='; cat) > sso-mfa/bootstrap/secrets/lldap/secrets.env")
+ print("Preferred: one-command via make (handles /tmp safe workspace + trap + k8s fallback for secrets, never persistent bootstrap/secrets for dry-runs):")
+ print(" make security-bootstrap-onboarding-dry-run SUBJECT= EMAIL= DISPLAY=\"\"")
 print("")
- print("2. Onboard non-root (no --admin):")
+ print("Or direct script:")
 print(" cd sso-mfa/k8s/lldap")
- print(" export KUBECTL=/home/worsch/.local/bin/kubectl")
- print(" ./create-user.sh \"Display Name\" --test")
- print(" # Verify immediately:")
- print(" cd ../privacyidea; $KUBECTL=... ./check-user-mfa-state.sh # or for platform-root as precedent")
- print(" cd ../keycape; $KUBECTL=... ./verify-openbao-client.sh")
+ print(" ./dry-run-nonroot-user.sh \"Display Name\" [--actor user] [--scope none]")
+ print(" # It will: safe secret extract (/tmp + trap), create --test, verifs (MFA/KeyCape), optional lock/offboard, emit /tmp/.../evidence.json, cleanup.")
 print("")
- print("3. Exercise lock (GraphQL, non-secret):")
- print(" # First get LLDAP_TOKEN as in inventory script or netkingdom-lifecycle-inventory.sh")
- print(" curl ... /api/graphql -d '{\"query\":\"mutation { removeUserFromGroup(userId: \\\"\\\", groupId: 4) { ok } }\"}'")
- print("")
- print("4. Exercise offboard:")
- print(" curl ... -d '{\"query\":\"mutation { deleteUser(userId: \\\"\\\") { ok } }\"}'")
- print(" # Confirm: users list should no longer contain the subject; only admin + platform-root")
- print("")
- print("5. Generate evidence skeleton + validate:")
- print(" make security-bootstrap-onboarding-dry-run-template > /tmp/netkingdom-onboarding-dry-run/evidence.json")
- print(" # Edit the skeleton with actual outputs from above steps (subject, groups during life, lock/offboard results, etc.)")
+ print("Validate evidence:")
 print(" make security-bootstrap-validate-onboarding-dry-run")
 print("")
- print("6. Cleanup (critical for taint hygiene):")
- print(" rm -rf sso-mfa/bootstrap/secrets")
- print(" # Optionally: a future lifecycle-cleanup-test-users helper for pattern-matched dry-run subjects")
+ print("Claims verification (non-secret, infers from LLDAP groups + T01 role):")
+ print(" python3 tools/security-bootstrap-console/security_bootstrap_console.py onboarding-dry-run-claims --subject --groups net-kingdom-users")
 print("")
- print("All steps must leave LLDAP clean, no plaintext secrets on disk, and evidence with no secret markers.")
- print("See workplan T06 note for the exact 2026-06-03 execution that was used to close the gate.")
+ print("Cleanup pattern-matched test users:")
+ print(" make security-bootstrap-lifecycle-cleanup-dryrun-users PATTERN=t06-*")
+ print(" # Or console 'lifecycle-cleanup-dryrun-users --pattern t06-*'")
+ print("")
+ print("All steps leave LLDAP clean, no plaintext secrets on disk, evidence with required bools (effective before save, no root grant, verified identity/claims, actor_class != king, etc.). See console lifecycle-flow-template / onboarding-dry-run-template and smooth-bootstrap-guide.md.")
+ print("See workplan T06/0019 notes for the 2026-06-03 execution.")
 print("") 
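Review bot: The new `# It will: safe secret extract (/tmp + trap)` line leaves it unclear whether the extracted LLDAP password lands in a private per-run directory or in a fixed path like the removed `/tmp/netkingdom-onboarding-dry-run/` one, and on a shared host that distinction is what makes the /tmp step safe rather than just tidy. If `dry-run-nonroot-user.sh` creates the workspace with `mktemp -d` (mode 0700) and removes it on exit, say so here, e.g. `print(" # It will: extract the secret into a private per-run temp dir (mktemp -d, removed on exit by trap), create --test, verifs (MFA/KeyCape), optional lock/offboard, emit evidence.json there, cleanup.")`. The `PATTERN=t06-*` cleanup lines delete LLDAP users by glob, so a one-line hint to list the matches before deleting (if the make target or console command supports that) would guard against an over-broad pattern removing a real account. print_lifecycle_guide starts before and continues after this hunk, and the header's 41/28 line counts exceed the lines visible here, so some context lines appear to have been lost in this rendering.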
diff --git a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md
index a3f05ac..8e88bce 100644
--- a/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md
+++ b/workplans/NET-WP-0018-bootstrap-automation-and-rebuild-readiness.md
@@ -258,7 +258,7 @@ dry-run + evidence is the model for user-lifecycle portion of the guide.
 ```task
 id: NET-WP-0018-T06
-status: todo
+status: in_progress
 priority: high
 state_hub_task_id: "9bba26b3-b1be-4e58-a18b-a0533683d63b"
 ```
@@ -293,6 +293,8 @@ for the user-lifecycle slice. Full alignment awaits T05 guide + more validators
 in T08 (e.g. for OIDC client, OpenBao config). See 0019 workplan for details; lifecycle_guide T06 section needs refresh to deprecate old secret-mkdir path.
+**2026-06-03:** Started T06 (after T05 guide complete). Per T05 recs and plan. Review console/make against new smooth-bootstrap-guide.md + T02/T03. Will refresh console lifecycle_guide T06 DRY-RUN to prefer 0019 orchestrator/make (deprecate old manual secret path); ensure status/actions reference the new guide; leverage existing 0019 validators for "replace passive with validators"; make wrong-order hard via next-safe/blocked in guide + console. Use pragmatic. Small targeted updates to console.py (print_lifecycle_guide) and perhaps Makefile/docs refs.
+
 ### T07 - Add Automated Tests For Bootstrap UI Sections And Runbooks
 ```task