generated from coulomb/repo-seed
feat(NET-WP-0018-T06): align control surface - refresh console lifecycle_guide T06 DRY-RUN to 0019 orchestrator + new smooth guide
- Updated print_lifecycle_guide in console.py: replaced old manual secret-mkdir steps (pre-0019) with preferred make security-bootstrap-onboarding-dry-run + dry-run-nonroot-user.sh + validate + claims + cleanup. References docs/smooth-bootstrap-guide.md Step 7 + NET-WP-0019.
- Workplan T06 start note + in_progress (alignment per T05 guide + T03 recs; leverages existing 0019 validators/console for passive->validator).
- Pragmatic: progress log, file notes, this commit.
- This makes the printed guide align with the T05 consolidated guide and deprecates the fragile manual path. T06 alignment complete for guide/control surface. Next: T07 tests (use new guide + 0019 as cases) or T04/T08.
@@ -1207,41 +1207,28 @@ def print_lifecycle_guide() -> None:
print("=== T06 DRY-RUN EXECUTION (adjacent polish) ===")
print("Use after the above onboard/lock/offboard steps for a scoped non-root subject.")
print("This makes the T06 gate repeatable and less manual.")
print("This makes the T06 gate repeatable and less manual. See docs/smooth-bootstrap-guide.md Step 7 and NET-WP-0019.")
print("")
print("1. Safe temp secret (never commit; auto-clean recommended):")
print(" KUBECTL=/home/worsch/.local/bin/kubectl")
print(" mkdir -p sso-mfa/bootstrap/secrets/lldap")
print(" $KUBECTL get secret -n sso lldap-secrets -o jsonpath='{.data.LLDAP_LDAP_USER_PASS}' | base64 -d \\")
print(" | (echo -n 'LLDAP_LDAP_USER_PASS='; cat) > sso-mfa/bootstrap/secrets/lldap/secrets.env")
print("Preferred: one-command via make (handles /tmp safe workspace + trap + k8s fallback for secrets, never persistent bootstrap/secrets for dry-runs):")
print(" make security-bootstrap-onboarding-dry-run SUBJECT=<username> EMAIL=<email> DISPLAY=\"<name>\"")
print("")
print("2. Onboard non-root (no --admin):")
print("Or direct script:")
print(" cd sso-mfa/k8s/lldap")
print(" export KUBECTL=/home/worsch/.local/bin/kubectl")
print(" ./create-user.sh <username> <email> \"Display Name\" --test")
print(" # Verify immediately:")
print(" cd ../privacyidea; $KUBECTL=... ./check-user-mfa-state.sh <username> # or for platform-root as precedent")
print(" cd ../keycape; $KUBECTL=... ./verify-openbao-client.sh")
print(" ./dry-run-nonroot-user.sh <username> <email> \"Display Name\" [--actor user] [--scope none]")
print(" # It will: safe secret extract (/tmp + trap), create --test, verifs (MFA/KeyCape), optional lock/offboard, emit /tmp/.../evidence.json, cleanup.")
print("")
print("3. Exercise lock (GraphQL, non-secret):")
print(" # First get LLDAP_TOKEN as in inventory script or netkingdom-lifecycle-inventory.sh")
print(" curl ... /api/graphql -d '{\"query\":\"mutation { removeUserFromGroup(userId: \\\"<username>\\\", groupId: 4) { ok } }\"}'")
print("")
print("4. Exercise offboard:")
print(" curl ... -d '{\"query\":\"mutation { deleteUser(userId: \\\"<username>\\\") { ok } }\"}'")
print(" # Confirm: users list should no longer contain the subject; only admin + platform-root")
print("")
print("5. Generate evidence skeleton + validate:")
print(" make security-bootstrap-onboarding-dry-run-template > /tmp/netkingdom-onboarding-dry-run/evidence.json")
print(" # Edit the skeleton with actual outputs from above steps (subject, groups during life, lock/offboard results, etc.)")
print("Validate evidence:")
print(" make security-bootstrap-validate-onboarding-dry-run")
print("")
print("6. Cleanup (critical for taint hygiene):")
print(" rm -rf sso-mfa/bootstrap/secrets")
print(" # Optionally: a future lifecycle-cleanup-test-users helper for pattern-matched dry-run subjects")
print("Claims verification (non-secret, infers from LLDAP groups + T01 role):")
print(" python3 tools/security-bootstrap-console/security_bootstrap_console.py onboarding-dry-run-claims --subject <username> --groups net-kingdom-users")
print("")
print("All steps must leave LLDAP clean, no plaintext secrets on disk, and evidence with no secret markers.")
print("See workplan T06 note for the exact 2026-06-03 execution that was used to close the gate.")
print("Cleanup pattern-matched test users:")
print(" make security-bootstrap-lifecycle-cleanup-dryrun-users PATTERN=t06-*")
print(" # Or console 'lifecycle-cleanup-dryrun-users --pattern t06-*'")
print("")
print("All steps leave LLDAP clean, no plaintext secrets on disk, evidence with required bools (effective before save, no root grant, verified identity/claims, actor_class != king, etc.). See console lifecycle-flow-template / onboarding-dry-run-template and smooth-bootstrap-guide.md.")
print("See workplan T06/0019 notes for the 2026-06-03 execution.")
print("")
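Review bot: the closing guarantee printed at `print("All steps leave LLDAP clean, no plaintext secrets on disk, ...")` is contradicted a few lines earlier by the direct-script description `# It will: safe secret extract (/tmp + trap), ...`: a secret extracted to /tmp is on disk for the life of the run, a shell `trap` does not fire on SIGKILL or a lost session, and /tmp on a shared host is only private if the workspace is created with mkdtemp-style 0700 permissions. The honest wording is "no plaintext secrets left on disk after cleanup", and the printed flow should then say what that cleanup is for the make/script path; the only secret-cleanup line in the hunk, `rm -rf sso-mfa/bootstrap/secrets`, appears to belong to the manual path this commit retires, and the retained `make security-bootstrap-lifecycle-cleanup-dryrun-users PATTERN=t06-*` only removes test users. Two smaller points: `make security-bootstrap-validate-onboarding-dry-run` is printed without saying which evidence file it reads, while the script's output location is given only as `/tmp/.../evidence.json`, so print the resolved path (or whatever the target actually reads) next to the validate step; and if any `KUBECTL=` line survives the rewrite, `/home/worsch/.local/bin/kubectl` is a user-specific path that should become a bare `kubectl` or `$(command -v kubectl)`, and the form `$KUBECTL=... ./check-user-mfa-state.sh` needs the leading `$` dropped, since as written it expands the variable into a command name rather than setting it for the script.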