Split OpenBao admin identity tasks

This commit is contained in:
2026-05-26 02:13:55 +02:00
parent 9dc7e140b8
commit f3c8d70270
5 changed files with 292 additions and 23 deletions

View File

@@ -9,7 +9,7 @@
# 3. At least one non-admin user exists in LLDAP
# 4. Break-glass user exists and is in net-kingdom-admins
# 5. privacyIDEA self-service portal reachable
# 6. KeyCape config has at least one OIDC client registered
# 6. KeyCape config has OIDC clients, including openbao-admin
#
# Usage:
# chmod +x verify-t07.sh
@@ -174,6 +174,39 @@ if [[ -n "$KC_POD" ]]; then
else
warn "No OIDC clients registered — add clients to keycape/create-secrets.sh and re-run it"
fi
OPENBAO_CLIENT_CHECK=$(echo "$CONFIG" | python3 -c '
import sys
import yaml
cfg = yaml.safe_load(sys.stdin.read()) or {}
clients = cfg.get("clients") or []
target = next((client for client in clients if client.get("clientId") == "openbao-admin"), None)
if not target:
print("missing openbao-admin client")
raise SystemExit(2)
required_redirects = {
"http://localhost:8250/oidc/callback",
"http://127.0.0.1:8250/oidc/callback",
}
required_scopes = {"openid", "profile", "email", "groups"}
missing_redirects = sorted(required_redirects - set(target.get("redirectUris") or []))
missing_scopes = sorted(required_scopes - set(target.get("allowedScopes") or []))
if target.get("clientType") != "public":
print("openbao-admin clientType must be public for the current PKCE-only KeyCape profile")
raise SystemExit(3)
if missing_redirects:
print("openbao-admin missing redirect URI(s): " + ", ".join(missing_redirects))
raise SystemExit(4)
if missing_scopes:
print("openbao-admin missing scope(s): " + ", ".join(missing_scopes))
raise SystemExit(5)
print("openbao-admin client has local CLI redirects and required scopes")
' 2>/dev/null || echo "missing or invalid openbao-admin client")
if [[ "$OPENBAO_CLIENT_CHECK" == openbao-admin* ]]; then
pass "$OPENBAO_CLIENT_CHECK"
else
fail "$OPENBAO_CLIENT_CHECK"
fi
else
warn "Skipping client check — KeyCape not reachable in-cluster"
fi