net-kingdom/sso-mfa/k8s/keycape/verify-openbao-client.sh
tegwick efbdab4652 feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks
Configure OpenBao auth for both netkingdom and keycape mounts with browser
redirect URIs; update verify scripts and runtime architecture notes.
2026-06-18 01:23:02 +02:00


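#!/usr/bin/env bash
# Verify the live KeyCape config carries the OpenBao admin client and KeyCape
# is serving OIDC discovery after rollout.
#
# Environment (all optional, defaults in parentheses):
#   KEYCAPE_NAMESPACE      namespace holding KeyCape and its config Secret (sso)
#   KEYCAPE_CONFIG_SECRET  name of the KeyCape config Secret (keycape-config)
#   KUBECTL                kubectl binary or wrapper, a single command word (kubectl)
#   KEYCAPE_VERIFY_PORT    local port for the discovery port-forward (18080)
#   KEYCAPE_PUBLIC_URL     public KeyCape base URL (https://kc.coulomb.social)
set -euo pipefail
NAMESPACE="${KEYCAPE_NAMESPACE:-sso}"
SECRET="${KEYCAPE_CONFIG_SECRET:-keycape-config}"
KUBECTL="${KUBECTL:-kubectl}"
PORT="${KEYCAPE_VERIFY_PORT:-18080}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Fail early with a clear message if a required tool is missing, instead of
# dying part-way through with a bare "command not found" after a port-forward
# may already have been started.
for required_tool in "$KUBECTL" python3 curl; do
  if ! command -v "$required_tool" >/dev/null 2>&1; then
    echo "[FAIL] required tool not found on PATH: $required_tool" >&2
    exit 1
  fi
done
# The Secret is streamed as JSON straight into the verifier's stdin; nothing
# from it is written to disk or passed on a command line.
"$KUBECTL" get secret "$SECRET" -n "$NAMESPACE" -o json \
  | python3 "$SCRIPT_DIR/openbao-client-config.py" verify
PUBLIC_URL="${KEYCAPE_PUBLIC_URL:-https://kc.coulomb.social}"
# Strip one trailing slash so the path joins cleanly whatever the caller set.
PUBLIC_AUTHORIZE_URL="${PUBLIC_URL%/}/authorize"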
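#######################################
# Probe the public KeyCape authorize endpoint with one registered redirect URI
# for the openbao-admin client and require a 302 back.
# Globals:   PUBLIC_AUTHORIZE_URL (read), PUBLIC_URL (read, for the hint text)
# Arguments: $1 - human-readable label for the redirect being probed
#            $2 - redirect_uri to send, exactly as registered on the client
# Outputs:   "[PASS] ..." on stdout; "[FAIL] ..." diagnostics on stderr
# Returns:   0 when KeyCape answers 302; exits 1 on any rejection or when curl
#            itself fails (DNS, TLS, timeout), which is reported separately so
#            a transport problem is not mistaken for a KeyCape policy decision.
#######################################
probe_redirect() {
  local label="$1"
  local redirect_uri="$2"
  local output
  local curl_rc=0
  local public_host
  # -i keeps the status line so the 302 check can see it. The state and PKCE
  # challenge are fixed probe values: the flow is never completed, so they
  # need not be random. TLS verification is deliberately left on (no
  # --insecure) — a probe that could be answered by a man-in-the-middle would
  # prove nothing about the real ingress. --max-time bounds the probe so a
  # black-holed host cannot hang the rollout check.
  output=$(
    curl -sS -i -G --max-time 20 "$PUBLIC_AUTHORIZE_URL" \
      --data-urlencode "client_id=openbao-admin" \
      --data-urlencode "redirect_uri=$redirect_uri" \
      --data-urlencode "response_type=code" \
      --data-urlencode "scope=openid profile email groups" \
      --data-urlencode "state=netkingdom-openbao-client-probe" \
      --data-urlencode "code_challenge=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ" \
      --data-urlencode "code_challenge_method=S256" \
      2>&1
  ) || curl_rc=$?
  if (( curl_rc != 0 )); then
    echo "[FAIL] curl could not complete the $label probe against $PUBLIC_AUTHORIZE_URL (curl exit $curl_rc)" >&2
    echo " Redirect URI: $redirect_uri" >&2
    echo " This is a DNS/TLS/network failure, not a KeyCape rejection; first output:" >&2
    sed -n '1,12p' <<<"$output" >&2
    exit 1
  fi
  if grep -qF '"unknown client_id"' <<<"$output"; then
    # Name the host that was actually probed rather than a fixed hostname, so
    # the hint stays correct when KEYCAPE_PUBLIC_URL is overridden.
    public_host="${PUBLIC_URL#*://}"
    public_host="${public_host%%/*}"
    echo "[FAIL] $PUBLIC_AUTHORIZE_URL rejects openbao-admin with unknown client_id" >&2
    echo " Check DNS for $public_host and ensure it reaches the KeyCape ingress that was patched." >&2
    exit 1
  fi
  # Any status line (HTTP/1.1 or HTTP/2) reporting 302 counts as acceptance of
  # the redirect URI; a non-redirect response means it was not registered.
  if ! grep -qE '^HTTP/[0-9.]+ 302 ' <<<"$output"; then
    echo "[FAIL] $PUBLIC_AUTHORIZE_URL did not accept the $label redirect URI for openbao-admin" >&2
    echo " Redirect URI: $redirect_uri" >&2
    echo " First response:" >&2
    sed -n '1,12p' <<<"$output" >&2
    exit 1
  fi
  echo "[PASS] public KeyCape authorize endpoint accepts $label redirect"
}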
# Every redirect URI registered on openbao-admin, probed in order: the CLI's
# loopback callback (plain http on localhost is expected for an RFC 8252-style
# loopback flow — presumably the only non-https redirect on this client) and
# the browser-UI callbacks for both OpenBao auth mounts.
redirect_probes=(
  "CLI|http://localhost:8250/oidc/callback"
  "browser UI netkingdom mount|https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback"
  "browser UI keycape compatibility mount|https://bao.coulomb.social/ui/vault/auth/keycape/oidc/callback"
)
for redirect_probe in "${redirect_probes[@]}"; do
  probe_redirect "${redirect_probe%%|*}" "${redirect_probe#*|}"
done
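# Locate one Running KeyCape pod. Its name is only reported in the PASS line;
# the port-forward below goes through the Service.
KC_POD=$("$KUBECTL" get pod -n "$NAMESPACE" \
  -l app.kubernetes.io/name=keycape \
  --field-selector=status.phase=Running \
  -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)
if [[ -z "$KC_POD" ]]; then
  echo "[FAIL] no running KeyCape pod found in namespace $NAMESPACE" >&2
  exit 1
fi
# Port-forward log. Created with mktemp rather than a fixed name under /tmp:
# "rm -f fixed-name; > fixed-name" leaves a window in which another local
# user could plant a symlink and have kubectl's output written through it.
# The log is dumped to stderr on failure and removed on exit.
PF_LOG=$(mktemp "${TMPDIR:-/tmp}/netkingdom-keycape-openbao-client-port-forward.XXXXXX") || {
  echo "[FAIL] could not create a temporary file for the port-forward log" >&2
  exit 1
}
# Loopback only: the forwarded KeyCape port must not be reachable from other
# hosts for the duration of the check.
"$KUBECTL" -n "$NAMESPACE" port-forward --address 127.0.0.1 svc/keycape "$PORT:8080" \
  >"$PF_LOG" 2>&1 &
PF_PID=$!
# Stop the forward and drop its log on every exit path, including the
# "[PASS]" exit inside the loop below.
cleanup() {
  kill "$PF_PID" 2>/dev/null || true
  wait "$PF_PID" 2>/dev/null || true
  rm -f -- "$PF_LOG"
}
trap cleanup EXIT
# Poll the OIDC discovery document for up to ~30 s. Plain http is intentional:
# the request only ever goes to 127.0.0.1, into the kubectl tunnel.
# NOTE(review): this only checks that "issuer" is non-empty. Whether it should
# equal PUBLIC_URL depends on how KeyCape derives its issuer — confirm before
# tightening the check.
for ((attempt = 1; attempt <= 30; attempt++)); do
  if python3 - "$PORT" <<'PY' >/dev/null 2>&1
import json
import sys
import urllib.request
port = sys.argv[1]
with urllib.request.urlopen(f"http://127.0.0.1:{port}/.well-known/openid-configuration", timeout=2) as response:
    payload = json.load(response)
if not payload.get("issuer"):
    raise SystemExit("missing issuer")
PY
  then
    echo "[PASS] KeyCape discovery endpoint responds via local port-forward to pod $KC_POD"
    exit 0
  fi
  # A dead forward (port in use, RBAC denial, ...) will never answer; report
  # its log now instead of burning the remaining attempts.
  if ! kill -0 "$PF_PID" 2>/dev/null; then
    echo "[FAIL] KeyCape port-forward exited before discovery responded" >&2
    cat "$PF_LOG" >&2
    exit 1
  fi
  sleep 1
done
echo "[FAIL] KeyCape discovery endpoint did not respond via local port-forward" >&2
cat "$PF_LOG" >&2
exit 1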