coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
49be67f267c6cdce2e8a4f76fd36e879cf28855f
net-kingdom/sso-mfa/k8s/privacyidea/check-user-mfa-state.sh

90 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# check-user-mfa-state.sh — non-secret privacyIDEA MFA state diagnostic.
#
# Reports realm presence and user/token counts for a user without printing
# passwords, OTP seeds, admin JWTs, token serials, or token metadata.
#
# Usage:
# bash check-user-mfa-state.sh [username]
set -euo pipefail
USERNAME="${1:-platform-root}"
PI_URL="${PI_URL:-https://pink.coulomb.social}"
SSO_NAMESPACE="${SSO_NAMESPACE:-sso}"
KUBECTL="${KUBECTL:-kubectl}"
TOKEN="$(
"$KUBECTL" get secret keycape-pi-token -n "$SSO_NAMESPACE" \
-o jsonpath='{.data.token}' 2>/dev/null | base64 -d 2>/dev/null || true
)"
if [[ -z "$TOKEN" ]]; then
TOKEN="$(
"$KUBECTL" get secret keycape-pi-token -n "$SSO_NAMESPACE" \
-o jsonpath='{.data.pi_admin_token}' 2>/dev/null | base64 -d 2>/dev/null || true
)"
fi
if [[ -z "$TOKEN" || "$TOKEN" == "PENDING_create-pi-token.sh" ]]; then
echo "[FAIL] keycape-pi-token is missing or still a placeholder."
exit 1
fi
api_get() {
local path="$1"
curl -sk -H "Authorization: $TOKEN" "$PI_URL$path"
}
json_field() {
python3 -c "$1"
}
echo "privacyIDEA MFA state for user: $USERNAME"
echo "Endpoint: $PI_URL"
echo ""
REALM_RESP="$(api_get "/realm/")"
echo "Realms:"
printf '%s' "$REALM_RESP" | json_field '
import json
import sys
data = json.load(sys.stdin)
if not data.get("result", {}).get("status", False):
print(" [WARN] realm query returned status=false")
err = data.get("result", {}).get("error", {})
if err:
print(" [WARN] error=" + str(err.get("message", err)))
realms = data.get("result", {}).get("value", {})
if not realms:
print(" [WARN] no realms returned")
for name in sorted(realms):
print(" - " + name + " default=" + str(bool(realms[name].get("default"))))
'
for realm in coulomb netkingdom; do
echo ""
echo "Realm: $realm"
USER_RESP="$(api_get "/user/?realm=$realm&username=$USERNAME")"
TOKEN_RESP="$(api_get "/token/?realm=$realm&user=$USERNAME")"
printf '%s' "$USER_RESP" | json_field '
import json
import sys
data = json.load(sys.stdin)
users = data.get("result", {}).get("value", {}).get("users", [])
print(f" users={len(users)}")
'
printf '%s' "$TOKEN_RESP" | json_field '
import json
import sys
data = json.load(sys.stdin)
value = data.get("result", {}).get("value", {})
tokens = value.get("tokens", []) if isinstance(value, dict) else []
active = sum(1 for token in tokens if token.get("active", True))
print(f" tokens={len(tokens)} active={active}")
'
done
Reference in New Issue View Git Blame Copy Permalink