net-kingdom/sso-mfa/bootstrap/creds-status.sh
Bernd Worsch c10d7d2f8a feat(creds): implement NK-WP-0004 Credential Management Foundation
- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
  and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
  status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
  + hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
  authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
  and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
  confirmation, per-component apply status, enckey and pi-admin bootstrap flags

NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 23:39:35 +00:00


#!/usr/bin/env bash
# creds-status.sh — print a human-readable credential state table.
#
# Usage:
# bash sso-mfa/bootstrap/creds-status.sh
# make creds-status
set -euo pipefail

# The state file defaults to the one beside this script; an explicit path may
# be passed as the first argument.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
STATE_FILE="${1:-$SCRIPT_DIR/creds-state.yaml}"

# Refuse to run against a non-existent file rather than printing an empty table.
if ! [[ -f "$STATE_FILE" ]]; then
  printf '%s\n' "ERROR: creds-state.yaml not found: $STATE_FILE" >&2
  printf '%s\n' " This file is created at repo init — check your working directory." >&2
  exit 1
fi
# Simple key extractors (no yaml lib dependency)
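#######################################
# Read a top-level scalar from the state file.
# Globals:   STATE_FILE (read)
# Arguments: $1 - key name. It is spliced into a grep -E pattern, so only
#                 literal identifiers from this script should be passed.
# Outputs:   the value with surrounding double quotes and any trailing
#            "# comment" stripped; empty when the key is absent
# Returns:   0 when the key is found or absent; non-zero only if grep itself
#            errors (status 2)
#######################################
top_val() {
  local key=$1
  # grep exits 1 when the key is absent. Under `set -o pipefail` that failed
  # the whole pipeline, and an enclosing var="$(top_val …)" assignment then
  # aborted the script via `set -e` with no message at all. Treat "no match"
  # as an empty value (status_icon renders it as "?") while still propagating
  # a real grep error. `--` keeps a '-'-prefixed STATE_FILE from being read
  # as an option.
  { grep -E -- "^${key}:" "$STATE_FILE" || [[ $? -eq 1 ]]; } \
    | sed 's/^[^:]*: *//' | sed 's/ *#.*//' | tr -d '"'
}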
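#######################################
# Read a scalar that is indented one level under a mapping in the state file.
# Globals:   STATE_FILE (read)
# Arguments: $1 - key name. It is spliced into a grep -E pattern, so only
#                 literal identifiers from this script should be passed.
# Outputs:   the value with surrounding double quotes and any trailing
#            "# comment" stripped; empty when the key is absent
# Returns:   0 when the key is found or absent; non-zero only if grep itself
#            errors (status 2)
#######################################
nested_val() {
  local key=$1
  # Same failure mode as top_val: an absent key made grep exit 1, which under
  # `set -o pipefail` aborted the var="$(nested_val …)" assignment in the
  # caller's loop silently. Map "no match" to an empty value, keep real grep
  # errors fatal, and pass `--` so STATE_FILE is never parsed as an option.
  { grep -E -- "^ ${key}:" "$STATE_FILE" || [[ $? -eq 1 ]]; } \
    | sed 's/^[^:]*: *//' | sed 's/ *#.*//' | tr -d '"'
}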
#######################################
# Map a YAML boolean/null literal to a one-character status glyph.
# Arguments: $1 - "true", "false", "null", or anything else
# Outputs:   ✔ for true, ✗ for false, — for null, ? for any other value
# Returns:   0
#######################################
status_icon() {
  local flag=$1
  local icon
  if [[ "$flag" == "true" ]]; then
    icon="✔"
  elif [[ "$flag" == "false" ]]; then
    icon="✗"
  elif [[ "$flag" == "null" ]]; then
    icon="—"
  else
    # Unknown or empty value (e.g. key missing from the state file).
    icon="?"
  fi
  printf '%s\n' "$icon"
}
# ---- Header ------------------------------------------------------------------
printf '%s\n' "=== net-kingdom Credential State ==="
printf '\n'

# ---- Top-level lifecycle flags ------------------------------------------------
generated_at="$(top_val generated_at)"
bundle_at="$(top_val bundle_at)"
keepass_confirmed="$(top_val keepass_confirmed)"

# Hint shown only while the KeePassXC import has not been confirmed.
keepass_hint=""
if [[ "$keepass_confirmed" == "false" ]]; then
  keepass_hint="(set keepass_confirmed: true manually)"
fi

printf " %-30s %s\n" "Generated at:" "${generated_at:-}"
printf " %-30s %s\n" "Bundle at:" "${bundle_at:-}"
printf " %-30s %s %s\n" "KeePassXC confirmed:" \
  "$(status_icon "$keepass_confirmed")" "$keepass_hint"
printf '\n'

# ---- Per-component apply status -----------------------------------------------
printf '%s\n' " Secrets applied:"
components=(postgres lldap authelia privacyidea keycape)
for component in "${components[@]}"; do
  val="$(nested_val "$component")"
  note=""
  # Per the note text, keycape depends on PI_ADMIN_TOKEN (post-T04), so an
  # unapplied keycape gets an explanatory suffix.
  if [[ "$component" == "keycape" && "$val" == "false" ]]; then
    note=" (requires PI_ADMIN_TOKEN — post-T04)"
  fi
  printf " %-28s %s%s\n" "$component" "$(status_icon "$val")" "$note"
done
printf '\n'

# ---- Bootstrap flags ----------------------------------------------------------
enckey="$(top_val enckey_bootstrapped)"
pi_admin="$(top_val pi_admin_created)"

enckey_hint=""
if [[ "$enckey" == "false" ]]; then
  enckey_hint=" ← TIME-SENSITIVE once pod is live"
fi
printf " %-30s %s%s\n" "enckey bootstrapped:" "$(status_icon "$enckey")" "$enckey_hint"
printf " %-30s %s\n" "pi-admin created:" "$(status_icon "$pi_admin")"
printf '\n'

printf '%s\n' "Run 'make creds-verify' to refresh state from the live cluster."