Record whynot OpenBao lane apply evidence

2026-06-28 12:41:39 +02:00
parent 3ef25cb787
commit 271aa94642
8 changed files with 134 additions and 12 deletions
--- a/scripts/credential-change.py
+++ b/scripts/credential-change.py
@@ -169,6 +169,19 @@ def validate_workload_kv_read(ccr: dict[str, Any], errors: list[str], warnings:
        errors.append("openbao.auth.method must be oidc or kubernetes")
    require_string(auth.get("mount"), "openbao.auth.mount", errors)
    require_string(auth.get("role"), "openbao.auth.role", errors)
+    if method == "oidc":
+        redirect_uris = require_list(
+            auth.get("allowed_redirect_uris"),
+            "openbao.auth.allowed_redirect_uris",
+            errors,
+        )
+        if not redirect_uris:
+            errors.append("openbao.auth.allowed_redirect_uris must not be empty for oidc")
+        for index, uri in enumerate(redirect_uris):
+            if not isinstance(uri, str) or not uri.strip():
+                errors.append(
+                    f"openbao.auth.allowed_redirect_uris[{index}] must be a non-empty string"
+                )
    policies = [str(policy) for policy in require_list(auth.get("policies"), "openbao.auth.policies", errors)]
    if policies != [policy_name]:
        errors.append("openbao.auth.policies must contain exactly openbao.policy_name")
@@ -346,6 +359,8 @@ def auth_payload(ccr: dict[str, Any]) -> dict[str, Any]:
    }
    if auth.get("groups_claim"):
        payload["groups_claim"] = auth["groups_claim"]
+    if auth.get("allowed_redirect_uris"):
+        payload["allowed_redirect_uris"] = auth["allowed_redirect_uris"]
    return payload