Record whynot identity group evidence

This commit is contained in:
2026-06-28 16:05:17 +02:00
parent 3527bc1cae
commit 2c1e76efca
2 changed files with 27 additions and 0 deletions

View File

@@ -118,6 +118,15 @@ verification:
- Positive login reported missing groups claim because the role did not request the groups scope. - Positive login reported missing groups claim because the role did not request the groups scope.
- Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups. - Updated auth/netkingdom/role/whynot-design-workload-kv-read with oidc_scopes openid/profile/email/groups.
- Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks. - Added the 127.0.0.1 local CLI callback URI alongside localhost and browser callbacks.
- at: '2026-06-28T14:01:47+00:00'
actor: codex
kind: non_secret_identity_group_check
result: applied
details:
- Positive login advanced from missing groups claim to bound claim mismatch; this confirms the groups scope is now requested.
- Live LLDAP group inventory did not contain whynot-design before this check.
- Created and verified the whynot-design LLDAP group for the approved OpenBao bound claim.
- No user membership was changed; positive verification still requires the authenticating account to be explicitly added to whynot-design.
lifecycle: lifecycle:
deactivate: Disable ops-warden catalog entry and remove or detach auth role policy. deactivate: Disable ops-warden catalog entry and remove or detach auth role policy.
rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation rotate: Replace NPM_AUTH_TOKEN value directly in OpenBao and record non-secret rotation

View File

@@ -12,6 +12,7 @@ This is the next-session handoff for `CCR-2026-0001` and the
- Catalog id: `whynot-design-npm-publish` - Catalog id: `whynot-design-npm-publish`
- Tenant/org: `coulomb` - Tenant/org: `coulomb`
- Workload/project: `whynot-design` - Workload/project: `whynot-design`
- Bound IAM group: `whynot-design`
- Secret path: `platform/workloads/coulomb/whynot-design/npm-publish` - Secret path: `platform/workloads/coulomb/whynot-design/npm-publish`
- Field: `NPM_AUTH_TOKEN` - Field: `NPM_AUTH_TOKEN`
- Token source: Gitea package token for - Token source: Gitea package token for
@@ -24,6 +25,13 @@ binding and redirect URIs, the secret metadata has the expected catalog id, and
the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded, the `NPM_AUTH_TOKEN` field is present. No secret value was printed, recorded,
or copied into Git, State Hub, chat, or workplans. or copied into Git, State Hub, chat, or workplans.
On 2026-06-28, the attended positive OIDC login advanced from a missing
`groups` claim to a bound-claim mismatch. That means the role now requests the
`groups` scope correctly, but the authenticating identity is not a member of
`whynot-design`. The `whynot-design` LLDAP group was created and verified; no
user membership was changed. Add only the intended publisher/verifier identity
to that group before retrying positive verification.
## Safety Rules ## Safety Rules
- Do not paste `NPM_AUTH_TOKEN` into Git, State Hub, chat, shell history, logs, - Do not paste `NPM_AUTH_TOKEN` into Git, State Hub, chat, shell history, logs,
@@ -178,6 +186,16 @@ bao read auth/netkingdom/role/whynot-design-workload-kv-read
Positive verification proves the approved whynot-design identity can fetch the Positive verification proves the approved whynot-design identity can fetch the
field without exposing it in logs. field without exposing it in logs.
Before retrying, confirm the account used for OIDC login is a member of the
`whynot-design` LLDAP group. If OpenBao reports:
```text
claim "groups" does not match any associated bound claim values
```
then the groups claim is present, but the account is not in `whynot-design` or
KeyCape did not emit that membership in the fresh login.
Use an attended shell, keep tracing disabled, and suppress command output: Use an attended shell, keep tracing disabled, and suppress command output:
```bash ```bash