Confirm whynot credential binding

2026-06-27 23:45:31 +02:00
parent aee0dcefad
commit 52687d8b3e
6 changed files with 115 additions and 41 deletions
--- a/scripts/credential-change.py
+++ b/scripts/credential-change.py
@@ -487,6 +487,29 @@ def append_decision(path: Path, status: str, reviewer: str, comment: str) -> Non
    dump_yaml(path, ccr)


+def confirm_binding(path: Path, reviewer: str, comment: str) -> None:
+    ccr, errors, _warnings = validate_ccr(path)
+    if errors:
+        for error in errors:
+            print(f"[FAIL] {path.name}: {error}", file=sys.stderr)
+        raise SystemExit(1)
+    ccr["openbao"]["auth"]["bound_claims_confirmed"] = True
+    review = ccr.setdefault("review", {})
+    comments = review.setdefault("comments", [])
+    if not isinstance(comments, list):
+        fail("review.comments must be a list")
+    comments.append(
+        {
+            "at": utc_now(),
+            "reviewer": reviewer,
+            "decision": "binding_confirmed",
+            "comment": comment,
+        }
+    )
+    ccr["updated"] = datetime.now(timezone.utc).date().isoformat()
+    dump_yaml(path, ccr)
+
+
 def command_validate(args: argparse.Namespace) -> int:
    refs = args.refs or [str(path) for path in sorted(ccr_dir().glob("*.y*ml"))]
    if not refs:
@@ -554,6 +577,13 @@ def command_decision(args: argparse.Namespace, status: str) -> int:
    return 0


+def command_confirm_binding(args: argparse.Namespace) -> int:
+    path = resolve_ccr(args.ref)
+    confirm_binding(path, args.reviewer, args.comment)
+    print(f"[OK] {path.name} -> binding_confirmed")
+    return 0
+
+
 def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(
        description="Validate, render, and review non-secret credential change requests."
@@ -594,6 +624,15 @@ def build_parser() -> argparse.ArgumentParser:
        decision.add_argument("--comment", required=True)
        decision.set_defaults(func=lambda args, status=status: command_decision(args, status))

+    binding = sub.add_parser(
+        "confirm-binding",
+        help="Record that the non-secret OpenBao auth binding was confirmed",
+    )
+    binding.add_argument("ref")
+    binding.add_argument("--reviewer", required=True)
+    binding.add_argument("--comment", required=True)
+    binding.set_defaults(func=command_confirm_binding)
+
    return parser