From 80648a78b7820d2d6655c2458672778946738ce1 Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 19 Jun 2026 21:07:37 +0200 Subject: [PATCH] Stop OpenBao login redirect loop by removing URL rewriting Remove redirect-bootstrap and mount polling that fought Ember's token fallback. Keep cosmetic overlay and direct KeyCape OIDC on sign-in only. --- helm/openbao-ui-overlay/README.md | 2 +- helm/openbao-ui-overlay/nginx.conf | 2 +- helm/openbao-ui-overlay/overlay.js | 68 ++----------------- helm/openbao-ui-overlay/redirect-bootstrap.js | 23 ------- scripts/openbao-ui-overlay-apply.sh | 3 +- scripts/openbao-verify-login-overlay.sh | 5 -- 6 files changed, 8 insertions(+), 95 deletions(-) delete mode 100644 helm/openbao-ui-overlay/redirect-bootstrap.js diff --git a/helm/openbao-ui-overlay/README.md b/helm/openbao-ui-overlay/README.md index 20ddc12..1c26c47 100644 --- a/helm/openbao-ui-overlay/README.md +++ b/helm/openbao-ui-overlay/README.md @@ -31,7 +31,7 @@ behaviour. | `VERSION` | OpenBao image tag this overlay targets (`openbao-values.yaml`) | | `presets.json` | Hidden login defaults (`netkingdom`, `platform-admin`, …) | | `overlay.css` | Hide raw OpenBao login fields | -| `overlay.js` | Apply presets, branding, mount deep-link | +| `overlay.js` | Apply presets, branding, direct KeyCape OIDC sign-in | | `nginx.conf` | Gateway proxy + HTML injection | | `patches//manifest.sha256` | Upstream UI fingerprints for drift detection | diff --git a/helm/openbao-ui-overlay/nginx.conf b/helm/openbao-ui-overlay/nginx.conf index efcb7ea..8facdf3 100644 --- a/helm/openbao-ui-overlay/nginx.conf +++ b/helm/openbao-ui-overlay/nginx.conf @@ -49,7 +49,7 @@ http { sub_filter_types text/html; sub_filter_once on; - sub_filter '' ''; + sub_filter '' ''; } } } \ No newline at end of file diff --git a/helm/openbao-ui-overlay/overlay.js b/helm/openbao-ui-overlay/overlay.js index 2bdc3b6..8d96ee0 100644 --- a/helm/openbao-ui-overlay/overlay.js +++ b/helm/openbao-ui-overlay/overlay.js @@ -4,8 +4,6 @@ const PRESETS_URL = "/ui/platform-overlay/presets.json"; const MAX_APPLY_ATTEMPTS = 40; const APPLY_INTERVAL_MS = 250; - const MOUNT_WATCH_MS = 500; - const MOUNT_WATCH_MAX = 24; const DEFAULT_PRESETS = { namespace: "", method: "oidc", @@ -20,7 +18,6 @@ let presets = { ...DEFAULT_PRESETS }; let applyAttempts = 0; let applyTimer = null; - let mountWatchTimer = null; let overlayApplied = false; let signInHandlerInstalled = false; @@ -32,38 +29,8 @@ ); } - function normalizedMount(value) { - return (value || "").replace(/\/$/, ""); - } - - function desiredMount() { - return normalizedMount(presets.mount || "netkingdom"); - } - - function currentMountFromQuery() { - return normalizedMount( - new URLSearchParams(window.location.search).get("with") || "" - ); - } - - function ensureAuthMountSelected() { - const mount = desiredMount(); - const current = currentMountFromQuery(); - - if (current === mount || current === "keycape") { - return false; - } - - if (!isAuthPage() || window.location.pathname.includes("/oidc/")) { - return false; - } - - const params = new URLSearchParams(window.location.search); - params.set("with", `${mount}/`); - window.location.replace( - `${window.location.pathname}?${params.toString()}` - ); - return true; + function isOidcCallbackPage() { + return window.location.pathname.includes("/oidc/"); } function hideNode(node) { @@ -121,7 +88,7 @@ document.addEventListener( "click", (event) => { - if (!isAuthPage()) return; + if (!isAuthPage() || isOidcCallbackPage()) return; const button = event.target.closest( '#auth-submit, button[data-test="auth-submit"], form#auth-form button[type="submit"]' @@ -151,7 +118,7 @@ } function applyDom() { - if (!isAuthPage() || overlayApplied) return false; + if (!isAuthPage() || isOidcCallbackPage() || overlayApplied) return false; hideNode(document.querySelector(".toolbar-namespace-picker")); document @@ -245,25 +212,6 @@ } } - function stopMountWatch() { - if (mountWatchTimer !== null) { - window.clearInterval(mountWatchTimer); - mountWatchTimer = null; - } - } - - function watchAuthMount() { - stopMountWatch(); - let checks = 0; - - mountWatchTimer = window.setInterval(() => { - checks += 1; - if (ensureAuthMountSelected() || checks >= MOUNT_WATCH_MAX) { - stopMountWatch(); - } - }, MOUNT_WATCH_MS); - } - function scheduleApply() { stopApplyLoop(); applyAttempts = 0; @@ -292,15 +240,9 @@ } async function init() { - if (!isAuthPage()) return; + if (!isAuthPage() || isOidcCallbackPage()) return; await loadPresets(); - - if (ensureAuthMountSelected()) { - return; - } - - watchAuthMount(); installKeyCapeSignInHandler(); if (document.readyState === "loading") { diff --git a/helm/openbao-ui-overlay/redirect-bootstrap.js b/helm/openbao-ui-overlay/redirect-bootstrap.js deleted file mode 100644 index bf391de..0000000 --- a/helm/openbao-ui-overlay/redirect-bootstrap.js +++ /dev/null @@ -1,23 +0,0 @@ -(function () { - "use strict"; - - var path = window.location.pathname; - if (path.indexOf("/oidc/") !== -1) { - return; - } - - if (!/\/ui\/vault\/auth(?:\/|$)/.test(path) && !/\/ui\/?$/.test(path)) { - return; - } - - var params = new URLSearchParams(window.location.search); - var current = (params.get("with") || "").replace(/\/$/, ""); - if (current === "netkingdom" || current === "keycape") { - return; - } - - params.set("with", "netkingdom/"); - window.location.replace( - window.location.pathname + "?" + params.toString() - ); -})(); \ No newline at end of file diff --git a/scripts/openbao-ui-overlay-apply.sh b/scripts/openbao-ui-overlay-apply.sh index 0d4a9f2..93e2c25 100755 --- a/scripts/openbao-ui-overlay-apply.sh +++ b/scripts/openbao-ui-overlay-apply.sh @@ -27,7 +27,7 @@ if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then exit 0 fi -for required in overlay.css overlay.js redirect-bootstrap.js presets.json nginx.conf VERSION; do +for required in overlay.css overlay.js presets.json nginx.conf VERSION; do if [ ! -f "$OVERLAY_DIR/$required" ]; then echo "missing overlay asset: $OVERLAY_DIR/$required" >&2 exit 1 @@ -47,7 +47,6 @@ $KUBECTL create configmap openbao-ui-overlay \ --namespace "$OPENBAO_NAMESPACE" \ --from-file="$OVERLAY_DIR/overlay.css" \ --from-file="$OVERLAY_DIR/overlay.js" \ - --from-file="$OVERLAY_DIR/redirect-bootstrap.js" \ --from-file="$OVERLAY_DIR/presets.json" \ --from-file="$OVERLAY_DIR/VERSION" \ --dry-run=client -o yaml | $KUBECTL apply -f - diff --git a/scripts/openbao-verify-login-overlay.sh b/scripts/openbao-verify-login-overlay.sh index 37ce461..0170634 100755 --- a/scripts/openbao-verify-login-overlay.sh +++ b/scripts/openbao-verify-login-overlay.sh @@ -58,11 +58,6 @@ overlay_js="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.js")" overlay_css="$(curl -fsS "$BASE_URL/ui/platform-overlay/overlay.css")" presets_json="$(curl -fsS "$BASE_URL/ui/platform-overlay/presets.json")" -require_pattern \ - "index.html injects redirect bootstrap" \ - "$index_html" \ - '/ui/platform-overlay/redirect-bootstrap\.js' - require_pattern \ "index.html injects overlay.js" \ "$index_html" \