diff --git a/scripts/test-vault-token-renew.sh b/scripts/test-vault-token-renew.sh
index d64d02b4..f2d02a3d 100644
--- a/scripts/test-vault-token-renew.sh
+++ b/scripts/test-vault-token-renew.sh
@@ -53,5 +53,21 @@ ok "ours: parse+decide renews" vtr_drift_ok "$(vtr_display_name "$LOOKUP_
 no "woodpecker: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_WP")" "$(vtr_policies_csv "$LOOKUP_WP")"
 no "oidc: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_OIDC")" "$(vtr_policies_csv "$LOOKUP_OIDC")"
+# --- vtr_accessor: parse accessor out of lookup JSON ---
+LOOKUP_NEW='{"data":{"display_name":"token-devvm-wizard","accessor":"acc-new","policies":["default","sops-admin","vault-admin"],"identity_policies":null}}'
+eq "accessor parsed" "acc-new" "$(vtr_accessor "$LOOKUP_NEW")"
+eq "accessor absent -> empty" "" "$(vtr_accessor '{"data":{"display_name":"x"}}')"
+
+# --- vtr_is_stale_periodic: the heal's revoke filter — ONLY old token-devvm-wizard
+# --- tokens are swept; the just-minted token, foreign tokens, and anything with an
+# --- unknown accessor are kept. An empty keep-accessor sweeps NOTHING (fail-safe).
+STALE_OURS='{"data":{"display_name":"token-devvm-wizard","accessor":"acc-old","policies":["default","sops-admin","vault-admin"]}}'
+ok "older periodic token is stale" vtr_is_stale_periodic "$STALE_OURS" "acc-new"
+no "the just-minted token is kept" vtr_is_stale_periodic "$LOOKUP_NEW" "acc-new"
+no "foreign oidc token never swept" vtr_is_stale_periodic "$LOOKUP_OIDC" "acc-new"
+no "woodpecker token never swept" vtr_is_stale_periodic "$LOOKUP_WP" "acc-new"
+no "missing accessor never swept" vtr_is_stale_periodic '{"data":{"display_name":"token-devvm-wizard"}}' "acc-new"
+no "empty keep-accessor sweeps nothing" vtr_is_stale_periodic "$STALE_OURS" ""
+
 printf '\n%d passed, %d failed\n' "$pass" "$fail"
 (( fail == 0 ))
diff --git a/scripts/vault-token-renew.sh b/scripts/vault-token-renew.sh
index 2d73c862..60502ac5 100644
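Review bot: The new vtr_is_stale_periodic cases only pin the decision on well-formed lookup JSON, so the fail-safe the header comment promises is not exercised for the inputs the heal will actually meet when `vault token lookup` returns an error body or nothing parseable, nor for a near-miss display name that must not match. Two more `no` lines cover both: `no "garbage lookup never swept" vtr_is_stale_periodic 'not json' "acc-new"` and `no "near-miss name never swept" vtr_is_stale_periodic '{"data":{"display_name":"token-devvm-wizard-old","accessor":"acc-old"}}' "acc-new"`. The first case will make jq print a parse error on stderr; if the `no` helper (defined outside this hunk) does not capture output, a `2>/dev/null` on that call keeps the test run clean.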
--- a/scripts/vault-token-renew.sh
+++ b/scripts/vault-token-renew.sh
@@ -45,6 +45,28 @@ vtr_drift_ok() {
 printf ',%s,' "$pols" | grep -q ",$REQUIRED_POLICY," || return 1
 }
+# vtr_accessor -> the token accessor (empty if absent).
+vtr_accessor() {
+ printf '%s' "$1" | jq -r '.data.accessor // ""'
+}
+
+# vtr_is_stale_periodic -> 0 if this lookup
+# describes one of OUR periodic tokens (display name matches) that is NOT the
+# one to keep — i.e. a stale leftover a heal should revoke. 1 otherwise.
+# Name-only on purpose (no policy check): anything named token-devvm-wizard
+# that isn't the current token is garbage from a previous mint. An empty
+# keep-accessor sweeps NOTHING (fail-safe: never revoke when we don't know
+# which token is current).
+vtr_is_stale_periodic() {
+ local dn acc
+ [ -n "${2:-}" ] || return 1
+ dn=$(vtr_display_name "$1")
+ acc=$(vtr_accessor "$1")
+ [ "$dn" = "$EXPECTED_DN" ] || return 1
+ [ -n "$acc" ] || return 1
+ [ "$acc" != "$2" ]
+}
+
 vtr_main() {
 set -euo pipefail
 export PATH="/usr/local/bin:/usr/bin:/bin:${PATH:-}"
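Review bot: The fail-safe in vtr_is_stale_periodic guards the keep-accessor but not `$EXPECTED_DN`, which is referenced here but defined outside the hunk: if it is ever empty, `[ "$dn" = "$EXPECTED_DN" ]` matches every lookup whose display_name is absent (assuming vtr_display_name yields an empty string the way vtr_accessor does), and any such token with an accessor is then reported stale. Adding `[ -n "${EXPECTED_DN:-}" ] || return 1` beside the existing `[ -n "${2:-}" ] || return 1` guard closes that and keeps the function safe when called before vtr_main's `set -u` takes effect. Separately, a Vault display name is a caller-chosen attribute (any principal allowed to create tokens can pass `-display-name`), so the name-only sweep the comment describes will also revoke a live token from another host or script that reuses the same name; stating that in the header comment — e.g. `# The name is the only identity signal: never mint token-devvm-wizard tokens from anywhere else.` — keeps a later maintainer from doing exactly that. vtr_main's body continues past the end of the hunk.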