vault-token-renew: pure helpers for the self-heal revoke filter

vtr_accessor parses the accessor from lookup JSON; vtr_is_stale_periodic
decides which old token-devvm-wizard tokens a heal may revoke (never the
just-minted one, never foreign tokens, nothing when the keeper is unknown).
TDD red-green for the heal branch that lands next.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-03 20:19:09 +00:00
parent a07a603b80
commit 8631709ca2
2 changed files with 38 additions and 0 deletions


@ -45,6 +45,28 @@ vtr_drift_ok() {
printf ',%s,' "$pols" | grep -q ",$REQUIRED_POLICY," || return 1
}
# vtr_accessor <lookup-json> -> the token accessor (empty if absent).
vtr_accessor() {
printf '%s' "$1" | jq -r '.data.accessor // ""'
}
# vtr_is_stale_periodic <lookup-json> <keep-accessor> -> 0 if this lookup
# describes one of OUR periodic tokens (display name matches) that is NOT the
# one to keep — i.e. a stale leftover a heal should revoke. 1 otherwise.
# Name-only on purpose (no policy check): anything named token-devvm-wizard
# that isn't the current token is garbage from a previous mint. An empty
# keep-accessor sweeps NOTHING (fail-safe: never revoke when we don't know
# which token is current).
vtr_is_stale_periodic() {
local dn acc
[ -n "${2:-}" ] || return 1
dn=$(vtr_display_name "$1")
acc=$(vtr_accessor "$1")
[ "$dn" = "$EXPECTED_DN" ] || return 1
[ -n "$acc" ] || return 1
[ "$acc" != "$2" ]
}
vtr_main() {
set -euo pipefail
export PATH="/usr/local/bin:/usr/bin:/bin:${PATH:-}"