vault-token-renew: pure helpers for the self-heal revoke filter
vtr_accessor parses the accessor from lookup JSON; vtr_is_stale_periodic decides which old token-devvm-wizard tokens a heal may revoke (never the just-minted one, never foreign tokens, nothing when the keeper is unknown). TDD red-green for the heal branch that lands next. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
a07a603b80
commit
8631709ca2
2 changed files with 38 additions and 0 deletions
|
|
@ -53,5 +53,21 @@ ok "ours: parse+decide renews" vtr_drift_ok "$(vtr_display_name "$LOOKUP_
|
||||||
no "woodpecker: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_WP")" "$(vtr_policies_csv "$LOOKUP_WP")"
|
no "woodpecker: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_WP")" "$(vtr_policies_csv "$LOOKUP_WP")"
|
||||||
no "oidc: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_OIDC")" "$(vtr_policies_csv "$LOOKUP_OIDC")"
|
no "oidc: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_OIDC")" "$(vtr_policies_csv "$LOOKUP_OIDC")"
|
||||||
|
|
||||||
|
# --- vtr_accessor: parse accessor out of lookup JSON ---
|
||||||
|
LOOKUP_NEW='{"data":{"display_name":"token-devvm-wizard","accessor":"acc-new","policies":["default","sops-admin","vault-admin"],"identity_policies":null}}'
|
||||||
|
eq "accessor parsed" "acc-new" "$(vtr_accessor "$LOOKUP_NEW")"
|
||||||
|
eq "accessor absent -> empty" "" "$(vtr_accessor '{"data":{"display_name":"x"}}')"
|
||||||
|
|
||||||
|
# --- vtr_is_stale_periodic: the heal's revoke filter — ONLY old token-devvm-wizard
|
||||||
|
# --- tokens are swept; the just-minted token, foreign tokens, and anything with an
|
||||||
|
# --- unknown accessor are kept. An empty keep-accessor sweeps NOTHING (fail-safe).
|
||||||
|
STALE_OURS='{"data":{"display_name":"token-devvm-wizard","accessor":"acc-old","policies":["default","sops-admin","vault-admin"]}}'
|
||||||
|
ok "older periodic token is stale" vtr_is_stale_periodic "$STALE_OURS" "acc-new"
|
||||||
|
no "the just-minted token is kept" vtr_is_stale_periodic "$LOOKUP_NEW" "acc-new"
|
||||||
|
no "foreign oidc token never swept" vtr_is_stale_periodic "$LOOKUP_OIDC" "acc-new"
|
||||||
|
no "woodpecker token never swept" vtr_is_stale_periodic "$LOOKUP_WP" "acc-new"
|
||||||
|
no "missing accessor never swept" vtr_is_stale_periodic '{"data":{"display_name":"token-devvm-wizard"}}' "acc-new"
|
||||||
|
no "empty keep-accessor sweeps nothing" vtr_is_stale_periodic "$STALE_OURS" ""
|
||||||
|
|
||||||
printf '\n%d passed, %d failed\n' "$pass" "$fail"
|
printf '\n%d passed, %d failed\n' "$pass" "$fail"
|
||||||
(( fail == 0 ))
|
(( fail == 0 ))
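Review bot: None of the new vtr_is_stale_periodic cases pass a lookup whose display_name is absent, so the name-compare half of the filter's fail-safe has no test while the accessor half does; add `no "missing display name never swept" vtr_is_stale_periodic '{"data":{"accessor":"acc-old"}}' "acc-new"` next to the missing-accessor case. A malformed lookup body (jq exits non-zero and both helpers print nothing) is likewise unpinned; `no "malformed lookup never swept" vtr_is_stale_periodic 'not-json' "acc-new"` would assert that the filter degrades to keep rather than revoke, assuming the `no` helper tolerates jq's stderr output. The `ok`/`no`/`eq` harness and the `$LOOKUP_WP`/`$LOOKUP_OIDC` fixtures are defined outside this hunk.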
|
||||||
|
|
|
||||||
|
|
@ -45,6 +45,28 @@ vtr_drift_ok() {
|
||||||
printf ',%s,' "$pols" | grep -q ",$REQUIRED_POLICY," || return 1
|
printf ',%s,' "$pols" | grep -q ",$REQUIRED_POLICY," || return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# vtr_accessor <lookup-json> -> the token accessor (empty if absent).
|
||||||
|
vtr_accessor() {
|
||||||
|
printf '%s' "$1" | jq -r '.data.accessor // ""'
|
||||||
|
}
|
||||||
|
|
||||||
|
# vtr_is_stale_periodic <lookup-json> <keep-accessor> -> 0 if this lookup
|
||||||
|
# describes one of OUR periodic tokens (display name matches) that is NOT the
|
||||||
|
# one to keep — i.e. a stale leftover a heal should revoke. 1 otherwise.
|
||||||
|
# Name-only on purpose (no policy check): anything named token-devvm-wizard
|
||||||
|
# that isn't the current token is garbage from a previous mint. An empty
|
||||||
|
# keep-accessor sweeps NOTHING (fail-safe: never revoke when we don't know
|
||||||
|
# which token is current).
|
||||||
|
vtr_is_stale_periodic() {
|
||||||
|
local dn acc
|
||||||
|
[ -n "${2:-}" ] || return 1
|
||||||
|
dn=$(vtr_display_name "$1")
|
||||||
|
acc=$(vtr_accessor "$1")
|
||||||
|
[ "$dn" = "$EXPECTED_DN" ] || return 1
|
||||||
|
[ -n "$acc" ] || return 1
|
||||||
|
[ "$acc" != "$2" ]
|
||||||
|
}
|
||||||
|
|
||||||
vtr_main() {
|
vtr_main() {
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
export PATH="/usr/local/bin:/usr/bin:/bin:${PATH:-}"
|
export PATH="/usr/local/bin:/usr/bin:/bin:${PATH:-}"
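Review bot: vtr_is_stale_periodic compares the display name against `$EXPECTED_DN`, which is defined outside this hunk, and nothing here rejects an empty value: `set -u` in vtr_main catches an unset constant but not an empty one, and with `EXPECTED_DN=""` a lookup lacking display_name yields `dn=""`, the compare succeeds, and every token whose accessor differs from the keep-accessor is reported stale. That undercuts the "never revoke when we don't know" intent in the header comment, which currently only covers the keep-accessor. A guard in the same shape as the existing one closes it: `[ -n "${EXPECTED_DN:-}" ] || return 1` placed before the display-name compare. Separately, the name-only match is documented as deliberate, but it does mean any principal allowed to create tokens with that display name can have its token swept by the heal; whether that is bounded by how the caller enumerates candidates is not visible here. vtr_main continues past the end of the hunk.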
|
||||||
|
|
|
||||||