fix(workstation): claude-auth-sync must merge, not overwrite, the shared Vault path
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
cas_backup did `vault kv put secret/workstation/claude-users/<user>`, a full KV-v2 replace that rewrote the document with only its 3 OAuth keys. Because `homelab vault setup` co-locates the user's vaultwarden_* credentials on that same path, every six-hourly sync silently deleted them — so `homelab vault` reported "not configured" within hours of each setup. (Reported as: homelab vault "keeps getting reset / logged out", set up 3 times.) Switch the backup to a merge: `kv patch -method=rw` (read+update, needs no `patch` capability) when the path exists, and `kv put` only to create it on the first backup. Add a regression test with a fake vault asserting a pre-existing sibling key survives a backup, and document the merge requirement in the renewal runbook. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
6f1951af93
commit
d105713ae7
3 changed files with 72 additions and 1 deletions
|
|
@ -28,5 +28,61 @@ ok "accept own scoped Vault token" cas_vault_identity_ok token-devvm-claude-auth
|
|||
no "reject another user's token" cas_vault_identity_ok token-devvm-claude-auth-anca default,workstation-claude-anca
|
||||
no "reject wrong policy" cas_vault_identity_ok token-devvm-claude-auth-emo default,workstation-claude-anca
|
||||
|
||||
# --- Regression: cas_backup must MERGE into the shared Vault path, preserving
|
||||
# sibling keys that other tools co-locate there (e.g. `homelab vault`'s
|
||||
# vaultwarden_* creds) — NOT overwrite the whole KV document. A blind `kv put`
|
||||
# wiped them every 6h (claude-auth-sync clobber, 2026-06-26).
|
||||
fakebin="$tmp/bin"; mkdir -p "$fakebin"
|
||||
store="$tmp/vault-store.json"
|
||||
cat > "$fakebin/vault" <<'FAKE'
|
||||
#!/usr/bin/env bash
|
||||
# Minimal KV-v2 fake backed by $VAULT_FAKE_STORE (a flat JSON object).
|
||||
[[ "$1" == kv ]] || { echo '{}'; exit 0; } # token lookup etc. -> ignore
|
||||
op="$2"; shift 2
|
||||
store="$VAULT_FAKE_STORE"
|
||||
case "$op" in
|
||||
get)
|
||||
for a in "$@"; do [[ "$a" == -field=* ]] && field="${a#-field=}"; done
|
||||
if [[ "$*" == *-format=json* ]]; then
|
||||
[[ -f "$store" ]] || { echo "No value found"; exit 2; }
|
||||
jq -n --argjson d "$(cat "$store")" '{data:{data:$d}}'; exit 0
|
||||
fi
|
||||
[[ -f "$store" ]] || exit 2 # bare get == existence check
|
||||
if [[ -n "${field:-}" ]]; then
|
||||
v="$(jq -r --arg k "$field" '.[$k] // empty' "$store")"; [[ -n "$v" ]] || exit 1
|
||||
printf '%s' "$v"; exit 0
|
||||
fi
|
||||
exit 0 ;;
|
||||
put) echo '{}' > "$store" ;; # full replace
|
||||
patch) [[ -f "$store" ]] || { echo "No value found"; exit 2; } ;; # merge (rw)
|
||||
*) exit 1 ;;
|
||||
esac
|
||||
for a in "$@"; do
|
||||
case "$a" in
|
||||
-*|secret/*) continue ;; # flags + the path arg
|
||||
*=*) k="${a%%=*}"; v="${a#*=}"
|
||||
t="$(mktemp)"; jq --arg k "$k" --arg v "$v" '.[$k]=$v' "$store" > "$t" && mv "$t" "$store" ;;
|
||||
esac
|
||||
done
|
||||
exit 0
|
||||
FAKE
|
||||
chmod +x "$fakebin/vault"
|
||||
|
||||
CAS_VAULT_PATH="secret/workstation/claude-users/test"
|
||||
CAS_CREDENTIALS="$tmp/credentials.json"
|
||||
CAS_STATE_DIR="$tmp/state"
|
||||
_oldpath="$PATH"; PATH="$fakebin:$PATH"; export VAULT_FAKE_STORE="$store"
|
||||
|
||||
printf '{"vaultwarden_master_password":"keep-me"}\n' > "$store" # pretend `homelab vault setup` ran
|
||||
ok "backup succeeds (existing doc)" cas_backup
|
||||
eq "merge preserves sibling key" keep-me "$(jq -r '.vaultwarden_master_password' "$store")"
|
||||
eq "merge writes claude oauth" access "$(jq -r '.claude_ai_oauth_json|fromjson|.accessToken' "$store")"
|
||||
|
||||
rm -f "$store" # fresh user: no doc yet
|
||||
ok "backup succeeds (creates doc)" cas_backup
|
||||
eq "create writes claude oauth" access "$(jq -r '.claude_ai_oauth_json|fromjson|.accessToken' "$store")"
|
||||
|
||||
PATH="$_oldpath"; unset VAULT_FAKE_STORE
|
||||
|
||||
printf '\n%d passed, %d failed\n' "$pass" "$fail"
|
||||
(( fail == 0 ))
|
||||
|
|
|
|||
|
|
@ -82,7 +82,17 @@ cas_backup() {
|
|||
return 1
|
||||
}
|
||||
expires="$(jq -r '.expiresAt' <<<"$oauth")"
|
||||
vault kv put "$CAS_VAULT_PATH" \
|
||||
# MERGE into the shared path so sibling keys other tools co-locate there
|
||||
# (e.g. `homelab vault`'s vaultwarden_* creds) survive. `kv patch -method=rw`
|
||||
# is read+update (needs no `patch` capability) but requires the secret to
|
||||
# already exist, so create it with `kv put` on the very first backup only.
|
||||
local -a write_cmd
|
||||
if vault kv get "$CAS_VAULT_PATH" >/dev/null 2>&1; then
|
||||
write_cmd=(vault kv patch -method=rw "$CAS_VAULT_PATH")
|
||||
else
|
||||
write_cmd=(vault kv put "$CAS_VAULT_PATH")
|
||||
fi
|
||||
"${write_cmd[@]}" \
|
||||
claude_ai_oauth_json="$oauth" \
|
||||
credential_expires_at_ms="$expires" \
|
||||
backed_up_at="$(date -Is)" >/dev/null || {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue