railiance-apps/tools/check-backup-lane-auth.sh

31 lines
919 B
Bash
Raw Normal View History

#!/usr/bin/env bash
set -euo pipefail
path="${RAILIANCE_BACKUP_BAO_PATH:-platform/workloads/railiance/backup/offsite-lane}"
if ! bao status >/dev/null 2>&1; then
echo "ERROR: cannot reach OpenBao at ${BAO_ADDR:-https://bao.coulomb.social}" >&2
exit 1
fi
sealed="$(bao status -format=json 2>/dev/null | python3 -c "import json,sys; print(json.load(sys.stdin).get('sealed', True))")"
if [[ "$sealed" == "True" ]]; then
echo "ERROR: OpenBao is sealed" >&2
exit 1
fi
echo "ok: OpenBao unsealed"
if bao token lookup >/dev/null 2>&1; then
echo "ok: caller token valid"
else
echo "WARN: no valid caller token — run OIDC login:" >&2
echo " bao login -method=oidc -path=netkingdom role=railiance-backup-workload-kv-read" >&2
exit 1
fi
if bao kv metadata get "$path" >/dev/null 2>&1; then
echo "ok: backup offsite-lane path readable"
else
echo "ERROR: cannot read metadata for ${path}" >&2
exit 1
fi