From 25fc47e5f270b1ee11cb5fd1c2f91ab06066ad3c Mon Sep 17 00:00:00 2001 From: tegwick Date: Sun, 12 Jul 2026 16:01:53 +0200 Subject: [PATCH] Add CCR-2026-0006 Forgejo admin PAT OpenBao lane Establish proposed workload-kv-read custody for the Forgejo site-admin PAT at platform/workloads/forgejo/forgejo-admin, sibling to forgejo-mailer. OIDC workstation fetch mirrors the railiance-backup-offsite pattern. --- ...026-0006-forgejo-admin-api-token-lane.yaml | 103 ++++++++++++++++++ docs/workload-kv-access-lanes.md | 40 +++++++ .../workload-kv-read-forgejo-admin.hcl | 13 +++ 3 files changed, 156 insertions(+) create mode 100644 credential-change-requests/CCR-2026-0006-forgejo-admin-api-token-lane.yaml create mode 100644 openbao/policies/workload-kv-read-forgejo-admin.hcl diff --git a/credential-change-requests/CCR-2026-0006-forgejo-admin-api-token-lane.yaml b/credential-change-requests/CCR-2026-0006-forgejo-admin-api-token-lane.yaml new file mode 100644 index 0000000..d37fc16 --- /dev/null +++ b/credential-change-requests/CCR-2026-0006-forgejo-admin-api-token-lane.yaml @@ -0,0 +1,103 @@ +id: CCR-2026-0006 +kind: credential-change-request +schema_version: 1 +request_type: workload-kv-read +title: Forgejo operator/admin API token (PAT) lane +status: proposed +created: '2026-07-12' +updated: '2026-07-12' +requester: + agent: grok + message_id: 54125f84-e9df-4fa0-9309-7370633a20d3 + reason: Establish OpenBao custody for the Forgejo site-admin PAT currently dropped + at /tmp/forgejo-tegwick-api-token or FORGEJO_ADMIN_TOKEN on workstations. + Drivers include ACTIVITY-WP-0020 weekly package prune and railiance-apps / + railiance-platform Forgejo automation tools. +review: + required: true + required_approvers: + - platform-operator +target: + domain: infotech + tenant: coulomb + workload: forgejo + environment: production + purpose: Forgejo admin API token for package prune, registry ops, org webhooks, + and operator bootstrap on workstations and activity-core worker +openbao: + mount: platform + kv_path: platform/workloads/forgejo/forgejo-admin + fields: + - API_TOKEN + - API_USER + - API_BASE_URL + - TOKEN_SCOPES + - GENERATED_AT + policy_name: workload-kv-read-forgejo-admin + policy_file: openbao/policies/workload-kv-read-forgejo-admin.hcl + auth: + method: oidc + mount: netkingdom + role: forgejo-admin-workload-kv-read + allowed_redirect_uris: + - https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback + - http://localhost:8250/oidc/callback + - http://127.0.0.1:8250/oidc/callback + oidc_scopes: + - openid + - profile + - email + - groups + user_claim: sub + groups_claim: groups + bound_claims: + groups: + - net-kingdom-admins + bound_claims_confirmed: true + policies: + - workload-kv-read-forgejo-admin + ttl: 15m +access_frontdoor: + type: ops-warden + catalog_id: forgejo-admin-api-token + selector: forgejo admin PAT package prune FORGEJO_ADMIN_TOKEN + command: warden access forgejo-admin-api-token --fetch API_TOKEN + resolvable: false + readiness: pending-review +delivery: + surface: operator-workstation + target: railiance-platform tools/cmd/forgejo-package-prune, activity-core + weekly-forgejo-package-prune shell resolver, and railiance-apps Forgejo tools + (load_token pattern after lane verified) +risk: + classification: high + notes: + - API_TOKEN is a Forgejo site-admin PAT for user tegwick (coulomb Owners). + - Grants package, repository, and admin API operations on forgejo.coulomb.social. + - Must not be stored on production hosts or pasted into Git, State Hub, or chat. + - ops-warden must proxy reads as the caller and must not retain values. + - Distinct from forgejo-mailer (SMTP) and railiance-backup-offsite-lane (WebDAV). +verification: + positive: + - Approved net-kingdom-admins identity can read API_TOKEN through OpenBao or + warden access without printing values in logs or hub messages. + - warden route find "forgejo admin pat" resolves to catalog id forgejo-admin-api-token. + negative: + - default-policy token denied on platform/data/workloads/forgejo/forgejo-admin. + activation_conditions: + - CCR approved by platform-operator. + - Policy and OIDC role applied with platform-admin or delegated applier authority. + - PAT minted in attended Forgejo session (tegwick → Settings → Applications) + and stored at platform/workloads/forgejo/forgejo-admin; metadata fields optional. + - Positive and negative verification recorded with non-secret audit references. + - ops-warden catalog entry promoted from draft after verification. +lifecycle: + deactivate: Disable ops-warden catalog entry and detach OIDC role policy; revoke + PAT in Forgejo and retire workstation file-drop path. + rotate: Mint a new PAT in Forgejo, update API_TOKEN in OpenBao, record non-secret + rotation evidence, and restart dependent automation after downstream consumers + load from OpenBao. + compromised: Revoke PAT in Forgejo immediately, deactivate front door, rotate, + audit package/webhook changes, record blast-radius notes. +state_hub: + workplan_id: ACTIVITY-WP-0020 \ No newline at end of file diff --git a/docs/workload-kv-access-lanes.md b/docs/workload-kv-access-lanes.md index 9f80fe2..e63dfec 100644 --- a/docs/workload-kv-access-lanes.md +++ b/docs/workload-kv-access-lanes.md @@ -320,3 +320,43 @@ Or let `lib/railiance-backup-common.sh` load from OpenBao after login when env i Recovery escrow (`AGE_PRIVATE_KEY`) is stored in the same path for disaster recovery; prefer the password-manager copy on restore drills per `railiance-cluster/docs/backup-restore.md`. Fetch only in attended sessions. + +## Forgejo admin API token lane (`CCR-2026-0006`) + +Workstation and activity-core automation (`forgejo-package-prune`, org webhooks, +operator bootstrap) need a Forgejo site-admin PAT. Phase 1 replaces the legacy +workstation file `/tmp/forgejo-tegwick-api-token` and `FORGEJO_ADMIN_TOKEN` env +drops with OpenBao custody. Sibling to `forgejo-mailer` (SMTP); no cluster ESO +in phase 1. + +| Item | Value | +| --- | --- | +| CCR | `CCR-2026-0006-forgejo-admin-api-token-lane` | +| KV mount | `platform` | +| OpenBao CLI path | `platform/workloads/forgejo/forgejo-admin` | +| Fields | `API_TOKEN` (secret); optional metadata `API_USER`, `API_BASE_URL`, `TOKEN_SCOPES`, `GENERATED_AT` | +| Read policy | `workload-kv-read-forgejo-admin` | +| Policy file | `openbao/policies/workload-kv-read-forgejo-admin.hcl` | +| OIDC auth mount | `netkingdom` | +| OIDC role | `forgejo-admin-workload-kv-read` | +| Bound claim | `groups=net-kingdom-admins` | +| ops-warden catalog id | `forgejo-admin-api-token` (draft until front door verified) | + +Caller login: + +```bash +bao login -method=oidc -path=netkingdom role=forgejo-admin-workload-kv-read +``` + +Fetch PAT for a Forgejo API run (do not log the value): + +```bash +export FORGEJO_ADMIN_TOKEN=$( + bao kv get -field=API_TOKEN platform/workloads/forgejo/forgejo-admin +) +``` + +PAT mint: attended session as Forgejo user `tegwick` (site admin). Minimum scopes: +`read:package`, `write:package`, `read:repository`, `write:repository`, plus admin +scopes required by `forgejo-operator-bootstrap`. Downstream repos update `load_token()` +to read OpenBao when env is unset after lane verification. diff --git a/openbao/policies/workload-kv-read-forgejo-admin.hcl b/openbao/policies/workload-kv-read-forgejo-admin.hcl new file mode 100644 index 0000000..3ca7adb --- /dev/null +++ b/openbao/policies/workload-kv-read-forgejo-admin.hcl @@ -0,0 +1,13 @@ +# Least-privilege read policy for the Forgejo operator/admin API token (PAT). +# +# Grants read access to the site-admin PAT used by workstation and activity-core +# automation (package prune, org webhooks, operator bootstrap). Sibling to +# forgejo-mailer (SMTP); no cluster ESO delivery in phase 1. + +path "platform/data/workloads/forgejo/forgejo-admin" { + capabilities = ["read"] +} + +path "platform/metadata/workloads/forgejo/forgejo-admin" { + capabilities = ["read"] +} \ No newline at end of file