Two ADR 020-1 auth-path polish items. **Renew-self on cached token.** `OpenbaoSecretStore::new` already validates the cached token against the server before reusing it. After validation, it now POSTs to `/v1/auth/token/renew-self` (via `Self::renew_self`, hand-rolled with reqwest because vaultrs 0.7.4 doesn't expose a typed helper) to extend the server-side lease. On success, the new `lease_duration` is persisted back into the on-disk cache (mode 0600 preserved). On failure, the warning is logged and the validated cached token is used as-is. ADR 020-1 motivates this: with `OpenbaoSetupScore`'s `harmony-developer` role defaulted to `ttl=4h, max_ttl=24h`, no in-flight renewal means the token expires every 4 hours of active use and the chain falls back to a fresh OIDC device flow — i.e. the operator goes back to the browser. With renewal the token rolls forward until `max_ttl`, at which point the OIDC refresh-token chain (90-day TTL) takes over silently. **Auto-open browser on device flow.** Adds the `webbrowser` crate (~50 KB on Linux, wraps xdg-open / open / start). After `print_verification_instructions` finishes its block, the function calls `webbrowser::open(verification_uri_complete)` (falling back to `verification_uri`) so the operator's default browser launches at the code-prefilled page. Failure (headless host, no $BROWSER, plain SSH) is non-fatal — the URL is already printed above, so a failed open logs a `warn!` and the flow continues unchanged. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
41 lines
1.3 KiB
TOML
[package]
|
|
name = "harmony_secret"
|
|
edition = "2024"
|
|
version.workspace = true
|
|
readme.workspace = true
|
|
license.workspace = true
|
|
|
|
# `secrete2etest` is a custom cfg flag used to gate integration tests
|
|
# that require a live OpenBao instance. Declare it here so rustc doesn't
|
|
# emit `unexpected_cfg` warnings.
|
|
[lints.rust]
|
|
unexpected_cfgs = { level = "warn", check-cfg = ['cfg(secrete2etest)'] }
|
|
|
|
[dependencies]
|
|
harmony_secret_derive = { version = "0.1.0", path = "../harmony_secret_derive" }
|
|
serde = { version = "1.0.209", features = ["derive", "rc"] }
|
|
serde_json = "1.0.127"
|
|
thiserror.workspace = true
|
|
lazy_static.workspace = true
|
|
directories.workspace = true
|
|
log.workspace = true
|
|
# infisical = "0.0.2"
|
|
infisical = { git = "https://github.com/jggc/rust-sdk.git", branch = "patch-1" }
|
|
tokio.workspace = true
|
|
async-trait.workspace = true
|
|
http.workspace = true
|
|
inquire.workspace = true
|
|
interactive-parse = "0.1.5"
|
|
schemars = "0.8"
|
|
vaultrs = "0.7.4"
|
|
reqwest = { workspace = true, features = ["json"] }
|
|
url.workspace = true
|
|
# Used by ZitadelOidcAuth to best-effort launch the device-flow
|
|
# URL in the operator's browser. Failure to open is non-fatal —
|
|
# the URL is already printed to the terminal.
|
|
webbrowser = "1"
|
|
|
|
[dev-dependencies]
|
|
pretty_assertions.workspace = true
|
|
tempfile.workspace = true
|
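Review bot: The new `webbrowser = "1"` entry is the only dependency in this section that is neither workspace-managed nor pinned beyond a bare major, and its comment says nothing about what input it is trusted with. Per the description the crate is handed `verification_uri_complete` (falling back to `verification_uri`) straight from the IdP's device-authorization response, and on Linux it delegates to xdg-open, which dispatches on URL scheme. The comment should record the contract the caller has to uphold, e.g. `# Caller must pass only http(s) URLs taken from the device-auth response` and `# to the platform opener; any other scheme is rejected before open().`, so the restriction is visible where the crate is declared. Consider also `webbrowser = "1.0"` or a workspace entry to match how the rest of this file expresses versions (the lockfile still pins the exact build).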