Auth selection logic:
- Default: prefer cert when cert_thumbprint_b64url + cert_private_key_pem_b64 are present in the vault entry's credentials block; fall back to client_secret.
- REMEDIATION_AUTH=secret -> force client_secret flow.
- REMEDIATION_AUTH=cert -> force cert flow; error if cert fields missing.
- Logs [INFO] auth=cert/secret to stderr so users see which path was taken.

Cert flow signs an RS256 JWT (header includes x5t) via inline Python (PyJWT + cryptography), POSTs client_assertion_type + client_assertion=<jwt> in place of client_secret. Same scope, same cache, same error handling (AADSTS7000229 still emits the consent URL).

Single sops -d to a mktemp file feeds both field reads to avoid repeated ~1s decrypt invocations on Windows; trap removes plaintext on exit.

Verified end-to-end against tedards.net for all three modes after wiping /tmp/remediation-tool/.
14 KiB
Executable File
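The auth-path selection and the certificate client-assertion described in the commit message, as an added example rather than the remediation tool's own code. It uses `cryptography` alone and hand-encodes the JWT (the tool signs via PyJWT + cryptography), so the x5t header, the `aud`/`iss`/`sub` claims and the swap of `client_secret` for `client_assertion_type` + `client_assertion` are all visible. The credential field names (`cert_thumbprint_b64url`, `cert_private_key_pem_b64`, `client_secret`) and the `REMEDIATION_AUTH` variable are taken from the message; the tenant ID, client ID, scope and the vault entry in `demo()` are constructed placeholders, and the key is generated on the fly instead of being read from a `sops -d` output file.

```python
# Added example, not the remediation tool's code. Assumed: field names and the
# REMEDIATION_AUTH variable from the commit message; IDs/scope below are placeholders.
from __future__ import annotations
import base64, hashlib, json, sys, time, uuid
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_from_der(cert_der: bytes) -> str:
    """x5t is the base64url SHA-1 thumbprint of the DER certificate (RFC 7515 4.1.7)."""
    return b64url(hashlib.sha1(cert_der).digest())


def select_auth(creds: dict, forced=None) -> str:
    """'cert' or 'secret' per the rules in the commit message; forced = REMEDIATION_AUTH."""
    has_cert = bool(creds.get("cert_thumbprint_b64url")) and bool(creds.get("cert_private_key_pem_b64"))
    if forced == "secret":
        return "secret"
    if forced == "cert":
        if not has_cert:
            raise ValueError("REMEDIATION_AUTH=cert but cert_thumbprint_b64url/cert_private_key_pem_b64 missing")
        return "cert"
    if forced:
        raise ValueError(f"unknown REMEDIATION_AUTH value {forced!r}")
    return "cert" if has_cert else "secret"


def build_client_assertion(tenant_id: str, client_id: str, x5t: str, private_key_pem: bytes, lifetime_s: int = 600) -> str:
    """RS256 JWT with x5t in the header; aud is the token endpoint, iss == sub == client_id."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    claims = {"aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
              "iss": client_id, "sub": client_id, "jti": str(uuid.uuid4()),
              "nbf": now, "iat": now, "exp": now + lifetime_s}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())  # RS256
    return f"{signing_input}.{b64url(sig)}"


def verify_client_assertion(jwt: str, public_key) -> tuple[dict, dict]:
    """Check the RS256 signature and return (header, claims); raises InvalidSignature otherwise."""
    h, c, s = jwt.split(".")
    public_key.verify(b64url_decode(s), f"{h}.{c}".encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))


def token_request_body(creds: dict, auth: str, tenant_id: str, client_id: str, scope: str) -> dict:
    """Form fields for the client_credentials POST. The cert path replaces client_secret with
    client_assertion_type + client_assertion; grant_type, client_id and scope are unchanged."""
    body = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope}
    if auth == "cert":
        pem = base64.b64decode(creds["cert_private_key_pem_b64"])
        body["client_assertion_type"] = CLIENT_ASSERTION_TYPE
        body["client_assertion"] = build_client_assertion(tenant_id, client_id, creds["cert_thumbprint_b64url"], pem)
    else:
        body["client_secret"] = creds["client_secret"]
    print(f"[INFO] auth={auth}", file=sys.stderr)
    return body


def demo() -> dict:
    """Run both paths on a constructed vault entry with a freshly generated RSA key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    creds = {  # constructed credentials block; the real one is the decrypted sops entry
        "client_secret": "not-a-real-secret",
        "cert_thumbprint_b64url": x5t_from_der(b"constructed-der-bytes"),
        "cert_private_key_pem_b64": base64.b64encode(pem).decode("ascii"),
    }
    tenant, client = "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111"
    scope = "https://graph.microsoft.com/.default"
    cert_body = token_request_body(creds, select_auth(creds), tenant, client, scope)
    secret_body = token_request_body(creds, select_auth(creds, "secret"), tenant, client, scope)
    header, claims = verify_client_assertion(cert_body["client_assertion"], key.public_key())
    return {"default_auth": select_auth(creds), "cert_body": cert_body, "secret_body": secret_body,
            "header": header, "claims": claims, "creds": creds}


if __name__ == "__main__":
    print(json.dumps({k: v for k, v in demo().items() if k != "creds"}, indent=2))
```

`python3 this_file.py` prints both request bodies plus the decoded assertion header and claims, and logs `[INFO] auth=cert` / `[INFO] auth=secret` to stderr the way the tool does. Note the `aud` is the v2.0 token endpoint of the tenant the assertion will be posted to: an assertion built for one tenant is rejected by another, which is the check to make first when the cert path fails with an invalid-assertion error.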