jetpac/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
7c6c295eb87432549eb13aef27428ffeb53f857e
dotfiles/bin/codex-devops-auth.sh
Petr Nyc 7c6c295eb8 devops-mcp and codex-mcp config and auth wrapper
2026-03-11 16:59:17 +01:00

144 lines
3.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/zsh
set -euo pipefail
PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"
TOKEN_HOST="${TOKEN_HOST:-operator-access-token.svc.ad1.r2}"
SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-$HOME/.ssh/config.oci}"
OCI_BIN="${OCI_BIN:-/opt/homebrew/bin/oci}"
OCI_SESSION_REGION="${OCI_SESSION_REGION:-us-chicago-1}"
RESET_AGENT="${RESET_AGENT:-0}"
DEDICATED_AGENT_PID=""
log() {
print -u2 -- "$@"
}
inherited_agent_likely_rejects_pkcs11() {
[[ -n "${SSH_AUTH_SOCK:-}" ]] || return 1
[[ -z "${SSH_AGENT_PID:-}" ]] || return 1
case "${SSH_AUTH_SOCK}" in
/private/tmp/com.apple.launchd.*/Listeners)
return 0
;;
esac
return 1
}
cleanup() {
if [[ -n "${DEDICATED_AGENT_PID}" ]]; then
SSH_AGENT_PID="${DEDICATED_AGENT_PID}" ssh-agent -k >/dev/null 2>&1 || true
fi
}
ensure_oci_session() {
if [[ ! -x "${OCI_BIN}" ]]; then
print -u2 "OCI CLI not found or not executable: ${OCI_BIN}"
exit 1
fi
set +e
"${OCI_BIN}" session validate >/dev/null 2>&1
local validate_rc=$?
set -e
if [[ ${validate_rc} -eq 0 ]]; then
log "OCI CLI session is already valid."
return 0
fi
log "OCI CLI session is not valid; attempting refresh."
set +e
"${OCI_BIN}" session refresh >/dev/null 2>&1
local refresh_rc=$?
set -e
if [[ ${refresh_rc} -eq 0 ]]; then
log "OCI CLI session refresh succeeded."
return 0
fi
log "Running OCI CLI session authenticate for ${OCI_SESSION_REGION}."
"${OCI_BIN}" session authenticate --region "${OCI_SESSION_REGION}"
}
ensure_ssh_agent() {
if [[ -n "${SSH_AUTH_SOCK:-}" && -S "${SSH_AUTH_SOCK}" ]]; then
set +e
ssh-add -l >/dev/null 2>&1
local rc=$?
set -e
case ${rc} in
0|1)
return 0
;;
esac
fi
log "Starting ssh-agent for Codex."
eval "$(ssh-agent -s)" >/dev/null
DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}"
}
add_pkcs11_provider() {
log "Loading PKCS#11 provider: ${PKCS11_LIB}"
ssh-add -s "${PKCS11_LIB}" >/dev/null
}
prepare_agent() {
local had_inherited_agent=0
if [[ -n "${SSH_AUTH_SOCK:-}" && -S "${SSH_AUTH_SOCK}" ]]; then
had_inherited_agent=1
fi
if inherited_agent_likely_rejects_pkcs11; then
log "Inherited launchd SSH agent is unlikely to support PKCS#11; starting a dedicated ssh-agent for Codex."
unset SSH_AUTH_SOCK SSH_AGENT_PID
had_inherited_agent=0
fi
ensure_ssh_agent
if add_pkcs11_provider; then
return 0
fi
if [[ ${had_inherited_agent} -eq 1 ]]; then
log "Existing SSH agent rejected PKCS#11 provider; starting a dedicated ssh-agent for Codex."
unset SSH_AUTH_SOCK SSH_AGENT_PID
ensure_ssh_agent
add_pkcs11_provider
return 0
fi
return 1
}
if [[ ! -f "${SSH_CONFIG_FILE}" ]]; then
print -u2 "SSH config file not found: ${SSH_CONFIG_FILE}"
exit 1
fi
if [[ "${RESET_AGENT}" == "1" ]]; then
log "Resetting SSH agent on explicit request."
pkill -9 ssh-agent >/dev/null 2>&1 || true
pkill -9 ssh-pkcs11-helper >/dev/null 2>&1 || true
sleep 1
fi
trap cleanup EXIT INT TERM
ensure_oci_session
prepare_agent
log "Refreshing OPERATOR_ACCESS_TOKEN from ${TOKEN_HOST} using ${SSH_CONFIG_FILE}"
export OPERATOR_ACCESS_TOKEN="$(ssh -F "${SSH_CONFIG_FILE}" "${TOKEN_HOST}" "generate --mode jwt")"
export OP_TOKEN="${OPERATOR_ACCESS_TOKEN}"
log "Using fresh OP_TOKEN for Codex and DevOps MCP."
/opt/homebrew/bin/codex "$@"
Reference in New Issue View Git Blame Copy Permalink