import fs from 'fs';
import path from 'path';
import winston from 'winston';
import { inject, injectable } from 'inversify';
import { PolicyRootService, VAULT_ROOT_SYSTEM } from '../policy-root.service';
import { TYPES } from '../../../inversify.types';
import { ConfigService } from '../../../services/config.service';
import oidcData from '../oidc-data.deco';
import { VAULT_APPROLE_MOUNT_POINT } from '../../vault-approle.controller';
import { AppService } from '../../../services/app.service';
import { HlcRenderSpec } from '../../../util/hcl.util';
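/**
 * System policy service root.
 *
 * Produces the HCL render specs for the "system" policy root: one spec per
 * template file under config/templates/system (kv-* templates excluded),
 * plus per-KV-engine `kv-admin` / `kv-developer` specs and, for the `apps`
 * engine, a `kv-tools-read` spec.
 */
@injectable()
export class SystemPolicyService implements PolicyRootService<undefined> {
  /**
   * Directory holding the system policy templates (`*.hcl.tpl`), resolved
   * relative to this file's compiled location.
   */
  private static readonly sysPolicyConfigPath = path.join(
    __dirname,
    '../../../../config/templates/system',
  );

  /**
   * Constructor.
   * @param appService Source of registered apps (used for broker app paths)
   * @param config Source of the configured KV store names
   * @param logger Logger for debug output
   */
  constructor(
    @inject(TYPES.AppService) private appService: AppService,
    @inject(TYPES.ConfigService) private config: ConfigService,
    @inject(TYPES.Logger) private logger: winston.Logger,
  ) {}

  /**
   * The name of this policy root.
   * @returns The name of this policy root
   */
  getName(): string {
    return VAULT_ROOT_SYSTEM;
  }

  /**
   * Builds the HCL render specs for this policy root.
   *
   * The system build runs before the kv build so the debug log keeps the
   * same order; the two builds do not depend on each other.
   * @returns An array of HlcRenderSpec (system specs first, then kv specs)
   */
  @oidcData
  async build(): Promise<HlcRenderSpec[]> {
    const systemSpecs = await this.buildSystem();
    const kvSpecs = await this.buildKvSecretEngines();
    return [...systemSpecs, ...kvSpecs];
  }

  /**
   * Builds one render spec per system template.
   *
   * Every `*.hcl.tpl` file in {@link SystemPolicyService.sysPolicyConfigPath}
   * whose name does not start with `kv-` becomes a spec named after the file
   * (kv-* templates are produced by {@link buildKvSecretEngines}). All specs
   * share the same `data` object. The directory listing is read without
   * blocking the event loop and sorted so the output order does not depend
   * on the filesystem's directory order.
   * @returns The system render specs
   */
  public async buildSystem(): Promise<HlcRenderSpec[]> {
    this.logger.debug(`Build system - global`);
    const templateFiles = await fs.promises.readdir(
      SystemPolicyService.sysPolicyConfigPath,
    );
    const data = {
      kvPaths: await this.config.getKvStores(),
      authMount: VAULT_APPROLE_MOUNT_POINT,
      restrictedPaths: await this.restrictedBrokerAppPaths(),
      secretDbPath: 'db',
      secretKvAppsPath: 'apps',
    };
    return templateFiles
      .filter((file) => file.endsWith('.hcl.tpl') && !file.startsWith('kv-'))
      .sort()
      .map(
        (file): HlcRenderSpec => ({
          group: VAULT_ROOT_SYSTEM,
          templateName: path.basename(file, '.hcl.tpl'),
          data,
        }),
      );
  }

  /**
   * Builds the per-KV-engine policy specs.
   *
   * Each configured KV store gets a `kv-admin` and a `kv-developer` spec;
   * the `apps` store additionally gets `kv-tools-read`. Each spec carries
   * its own `data` object.
   * @returns The kv render specs
   */
  public async buildKvSecretEngines(): Promise<HlcRenderSpec[]> {
    this.logger.debug(`Build system - kv`);
    const kvSpecs: HlcRenderSpec[] = [];
    for (const secretKvPath of await this.config.getKvStores()) {
      const templateNames = ['kv-admin', 'kv-developer'];
      if (secretKvPath === 'apps') {
        templateNames.push('kv-tools-read');
      }
      for (const templateName of templateNames) {
        kvSpecs.push({
          group: VAULT_ROOT_SYSTEM,
          templateName,
          data: { secretKvPath },
        });
      }
    }
    return kvSpecs;
  }

  /**
   * Computes the path globs of broker-managed apps that the system policies
   * must restrict.
   *
   * Only apps with both `config.approle` and `config.brokerGlobal` set are
   * included. Each entry has the form `<project>_<app>_*`, with the project
   * lower-cased and the app name used as-is.
   *
   * NOTE(review): these globs are presumably rendered verbatim into policy
   * path rules, so a project or app name containing glob characters (`*`,
   * `+`) would widen the resulting rule — confirm names are validated where
   * apps are registered. Also confirm that lower-casing only the project
   * (not `app.app`) matches what the templates expect.
   * @returns One glob per qualifying app
   */
  private async restrictedBrokerAppPaths(): Promise<string[]> {
    const allApps = await this.appService.getAllApps();
    return allApps
      .filter((app) => app.config?.approle && app.config?.brokerGlobal)
      .map((app) => `${app.project.toLowerCase()}_${app.app}_*`);
  }
}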