Feat/broker policy additions (#73)

* feat: add tools path update for kv * feat: Improve templating * feat: Improve templates * chore: update dependencies * fix: individual app broker tools secret create/patch
bcgov-nr · Jul 23, 2024 · 5129ca9 · 5129ca9
1 parent d8a2fdf
commit 5129ca9
Show file tree

Hide file tree

Showing 12 changed files with 131 additions and 94 deletions.
diff --git a/README-dev.md b/README-dev.md
@@ -23,6 +23,8 @@ See: [Oclif CLI](https://oclif.io)
 podman build . -t vsync
 ```
 
+The built container can be substituted for the released container when running locally with NR Broker.
+
 ## Hashicorp Vault Setup for local testing
 
 ### With NR Broker

diff --git a/config/templates/apps/app-auth.hcl.tpl b/config/templates/apps/app-auth.hcl.tpl
@@ -8,3 +8,10 @@ path "auth/<%= authMount %>/role/<%= project %>_<%= application %>_<%= environme
 path "auth/<%= authMount %>/role/<%= project %>_<%= application %>_<%= environment %>/secret-id" {
   capabilities = ["update"]
 }
+
+path "<%= secretKvPath %>/subkeys/tools/<%= project %>/<%= application %>" {
+  capabilities = ["read"]
+}
+path "<%= secretKvPath %>/data/tools/<%= project %>/<%= application %>" {
+  capabilities = ["create", "update", "patch"]
+}
diff --git a/config/templates/apps/app-kv-read.hcl.tpl b/config/templates/apps/app-kv-read.hcl.tpl
@@ -2,7 +2,7 @@
 # Scope: Approle
 
 <% if (appCanReadProject) { %>
-path "apps/metadata/<%= environment %>/<%= project %>/shared" {
+path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/shared" {
   capabilities = ["read", "list"]
 }
 

diff --git a/config/templates/apps/app-kv-write.hcl.tpl b/config/templates/apps/app-kv-write.hcl.tpl
@@ -2,11 +2,11 @@
 # Scope: Approle
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/<%= application %>" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/<%= application %>/+" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/<%= application %>" {

diff --git a/config/templates/apps/project-kv-read.hcl.tpl b/config/templates/apps/project-kv-read.hcl.tpl
@@ -19,7 +19,7 @@ path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+" {
   capabilities = ["read"]
 }
 
-path "apps/metadata/<%= environment %>/<%= project %>/+/+" {
+path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/+/+" {
   capabilities = ["read", "list"]
 }
 

diff --git a/config/templates/apps/project-kv-write.hcl.tpl b/config/templates/apps/project-kv-write.hcl.tpl
@@ -1,14 +1,14 @@
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+/+" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/+" {

diff --git a/config/templates/system/admin-audit-hash.hcl.tpl b/config/templates/system/admin-audit-hash.hcl.tpl
@@ -1,8 +1,11 @@
-# Audit hash admin Policy
+# Audit hash
 # Scope: Users and applications with a need to calculate the hash of data
-# Note: Access to this path will allow someone to map well known data to their hash. Only trusted entities should have access.
+# Note: Access to this path will allow someone to map known possible values to
+# their hash. Only trusted entities should have access.
+# Warning: This policy is referenced by name. Ensure changes do not break references
+# or character of this policy.
 
-# Allow create tokens
+# Allow checking of hash values (post)
 path "/sys/audit-hash/+" {
     capabilities = ["update"]
 }
diff --git a/config/templates/system/broker-auth.hcl.tpl b/config/templates/system/broker-auth.hcl.tpl
@@ -1,5 +1,7 @@
 # Authentication policy for global broker
 # Scope: Broker Approle
+# Warning: This policy is referenced by name. Ensure changes do not break references
+# or character of this policy.
 
 path "auth/<%= authMount %>/role/+/role-id" {
   capabilities = ["read"]
@@ -13,4 +15,11 @@ path "auth/<%= authMount %>/role/+/secret-id" {
 path "auth/<%= authMount %>/role/<%= path %>" {
   capabilities = ["deny"]
 }
-<% }); %>
+<% }); %>
+
+path "<%= secretKvAppsPath %>/subkeys/tools/+/+" {
+  capabilities = ["read"]
+}
+path "<%= secretKvAppsPath %>/data/tools/+/+" {
+  capabilities = ["create", "update", "patch"]
+}
diff --git a/package-lock.json b/package-lock.json