feat: add tools space access policy in system

bcgov-nr · Aug 13, 2024 · dba3681 · dba3681
1 parent 5ce43ab
commit dba3681
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/config/templates/system/kv-tools-read.hcl.tpl b/config/templates/system/kv-tools-read.hcl.tpl
@@ -0,0 +1,14 @@
+# Write policy for tools space
+# Scope: apps/data/tools access
+
+path "<%= secretKvPath %>/data/tools/+/+" {
+  capabilities = ["read"]
+}
+
+path "<%= secretKvPath %>/metadata/tools/+/+" {
+  capabilities = ["read", "list"]
+}
+
+path "<%= secretKvPath %>/config" {
+  capabilities = ["read"]
+}
diff --git a/config/templates/system/kv-tools-read.name.tpl b/config/templates/system/kv-tools-read.name.tpl
@@ -0,0 +1 @@
+<%= secretKvPath %>-kv-tools-read
diff --git a/src/vault/policy-roots/impl/system-policy.service.ts b/src/vault/policy-roots/impl/system-policy.service.ts
@@ -99,6 +99,12 @@ export class SystemPolicyService implements PolicyRootService<undefined> {
         templateName: 'kv-developer',
         data: { secretKvPath },
       });
+      if (secretKvPath == 'apps')
+        kvSpecs.push({
+        group: VAULT_ROOT_SYSTEM,
+        templateName: 'kv-tools-read',
+        data: { secretKvPath },
+      });
     }
     return kvSpecs;
   }