From dba3681a43b34b9a11540a40f65bc762c112e2f8 Mon Sep 17 00:00:00 2001
From: GraceRuan
Date: Tue, 13 Aug 2024 10:20:34 -0700
Subject: [PATCH] feat: add tools space access policy in system

---
 config/templates/system/kv-tools-read.hcl.tpl | 14 ++++++++++++++
 config/templates/system/kv-tools-read.name.tpl | 1 +
 .../policy-roots/impl/system-policy.service.ts | 6 ++++++
 3 files changed, 21 insertions(+)
 create mode 100644 config/templates/system/kv-tools-read.hcl.tpl
 create mode 100644 config/templates/system/kv-tools-read.name.tpl

diff --git a/config/templates/system/kv-tools-read.hcl.tpl b/config/templates/system/kv-tools-read.hcl.tpl
new file mode 100644
index 0000000..6214d1d
--- /dev/null
+++ b/config/templates/system/kv-tools-read.hcl.tpl
@@ -0,0 +1,14 @@
+# Write policy for tools space
+# Scope: apps/data/tools access
+
+path "<%= secretKvPath %>/data/tools/+/+" {
+  capabilities = ["read"]
+}
+
+path "<%= secretKvPath %>/metadata/tools/+/+" {
+  capabilities = ["read", "list"]
+}
+
+path "<%= secretKvPath %>/config" {
+  capabilities = ["read"]
+}
\ No newline at end of file
diff --git a/config/templates/system/kv-tools-read.name.tpl b/config/templates/system/kv-tools-read.name.tpl
new file mode 100644
index 0000000..ce8594f
--- /dev/null
+++ b/config/templates/system/kv-tools-read.name.tpl
@@ -0,0 +1 @@
+<%= secretKvPath %>-kv-tools-read
\ No newline at end of file
diff --git a/src/vault/policy-roots/impl/system-policy.service.ts b/src/vault/policy-roots/impl/system-policy.service.ts
index 76f12bf..0acaaf2 100644
--- a/src/vault/policy-roots/impl/system-policy.service.ts
+++ b/src/vault/policy-roots/impl/system-policy.service.ts
@@ -99,6 +99,12 @@ export class SystemPolicyService implements PolicyRootService {
       templateName: 'kv-developer',
       data: { secretKvPath },
     });
+    if (secretKvPath == 'apps')
+      kvSpecs.push({
+        group: VAULT_ROOT_SYSTEM,
+        templateName: 'kv-tools-read',
+        data: { secretKvPath },
+      });
   }
   return kvSpecs;
 }
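Review bot: The header comment `# Write policy for tools space` in kv-tools-read.hcl.tpl contradicts the rules beneath it, which grant only `read` and `list`, and `# Scope: apps/data/tools access` hard-codes `apps` while every path is templated on `secretKvPath`; suggest `# Read-only policy for the tools space` and `# Scope: <%= secretKvPath %>/data/tools/<ns>/<name> (read) plus matching metadata (read, list)`. The `list` capability on `metadata/tools/+/+` only matches a key exactly two segments below `tools/`, so a token holding this policy presumably cannot enumerate `metadata/tools/` or `metadata/tools/<ns>/` (Vault list requests target the directory path); confirm that is the intended enumeration boundary, and if listing the namespaces is wanted a separate `metadata/tools/+/` entry would be needed. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing for consistency with the other templates.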
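Review bot: `if (secretKvPath == 'apps')` in system-policy.service.ts uses loose equality and guards a multi-line `kvSpecs.push` with no braces, which is fragile if a statement is later added to the branch; use `if (secretKvPath === 'apps') {` and close the block after `});`. The literal `'apps'` also hard-codes which KV mount receives the tools read policy while every other spec in this loop is driven by `secretKvPath` itself, so a named constant or a short comment on why only the `apps` mount qualifies would make the intent reviewable. The enclosing method begins before this hunk.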