Feat/broker policy additions (#73)

mbystedt · web-flow · commit 5129ca9a0bb9 · 2024-07-23T15:12:39.000-07:00
* feat: add tools path update for kv

* feat: Improve templating

* feat: Improve templates

* chore: update dependencies

* fix: individual app broker tools secret create/patch
diff --git a/README-dev.md b/README-dev.md
@@ -23,6 +23,8 @@ See: [Oclif CLI](https://oclif.io)
 podman build . -t vsync
 ```
 
+The built container can be substituted for the released container when running locally with NR Broker.
+
 ## Hashicorp Vault Setup for local testing
 
 ### With NR Broker
diff --git a/config/templates/apps/app-auth.hcl.tpl b/config/templates/apps/app-auth.hcl.tpl
@@ -8,3 +8,10 @@ path "auth/<%= authMount %>/role/<%= project %>_<%= application %>_<%= environme
 path "auth/<%= authMount %>/role/<%= project %>_<%= application %>_<%= environment %>/secret-id" {
   capabilities = ["update"]
 }
+
+path "<%= secretKvPath %>/subkeys/tools/<%= project %>/<%= application %>" {
+  capabilities = ["read"]
+}
+path "<%= secretKvPath %>/data/tools/<%= project %>/<%= application %>" {
+  capabilities = ["create", "update", "patch"]
+}
diff --git a/config/templates/apps/app-kv-read.hcl.tpl b/config/templates/apps/app-kv-read.hcl.tpl
@@ -2,7 +2,7 @@
 # Scope: Approle
 
 <% if (appCanReadProject) { %>
-path "apps/metadata/<%= environment %>/<%= project %>/shared" {
+path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/shared" {
   capabilities = ["read", "list"]
 }
 
diff --git a/config/templates/apps/app-kv-write.hcl.tpl b/config/templates/apps/app-kv-write.hcl.tpl
@@ -2,11 +2,11 @@
 # Scope: Approle
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/<%= application %>" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/<%= application %>/+" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/<%= application %>" {
diff --git a/config/templates/apps/project-kv-read.hcl.tpl b/config/templates/apps/project-kv-read.hcl.tpl
@@ -19,7 +19,7 @@ path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+" {
   capabilities = ["read"]
 }
 
-path "apps/metadata/<%= environment %>/<%= project %>/+/+" {
+path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/+/+" {
   capabilities = ["read", "list"]
 }
 
diff --git a/config/templates/apps/project-kv-write.hcl.tpl b/config/templates/apps/project-kv-write.hcl.tpl
@@ -1,14 +1,14 @@
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+/+" {
-  capabilities = ["create", "update", "delete"]
+  capabilities = ["create", "update", "patch", "delete"]
 }
 
 path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/+" {
diff --git a/config/templates/system/admin-audit-hash.hcl.tpl b/config/templates/system/admin-audit-hash.hcl.tpl
@@ -1,8 +1,11 @@
-# Audit hash admin Policy
+# Audit hash
 # Scope: Users and applications with a need to calculate the hash of data
-# Note: Access to this path will allow someone to map well known data to their hash. Only trusted entities should have access.
+# Note: Access to this path will allow someone to map known possible values to
+# their hash. Only trusted entities should have access.
+# Warning: This policy is referenced by name. Ensure changes do not break references
+# or character of this policy.
 
-# Allow create tokens
+# Allow checking of hash values (post)
 path "/sys/audit-hash/+" {
     capabilities = ["update"]
 }
diff --git a/config/templates/system/broker-auth.hcl.tpl b/config/templates/system/broker-auth.hcl.tpl
@@ -1,5 +1,7 @@
 # Authentication policy for global broker
 # Scope: Broker Approle
+# Warning: This policy is referenced by name. Ensure changes do not break references
+# or character of this policy.
 
 path "auth/<%= authMount %>/role/+/role-id" {
   capabilities = ["read"]
@@ -13,4 +15,11 @@ path "auth/<%= authMount %>/role/+/secret-id" {
 path "auth/<%= authMount %>/role/<%= path %>" {
   capabilities = ["deny"]
 }
-<% }); %>
+<% }); %>
+
+path "<%= secretKvAppsPath %>/subkeys/tools/+/+" {
+  capabilities = ["read"]
+}
+path "<%= secretKvAppsPath %>/data/tools/+/+" {
+  capabilities = ["create", "update", "patch"]
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/src/vault/policy-roots/impl/system-policy.service.ts b/src/vault/policy-roots/impl/system-policy.service.ts
diff --git a/src/vault/vault-approle.controller.ts b/src/vault/vault-approle.controller.ts

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`# Scope: Approle`
`3`	`3`
`4`	`4`	`<% if (appCanReadProject) { %>`
`5`		`-path "apps/metadata/<%= environment %>/<%= project %>/shared" {`
	`5`	`+path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/shared" {`
`6`	`6`	`capabilities = ["read", "list"]`
`7`	`7`	`}`
`8`	`8`
Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,11 @@`
`2`	`2`	`# Scope: Approle`
`3`	`3`
`4`	`4`	`path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/<%= application %>" {`
`5`		`- capabilities = ["create", "update", "delete"]`
	`5`	`+ capabilities = ["create", "update", "patch", "delete"]`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/<%= application %>/+" {`
`9`		`- capabilities = ["create", "update", "delete"]`
	`9`	`+ capabilities = ["create", "update", "patch", "delete"]`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/<%= application %>" {`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+" {`
`19`	`19`	`capabilities = ["read"]`
`20`	`20`	`}`
`21`	`21`
`22`		`-path "apps/metadata/<%= environment %>/<%= project %>/+/+" {`
	`22`	`+path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/+/+" {`
`23`	`23`	`capabilities = ["read", "list"]`
`24`	`24`	`}`
`25`	`25`
Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,14 @@`
`1`	`1`
`2`	`2`	`path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>" {`
`3`		`- capabilities = ["create", "update", "delete"]`
	`3`	`+ capabilities = ["create", "update", "patch", "delete"]`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+" {`
`7`		`- capabilities = ["create", "update", "delete"]`
	`7`	`+ capabilities = ["create", "update", "patch", "delete"]`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`path "<%= secretKvPath %>/data/<%= environment %>/<%= project %>/+/+" {`
`11`		`- capabilities = ["create", "update", "delete"]`
	`11`	`+ capabilities = ["create", "update", "patch", "delete"]`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`path "<%= secretKvPath %>/metadata/<%= environment %>/<%= project %>/+" {`