

Add kv-read policy verification
suprjinx committed Nov 4, 2024
1 parent 2a77c25 commit 2382e25
Showing 3 changed files with 21 additions and 2 deletions.
3 changes: 2 additions & 1 deletion app/lib/clients/vault/key_value.rb
Expand Up @@ -4,6 +4,7 @@ module KeyValue
extend Policy

def kv_read(identity, path)
verify_policy(identity, policy_path(path))
client.kv(kv_mount).read(path)
end

Expand All @@ -14,6 +15,7 @@ def kv_write(identity, path, data)
end

def kv_delete(identity, path)
verify_policy(identity, policy_path(path))
client.logical.delete("#{kv_mount}/data/#{path}")
end

Expand All @@ -33,7 +35,6 @@ def kv_engine_type
"kv-v2"
end


def create_kv_policy(path)
client.sys.put_policy(policy_path(path), kv_policy(path))
end
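Review bot: The new `verify_policy(identity, policy_path(path))` call at the top of `kv_read` and `kv_delete` is an application-side gate only; the Vault request that follows (`client.kv(kv_mount).read(path)`, `client.logical.delete(...)`) still runs under whatever token `client` carries, which from this file looks like a shared app client rather than a token scoped to the caller's identity, so any other path that reaches `client` bypasses the check. That contract deserves a comment above each guarded method, e.g. `# Authorization is enforced here, not by Vault: client acts with the app token, so every entry point must call verify_policy first.` The middle hunk (`@@ -14,6 +15,7 @@`) cuts `kv_write` off, so it is not visible whether the write path received the same guard; worth confirming all three operations are gated, and a private `authorize!(identity, path)` helper wrapping the `verify_policy`/`policy_path` pair would keep them from drifting apart.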
9 changes: 9 additions & 0 deletions app/lib/clients/vault/policy.rb
Expand Up @@ -18,6 +18,15 @@ def assign_policy(identity, policy_name)
put_entity_alias(sub, email, "oidc")
end

def verify_policy(identity, policy_name)
sub = identity.sub
email = identity.email
policies, _ = get_entity_data(sub)
unless policies.any? { |p| p == policy_name }
raise AuthError.new("Policy has not been granted to the identity")
end
end

private

def create_astral_policy
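Review bot: In `verify_policy`, `email = identity.email` is assigned and never used, and `policies.any? { |p| p == policy_name }` is just `policies.include?(policy_name)`; the whole check collapses to `raise AuthError, "Policy has not been granted to the identity" unless Array(policies).include?(policy_name)`. The `Array(...)` wrap matters if `get_entity_data` can return `nil` for a sub with no entity: the accompanying test calls this with a fresh `SecureRandom.hex(4)` sub and expects `AuthError`, so the helper presumably returns an empty list today, but a `nil` would surface as `NoMethodError` and turn a deliberate denial into an unrelated failure — confirm the helper's contract. Note also that this compares only the policies returned for the entity itself; policies inherited via Vault identity groups would not be visible to this check, which is fine if the app never assigns through groups, but should be stated in a doc comment on the method.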
11 changes: 10 additions & 1 deletion test/lib/clients/vault_test.rb
Expand Up @@ -98,14 +98,23 @@ class VaultTest < ActiveSupport::TestCase
entity = @client.read_entity(@identity.sub)
assert_equal "kv_policy/#{path}", entity.data[:policies][0]

# check kv_read denied to other identity
alt_identity = Identity.new
alt_identity.sub = SecureRandom.hex(4)
err = assert_raises { @client.kv_read(alt_identity, path) }
assert_kind_of AuthError, err

# check kv_delete denied to other identity
err = assert_raises { @client.kv_delete(alt_identity, path) }
assert_kind_of AuthError, err

# check kv_delete
del_secret = @client.kv_delete(@identity, path)
assert del_secret
read_secret = @client.kv_read(@identity, path)
assert_nil read_secret
end


test "entity_alias methods" do
# confirm no entity yet
err = assert_raises RuntimeError do
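Review bot: The denial checks cover `kv_read` and `kv_delete` for `alt_identity` but not `kv_write`, so a missing or regressed guard on the write path would pass this test; add a third pair next to them, e.g. `err = assert_raises(AuthError) { @client.kv_write(alt_identity, path, data) }` with the same data hash the positive write uses (the `kv_write(identity, path, data)` signature is visible in the key_value.rb hunk, its body is not). `assert_raises` takes the expected class, so `assert_raises(AuthError) { @client.kv_read(alt_identity, path) }` replaces each two-line `assert_raises`/`assert_kind_of` pair. `alt_identity` gets a `sub` but no `email`, and `verify_policy` reads `identity.email`; setting it explicitly keeps the fixture from relying on a `nil` being tolerated there. The enclosing test method begins before this hunk.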
