From 2382e259c5028cc9cb88bd56f33ad36194b8e3cd Mon Sep 17 00:00:00 2001
From: Geoff Wilson
Date: Mon, 4 Nov 2024 11:19:52 -0500
Subject: [PATCH] Add kv-read policy verification

---
 app/lib/clients/vault/key_value.rb | 3 ++-
 app/lib/clients/vault/policy.rb | 9 +++++++++
 test/lib/clients/vault_test.rb | 11 ++++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/lib/clients/vault/key_value.rb b/app/lib/clients/vault/key_value.rb
index ac02d10..9f5b59e 100644
--- a/app/lib/clients/vault/key_value.rb
+++ b/app/lib/clients/vault/key_value.rb
@@ -4,6 +4,7 @@ module KeyValue
 extend Policy
 
 def kv_read(identity, path)
+ verify_policy(identity, policy_path(path))
 client.kv(kv_mount).read(path)
 end
 
@@ -14,6 +15,7 @@ def kv_write(identity, path, data)
 end
 
 def kv_delete(identity, path)
+ verify_policy(identity, policy_path(path))
 client.logical.delete("#{kv_mount}/data/#{path}")
 end
 
@@ -33,7 +35,6 @@ def kv_engine_type
 "kv-v2"
 end
 
-
 def create_kv_policy(path)
 client.sys.put_policy(policy_path(path), kv_policy(path))
 end
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
index c3dd0ea..c14dbc4 100644
--- a/app/lib/clients/vault/policy.rb
+++ b/app/lib/clients/vault/policy.rb
@@ -18,6 +18,15 @@ def assign_policy(identity, policy_name)
 put_entity_alias(sub, email, "oidc")
 end
 
+ def verify_policy(identity, policy_name)
+ sub = identity.sub
+ email = identity.email
+ policies, _ = get_entity_data(sub)
+ unless policies.any? { |p| p == policy_name }
+ raise AuthError.new("Policy has not been granted to the identity")
+ end
+ end
+
 private
 
 def create_astral_policy
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
index cd23027..f34f5eb 100644
--- a/test/lib/clients/vault_test.rb
+++ b/test/lib/clients/vault_test.rb
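Review bot: The `verify_policy(identity, policy_path(path))` prelude is now duplicated in kv_read (this hunk) and kv_delete (the @@ -14 hunk), while kv_write's body sits above the second hunk and is not visible, so the patch does not show whether writes get the same gate; confirming kv_write calls it before its Vault call is worth a look. If all three kv_* methods carry the check, a single private helper such as `authorized_kv(identity, path)` that performs the check and yields would keep the gate from being forgotten in the next kv_* method. A short comment on the call would also help a reader who expects Vault to enforce this: `# Gate on the identity's granted policies before issuing the Vault call.`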
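Review bot: In verify_policy, `email = identity.email` is assigned and never read (RuboCop Lint/UselessAssignment); drop it and inline the subject as `policies, _ = get_entity_data(identity.sub)`. `policies.any? { |p| p == policy_name }` is `policies.include?(policy_name)`, and `raise AuthError.new("...")` is idiomatically `raise AuthError, "Policy has not been granted to the identity"`. If get_entity_data can hand back nil policies for an identity that has no entity — the fresh `alt_identity` in the test suggests that path is exercised, but the helper is outside the hunk — `Array(policies).include?(policy_name)` keeps that case an AuthError instead of a NoMethodError. A YARD comment stating that this is an exact-name membership check against the entity's policy list, not a Vault capability lookup, and that it raises AuthError on a miss would pin the contract for callers.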
@@ -98,6 +98,16 @@ class VaultTest < ActiveSupport::TestCase
 entity = @client.read_entity(@identity.sub)
 assert_equal "kv_policy/#{path}", entity.data[:policies][0]
 
+ # check kv_read denied to other identity
+ alt_identity = Identity.new
+ alt_identity.sub = SecureRandom.hex(4)
+ err = assert_raises { @client.kv_read(alt_identity, path) }
+ assert_kind_of AuthError, err
+
+ # check kv_delete denied to other identity
+ err = assert_raises { @client.kv_delete(alt_identity, path) }
+ assert_kind_of AuthError, err
+
 # check kv_delete
 del_secret = @client.kv_delete(@identity, path)
 assert del_secret
@@ -105,7 +115,6 @@ class VaultTest < ActiveSupport::TestCase
 assert_nil read_secret
 end
 
-
 test "entity_alias methods" do
 # confirm no entity yet
 err = assert_raises RuntimeError do
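Review bot: `err = assert_raises { @client.kv_read(alt_identity, path) }` followed by `assert_kind_of AuthError, err` spends two assertions on one check; `assert_raises(AuthError) { @client.kv_read(alt_identity, path) }` pins the class in one step and produces a clearer failure message, and the kv_delete check right below it should be written the same way. The denial cases only cover an identity that holds no policies at all, so they would also pass if the check merely reacted to a missing entity; a second identity granted a `kv_policy/` name for a different path would confirm the comparison is on the exact policy name. The enclosing test block starts above the hunk.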