
Add policy cleanup to kv delete
suprjinx committed Nov 7, 2024
1 parent 01dc025 commit 7137c65
Showing 4 changed files with 20 additions and 3 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -31,3 +31,6 @@

# Ignore master key for decrypting credentials and more.
/config/master.key

# Ignore lock files
/.lock-*
1 change: 1 addition & 0 deletions app/lib/clients/vault/key_value.rb
Expand Up @@ -17,6 +17,7 @@ def kv_write(identity, path, data)
def kv_delete(identity, path)
verify_policy(identity, policy_path(path))
client.logical.delete("#{kv_mount}/data/#{path}")
remove_policy(identity, policy_path(path))
end

def configure_kv
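Review bot: Placing `remove_policy(...)` last in `kv_delete` changes the method's return value from the result of `client.logical.delete` to whatever `client.sys.delete_policy` returns, so any caller (the test's `assert del_secret`, for one) that reads the return as "the secret was deleted" is now checking policy deletion instead; make it explicit with `deleted = client.logical.delete("#{kv_mount}/data/#{path}")` before the `remove_policy` call and `deleted` as the final expression. Separately, if this mount is KV v2 (the `/data/` prefix suggests it, but `configure_kv` is cut off below) the delete is a soft delete: the versions remain under the mount's `metadata/` path after the grant is gone, so a cleanup meant to remove the secret material should also delete `#{kv_mount}/metadata/#{path}`. The two steps are not atomic either — a failure inside `remove_policy` after a successful delete leaves the entity still holding `kv_policy/<path>` for a recoverable secret; consider removing the grant first so the partial-failure state is fail-closed, or document the intended recovery in a comment.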
10 changes: 10 additions & 0 deletions app/lib/clients/vault/policy.rb
Expand Up @@ -28,6 +28,16 @@ def verify_policy(identity, policy_name)
end
end

def remove_policy(identity, policy_name)
sub = identity.sub
Domain.with_advisory_lock(sub) do
policies, metadata = get_entity_data(sub)
policies.reject! { |p| p == policy_name }
put_entity(sub, policies, metadata)
end
client.sys.delete_policy(policy_name)
end

private

def create_astral_policy
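Review bot: `client.sys.delete_policy(policy_name)` runs outside the advisory lock, and that lock is keyed by `sub` while the policy name is keyed by path (`kv_policy/<path>` per the test), so the entity update and the global policy deletion are not serialised against another subject acting on the same path — a concurrent write that (re)creates and attaches the policy can have it deleted from under it, leaving that entity listing a policy Vault no longer has. If a policy is meant to be held by exactly one entity this is only a race; if policies can be shared, the unconditional delete also revokes every other holder. Moving the `delete_policy` call inside the lock and keying the lock by `policy_name` (or checking that no other entity still lists it before deleting) would close this; I cannot see how `kv_write` creates and attaches policies, so the right keying depends on that. `remove_policy` is also public and does no authorisation of its own, which deserves a comment above it: `# Does not check that identity may drop policy_name; callers (kv_delete) run verify_policy first.`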
9 changes: 6 additions & 3 deletions test/lib/clients/vault_test.rb
Expand Up @@ -96,7 +96,7 @@ class VaultTest < ActiveSupport::TestCase

# check policy is created
entity = @client.read_entity(@identity.sub)
assert_equal "kv_policy/#{path}", entity.data[:policies][0]
assert_includes entity.data[:policies], "kv_policy/#{path}"

# check kv_read denied to other identity
alt_identity = Identity.new
Expand All @@ -111,8 +111,11 @@ class VaultTest < ActiveSupport::TestCase
# check kv_delete
del_secret = @client.kv_delete(@identity, path)
assert del_secret
read_secret = @client.kv_read(@identity, path)
assert_nil read_secret
# check policy is removed
entity = @client.read_entity(@identity.sub)
assert_not_includes entity.data[:policies], "kv_policy/#{path}"
err = assert_raises { @client.kv_read(@identity, path) }
assert_kind_of AuthError, err
end

test "entity_alias methods" do
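Review bot: The "check policy is removed" assertion only inspects the entity's policy list; nothing verifies that the policy itself was deleted from Vault by `client.sys.delete_policy`, so a regression that drops the entity reference but leaves `kv_policy/<path>` behind would still pass. Adding an assertion through the client's policy accessor (that reading `kv_policy/#{path}` from `sys` now returns nil, in whatever form this client exposes it) would pin that half of the cleanup. The `AuthError` check after deletion is good, but it would be worth also asserting that `alt_identity` still gets `AuthError` (not some other failure) once the policy is gone, since deletion is the moment a shared policy name could change behaviour for other holders. The test method and the `VaultTest` class begin before this hunk.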
