FLEX-WP-0006: implement ops-warden signing gate policy

2026-06-23 21:17:42 +02:00
parent 53e0d055c9
commit 0fde95a87c
25 changed files with 1796 additions and 10 deletions


@@ -13,6 +13,8 @@ examples/
# decision, registry, and audit fixtures (P2.1)
markitect/ # FlexAuthResourceManifest fixtures, decision
# fixtures, and Rego-in-Markdown policy packages
ops-warden/ # SSH certificate signing policy-gate fixtures
# for ops-warden policy.enabled smoke checks
topaz/ # docker-compose + sample directory and policy
# for the Topaz alignment spike (P5.4)
policies/ # generic Rego-in-Markdown packages used by


@@ -0,0 +1,34 @@
# Ops-Warden SSH Signing Policy Gate
This example is the flex-auth side of ops-warden's opt-in pre-sign gate.
When `policy.enabled: true`, ops-warden calls `POST /v1/check` before signing
or issuing an SSH certificate.
Files:
- `protected_system_manifest.yaml` declares the `ops-warden` protected system,
`ssh-certificate` resource type, and `sign` action.
- `resource_manifest.yaml` declares fixture SSH certificate actor resources and
non-secret policy attributes such as allowed principals and TTL maxima.
- `subject_manifest.yaml` declares non-secret fixture actors for `adm`, `agt`,
and `atm` signing paths.
- `registry_snapshot.json` is the combined local registry used by the CLI and
service examples.
- `policy_package.md` is the Rego-in-Markdown policy package.
- `policy_fixtures.yaml` contains allow and deny expectations for package
validation.
- `check_request_*.json` files are ops-warden-shaped `/v1/check` requests.
Run locally:
```bash
flex-auth validate --kind protected-system --file examples/ops-warden/protected_system_manifest.yaml
flex-auth validate --kind resource-manifest --file examples/ops-warden/resource_manifest.yaml
flex-auth validate --kind subject-manifest --file examples/ops-warden/subject_manifest.yaml
flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
flex-auth test-policy --file examples/ops-warden/policy_package.md
flex-auth check --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --request examples/ops-warden/check_request_allow_adm.json
```
The fixture public-key fingerprints are examples only. Do not put real keys,
OpenBao tokens, or private signing material in these files.


@@ -0,0 +1,23 @@
{
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "platform-steward",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"platform",
"root"
],
"actor_type": "adm",
"ttl_hours": 4,
"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
}
}
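Review bot: The request `id` `check:ops-warden-platform-steward-adm` is reused verbatim by the ttl-above-max, missing-fingerprint and unknown-subject request files, and `check:ops-warden-ci-deploy-agent-agt` by the actor-type-mismatch and disallowed-principal ones, each with a different body. If the service treats `id` as an audit correlation or idempotency key (not visible here), the distinct allow and deny decisions become indistinguishable in logs and a cached decision for one body could be served for another. Giving each request its own id, e.g. `"id": "check:ops-warden-platform-steward-adm-ttl-above-max"`, avoids that and mirrors the per-fixture ids already used in the policy fixtures file; the request objects embedded in that fixtures file repeat the same ids.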


@@ -0,0 +1,22 @@
{
"id": "check:ops-warden-ci-deploy-agent-agt",
"tenant": "tenant:platform",
"subject": {
"id": "ci-deploy-agent",
"type": "agt"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"deploy"
],
"actor_type": "agt",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
}
}


@@ -0,0 +1,22 @@
{
"id": "check:ops-warden-backup-automation-atm",
"tenant": "tenant:platform",
"subject": {
"id": "backup-automation",
"type": "atm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/backup-automation",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"backup"
],
"actor_type": "atm",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-atm-fingerprint"
}
}


@@ -0,0 +1,22 @@
{
"id": "check:ops-warden-ci-deploy-agent-agt",
"tenant": "tenant:platform",
"subject": {
"id": "ci-deploy-agent",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"deploy"
],
"actor_type": "agt",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
}
}


@@ -0,0 +1,22 @@
{
"id": "check:ops-warden-ci-deploy-agent-agt",
"tenant": "tenant:platform",
"subject": {
"id": "ci-deploy-agent",
"type": "agt"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"root"
],
"actor_type": "agt",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
}
}


@@ -0,0 +1,21 @@
{
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "platform-steward",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"platform"
],
"actor_type": "adm",
"ttl_hours": 4
}
}


@@ -0,0 +1,22 @@
{
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "platform-steward",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"platform"
],
"actor_type": "adm",
"ttl_hours": 12,
"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
}
}


@@ -0,0 +1,22 @@
{
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "unknown-actor",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden"
},
"context": {
"principals": [
"platform"
],
"actor_type": "adm",
"ttl_hours": 4,
"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
}
}


@@ -0,0 +1,337 @@
[
{
"id": "fixture:ops-warden-adm-sign-allow",
"request": {
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "platform-steward",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "platform-steward",
"actor_type": "adm",
"allowed_subjects": [
"platform-steward",
"iam:platform-steward"
],
"allowed_principals": [
"platform",
"root"
],
"max_ttl_hours": 8
}
},
"context": {
"principals": [
"platform",
"root"
],
"actor_type": "adm",
"ttl_hours": 4,
"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
}
},
"expect": {
"effect": "allow",
"reason": "signing_policy_matched"
}
},
{
"id": "fixture:ops-warden-agt-sign-allow",
"request": {
"id": "check:ops-warden-ci-deploy-agent-agt",
"tenant": "tenant:platform",
"subject": {
"id": "ci-deploy-agent",
"type": "agt"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "ci-deploy-agent",
"actor_type": "agt",
"allowed_subjects": [
"ci-deploy-agent",
"iam:ci-deploy-agent"
],
"allowed_principals": [
"deploy",
"git"
],
"max_ttl_hours": 2
}
},
"context": {
"principals": [
"deploy"
],
"actor_type": "agt",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
}
},
"expect": {
"effect": "allow",
"reason": "signing_policy_matched"
}
},
{
"id": "fixture:ops-warden-atm-sign-allow",
"request": {
"id": "check:ops-warden-backup-automation-atm",
"tenant": "tenant:platform",
"subject": {
"id": "backup-automation",
"type": "atm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/backup-automation",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "backup-automation",
"actor_type": "atm",
"allowed_subjects": [
"backup-automation",
"iam:backup-automation"
],
"allowed_principals": [
"backup"
],
"max_ttl_hours": 1
}
},
"context": {
"principals": [
"backup"
],
"actor_type": "atm",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-atm-fingerprint"
}
},
"expect": {
"effect": "allow",
"reason": "signing_policy_matched"
}
},
{
"id": "fixture:ops-warden-unknown-subject-deny",
"request": {
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "unknown-actor",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "platform-steward",
"actor_type": "adm",
"allowed_subjects": [
"platform-steward",
"iam:platform-steward"
],
"allowed_principals": [
"platform",
"root"
],
"max_ttl_hours": 8
}
},
"context": {
"principals": [
"platform"
],
"actor_type": "adm",
"ttl_hours": 4,
"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
}
},
"expect": {
"effect": "deny",
"reason": "unknown_subject"
}
},
{
"id": "fixture:ops-warden-actor-type-mismatch-deny",
"request": {
"id": "check:ops-warden-ci-deploy-agent-agt",
"tenant": "tenant:platform",
"subject": {
"id": "ci-deploy-agent",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "ci-deploy-agent",
"actor_type": "agt",
"allowed_subjects": [
"ci-deploy-agent",
"iam:ci-deploy-agent"
],
"allowed_principals": [
"deploy",
"git"
],
"max_ttl_hours": 2
}
},
"context": {
"principals": [
"deploy"
],
"actor_type": "agt",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
}
},
"expect": {
"effect": "deny",
"reason": "actor_type_mismatch"
}
},
{
"id": "fixture:ops-warden-ttl-above-max-deny",
"request": {
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "platform-steward",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "platform-steward",
"actor_type": "adm",
"allowed_subjects": [
"platform-steward",
"iam:platform-steward"
],
"allowed_principals": [
"platform",
"root"
],
"max_ttl_hours": 8
}
},
"context": {
"principals": [
"platform"
],
"actor_type": "adm",
"ttl_hours": 12,
"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
}
},
"expect": {
"effect": "deny",
"reason": "ttl_out_of_bounds"
}
},
{
"id": "fixture:ops-warden-disallowed-principal-deny",
"request": {
"id": "check:ops-warden-ci-deploy-agent-agt",
"tenant": "tenant:platform",
"subject": {
"id": "ci-deploy-agent",
"type": "agt"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "ci-deploy-agent",
"actor_type": "agt",
"allowed_subjects": [
"ci-deploy-agent",
"iam:ci-deploy-agent"
],
"allowed_principals": [
"deploy",
"git"
],
"max_ttl_hours": 2
}
},
"context": {
"principals": [
"root"
],
"actor_type": "agt",
"ttl_hours": 1,
"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
}
},
"expect": {
"effect": "deny",
"reason": "disallowed_principal"
}
},
{
"id": "fixture:ops-warden-missing-fingerprint-deny",
"request": {
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {
"id": "platform-steward",
"type": "adm"
},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "platform-steward",
"actor_type": "adm",
"allowed_subjects": [
"platform-steward",
"iam:platform-steward"
],
"allowed_principals": [
"platform",
"root"
],
"max_ttl_hours": 8
}
},
"context": {
"principals": [
"platform"
],
"actor_type": "adm",
"ttl_hours": 4
}
},
"expect": {
"effect": "deny",
"reason": "missing_pubkey_fingerprint"
}
}
]
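Review bot: The deny fixtures cover only four of the reasons the policy package can emit; `wrong_action`, `wrong_system`, `wrong_resource_type`, `wrong_tenant`, `unknown_actor_resource`, `actor_resource_mismatch` and `missing_principal` have no expectation here, so a regression in the `first_denial` ordering for those branches would pass package validation. The two cheapest additions are a copy of the adm allow request with `"principals": []` expecting `"reason": "missing_principal"`, and one with `"tenant": "tenant:other"` expecting `"reason": "wrong_tenant"`. A `no_matching_rule` case is probably unreachable given the mirrored guards, but a fixture asserting a deny for an empty `context` would document that fail-closed default.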


@@ -0,0 +1,257 @@
---
id: ops-warden.ssh-certificate.sign
name: Ops-Warden SSH certificate signing
namespace: ops-warden:ssh-certificate
version: v1
status: ready
package: flexauth.ops_warden.ssh_signing
actions:
- sign
owner: team:platform-security
fixtures:
- policy_fixtures.yaml
caring:
profile: caring-0.4.0-rc2
enforce: false
canonical_roles:
- Operator
organization_relations:
- ServiceProvider
scopes:
- level: Platform
id: platform:ssh-signing
tenant: tenant:platform
planes:
- Identity
- Secret
- Audit
capabilities:
- Use
- Operate
- Audit
exposure_modes:
- Metadata
conditions:
- TimeLimited
- Logged
restrictions:
- PrivilegeEscalationBlocked
- SecretAccessBlocked
activation:
mode: local
metadata:
source: examples/ops-warden/policy_package.md
ops_warden_policy_gate: v2
---
# Ops-Warden SSH Certificate Signing
This package authorizes ops-warden's opt-in pre-sign policy gate. The caller
keeps SSH CA custody, actor inventory, and OpenBao signing; flex-auth decides
whether a specific `sign` request is allowed now.
## Rules
```rego
import future.keywords.contains
import future.keywords.if
import future.keywords.in
actor_types := {"adm", "agt", "atm"}
decision := {"effect": "allow", "reason": "signing_policy_matched"} if {
allowed
} else := {"effect": "deny", "reason": first_denial} if {
true
}
allowed if {
input.action == "sign"
input.resource.system == "ops-warden"
input.resource.type == "ssh-certificate"
effective_tenant == "tenant:platform"
valid_actor_type
subject_type_matches_context
actor_type_matches_resource
resource_id_matches_actor
subject_id_allowed
valid_ttl
has_pubkey_fingerprint
principals_allowed
}
default effective_tenant := ""
effective_tenant := input.tenant if {
is_string(input.tenant)
input.tenant != ""
} else := input.resource.tenant if {
is_string(input.resource.tenant)
input.resource.tenant != ""
} else := input.subject.tenant if {
is_string(input.subject.tenant)
input.subject.tenant != ""
}
default first_denial := "no_matching_rule"
first_denial := "wrong_action" if {
input.action != "sign"
} else := "wrong_system" if {
input.resource.system != "ops-warden"
} else := "wrong_resource_type" if {
input.resource.type != "ssh-certificate"
} else := "wrong_tenant" if {
effective_tenant != "tenant:platform"
} else := "unknown_actor_resource" if {
not has_actor_resource
} else := "unknown_subject" if {
not subject_id_allowed
} else := "actor_type_mismatch" if {
not valid_actor_type
} else := "actor_type_mismatch" if {
not subject_type_matches_context
} else := "actor_type_mismatch" if {
not actor_type_matches_resource
} else := "actor_resource_mismatch" if {
not resource_id_matches_actor
} else := "ttl_out_of_bounds" if {
not valid_ttl
} else := "missing_pubkey_fingerprint" if {
not has_pubkey_fingerprint
} else := "missing_principal" if {
not has_principals
} else := "disallowed_principal" if {
count(disallowed_principals) > 0
}
has_actor_resource if {
is_string(input.resource.attributes.actor_id)
input.resource.attributes.actor_id != ""
}
valid_actor_type if {
is_string(input.context.actor_type)
input.context.actor_type in actor_types
}
subject_type_matches_context if {
input.subject.type == input.context.actor_type
}
subject_type_matches_context if {
input.subject.attributes.actor_type == input.context.actor_type
}
actor_type_matches_resource if {
input.context.actor_type == input.resource.attributes.actor_type
}
resource_id_matches_actor if {
input.resource.id == sprintf("ssh-cert:actor/%s", [input.resource.attributes.actor_id])
}
subject_id_allowed if {
input.subject.id in input.resource.attributes.allowed_subjects
}
has_ttl if {
is_number(input.context.ttl_hours)
}
valid_ttl if {
has_ttl
input.context.ttl_hours > 0
input.context.ttl_hours <= input.resource.attributes.max_ttl_hours
}
has_pubkey_fingerprint if {
is_string(input.context.pubkey_fingerprint)
input.context.pubkey_fingerprint != ""
}
has_principals if {
count(input.context.principals) > 0
}
principals_allowed if {
has_principals
count(disallowed_principals) == 0
}
allowed_principal(principal) if {
principal in input.resource.attributes.allowed_principals
}
disallowed_principals contains principal if {
principal := input.context.principals[_]
not allowed_principal(principal)
}
```
## Tests
```rego test
package flexauth.ops_warden.ssh_signing_test
import future.keywords.if
import data.flexauth.ops_warden.ssh_signing
adm_request := {
"id": "check:ops-warden-platform-steward-adm",
"tenant": "tenant:platform",
"subject": {"id": "platform-steward", "type": "adm"},
"action": "sign",
"resource": {
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"system": "ops-warden",
"attributes": {
"actor_id": "platform-steward",
"actor_type": "adm",
"allowed_subjects": ["platform-steward", "iam:platform-steward"],
"allowed_principals": ["platform", "root"],
"max_ttl_hours": 8
}
},
"context": {
"actor_type": "adm",
"principals": ["platform"],
"pubkey_fingerprint": "SHA256:example-adm-fingerprint",
"ttl_hours": 4
}
}
test_adm_sign_allowed if {
ssh_signing.decision.effect == "allow" with input as adm_request
}
test_high_ttl_denied if {
ssh_signing.decision.reason == "ttl_out_of_bounds" with input as {
"tenant": "tenant:platform",
"subject": {"id": "platform-steward", "type": "adm"},
"action": "sign",
"resource": adm_request.resource,
"context": {
"actor_type": "adm",
"principals": ["platform"],
"pubkey_fingerprint": "SHA256:example-adm-fingerprint",
"ttl_hours": 12
}
}
}
test_missing_fingerprint_denied if {
ssh_signing.decision.reason == "missing_pubkey_fingerprint" with input as {
"tenant": "tenant:platform",
"subject": {"id": "platform-steward", "type": "adm"},
"action": "sign",
"resource": adm_request.resource,
"context": {
"actor_type": "adm",
"principals": ["platform"],
"ttl_hours": 4
}
}
}
```
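Review bot: `has_principals` accepts any value whose `count` is positive, so a `principals` that arrives as a string rather than an array satisfies it, while as far as I can tell the `input.context.principals[_]` iteration in `disallowed_principals` yields nothing for a string; `principals_allowed` then holds with no allow-list check at all, which is the one fail-open path in an otherwise fail-closed rule set. Add a type guard alongside the existing `is_string`/`is_number` guards, `is_array(input.context.principals)` as the first line of `has_principals`, so a mis-typed request is denied with `missing_principal`. The same guard on `input.resource.attributes.allowed_principals` inside `allowed_principal` keeps the membership test honest if the registry attribute is ever mis-typed. The `rego test` block exercises only the allow, TTL and fingerprint paths; the `actor_type_mismatch` and `disallowed_principal` reasons that the fixtures file expects deserve a test case each, since `first_denial` ordering is what produces them.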


@@ -0,0 +1,36 @@
id: ops-warden
name: Ops Warden
resource_types:
- name: ssh-certificate
scope_level: Resource
planes:
- Identity
- Secret
- Audit
metadata:
description: Short-lived SSH certificate signing request.
actions:
- name: sign
capabilities:
- Use
- Operate
- Audit
planes:
- Identity
- Secret
- Audit
exposure_modes:
- Metadata
metadata:
required_context:
- principals
- actor_type
- pubkey_fingerprint
- ttl_hours
caring_profiles:
- caring-0.4.0-rc2
metadata:
flex_auth_contract: protected-system-v0
ops_warden_policy_gate: v2
policy_enabled_config: policy.enabled
tenant: tenant:platform


@@ -0,0 +1,366 @@
{
"systems": [
{
"id": "ops-warden",
"name": "Ops Warden",
"resource_types": [
{
"name": "ssh-certificate",
"scope_level": "Resource",
"planes": [
"Identity",
"Secret",
"Audit"
],
"metadata": {
"description": "Short-lived SSH certificate signing request."
}
}
],
"actions": [
{
"name": "sign",
"capabilities": [
"Use",
"Operate",
"Audit"
],
"planes": [
"Identity",
"Secret",
"Audit"
],
"exposure_modes": [
"Metadata"
],
"metadata": {
"required_context": [
"principals",
"actor_type",
"pubkey_fingerprint",
"ttl_hours"
]
}
}
],
"caring_profiles": [
"caring-0.4.0-rc2"
],
"metadata": {
"flex_auth_contract": "protected-system-v0",
"ops_warden_policy_gate": "v2",
"policy_enabled_config": "policy.enabled",
"tenant": "tenant:platform"
}
}
],
"resource_manifests": [
{
"id": "ops-warden-ssh-certificates",
"system": "ops-warden",
"resources": [
{
"id": "ssh-cert:actor/platform-steward",
"type": "ssh-certificate",
"labels": [
"ssh-signing",
"adm"
],
"trust_zone": "platform",
"owner": "team:platform-security",
"attributes": {
"actor_id": "platform-steward",
"actor_type": "adm",
"allowed_subjects": [
"platform-steward",
"iam:platform-steward"
],
"allowed_principals": [
"platform",
"root"
],
"max_ttl_hours": 8
}
},
{
"id": "ssh-cert:actor/ci-deploy-agent",
"type": "ssh-certificate",
"labels": [
"ssh-signing",
"agt"
],
"trust_zone": "platform",
"owner": "team:platform-security",
"attributes": {
"actor_id": "ci-deploy-agent",
"actor_type": "agt",
"allowed_subjects": [
"ci-deploy-agent",
"iam:ci-deploy-agent"
],
"allowed_principals": [
"deploy",
"git"
],
"max_ttl_hours": 2
}
},
{
"id": "ssh-cert:actor/backup-automation",
"type": "ssh-certificate",
"labels": [
"ssh-signing",
"atm"
],
"trust_zone": "platform",
"owner": "team:platform-security",
"attributes": {
"actor_id": "backup-automation",
"actor_type": "atm",
"allowed_subjects": [
"backup-automation",
"iam:backup-automation"
],
"allowed_principals": [
"backup"
],
"max_ttl_hours": 1
}
}
],
"actions": [
"sign"
],
"caring_profile": "caring-0.4.0-rc2",
"metadata": {
"flex_auth_contract": "resource-registration-v0",
"tenant": "tenant:platform"
}
}
],
"tenants": [
{
"id": "tenant:platform",
"name": "Platform Tenant"
}
],
"subjects": [
{
"id": "platform-steward",
"type": "Agent",
"display_name": "Platform Steward",
"organization_relation": "ServiceProvider",
"roles": [
"Operator"
],
"groups": [
"group:ops-warden-admins"
],
"tenant": "tenant:platform",
"metadata": {
"actor_type": "adm"
}
},
{
"id": "ci-deploy-agent",
"type": "Agent",
"display_name": "CI Deploy Agent",
"organization_relation": "ServiceProvider",
"roles": [
"Operator"
],
"groups": [
"group:ops-warden-agents"
],
"tenant": "tenant:platform",
"metadata": {
"actor_type": "agt"
}
},
{
"id": "backup-automation",
"type": "Automation",
"display_name": "Backup Automation",
"organization_relation": "ServiceProvider",
"roles": [
"Operator"
],
"groups": [
"group:ops-warden-automations"
],
"tenant": "tenant:platform",
"metadata": {
"actor_type": "atm"
}
}
],
"groups": [
{
"id": "group:ops-warden-admins",
"display_name": "Ops Warden Admin Actors",
"members": [
"platform-steward"
],
"tenant": "tenant:platform"
},
{
"id": "group:ops-warden-agents",
"display_name": "Ops Warden Agent Actors",
"members": [
"ci-deploy-agent"
],
"tenant": "tenant:platform"
},
{
"id": "group:ops-warden-automations",
"display_name": "Ops Warden Automation Actors",
"members": [
"backup-automation"
],
"tenant": "tenant:platform"
}
],
"relationships": [
{
"id": "rel:platform-steward-sign-platform-steward",
"system": "ops-warden",
"subject": "group:ops-warden-admins",
"relation": "signer",
"object": "ssh-cert:actor/platform-steward",
"tenant": "tenant:platform",
"conditions": [
"TimeLimited",
"Logged"
],
"caring": {
"id": "descriptor:ops-warden-adm-signer",
"profile": "caring-0.4.0-rc2",
"subject_type": "Group",
"organization_relation": "ServiceProvider",
"canonical_role": "Operator",
"scope": {
"level": "Resource",
"id": "ssh-cert:actor/platform-steward",
"tenant": "tenant:platform",
"resource": "ssh-cert:actor/platform-steward"
},
"planes": [
"Identity",
"Secret",
"Audit"
],
"capabilities": [
"Use",
"Operate",
"Audit"
],
"exposure_modes": [
"Metadata"
],
"conditions": [
"TimeLimited",
"Logged"
],
"restrictions": [
"PrivilegeEscalationBlocked",
"SecretAccessBlocked"
],
"access_path": "mediated"
}
},
{
"id": "rel:ci-deploy-agent-sign-ci-deploy-agent",
"system": "ops-warden",
"subject": "group:ops-warden-agents",
"relation": "signer",
"object": "ssh-cert:actor/ci-deploy-agent",
"tenant": "tenant:platform",
"conditions": [
"TimeLimited",
"Logged"
],
"caring": {
"id": "descriptor:ops-warden-agt-signer",
"profile": "caring-0.4.0-rc2",
"subject_type": "Group",
"organization_relation": "ServiceProvider",
"canonical_role": "Operator",
"scope": {
"level": "Resource",
"id": "ssh-cert:actor/ci-deploy-agent",
"tenant": "tenant:platform",
"resource": "ssh-cert:actor/ci-deploy-agent"
},
"planes": [
"Identity",
"Secret",
"Audit"
],
"capabilities": [
"Use",
"Operate",
"Audit"
],
"exposure_modes": [
"Metadata"
],
"conditions": [
"TimeLimited",
"Logged"
],
"restrictions": [
"PrivilegeEscalationBlocked",
"SecretAccessBlocked"
],
"access_path": "mediated"
}
},
{
"id": "rel:backup-automation-sign-backup-automation",
"system": "ops-warden",
"subject": "group:ops-warden-automations",
"relation": "signer",
"object": "ssh-cert:actor/backup-automation",
"tenant": "tenant:platform",
"conditions": [
"TimeLimited",
"Logged"
],
"caring": {
"id": "descriptor:ops-warden-atm-signer",
"profile": "caring-0.4.0-rc2",
"subject_type": "Group",
"organization_relation": "ServiceProvider",
"canonical_role": "Operator",
"scope": {
"level": "Resource",
"id": "ssh-cert:actor/backup-automation",
"tenant": "tenant:platform",
"resource": "ssh-cert:actor/backup-automation"
},
"planes": [
"Identity",
"Secret",
"Audit"
],
"capabilities": [
"Use",
"Operate",
"Audit"
],
"exposure_modes": [
"Metadata"
],
"conditions": [
"TimeLimited",
"Logged"
],
"restrictions": [
"PrivilegeEscalationBlocked",
"SecretAccessBlocked"
],
"access_path": "mediated"
}
}
]
}
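Review bot: Each subject in this snapshot stores its actor type under `metadata.actor_type`, but the policy package's second `subject_type_matches_context` body reads `input.subject.attributes.actor_type`. Unless the check service copies registry subject metadata into `subject.attributes` before evaluation (not visible in this commit), that body never matches and the actor-type check reduces to comparing two caller-supplied fields, `subject.type` and `context.actor_type`, so it only detects internally inconsistent requests rather than binding the request to inventory. Either move the value to `"attributes": {"actor_type": "adm"}` on the subject entries, or record in the snapshot's `metadata` which mapping the service applies. The same field placement appears in the `subject_manifest.yaml` section below.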


@@ -0,0 +1,59 @@
id: ops-warden-ssh-certificates
system: ops-warden
resources:
- id: ssh-cert:actor/platform-steward
type: ssh-certificate
labels:
- ssh-signing
- adm
trust_zone: platform
owner: team:platform-security
attributes:
actor_id: platform-steward
actor_type: adm
allowed_subjects:
- platform-steward
- iam:platform-steward
allowed_principals:
- platform
- root
max_ttl_hours: 8
- id: ssh-cert:actor/ci-deploy-agent
type: ssh-certificate
labels:
- ssh-signing
- agt
trust_zone: platform
owner: team:platform-security
attributes:
actor_id: ci-deploy-agent
actor_type: agt
allowed_subjects:
- ci-deploy-agent
- iam:ci-deploy-agent
allowed_principals:
- deploy
- git
max_ttl_hours: 2
- id: ssh-cert:actor/backup-automation
type: ssh-certificate
labels:
- ssh-signing
- atm
trust_zone: platform
owner: team:platform-security
attributes:
actor_id: backup-automation
actor_type: atm
allowed_subjects:
- backup-automation
- iam:backup-automation
allowed_principals:
- backup
max_ttl_hours: 1
actions:
- sign
caring_profile: caring-0.4.0-rc2
metadata:
flex_auth_contract: resource-registration-v0
tenant: tenant:platform
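Review bot: The `ssh-cert:actor/platform-steward` resource lists `root` among `allowed_principals`, while every signer relationship in the registry snapshot carries the `PrivilegeEscalationBlocked` restriction and the package sets `caring.enforce: false`, so nothing visible here reconciles the two. If the restriction is intended to be metadata-only for now, a comment on that entry, `# example only: root principal is here to exercise the adm allow fixture`, would stop the manifest being copied into a real deployment as-is; if it is meant to bind, the policy needs a rule that consults it. The max_ttl_hours values (8, 2, 1) are sensible for short-lived certificates and the policy does enforce them.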


@@ -0,0 +1,54 @@
id: subjects:ops-warden-platform
tenants:
- id: tenant:platform
name: Platform Tenant
subjects:
- id: platform-steward
type: Agent
display_name: Platform Steward
organization_relation: ServiceProvider
roles:
- Operator
groups:
- group:ops-warden-admins
tenant: tenant:platform
metadata:
actor_type: adm
- id: ci-deploy-agent
type: Agent
display_name: CI Deploy Agent
organization_relation: ServiceProvider
roles:
- Operator
groups:
- group:ops-warden-agents
tenant: tenant:platform
metadata:
actor_type: agt
- id: backup-automation
type: Automation
display_name: Backup Automation
organization_relation: ServiceProvider
roles:
- Operator
groups:
- group:ops-warden-automations
tenant: tenant:platform
metadata:
actor_type: atm
groups:
- id: group:ops-warden-admins
display_name: Ops Warden Admin Actors
members:
- platform-steward
tenant: tenant:platform
- id: group:ops-warden-agents
display_name: Ops Warden Agent Actors
members:
- ci-deploy-agent
tenant: tenant:platform
- id: group:ops-warden-automations
display_name: Ops Warden Automation Actors
members:
- backup-automation
tenant: tenant:platform