generated from coulomb/repo-seed
FLEX-WP-0006: implement ops-warden signing gate policy
337
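--- a/examples/ops-warden/policy_fixtures.yaml
+++ b/examples/ops-warden/policy_fixtures.yaml
@@ -0,0 +1,337 @@
+[
+{
+"id": "fixture:ops-warden-adm-sign-allow",
+"request": {
+"id": "check:ops-warden-platform-steward-adm",
+"tenant": "tenant:platform",
+"subject": {
+"id": "platform-steward",
+"type": "adm"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/platform-steward",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "platform-steward",
+"actor_type": "adm",
+"allowed_subjects": [
+"platform-steward",
+"iam:platform-steward"
+],
+"allowed_principals": [
+"platform",
+"root"
+],
+"max_ttl_hours": 8
+}
+},
+"context": {
+"principals": [
+"platform",
+"root"
+],
+"actor_type": "adm",
+"ttl_hours": 4,
+"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
+}
+},
+"expect": {
+"effect": "allow",
+"reason": "signing_policy_matched"
+}
+},
+{
+"id": "fixture:ops-warden-agt-sign-allow",
+"request": {
+"id": "check:ops-warden-ci-deploy-agent-agt",
+"tenant": "tenant:platform",
+"subject": {
+"id": "ci-deploy-agent",
+"type": "agt"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/ci-deploy-agent",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "ci-deploy-agent",
+"actor_type": "agt",
+"allowed_subjects": [
+"ci-deploy-agent",
+"iam:ci-deploy-agent"
+],
+"allowed_principals": [
+"deploy",
+"git"
+],
+"max_ttl_hours": 2
+}
+},
+"context": {
+"principals": [
+"deploy"
+],
+"actor_type": "agt",
+"ttl_hours": 1,
+"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
+}
+},
+"expect": {
+"effect": "allow",
+"reason": "signing_policy_matched"
+}
+},
+{
+"id": "fixture:ops-warden-atm-sign-allow",
+"request": {
+"id": "check:ops-warden-backup-automation-atm",
+"tenant": "tenant:platform",
+"subject": {
+"id": "backup-automation",
+"type": "atm"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/backup-automation",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "backup-automation",
+"actor_type": "atm",
+"allowed_subjects": [
+"backup-automation",
+"iam:backup-automation"
+],
+"allowed_principals": [
+"backup"
+],
+"max_ttl_hours": 1
+}
+},
+"context": {
+"principals": [
+"backup"
+],
+"actor_type": "atm",
+"ttl_hours": 1,
+"pubkey_fingerprint": "SHA256:example-atm-fingerprint"
+}
+},
+"expect": {
+"effect": "allow",
+"reason": "signing_policy_matched"
+}
+},
+{
+"id": "fixture:ops-warden-unknown-subject-deny",
+"request": {
+"id": "check:ops-warden-platform-steward-adm",
+"tenant": "tenant:platform",
+"subject": {
+"id": "unknown-actor",
+"type": "adm"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/platform-steward",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "platform-steward",
+"actor_type": "adm",
+"allowed_subjects": [
+"platform-steward",
+"iam:platform-steward"
+],
+"allowed_principals": [
+"platform",
+"root"
+],
+"max_ttl_hours": 8
+}
+},
+"context": {
+"principals": [
+"platform"
+],
+"actor_type": "adm",
+"ttl_hours": 4,
+"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
+}
+},
+"expect": {
+"effect": "deny",
+"reason": "unknown_subject"
+}
+},
+{
+"id": "fixture:ops-warden-actor-type-mismatch-deny",
+"request": {
+"id": "check:ops-warden-ci-deploy-agent-agt",
+"tenant": "tenant:platform",
+"subject": {
+"id": "ci-deploy-agent",
+"type": "adm"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/ci-deploy-agent",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "ci-deploy-agent",
+"actor_type": "agt",
+"allowed_subjects": [
+"ci-deploy-agent",
+"iam:ci-deploy-agent"
+],
+"allowed_principals": [
+"deploy",
+"git"
+],
+"max_ttl_hours": 2
+}
+},
+"context": {
+"principals": [
+"deploy"
+],
+"actor_type": "agt",
+"ttl_hours": 1,
+"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
+}
+},
+"expect": {
+"effect": "deny",
+"reason": "actor_type_mismatch"
+}
+},
+{
+"id": "fixture:ops-warden-ttl-above-max-deny",
+"request": {
+"id": "check:ops-warden-platform-steward-adm",
+"tenant": "tenant:platform",
+"subject": {
+"id": "platform-steward",
+"type": "adm"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/platform-steward",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "platform-steward",
+"actor_type": "adm",
+"allowed_subjects": [
+"platform-steward",
+"iam:platform-steward"
+],
+"allowed_principals": [
+"platform",
+"root"
+],
+"max_ttl_hours": 8
+}
+},
+"context": {
+"principals": [
+"platform"
+],
+"actor_type": "adm",
+"ttl_hours": 12,
+"pubkey_fingerprint": "SHA256:example-adm-fingerprint"
+}
+},
+"expect": {
+"effect": "deny",
+"reason": "ttl_out_of_bounds"
+}
+},
+{
+"id": "fixture:ops-warden-disallowed-principal-deny",
+"request": {
+"id": "check:ops-warden-ci-deploy-agent-agt",
+"tenant": "tenant:platform",
+"subject": {
+"id": "ci-deploy-agent",
+"type": "agt"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/ci-deploy-agent",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "ci-deploy-agent",
+"actor_type": "agt",
+"allowed_subjects": [
+"ci-deploy-agent",
+"iam:ci-deploy-agent"
+],
+"allowed_principals": [
+"deploy",
+"git"
+],
+"max_ttl_hours": 2
+}
+},
+"context": {
+"principals": [
+"root"
+],
+"actor_type": "agt",
+"ttl_hours": 1,
+"pubkey_fingerprint": "SHA256:example-agt-fingerprint"
+}
+},
+"expect": {
+"effect": "deny",
+"reason": "disallowed_principal"
+}
+},
+{
+"id": "fixture:ops-warden-missing-fingerprint-deny",
+"request": {
+"id": "check:ops-warden-platform-steward-adm",
+"tenant": "tenant:platform",
+"subject": {
+"id": "platform-steward",
+"type": "adm"
+},
+"action": "sign",
+"resource": {
+"id": "ssh-cert:actor/platform-steward",
+"type": "ssh-certificate",
+"system": "ops-warden",
+"attributes": {
+"actor_id": "platform-steward",
+"actor_type": "adm",
+"allowed_subjects": [
+"platform-steward",
+"iam:platform-steward"
+],
+"allowed_principals": [
+"platform",
+"root"
+],
+"max_ttl_hours": 8
+}
+},
+"context": {
+"principals": [
+"platform"
+],
+"actor_type": "adm",
+"ttl_hours": 4
+}
+},
+"expect": {
+"effect": "deny",
+"reason": "missing_pubkey_fingerprint"
+}
+}
+]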
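Review bot: The disallowed-principal fixture (`fixture:ops-warden-disallowed-principal-deny`) requests only `"principals": ["root"]`, so every requested principal is outside the allowlist; a gate that allows whenever *any* requested principal is permitted would pass all eight fixtures while still signing a certificate that carries `root` alongside `deploy`. Add a partial-overlap fixture identical to the agt-allow case but with `"principals": ["deploy", "root"]` and `"expect": {"effect": "deny", "reason": "disallowed_principal"}` so the all-principals-must-be-allowed semantics is pinned. The reason string `ttl_out_of_bounds` suggests a lower bound too, yet only the above-max side (`"ttl_hours": 12` against `"max_ttl_hours": 8`) is covered; a fixture with `"ttl_hours": 0` expecting the same deny reason would close that gap. In the actor-type-mismatch fixture both `context.actor_type` and `attributes.actor_type` are `"agt"` while only `subject.type` is `"adm"`, so the fixture cannot tell which field the gate compares against; a second variant where only `context.actor_type` disagrees would make the intended check explicit. The file is named `.yaml` but its body is pure JSON flow syntax, which YAML parsers accept but which is worth stating in a one-line header comment (`# JSON-style fixtures; consumed by the ops-warden policy test runner`) for the next maintainer.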