[ { "id": "fixture:ops-warden-adm-sign-allow", "request": { "id": "check:ops-warden-platform-steward-adm", "tenant": "tenant:platform", "subject": { "id": "platform-steward", "type": "adm" }, "action": "sign", "resource": { "id": "ssh-cert:actor/platform-steward", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "platform-steward", "actor_type": "adm", "allowed_subjects": [ "platform-steward", "iam:platform-steward" ], "allowed_principals": [ "platform", "root" ], "max_ttl_hours": 8 } }, "context": { "principals": [ "platform", "root" ], "actor_type": "adm", "ttl_hours": 4, "pubkey_fingerprint": "SHA256:example-adm-fingerprint" } }, "expect": { "effect": "allow", "reason": "signing_policy_matched" } }, { "id": "fixture:ops-warden-agt-sign-allow", "request": { "id": "check:ops-warden-ci-deploy-agent-agt", "tenant": "tenant:platform", "subject": { "id": "ci-deploy-agent", "type": "agt" }, "action": "sign", "resource": { "id": "ssh-cert:actor/ci-deploy-agent", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "ci-deploy-agent", "actor_type": "agt", "allowed_subjects": [ "ci-deploy-agent", "iam:ci-deploy-agent" ], "allowed_principals": [ "deploy", "git" ], "max_ttl_hours": 2 } }, "context": { "principals": [ "deploy" ], "actor_type": "agt", "ttl_hours": 1, "pubkey_fingerprint": "SHA256:example-agt-fingerprint" } }, "expect": { "effect": "allow", "reason": "signing_policy_matched" } }, { "id": "fixture:ops-warden-atm-sign-allow", "request": { "id": "check:ops-warden-backup-automation-atm", "tenant": "tenant:platform", "subject": { "id": "backup-automation", "type": "atm" }, "action": "sign", "resource": { "id": "ssh-cert:actor/backup-automation", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "backup-automation", "actor_type": "atm", "allowed_subjects": [ "backup-automation", "iam:backup-automation" ], "allowed_principals": [ "backup" ], "max_ttl_hours": 1 } }, "context": { "principals": [ "backup" ], "actor_type": "atm", "ttl_hours": 1, "pubkey_fingerprint": "SHA256:example-atm-fingerprint" } }, "expect": { "effect": "allow", "reason": "signing_policy_matched" } }, { "id": "fixture:ops-warden-unknown-subject-deny", "request": { "id": "check:ops-warden-platform-steward-adm", "tenant": "tenant:platform", "subject": { "id": "unknown-actor", "type": "adm" }, "action": "sign", "resource": { "id": "ssh-cert:actor/platform-steward", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "platform-steward", "actor_type": "adm", "allowed_subjects": [ "platform-steward", "iam:platform-steward" ], "allowed_principals": [ "platform", "root" ], "max_ttl_hours": 8 } }, "context": { "principals": [ "platform" ], "actor_type": "adm", "ttl_hours": 4, "pubkey_fingerprint": "SHA256:example-adm-fingerprint" } }, "expect": { "effect": "deny", "reason": "unknown_subject" } }, { "id": "fixture:ops-warden-actor-type-mismatch-deny", "request": { "id": "check:ops-warden-ci-deploy-agent-agt", "tenant": "tenant:platform", "subject": { "id": "ci-deploy-agent", "type": "adm" }, "action": "sign", "resource": { "id": "ssh-cert:actor/ci-deploy-agent", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "ci-deploy-agent", "actor_type": "agt", "allowed_subjects": [ "ci-deploy-agent", "iam:ci-deploy-agent" ], "allowed_principals": [ "deploy", "git" ], "max_ttl_hours": 2 } }, "context": { "principals": [ "deploy" ], "actor_type": "agt", "ttl_hours": 1, "pubkey_fingerprint": "SHA256:example-agt-fingerprint" } }, "expect": { "effect": "deny", "reason": "actor_type_mismatch" } }, { "id": "fixture:ops-warden-ttl-above-max-deny", "request": { "id": "check:ops-warden-platform-steward-adm", "tenant": "tenant:platform", "subject": { "id": "platform-steward", "type": "adm" }, "action": "sign", "resource": { "id": "ssh-cert:actor/platform-steward", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "platform-steward", "actor_type": "adm", "allowed_subjects": [ "platform-steward", "iam:platform-steward" ], "allowed_principals": [ "platform", "root" ], "max_ttl_hours": 8 } }, "context": { "principals": [ "platform" ], "actor_type": "adm", "ttl_hours": 12, "pubkey_fingerprint": "SHA256:example-adm-fingerprint" } }, "expect": { "effect": "deny", "reason": "ttl_out_of_bounds" } }, { "id": "fixture:ops-warden-disallowed-principal-deny", "request": { "id": "check:ops-warden-ci-deploy-agent-agt", "tenant": "tenant:platform", "subject": { "id": "ci-deploy-agent", "type": "agt" }, "action": "sign", "resource": { "id": "ssh-cert:actor/ci-deploy-agent", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "ci-deploy-agent", "actor_type": "agt", "allowed_subjects": [ "ci-deploy-agent", "iam:ci-deploy-agent" ], "allowed_principals": [ "deploy", "git" ], "max_ttl_hours": 2 } }, "context": { "principals": [ "root" ], "actor_type": "agt", "ttl_hours": 1, "pubkey_fingerprint": "SHA256:example-agt-fingerprint" } }, "expect": { "effect": "deny", "reason": "disallowed_principal" } }, { "id": "fixture:ops-warden-missing-fingerprint-deny", "request": { "id": "check:ops-warden-platform-steward-adm", "tenant": "tenant:platform", "subject": { "id": "platform-steward", "type": "adm" }, "action": "sign", "resource": { "id": "ssh-cert:actor/platform-steward", "type": "ssh-certificate", "system": "ops-warden", "attributes": { "actor_id": "platform-steward", "actor_type": "adm", "allowed_subjects": [ "platform-steward", "iam:platform-steward" ], "allowed_principals": [ "platform", "root" ], "max_ttl_hours": 8 } }, "context": { "principals": [ "platform" ], "actor_type": "adm", "ttl_hours": 4 } }, "expect": { "effect": "deny", "reason": "missing_pubkey_fingerprint" } } ]