generated from coulomb/repo-seed
35 lines
1.7 KiB
Markdown
35 lines
1.7 KiB
Markdown
# Ops-Warden SSH Signing Policy Gate
|
|
|
|
This example is the flex-auth side of ops-warden's opt-in pre-sign gate.
|
|
When `policy.enabled: true`, ops-warden calls `POST /v1/check` before signing
|
|
or issuing an SSH certificate.
|
|
|
|
Files:
|
|
|
|
- `protected_system_manifest.yaml` declares the `ops-warden` protected system,
|
|
`ssh-certificate` resource type, and `sign` action.
|
|
- `resource_manifest.yaml` declares fixture SSH certificate actor resources and
|
|
non-secret policy attributes such as allowed principals and TTL maxima.
|
|
- `subject_manifest.yaml` declares non-secret fixture actors for `adm`, `agt`,
|
|
and `atm` signing paths.
|
|
- `registry_snapshot.json` is the combined local registry used by the CLI and
|
|
service examples.
|
|
- `policy_package.md` is the Rego-in-Markdown policy package.
|
|
- `policy_fixtures.yaml` contains allow and deny expectations for package
|
|
validation.
|
|
- `check_request_*.json` files are ops-warden-shaped `/v1/check` requests.
|
|
|
|
Run locally:
|
|
|
|
```bash
|
|
flex-auth validate --kind protected-system --file examples/ops-warden/protected_system_manifest.yaml
|
|
flex-auth validate --kind resource-manifest --file examples/ops-warden/resource_manifest.yaml
|
|
flex-auth validate --kind subject-manifest --file examples/ops-warden/subject_manifest.yaml
|
|
flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
|
|
flex-auth test-policy --file examples/ops-warden/policy_package.md
|
|
flex-auth check --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --request examples/ops-warden/check_request_allow_adm.json
|
|
```
|
|
|
|
The fixture public-key fingerprints are examples only. Do not put real keys,
|
|
OpenBao tokens, or private signing material in these files.
|