feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add a policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. The default (off) preserves the existing inventory-only behavior. Document the production OpenBao health probe and update config/wiki references.
@@ -12,6 +12,7 @@ from rich.table import Table
from warden.ca import CAError, LocalCA, parse_cert_metadata
from warden.config import ConfigError, WardenConfig, load_config
from warden.policy import check_sign_policy
from warden.inventory import ActorEntry, InventoryError, PrincipalsInventory, load_inventory, save_inventory
from warden.models import ActorType, CertSpec, DEFAULT_TTL_HOURS, validate_actor_name
from warden.scorecard import run_scorecard
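Review bot: The new `from warden.policy import check_sign_policy` line is inserted between `warden.config` and `warden.inventory`, which breaks the alphabetical order the neighbouring `warden.*` imports otherwise keep (ca, config, inventory, models, scorecard). Moving it below `from warden.models import ...` keeps the group sorted and avoids a later churn diff from an import sorter.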
@@ -54,6 +55,13 @@ def _get_ca(cfg: WardenConfig):
return LocalCA(cfg.ca_key, cfg.state_dir)
def _apply_policy_gate(cfg: WardenConfig, spec: CertSpec) -> None:
"""Run flex-auth check when policy.enabled; sets spec.policy_decision_id."""
decision_id = check_sign_policy(cfg.policy, spec)
if decision_id:
spec.policy_decision_id = decision_id
# ---------------------------------------------------------------------------
# warden sign
# ---------------------------------------------------------------------------
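Review bot: The docstring of `_apply_policy_gate` leaves the deny and failure behaviour unstated, and the body treats a falsy decision id as "no decision" and returns normally, so signing proceeds unless check_sign_policy itself raises; whether it raises on deny or when flex-auth is unreachable is decided in warden/policy.py, which is outside this diff. Because the gate's fail-closed property rests entirely on that contract, spell it out here, e.g. `"""Run the flex-auth check when policy.enabled and stamp the decision id on spec.` / `Fail-closed only because check_sign_policy raises on deny or on an unreachable policy service; a falsy return means the gate is off and signing proceeds without a decision id."""`. A unit test asserting that a denial does not reach ca.sign would keep a later change to policy.py from silently turning the gate fail-open.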
@@ -91,6 +99,7 @@ def sign(
ca = _get_ca(cfg)
try:
_apply_policy_gate(cfg, spec)
record = ca.sign(spec)
except CAError as e:
err.print(f"[red]Signing failed:[/red] {e}")
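Review bot: `_apply_policy_gate(cfg, spec)` is placed inside a try whose only handler is `except CAError`, so a policy denial or an unreachable flex-auth is reported with the `Signing failed` message only if check_sign_policy raises CAError or a subclass of it; any other exception type escapes the command as a raw traceback. The same applies to the identical call added in the `issue` hunk below. Either derive the policy error from CAError in warden/policy.py, or widen the handler to the policy module's own error type, `except (CAError, <policy error type>) as e:` with the real name substituted. The body of `sign` starts and continues outside this hunk.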
@@ -142,6 +151,7 @@ def issue(
identity=actor_name,
)
try:
_apply_policy_gate(cfg, spec)
record = ca.sign(spec)
except CAError as e:
err.print(f"[red]Signing failed:[/red] {e}")