generated from coulomb/repo-seed
feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
This commit is contained in:
@@ -13,6 +13,16 @@ class ConfigError(Exception):
|
||||
"""Raised when config is invalid or missing."""
|
||||
|
||||
|
||||
@dataclass
|
||||
class PolicyConfig:
|
||||
enabled: bool = False
|
||||
flex_auth_url: str = "http://127.0.0.1:8080"
|
||||
fail_closed: bool = True
|
||||
tenant: str = "tenant:platform"
|
||||
subject_env: str = "WARDEN_POLICY_SUBJECT"
|
||||
system: str = "ops-warden"
|
||||
|
||||
|
||||
@dataclass
|
||||
class VaultConfig:
|
||||
addr: str
|
||||
@@ -32,6 +42,7 @@ class WardenConfig:
|
||||
state_dir: Path = field(
|
||||
default_factory=lambda: Path.home() / ".local" / "state" / "warden"
|
||||
)
|
||||
policy: PolicyConfig = field(default_factory=PolicyConfig)
|
||||
|
||||
|
||||
def _default_config_path() -> Path:
|
||||
@@ -105,10 +116,21 @@ def load_config(path: Optional[Path] = None) -> WardenConfig:
|
||||
)
|
||||
)
|
||||
|
||||
policy_raw = raw.get("policy") or {}
|
||||
policy_cfg = PolicyConfig(
|
||||
enabled=bool(policy_raw.get("enabled", False)),
|
||||
flex_auth_url=str(policy_raw.get("flex_auth_url", "http://127.0.0.1:8080")),
|
||||
fail_closed=bool(policy_raw.get("fail_closed", True)),
|
||||
tenant=str(policy_raw.get("tenant", "tenant:platform")),
|
||||
subject_env=str(policy_raw.get("subject_env", "WARDEN_POLICY_SUBJECT")),
|
||||
system=str(policy_raw.get("system", "ops-warden")),
|
||||
)
|
||||
|
||||
return WardenConfig(
|
||||
backend=backend,
|
||||
ca_key=ca_key,
|
||||
vault=vault_cfg,
|
||||
inventory_path=inventory_path,
|
||||
state_dir=state_dir,
|
||||
policy=policy_cfg,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user