Implement credential change request review flow
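--- /dev/null
+++ b/schemas/credential-change-request.schema.yaml
@@ -0,0 +1,93 @@
+schema_version: 1
+kind: credential-change-request-schema
+description: Non-secret schema contract for credential/security change requests.
+
+required_top_level:
+  - id
+  - kind
+  - schema_version
+  - request_type
+  - title
+  - status
+  - created
+  - updated
+  - requester
+  - target
+  - openbao
+  - access_frontdoor
+  - risk
+  - verification
+  - lifecycle
+
+allowed_statuses:
+  - draft
+  - proposed
+  - needs_changes
+  - approved
+  - denied
+  - apply_pending
+  - applied
+  - verified
+  - active
+  - deactivated
+  - rotated
+  - compromised
+  - superseded
+  - cancelled
+
+allowed_request_types:
+  - workload-kv-read
+
+secret_markers_rejected:
+  - AGE-SECRET-KEY-1
+  - "-----BEGIN PRIVATE KEY-----"
+  - "-----BEGIN OPENSSH PRIVATE KEY-----"
+  - OPENBAO_ROOT_TOKEN=
+  - VAULT_TOKEN=
+  - BAO_TOKEN=
+  - hvb.
+  - hvc.
+  - hvs.
+  - npm_
+  - ghp_
+  - sk-
+
+workload_kv_read:
+  required:
+    openbao:
+      - mount
+      - kv_path
+      - fields
+      - policy_name
+      - policy_file
+      - auth
+    openbao.auth:
+      - method
+      - mount
+      - role
+      - bound_claims
+      - bound_claims_confirmed
+      - policies
+    access_frontdoor:
+      - type
+      - catalog_id
+    verification:
+      - positive
+      - negative
+      - activation_conditions
+    lifecycle:
+      - deactivate
+      - rotate
+      - compromised
+
+guardrails:
+  apply_plan_requires_status:
+    - approved
+  active_requires_status:
+    - verified
+  disallowed_policy_names:
+    - root
+    - platform-admin
+  disallowed_path_fragments:
+    - "*"
+    - ".."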
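Review bot: The `required_top_level` list records a `requester` but no approver, so a request can reach `approved` and satisfy `guardrails.apply_plan_requires_status` at the end of the hunk without the schema ever capturing who approved it or requiring that person to differ from the requester. Since this file is the contract a validator enforces, separation of duties for a credential change should be expressible here, e.g. `- approval` under `required_top_level` and a guardrail such as `approval_reviewer_must_differ_from_requester: true` (both names are suggestions, not existing keys). `disallowed_path_fragments` also omits `+`, which Vault-style policy paths treat as a single-segment wildcard, so a `kv_path` containing it could widen the generated `policy_file` beyond the requested path; consider adding `- "+"` next to `"*"`. Finally, `secret_markers_rejected` is a prefix heuristic (`sk-` in particular will match ordinary text such as `desk-`), so the `description` should say it is a best-effort tripwire rather than a guarantee that no secret material is present.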