Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
// Cedar Policies for Secrets Management
// Defines authorization rules for secret access, rotation, and management
// Based on environment, workspace, domain, and secret type
//
// Reading guide: Cedar allows a request only when at least one `permit`
// matches and no `forbid` matches. A `permit` therefore only adds a way in;
// it never takes one away. Comments below of the form "X requires Y" describe
// the author's intent; they are binding only where a `forbid` states them.

// ============================================================================
// DEVELOPMENT ENVIRONMENT: Relaxed Access
// ============================================================================

// Developers can access their workspace secrets in development.
// Grants "access" and "read" on Secret resources whose workspace is under the
// "development" environment to members of the developers team. No MFA,
// expiry or tag condition is checked by this policy.
@id("dev-secret-access-developers")
permit (
  principal in Provisioning::Team::"developers",
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  // Only allow access to development workspace secrets
  resource.workspace in Provisioning::Environment::"development"
};

// Developers can create and update secrets in development (with MFA preferred).
// Grants "create" and "update" to the developers team on secrets whose
// workspace is under the "development" environment. "MFA preferred" is
// documentation only: this policy does not read context.mfa_verified, so the
// grant applies with or without MFA.
@id("dev-secret-create-developers")
permit (
  principal in Provisioning::Team::"developers",
  action in [Provisioning::Action::"create", Provisioning::Action::"update"],
  resource is Provisioning::Secret
) when {
  // Limit the grant to development workspace secrets
  resource.workspace in Provisioning::Environment::"development"
};

// Developers can rotate secrets in development.
// Grants "rotate" to the developers team on secrets whose workspace is under
// the "development" environment; no MFA or approval is required here, in
// contrast to the production rotation rules further down.
@id("dev-secret-rotate-developers")
permit (
  principal in Provisioning::Team::"developers",
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  // Limit the grant to development workspace secrets
  resource.workspace in Provisioning::Environment::"development"
};

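// ============================================================================
// PRODUCTION ENVIRONMENT: Strict Requirements
// ============================================================================
//
// A `permit` cannot impose a requirement: it only adds one more way to be
// allowed, and another `permit` (for example one that grants access to every
// workspace member) can allow the same request without the condition. Each
// "requires" rule in this section is therefore paired with a `forbid`, which
// is the part that actually makes the requirement binding.

// Production secret access requires MFA verification.
// This permit grants "access" on unexpired production secrets to any
// principal whose request carries a verified MFA flag. On its own it does
// not stop other permits from granting the same access without MFA; the
// forbid that follows does.
@id("prod-secret-access-mfa-required")
permit (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  // Enforce MFA for all production secret access
  context.mfa_verified == true &&
  // Secret must not be expired
  resource.is_expired == false &&
  // Check environment context
  resource.workspace in Provisioning::Environment::"production"
};

// Enforcement of the rule above: deny "access" to production secrets unless
// the request carries a verified MFA flag and the secret is not expired.
// The `has` guards matter: reading an attribute that is absent is an
// evaluation error in Cedar, and a policy that errors is skipped. Without
// the guards a request with no mfa_verified in its context would make this
// forbid disappear and fall through to the permits; with them the `unless`
// clause simply evaluates to false and the deny stands.
@id("prod-secret-access-mfa-enforced")
forbid (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true &&
  resource has is_expired && resource.is_expired == false
};
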
// Production list operations require authentication (no MFA needed).
// Grants "list" on production secrets with no principal constraint, so any
// principal that reaches the authorizer is allowed. Cedar itself does not
// authenticate; "authenticated" presumably refers to whatever establishes
// the principal before the request is evaluated — confirm against the
// caller.
@id("prod-secret-list-authenticated")
permit (
  principal,
  action == Provisioning::Action::"list",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
};

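// Production secret creation requires approval and MFA.
// This permit grants "create" on production secrets to any principal whose
// request carries a verified MFA flag and a non-empty approval id. The
// forbid below makes that requirement binding against every other permit
// that covers "create" (a role-wide grant, for instance).
@id("prod-secret-create-approval")
permit (
  principal,
  action == Provisioning::Action::"create",
  resource is Provisioning::Secret
) when {
  // Require MFA and approval for production secrets
  context.mfa_verified == true &&
  context.approval_id != "" &&
  resource.workspace in Provisioning::Environment::"production"
};

// Enforcement: deny "create" on production secrets unless MFA is verified
// and an approval id is present. The `has` guards keep a missing context
// attribute from becoming an evaluation error, which would skip this forbid
// and let the request fall through to the permits.
@id("prod-secret-create-approval-enforced")
forbid (
  principal,
  action == Provisioning::Action::"create",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};
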
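// Production secret updates require MFA.
// This permit grants "update" on production secrets to any principal whose
// request carries a verified MFA flag. The forbid below is what prevents a
// permit without an MFA condition from allowing the same update.
@id("prod-secret-update-mfa")
permit (
  principal,
  action == Provisioning::Action::"update",
  resource is Provisioning::Secret
) when {
  context.mfa_verified == true &&
  resource.workspace in Provisioning::Environment::"production"
};

// Enforcement: deny "update" on production secrets unless MFA is verified.
// `has` guards a missing context attribute so the forbid is not skipped on
// an evaluation error.
@id("prod-secret-update-mfa-enforced")
forbid (
  principal,
  action == Provisioning::Action::"update",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  context has mfa_verified && context.mfa_verified == true
};
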
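// Production secret deletion requires strong approval workflow.
// This permit grants "delete" on production secrets to the admin role when
// the request carries a verified MFA flag and a non-empty approval id. The
// forbid below makes the restriction binding: a permit with an unconstrained
// action, or a role-wide grant that checks MFA only, would otherwise allow
// deletion without the approval step.
@id("prod-secret-delete-restricted")
permit (
  principal in Provisioning::Role::"admin",
  action == Provisioning::Action::"delete",
  resource is Provisioning::Secret
) when {
  context.mfa_verified == true &&
  context.approval_id != "" &&
  resource.workspace in Provisioning::Environment::"production"
};

// Enforcement: deny "delete" on production secrets unless the caller is in
// the admin role and the request carries both a verified MFA flag and an
// approval id. `has` guards keep a missing context attribute from skipping
// this forbid through an evaluation error.
@id("prod-secret-delete-restricted-enforced")
forbid (
  principal,
  action == Provisioning::Action::"delete",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production"
} unless {
  principal in Provisioning::Role::"admin" &&
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};
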
// ============================================================================
// TTL CONSTRAINTS
// ============================================================================

// Prevent long-lived secrets in production.
// A forbid, so it overrides every permit: creating a production secret with a
// TTL above 168 hours is denied regardless of role, MFA or approval.
// NOTE(review): if ttl_hours is absent on the resource the comparison is an
// evaluation error and this forbid is skipped, i.e. a secret with no TTL is
// not caught here — confirm the schema makes ttl_hours required. Only
// "create" is covered; if "update" can change ttl_hours, the limit can be
// exceeded after creation.
@id("prod-secret-ttl-limit")
forbid (
  principal,
  action == Provisioning::Action::"create",
  resource is Provisioning::Secret
) when {
  // Maximum 7 days (168 hours) for production secrets
  resource.ttl_hours > 168 &&
  resource.workspace in Provisioning::Environment::"production"
};

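// ============================================================================
// DOMAIN-BASED ACCESS CONTROL
// ============================================================================

// Database administrators can access database secrets.
// Grants "access" and "rotate" to the database_admin role on secrets whose
// domain is one of the listed database engines, in any environment and any
// workspace.
//
// Membership is tested with `contains` rather than `in`: Cedar's `in` is
// entity-hierarchy membership and needs an entity on its left-hand side,
// whereas domain is a string (it is compared with == "ssh" elsewhere in this
// file). With a string operand `in` is a type error, the policy is skipped
// at evaluation, and this grant would never apply.
@id("database-access-dba")
permit (
  principal in Provisioning::Role::"database_admin",
  action in [Provisioning::Action::"access", Provisioning::Action::"rotate"],
  resource is Provisioning::Secret
) when {
  // Match database-related domains
  ["postgres", "mysql", "redis", "mongodb", "elasticsearch"].contains(resource.domain)
};
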
// Infrastructure team can access SSH secrets.
// Grants "access" and "rotate" to the infrastructure role on secrets whose
// domain is "ssh", in any environment and workspace. Note that the
// type-specific rules further down key on secret_type == "ssh", a different
// attribute from domain; whether the two always coincide is not visible here.
@id("ssh-access-infra")
permit (
  principal in Provisioning::Role::"infrastructure",
  action in [Provisioning::Action::"access", Provisioning::Action::"rotate"],
  resource is Provisioning::Secret
) when {
  resource.domain == "ssh"
};

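// API owners can access application secrets for their domain.
// Grants "access" and "rotate" to members of the app_developers team on
// secrets whose domain is one of the listed application domains, in any
// environment and workspace. The team check lives in the principal scope,
// where it belongs; the `when` clause is left for the domain test.
//
// `contains` is used instead of `in` because domain is a string (compared
// with == "ssh" elsewhere in this file) and Cedar's `in` only applies to
// entities; with a string operand the policy errors and is skipped, so the
// grant would silently never apply.
@id("app-secret-access-owner")
permit (
  principal in Provisioning::Team::"app_developers",
  action in [Provisioning::Action::"access", Provisioning::Action::"rotate"],
  resource is Provisioning::Secret
) when {
  // Application-facing domains owned by the app developers team
  ["web-api", "backend", "mobile-api", "integration-api"].contains(resource.domain)
};
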
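// ============================================================================
// TAG-BASED POLICIES
// ============================================================================

// Only security admins can access secrets tagged "critical".
// The permit grants every action on "critical"-tagged secrets to the
// security_admin role. By itself it cannot make access exclusive — a permit
// never restricts other permits — so the forbid below is what keeps other
// principals out.
@id("critical-secrets-admin-only")
permit (
  principal in Provisioning::Role::"security_admin",
  action,
  resource is Provisioning::Secret
) when {
  resource.tags.contains("critical")
};

// Enforcement: deny "access" and "read" on "critical"-tagged secrets to
// anyone outside the security_admin role. This overrides broader grants such
// as workspace-member or role-wide permits, including the admin role. The
// forbid is deliberately limited to the two value-revealing actions so that
// rotation and lifecycle operations on critical secrets remain governed by
// the other policies in this file.
@id("critical-secrets-non-admin-deny")
forbid (
  principal,
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource.tags.contains("critical")
} unless {
  principal in Provisioning::Role::"security_admin"
};
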
// Restrict "legacy" tagged secrets to specific team.
// Grants "access" and "read" on "legacy"-tagged secrets to the legacy_support
// team. NOTE(review): as a permit this only adds access for that team; it
// does not keep other principals away from legacy secrets — any other permit
// that matches them (workspace membership, a role grant) still applies. If
// "restrict" is meant literally, the restriction has to be a forbid with an
// `unless` clause for the team.
@id("legacy-secrets-restricted")
permit (
  principal in Provisioning::Team::"legacy_support",
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource.tags.contains("legacy")
};

// Deny access to "deprecated" secrets.
// A forbid, so it overrides every permit in this file: no principal may
// "access" a secret tagged "deprecated". NOTE(review): only the "access"
// action is covered; other policies here grant "read" and "list" as
// separate actions, and whether those reveal the secret value is not visible
// from this file — confirm, and widen the action list if they do.
@id("deprecated-secrets-deny")
forbid (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.tags.contains("deprecated")
};

// ============================================================================
// ROTATION POLICIES
// ============================================================================

// Auto-rotated secrets can be rotated by automation.
// Grants "rotate" to the automation team on any secret whose auto_rotate
// flag is true, in every environment; no MFA or approval is involved, which
// is what lets unattended rotation work.
@id("auto-rotate-permitted")
permit (
  principal in Provisioning::Team::"automation",
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  resource.auto_rotate == true
};

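// Manual rotation of production secrets requires approval.
// This permit grants "rotate" on production secrets that are not
// auto-rotated to any principal whose request carries an approval id and a
// verified MFA flag. The forbid below makes that binding: domain- and
// role-based permits elsewhere in this file also grant "rotate" without any
// approval or MFA condition and would otherwise bypass it.
@id("prod-rotate-approval")
permit (
  principal,
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  context.approval_id != "" &&
  context.mfa_verified == true &&
  resource.workspace in Provisioning::Environment::"production" &&
  resource.auto_rotate == false
};

// Enforcement: deny manual "rotate" on production secrets unless the request
// carries both an approval id and a verified MFA flag. A secret counts as
// manually rotated unless auto_rotate is present and true, so a secret with
// no auto_rotate attribute is treated as manual rather than slipping past
// the check through an evaluation error. Automation rotating auto_rotate
// secrets is unaffected.
@id("prod-rotate-approval-enforced")
forbid (
  principal,
  action == Provisioning::Action::"rotate",
  resource is Provisioning::Secret
) when {
  resource.workspace in Provisioning::Environment::"production" &&
  !(resource has auto_rotate && resource.auto_rotate == true)
} unless {
  context has approval_id && context.approval_id != "" &&
  context has mfa_verified && context.mfa_verified == true
};
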
// ============================================================================
// WORKSPACE ISOLATION
// ============================================================================

// Users cannot access secrets outside their workspace.
// This is enforced at the API level through query filtering.
// NOTE(review): the policy below is a permit, so it is not a second layer of
// isolation. It grants "access", "read" and "list" to every member of a
// secret's workspace in every environment and without any MFA, expiry or tag
// condition — i.e. it widens access. It does nothing against principals that
// are not workspace members: any other matching permit (domain, role, team)
// still allows them. Isolation as a Cedar rule would have to be a forbid
// with `unless { principal in resource.workspace }`, and that would need
// carve-outs for the cross-workspace admin and audit grants below.

// Only workspace members can access workspace secrets
@id("workspace-isolation-member")
permit (
  principal,
  action in [Provisioning::Action::"access", Provisioning::Action::"read", Provisioning::Action::"list"],
  resource is Provisioning::Secret
) when {
  // Principal must be a member of the workspace (entity-hierarchy membership)
  principal in resource.workspace
};

// ============================================================================
// ADMIN PRIVILEGES
// ============================================================================

// System administrators can perform any secret operation in any workspace.
// Grants every action on every Secret to the admin role when the request
// carries a verified MFA flag. Only MFA is checked here: no approval id,
// expiry, TTL or tag condition applies through this grant, so any such
// requirement that should bind admins too has to be stated as a forbid.
@id("admin-full-access")
permit (
  principal in Provisioning::Role::"admin",
  action,
  resource is Provisioning::Secret
) when {
  context.mfa_verified == true
};

// Security admins can access all secrets for audit and compliance.
// Grants "access", "read" and "list" on every Secret to the security_admin
// role with no further condition: no MFA, environment, expiry or tag check.
// The `when { true }` clause is a no-op kept for the explanatory comment.
@id("security-audit-access")
permit (
  principal in Provisioning::Role::"security_admin",
  action in [Provisioning::Action::"access", Provisioning::Action::"read", Provisioning::Action::"list"],
  resource is Provisioning::Secret
) when {
  true // Full access for audit purposes (logged in audit trail)
};

// ============================================================================
// TYPE-SPECIFIC RULES
// ============================================================================

// SSH key access requires MFA in production.
// Grants "access" on production secrets of secret_type "ssh" to any
// principal whose request carries a verified MFA flag. NOTE(review): as a
// permit this adds an MFA-gated way in; it does not by itself deny non-MFA
// access to SSH keys that another permit (workspace member, infrastructure
// role) allows. The requirement is only binding where a forbid states it.
@id("ssh-key-mfa-prod")
permit (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.secret_type == "ssh" &&
  context.mfa_verified == true &&
  resource.workspace in Provisioning::Environment::"production"
};

// Provider credential access requires strong authentication.
// Grants "access" on secrets of secret_type "provider" to any principal
// whose request carries a verified MFA flag, in every environment.
// NOTE(review): a permit cannot require anything — other permits without an
// MFA condition (workspace membership, the development-team grants) still
// allow "access" to provider credentials. If MFA is meant to be mandatory
// for this secret type everywhere, add a forbid on "access" for
// secret_type == "provider" with `unless { context has mfa_verified &&
// context.mfa_verified == true }`; note that this would also apply in the
// relaxed development environment, so confirm that is intended.
@id("provider-cred-mfa")
permit (
  principal,
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.secret_type == "provider" &&
  context.mfa_verified == true
};

// Database secret access requires database admin role.
// Grants "access" on secrets of secret_type "database" to the database_admin
// role, in every environment and workspace. NOTE(review): as a permit this
// does not make the role a requirement — principals matched by any other
// permit (workspace membership, a team grant) can still access database
// secrets. It also overlaps with the domain-based database grant above,
// which keys on domain rather than secret_type.
@id("database-cred-admin")
permit (
  principal in Provisioning::Role::"database_admin",
  action == Provisioning::Action::"access",
  resource is Provisioning::Secret
) when {
  resource.secret_type == "database"
};

// Application secrets require development team membership.
// Grants "access" and "read" on secrets of secret_type "application" to the
// app_developers team, in every environment and workspace, with no MFA or
// expiry condition. NOTE(review): this is a grant, not a requirement — other
// permits can still allow non-members to reach application secrets.
@id("app-secret-dev-team")
permit (
  principal in Provisioning::Team::"app_developers",
  action in [Provisioning::Action::"access", Provisioning::Action::"read"],
  resource is Provisioning::Secret
) when {
  resource.secret_type == "application"
};

// ============================================================================
// DEFAULT DENY (Most restrictive)
// ============================================================================
// Explicit deny as fallback (defense-in-depth)
// All access requires an explicit permit policy above