Jesús Pérez 1fe83246d6
feat: integrate enterprise security system into core libraries
Adds KMS, secrets management, config encryption, and auth plugins to enable
zero-trust security architecture across the provisioning platform.
2025-10-09 16:36:27 +01:00


# Break-Glass Emergency Access Commands
#
# Provides the CLI interface for the break-glass emergency access system.
# Every command talks to an orchestrator over HTTP (default http://localhost:8080);
# the identity fields these commands send are client-asserted, so the
# orchestrator is the only place where authentication and authorization can be
# enforced.
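# Request emergency access
#
# Builds a break-glass request and posts it to the orchestrator. The request
# still needs approvals (the orchestrator reports how many) before it can be
# turned into a session with `break-glass activate`. Returns the orchestrator's
# response record (request_id, status, expires_at, ...).
#
# Security notes for maintainers:
#   - The `requester` record is asserted by this client: `whoami` plus a
#     hard-coded placeholder e-mail (@example.com), team and role. The
#     orchestrator must establish the real principal from the authenticated
#     connection and must not grant anything based on these fields
#     — TODO confirm server behaviour.
#   - A permission given as a bare resource name (no `:action`) is sent with
#     action "admin", i.e. the widest scope. Callers should state the narrowest
#     action they need; the orchestrator is expected to enforce least privilege
#     — TODO confirm.
#   - The default orchestrator URL is plain HTTP; use an https:// URL for any
#     orchestrator that is not on this host.
export def "break-glass request" [
  reason: string                                    # Emergency reason (brief, non-empty)
  --justification: string                           # Detailed justification (required)
  --resources: list<string> = []                    # Target resources
  --permissions: list<string> = []                  # Requested permissions as "resource[:action]"
  --duration: duration = 4hr                        # Maximum session duration (must be positive)
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> record {
  # Fail closed on missing, empty or whitespace-only text: these fields are
  # what approvers decide on and what ends up in the audit trail.
  if ($reason | str trim | is-empty) {
    error make {msg: "Reason is required for break-glass requests"}
  }
  if ($justification | default "" | str trim | is-empty) {
    error make {msg: "Justification is required for break-glass requests"}
  }
  # A zero or negative duration would request a session that can never be
  # valid; reject it here instead of relying on the orchestrator's response.
  if $duration <= 0sec {
    error make {msg: $"Duration must be positive, got ($duration)"}
  }
  # Get current user info (client-asserted, see notes above)
  let requester = {
    id: (whoami)
    email: $"(whoami)@example.com"
    name: (whoami)
    teams: ["operations"]
    roles: ["Operator"]
  }
  # Convert "resource[:action]" strings to the structured form the API expects.
  # Anything after a second ":" is ignored; an empty entry is an error.
  let structured_permissions = $permissions | each {|p|
    let spec = ($p | str trim)
    if ($spec | is-empty) {
      error make {msg: "Permission entries must be non-empty resource[:action] strings"}
    }
    let parts = ($spec | split row ":")
    {
      resource: ($parts | get 0)
      action: ($parts | get 1? | default "admin")
      scope: null
    }
  }
  # Convert duration to (fractional) hours: both sides are nanoseconds.
  let duration_hours = ($duration | into int) / (1hr | into int)
  let payload = {
    requester: $requester
    reason: $reason
    justification: $justification
    target_resources: $resources
    requested_permissions: $structured_permissions
    duration_hours: $duration_hours
  }
  print $"🚨 Requesting emergency access..."
  print $" Reason: ($reason)"
  print $" Duration: ($duration)"
  print $" Resources: ($resources | str join ', ')"
  let response = (http post $"($orchestrator)/api/v1/break-glass/request" $payload)
  print $"✅ Request created: ($response.request_id)"
  print $" Status: ($response.status)"
  print $" Expires: ($response.expires_at)"
  print ""
  print $"⏳ Waiting for approval from 2+ approvers..."
  $response
}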
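# Approve emergency request
#
# Records this user's approval on a pending break-glass request and returns
# the orchestrator's response. The orchestrator decides when enough approvals
# have been collected; `approved` in the response reports that.
#
# Security notes for maintainers:
#   - `approver` (identity, team, role) and `ip_address` are asserted by this
#     client: the role is hard-coded to "SecurityOfficer" and the IP is the
#     literal 127.0.0.1. The orchestrator must take the approver's identity
#     from the authenticated connection and the IP from the socket, and must
#     not treat these fields as authoritative — TODO confirm server behaviour.
#   - Self-approval (requester == approver) can only be rejected by the
#     orchestrator; nothing here prevents it — TODO confirm.
#   - The default `--reason` "Approved" leaves no useful audit context;
#     approvers should pass a specific reason.
export def "break-glass approve" [
  request_id: string                                # Request ID to approve
  --reason: string = "Approved"                     # Approval reason
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> record {
  # An empty id would post to ".../requests//approve"; an id containing "/"
  # or "?" would select a different endpoint. Reject the former, percent-encode
  # the latter (UUID-like ids are unaffected by the encoding).
  if ($request_id | str trim | is-empty) {
    error make {msg: "request_id must not be empty"}
  }
  let id = ($request_id | url encode)
  # Get current user info (client-asserted, see notes above)
  let approver = {
    id: (whoami)
    email: $"(whoami)@example.com"
    name: (whoami)
    teams: ["security"]
    roles: ["SecurityOfficer"]
  }
  # Placeholder; the real source address is only known to the orchestrator.
  let ip_address = "127.0.0.1"
  let payload = {
    approver: $approver
    reason: $reason
    ip_address: $ip_address
  }
  print $"✅ Approving request ($request_id)..."
  let response = (http post $"($orchestrator)/api/v1/break-glass/requests/($id)/approve" $payload)
  if $response.approved {
    print $"✅ Request fully approved!"
    print $" All required approvals received"
    print $" Ready for activation"
  } else {
    print $"⏳ Approval recorded"
    print $" ($response.message)"
  }
  $response
}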
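# Deny emergency request
#
# Posts a denial for a pending break-glass request. The orchestrator's
# response body is discarded; `http post` raises on a non-success status
# unless --allow-errors is given, so a failed denial surfaces as an error
# rather than the success message — confirm for the nushell version in use.
#
# Security note: `denier` is client-asserted (whoami plus hard-coded
# placeholder e-mail, team and "SecurityOfficer" role). The orchestrator must
# attribute the denial to the authenticated caller — TODO confirm.
export def "break-glass deny" [
  request_id: string                                # Request ID to deny
  --reason: string = "Denied"                       # Denial reason
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> nothing {
  # Reject empty ids (malformed path) and percent-encode the rest so an id
  # containing "/" or "?" cannot change the endpoint.
  if ($request_id | str trim | is-empty) {
    error make {msg: "request_id must not be empty"}
  }
  let id = ($request_id | url encode)
  # Get current user info (client-asserted, see note above)
  let denier = {
    id: (whoami)
    email: $"(whoami)@example.com"
    name: (whoami)
    teams: ["security"]
    roles: ["SecurityOfficer"]
  }
  let payload = {
    denier: $denier
    reason: $reason
  }
  print $"❌ Denying request ($request_id)..."
  http post $"($orchestrator)/api/v1/break-glass/requests/($id)/deny" $payload | ignore
  print $"✅ Request denied"
}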
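# Activate approved session
#
# Turns an approved request into a live session and returns the token record
# from the orchestrator (session_id, expires_at, access_token, ...).
#
# Security notes:
#   - The full access token is printed to the terminal (for the suggested
#     `export` line), so it lands in scrollback and, if that line is typed by
#     hand, in shell history. Prefer consuming the returned record directly:
#     `$env.EMERGENCY_TOKEN = (break-glass activate <id> | get access_token)`.
#   - Over a plain http:// orchestrator URL the token travels in clear text;
#     a warning is printed when the URL is neither https:// nor local.
export def "break-glass activate" [
  request_id: string                                # Request ID to activate
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> record {
  # Reject empty ids (malformed path) and percent-encode the rest so an id
  # containing "/" or "?" cannot change the endpoint.
  if ($request_id | str trim | is-empty) {
    error make {msg: "request_id must not be empty"}
  }
  let id = ($request_id | url encode)
  # Warn (do not fail) when a bearer token is about to be fetched over
  # plaintext from a non-local host.
  let is_local = ($orchestrator =~ '^http://(localhost|127\.0\.0\.1|\[::1\])(:|/|$)')
  if not (($orchestrator | str starts-with "https://") or $is_local) {
    print $"⚠️ Orchestrator URL ($orchestrator) is not https:// — the emergency token will be sent in clear text"
  }
  print $"🔓 Activating emergency session for request ($request_id)..."
  let token = (http post $"($orchestrator)/api/v1/break-glass/requests/($id)/activate" {})
  print $"✅ Emergency session activated!"
  print $" Session ID: ($token.session_id)"
  print $" Expires: ($token.expires_at)"
  # Only a prefix is shown here; the full token is still echoed below.
  print $" Token: ($token.access_token | str substring 0..50)..."
  print ""
  print $"⚠️ This session is logged and monitored"
  print $"⚠️ All actions will be audited"
  print ""
  print $"Export token:"
  print $" export EMERGENCY_TOKEN=($token.access_token)"
  $token
}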
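# Revoke active session
#
# Asks the orchestrator to revoke a session. The response body is discarded.
#
# Security note: the payload carries only `reason` — no actor identity — so
# the orchestrator must attribute the revocation to the authenticated caller
# for the audit trail to name who revoked the session — TODO confirm.
export def "break-glass revoke" [
  session_id: string                                # Session ID to revoke
  --reason: string = "Manual revocation"            # Revocation reason
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> nothing {
  # Reject empty ids (malformed path) and percent-encode the rest so an id
  # containing "/" or "?" cannot change the endpoint.
  if ($session_id | str trim | is-empty) {
    error make {msg: "session_id must not be empty"}
  }
  let id = ($session_id | url encode)
  let payload = {
    reason: $reason
  }
  print $"🔒 Revoking session ($session_id)..."
  http post $"($orchestrator)/api/v1/break-glass/sessions/($id)/revoke" $payload | ignore
  print $"✅ Session revoked"
}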
# List pending requests
#
# Fetches break-glass requests from the orchestrator and returns a table with
# id, status, requester e-mail, reason and the created/expires timestamps.
# Only `--status pending` restricts the listing; any other value lists all
# requests. Prints "No requests found" and returns an empty list when there
# are none.
export def "break-glass list-requests" [
  --status: string = "pending"                      # Filter by status (pending, all)
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> table {
  print $"📋 Listing break-glass requests..."
  # The API takes a boolean; "pending" is the only value that sets it.
  let endpoint = $"($orchestrator)/api/v1/break-glass/requests?pending_only=($status == 'pending')"
  let found = (http get $endpoint)
  if not ($found | is-empty) {
    return ($found | select id status requester.email reason created_at expires_at)
  }
  print "No requests found"
  []
}
# List active sessions
#
# Fetches break-glass sessions from the orchestrator and returns a table with
# id, status, the requester's e-mail and the activated/expires timestamps.
# Prints "No sessions found" and returns an empty list when there are none.
#
# NOTE(review): `--active-only` is declared as a typed bool flag, so it is
# passed as `--active-only true`; newer nushell prefers a switch for this —
# left unchanged to keep the CLI interface stable.
export def "break-glass list-sessions" [
  --active-only: bool = false                       # Show only active sessions
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> table {
  print $"📋 Listing break-glass sessions..."
  let endpoint = $"($orchestrator)/api/v1/break-glass/sessions?active_only=($active_only)"
  let found = (http get $endpoint)
  if not ($found | is-empty) {
    return ($found | select id status request.requester.email activated_at expires_at)
  }
  print "No sessions found"
  []
}
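# Show session details
#
# Fetches one session from the orchestrator, prints a human-readable summary
# (requester, reason, approvals, activation/expiry, action count) and returns
# the raw session record.
export def "break-glass show" [
  session_id: string                                # Session ID to show
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> record {
  # Reject empty ids (malformed path) and percent-encode the rest so an id
  # containing "/" or "?" cannot change the endpoint.
  if ($session_id | str trim | is-empty) {
    error make {msg: "session_id must not be empty"}
  }
  let id = ($session_id | url encode)
  print $"🔍 Fetching session details for ($session_id)..."
  let session = (http get $"($orchestrator)/api/v1/break-glass/sessions/($id)")
  print ""
  print $"Session ID: ($session.id)"
  print $"Status: ($session.status)"
  print $"Requester: ($session.request.requester.email)"
  print $"Reason: ($session.request.reason)"
  print ""
  print "Approvals:"
  # `for` rather than `each`: the closure's result is not wanted, and as a
  # non-final pipeline in this block it would be an intermediate value.
  for approval in $session.approvals {
    print $" - ($approval.approver.email) at ($approval.approved_at)"
  }
  print ""
  print $"Activated: ($session.activated_at)"
  print $"Expires: ($session.expires_at)"
  print ""
  print $"Actions performed: ($session.actions | length)"
  $session
}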
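# Query break-glass audit logs
#
# Fetches audit events from the orchestrator, optionally bounded by a date
# window and/or restricted to one session, and returns a table of the key
# columns (event_id, event_type, session_id, user e-mail, timestamp).
#
# --from/--to are sent at day granularity as YYYY-MM-DD (the time part is
# dropped); whether the bounds are inclusive is decided by the orchestrator
# — TODO confirm.
export def "break-glass audit" [
  --from: datetime                                  # Start time
  --to: datetime                                    # End time
  --session-id: string                              # Filter by session ID
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> table {
  print $"📜 Querying break-glass audit logs..."
  mut params = []
  # Zero-padded ISO dates: assembling year-month-day from `date to-record`
  # produced e.g. "2025-3-7", which a strict date parser may reject.
  if not ($from | is-empty) {
    $params = ($params | append $"from=($from | format date '%Y-%m-%d')")
  }
  if not ($to | is-empty) {
    $params = ($params | append $"to=($to | format date '%Y-%m-%d')")
  }
  # Percent-encode so an id containing "&" or "#" cannot add or truncate
  # query parameters.
  if not ($session_id | is-empty) {
    $params = ($params | append $"session_id=($session_id | url encode)")
  }
  let query_string = if ($params | is-empty) { "" } else { $"?($params | str join '&')" }
  let logs = (http get $"($orchestrator)/api/v1/break-glass/audit($query_string)")
  if ($logs | is-empty) {
    print "No audit logs found"
    return []
  }
  $logs | select event_id event_type session_id user.email timestamp
}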
# Show break-glass statistics
#
# Fetches the orchestrator's statistics record, prints the approval, session
# and revocation-monitoring counters as three labelled groups, and returns the
# raw record.
export def "break-glass stats" [
  --orchestrator: string = "http://localhost:8080"  # Orchestrator URL
]: nothing -> record {
  print $"📊 Fetching break-glass statistics..."
  let stats = (http get $"($orchestrator)/api/v1/break-glass/statistics")
  let approval = $stats.approval
  let session = $stats.session
  let revocation = $stats.revocation
  # Each group is a heading plus [label value] rows, printed in this order.
  let groups = [
    {
      heading: "Approval Statistics:"
      rows: [
        [" Total requests:" $approval.total_requests]
        [" Pending:" $approval.pending_requests]
        [" Approved:" $approval.approved_requests]
        [" Denied:" $approval.denied_requests]
        [" Expired:" $approval.expired_requests]
      ]
    }
    {
      heading: "Session Statistics:"
      rows: [
        [" Total sessions:" $session.total_sessions]
        [" Active:" $session.active_sessions]
        [" Revoked:" $session.revoked_sessions]
        [" Expired:" $session.expired_sessions]
        [" Total actions:" $session.total_actions]
      ]
    }
    {
      heading: "Revocation Monitoring:"
      rows: [
        [" Enabled:" $revocation.monitoring_enabled]
        [" Check interval:" $"($revocation.check_interval_seconds)s"]
      ]
    }
  ]
  for group in $groups {
    print ""
    print $group.heading
    for row in $group.rows {
      print $"($row.0) ($row.1)"
    }
  }
  $stats
}
# Break-glass help
#
# Prints the command overview and usage examples for the break-glass CLI.
# Returns nothing.
export def "break-glass help" []: nothing -> nothing {
  let lines = [
    "Break-Glass Emergency Access System"
    ""
    "Commands:"
    " request - Request emergency access"
    " approve - Approve emergency request"
    " deny - Deny emergency request"
    " activate - Activate approved session"
    " revoke - Revoke active session"
    " list-requests - List pending requests"
    " list-sessions - List active sessions"
    " show - Show session details"
    " audit - Query audit logs"
    " stats - Show statistics"
    ""
    "Examples:"
    " # Request emergency access"
    " break-glass request 'Production outage' --justification 'Database cluster down' --resources ['db/*'] --duration 2hr"
    ""
    " # Approve request"
    " break-glass approve <request_id> --reason 'Emergency confirmed'"
    ""
    " # Activate session"
    " break-glass activate <request_id>"
    ""
    " # Revoke session"
    " break-glass revoke <session_id> --reason 'Emergency resolved'"
  ]
  for line in $lines {
    print $line
  }
}