CCR-2026-0007: binky IMAP on tenants/ mount + CCR allowlist
Enable tenant commercial secrets: applier accepts mount tenants/, apply policy and OIDC role for company-email IMAP (metadata only; values are founder Red provision). Extend agent-high-risk-boundary for the path.
This commit is contained in:
parent
347226eb36
commit
86209fa90c
6 changed files with 218 additions and 27 deletions
|
|
@ -591,10 +591,22 @@ def applier_policy_violations(ccr: dict[str, Any]) -> list[str]:
|
|||
policy_file = str(openbao.get("policy_file") or "")
|
||||
fields = openbao.get("fields") or []
|
||||
|
||||
if mount != "platform":
|
||||
violations.append(f"openbao.mount must be platform, got {mount}")
|
||||
if not kv_path.startswith("platform/workloads/"):
|
||||
violations.append("openbao.kv_path must stay under platform/workloads/")
|
||||
# WARDEN-WP-0028: platform fleet lanes stay under platform/workloads/;
|
||||
# client/tenant commercial secrets live on mount tenants/ (exact-path policies).
|
||||
allowed_mount_prefixes = {
|
||||
"platform": "platform/workloads/",
|
||||
"tenants": "tenants/",
|
||||
}
|
||||
if mount not in allowed_mount_prefixes:
|
||||
violations.append(
|
||||
f"openbao.mount must be one of {sorted(allowed_mount_prefixes)}, got {mount}"
|
||||
)
|
||||
else:
|
||||
prefix = allowed_mount_prefixes[mount]
|
||||
if not kv_path.startswith(prefix):
|
||||
violations.append(
|
||||
f"openbao.kv_path for mount {mount!r} must stay under {prefix}"
|
||||
)
|
||||
if any(fragment in kv_path for fragment in ("*", "..", "//")):
|
||||
violations.append("openbao.kv_path must not contain wildcard, parent, or empty segments")
|
||||
if "/data/" in kv_path or "/metadata/" in kv_path:
|
||||
|
|
@ -1600,7 +1612,7 @@ def decision_templates(ccr: dict[str, Any] | None = None) -> dict[str, str]:
|
|||
else:
|
||||
context = {
|
||||
"id": "<CCR-ID>",
|
||||
"kv_path": "<platform/workloads/...>",
|
||||
"kv_path": "<platform/workloads/...> or <tenants/<tenant>/...>",
|
||||
"policy_name": "<workload-kv-read-...>",
|
||||
"auth_role_path": "auth/<mount>/role/<role>",
|
||||
"decision_link": "<link State Hub decision>",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue