added test vault policies

Signed-off-by: Rod Anami <rod.anami@kyndryl.com>

Author: rod4n4m1

CHANGELOG.md

@@ -3,7 +3,7 @@
 ## Change Log
 
 * `0.4.5a` (**latest**)
-  * Updated Axios dependency to `1.7.4` (CVE-2024-39338)
+  * Updated Axios dependency to `1.7.4` [#51](CVE-2024-39338)
   * Upgraded development env to Vault server `1.17.3`
 
 * `0.4.15`

container/setup/policies/admin-policy.hcl

@@ -0,0 +1,53 @@
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# List existing policies
+path "sys/policies/acl"
+{
+  capabilities = ["list"]
+}
+
+# Create and manage ACL policies
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Manage secrets engines
+path "sys/mounts/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List existing secrets engines.
+path "sys/mounts"
+{
+  capabilities = ["read"]
+}
+
+# Read health checks
+path "sys/health"
+{
+  capabilities = ["read", "sudo"]
+}

container/setup/policies/cert-policy.hcl

@@ -0,0 +1,54 @@
+path "pki_int/issue/*"
+{
+  capabilities = ["create", "update"]
+}
+
+path "pki_int/certs"
+{
+  capabilities = ["list"]
+}
+
+path "pki_int/revoke"
+{
+  capabilities = ["create", "update"]
+}
+
+path "pki_int/tidy"
+{
+  capabilities = ["create", "update"]
+}
+
+path "pki/cert/ca"
+{
+  capabilities = ["read"]
+}
+
+path "auth/token/renew"
+{
+  capabilities = ["update"]
+}
+
+path "auth/token/renew-self"
+{
+  capabilities = ["update"]
+}
+
+# Roles to create, update secrets
+path "/sys/mounts" {
+  capabilities = ["read", "update", "list"]
+}
+
+path "/sys/mounts/*"
+{
+  capabilities = ["update", "create"]
+}
+
+path "sys/policies/acl"
+{
+  capabilities = ["read"]
+}
+
+path "secret/*"
+{
+  capabilities = ["read", "create", "update", "delete"]
+}

container/setup/policies/knight-policy.hcl

@@ -0,0 +1,50 @@
+path "knight/*" {
+  capabilities = ["create","read","update","delete","list"]
+}
+
+path "knight/data/*" {
+  capabilities = ["create","read","update","delete"]
+}
+
+path "knight/delete/*" {
+  capabilities = ["update"]
+}
+
+path "knight/undelete/*" {
+    capabilities = ["update"]
+}
+
+path "knight/destroy/*" {
+    capabilities = ["update"]
+}
+
+path "knight/metadata/*" {
+    capabilities = ["create","update","delete","list","read"]
+}
+
+path "auth/approle/login" {
+  capabilities = ["create"]
+}
+
+path "/auth/approle/role/knight" {
+capabilities = ["update"]
+  allowed_parameters = {
+        "token_ttl" = []
+  }
+}
+
+path "/auth/approle/role/knight/secret-id" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "/auth/approle/role/knight/secret-id/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "/auth/approle/role/knight/secret-id-accessor" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "/auth/approle/role/knight/secret-id-accessor/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}

container/setup/policies/provisioner-policy.hcl

@@ -0,0 +1,35 @@
+# Manage auth methods broadly across Vault
+path "auth/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# Create, update, and delete auth methods
+path "sys/auth/*"
+{
+  capabilities = ["create", "update", "delete", "sudo"]
+}
+
+# List auth methods
+path "sys/auth"
+{
+  capabilities = ["read"]
+}
+
+# List existing policies
+path "sys/policies/acl"
+{
+  capabilities = ["list"]
+}
+
+# Create and manage ACL policies via API & UI
+path "sys/policies/acl/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# List, create, update, and delete key/value secrets
+path "secret/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list"]
+}

container/setup/vault-config.sh

@@ -64,10 +64,10 @@ max_ttl="87600h"
 vault write pki_int/issue/chatopsknight common_name="vault.chatopsknight.kyndryl.net" ttl="87500h"
 
 # Create a policy
-vault policy write knight-vault ./policies/chatops-knight-vault.hcl
+vault policy write knight-vault ./policies/knight-vault.hcl
 
 # Apply policy to role for AppRole auth method
-vault write auth/approle/role/knight secret_id_ttl="720h"  token_ttl="12h"  token_max_tll="12h"  policies="knight-vault"
+vault write auth/approle/role/knight secret_id_ttl="720h"  token_ttl="12h"  token_max_tll="12h"  policies="knight-policy"
 
 # Apply policy to role for Token auth method
 vault write auth/token/roles/knight token_explicit_max_ttl=43200  allowed_policies="knight-vault"
@@ -79,7 +79,7 @@ vault read auth/approle/role/knight/role-id
 vault write -f auth/approle/role/knight/secret-id
 
 # Check if pair role-id and secret-id are working
-vault write auth/approle/login -field=token role_id=${ROLE_ID} secret_id=${SECRET_ID}
+vault write auth/approle/login role_id=${ROLE_ID} secret_id=${SECRET_ID} -field=token
 
 # Update issuing and clr points to use https
 vault write pki/config/urls \