2

嘿伙计们,我遇到了一个障碍,试图弄清楚如何搜索我们所有人service/policy_names以确保他们具有某些能力。

假设我有一个类似于以下的保险库政策

bash-4.4$ vault policy read service/admin
# Token policies
path "/auth/token/create" {
    capabilities = ["create", "update", "sudo"]
}

path "/auth/token/lookup" {
    capabilities = ["create", "update"]
}

path "/auth/token/renew" {
    capabilities = ["create", "update"]
}

path "/auth/token/revoke" {
    capabilities = ["create", "update"]
}

# View system policies
path "/sys/policy" {
    capabilities = ["read"]
}

# Allow full access to interact with all secrets
path "secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

我正在尝试扫描每个策略,如果路径没有正确的功能,请创建一个具有正确功能的新文件并保存它。我被困在试图扫描每条路径并且有点被淘汰了。希望有人可以帮助或推荐一种更明智的方法。以上将被保存到一个新文件service_admin.hcl中,如下所示

bash-4.4$ less service_admin.hcl
# Token policies
path "/auth/token/create" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

path "/auth/token/lookup" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

path "/auth/token/renew" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

path "/auth/token/revoke" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

# View system policies
path "/sys/policy" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

# Allow full access to interact with all secrets
path "secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

到目前为止我的代码如下,我选择 go 是因为我认为 HCL 库会帮助我,但我很难使用它。

package main

import (
   "github.com/hashicorp/vault/api"
   "log"
   "regexp"
)

func main() {
   cfg := api.DefaultConfig()
   cfg.Address = "http://localhost:8200"

   client, err := api.NewClient(cfg)
   if err != nil {
      log.Fatal(err)
   }

   client.SetToken("xxx")

   policies, err := client.Sys().ListPolicies()
   if err != nil {
      log.Fatal(err)
   }


   var listPolicies []string
   for _, policy := range policies {
      matched, _ := regexp.MatchString("^service", policy)
      if matched {
         listPolicies = append(listPolicies, policy)
      }
   }

   for _, policy := range listPolicies {
      policyContents, _ := client.Sys().GetPolicy(policy)

      // parse := hcl.Parse(policyContents) // ????
      // Does each `path` have `capabilities = ["create", "read", "update", "delete", "list"]`
      log.Println(policyContents)

      break
   }
}
4

0 回答 0