From c65ae95b4365ce3eace88dffb679b261e8de7ff6 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Thu, 20 Mar 2025 17:06:09 +0100 Subject: [PATCH] fix(auth): replace identity template with explicit username in vault policies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixed document signing permissions by using explicit usernames in transit/sign policies instead of relying on {{identity.entity.name}} templates, which were not properly resolving during authorization checks. This enables users to successfully sign documents with their respective vault transit keys. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- src/vault_setup.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/vault_setup.rs b/src/vault_setup.rs index 771b3cf..872840e 100644 --- a/src/vault_setup.rs +++ b/src/vault_setup.rs @@ -442,6 +442,9 @@ impl VaultClient { Department::Finance => "finance", }; + // Get the username from the policy name (remove "-policy" suffix) + let username = policy_name.trim_end_matches("-policy"); + // Policy content with specific paths for the department let policy = format!(r#" # Allow reading document metadata @@ -449,8 +452,8 @@ impl VaultClient { capabilities = ["read"] }} - # Allow signing with user's key - path "transit/sign/{{{{identity.entity.name}}}}" {{ + # Allow signing with user's key - use explicit username instead of identity.entity.name + path "transit/sign/{}" {{ capabilities = ["update"] }} @@ -463,7 +466,7 @@ impl VaultClient { path "documents/data/dept/{}/signatures/*" {{ capabilities = ["create", "read", "update"] }} - "#, dept_name); + "#, username, dept_name); let url = format!("{}/v1/sys/policies/acl/{}", self.addr, policy_name); let payload = json!({
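Review bot: The username derived on the new line `let username = policy_name.trim_end_matches("-policy");` in the first hunk is formatted verbatim into the HCL policy in the second hunk (`path "transit/sign/{}" {{`) and passed in the third (`"#, username, dept_name);`) with no check on its contents, so a policy name carrying `"`, a newline, `*` or `+` would change the shape of the rule (Vault's ACL path matching treats a trailing `*` as a glob and `+` as a single-segment wildcard), and the name should be validated before it is interpolated. `trim_end_matches` also strips the suffix repeatedly, so a name like `a-policy-policy` yields `a` rather than `a-policy`; `strip_suffix` is the exact operation: `let username = policy_name.strip_suffix("-policy").unwrap_or(policy_name);` followed by a guard that returns this method's error when `username` is empty or contains a character outside `[A-Za-z0-9_-]`. Where `policy_name` comes from is not visible here, and the enclosing method starts and ends outside the hunks, so if the name is already constrained upstream a comment stating that invariant at the derivation line would suffice, e.g. `// Assumes policy names are "<username>-policy" and were validated by the caller — keep in sync`. Deriving the username from the policy name also couples two naming conventions; passing the username explicitly alongside `policy_name` would remove that coupling, though that is a wider interface change than this fix.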