
Policies: allow partial matches and globbing on parameters with composite data types #8264

Open
markchalloner opened this issue Jan 30, 2020 · 0 comments

@markchalloner

We are using templated policies to allow an app access to team secrets based on their metadata:

app:

  # Allow apps to read their own secrets e.g. secret/data/teams/foo/app-foo-bar/*.
  path "secret/data/teams/{{identity.entity.metadata.team}}/{{identity.entity.name}}/*" {
    capabilities = ["read"]
  }

To enforce that a team can only create entities with a team metadata value of their team (e.g. foo) we are using the policy:

team-foo:

  # Allow creation of an app-<team>-* entities.
  path "identity/entity" {
    capabilities = ["create", "update"]
    allowed_parameters = {
      "name" = ["app-foo-*"]
      # Policy order matters and Terraform sorts alphabetically.
      "policies" = [["app", "default"]]
      "metadata" = [{"team" = "foo"}]
      "*" = []
    }
    required_parameters = ["metadata"]
  }

Unfortunately Vault doesn't allow wildcards in composite data type keys or values, due to the comparison being passed directly to reflect.DeepEqual.

This means that

  1. policies can't use globs

  2. policies have to be ordered the same as clients

  3. dynamic metadata values (e.g. app = "*") can't be used:

    "metadata" = [{"app" = [], "team" = "foo"}]

  4. arbitrary metadata keys can't be used, e.g.

    "metadata" = [{"*" = [], "team" = "foo"}]


Our current solution means

  1. policies have to be fixed (and in the correct order)
  2. teams can't add additional metadata (e.g. the app name bar) and so use a cleaner secret hierarchy (or have arbitrary metadata):

    policy-app.hcl: |-
      # Allow apps to read their own secrets e.g. secret/data/teams/foo/apps/bar/*.
      path "secret/data/teams/{{identity.entity.metadata.team}}/apps/{{identity.entity.metadata.app}}/*" {
        capabilities = ["read"]
      }
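The following Go program is an added illustration, not Vault's code and not part of the issue above. It shows the strict `reflect.DeepEqual` comparison the issue describes failing on the team-foo policy as soon as an entity carries any metadata beyond `team`, next to a hypothetical matcher (`matchAlternatives`/`matchOne`, names chosen here) that implements the semantics the issue asks for: glob patterns in string values, an empty list meaning "any value", a `"*"` key permitting extra keys in a composite value, and order-insensitive list comparison. The `ParamRule` type, the sample policy and the sample request are all constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"reflect"
)

// deepEqualAllowed mirrors the strict check described in the issue: a
// composite value is accepted only if it is reflect.DeepEqual to one of
// the allowed alternatives, so extra keys or a different list order fail.
func deepEqualAllowed(alternatives []interface{}, value interface{}) bool {
	for _, alt := range alternatives {
		if reflect.DeepEqual(alt, value) {
			return true
		}
	}
	return false
}

// matchAlternatives applies allowed_parameters-style semantics with globbing
// (hypothetical, not Vault's implementation): an empty alternatives list
// accepts any value; otherwise the value must match one alternative.
func matchAlternatives(alternatives []interface{}, value interface{}) bool {
	if len(alternatives) == 0 {
		return true
	}
	for _, alt := range alternatives {
		if matchOne(alt, value) {
			return true
		}
	}
	return false
}

// matchOne compares a single allowed pattern against a request value.
//   - string: a glob pattern (path.Match, so "*" does not cross "/")
//   - list: the value must be a list whose every element matches some
//     allowed element; order does not matter
//   - map: every key in the value must be covered by the same key in the
//     allowed map or by a "*" key; nested lists are alternatives
//     (empty list = any value), nested scalars and maps are single patterns
func matchOne(allowed interface{}, value interface{}) bool {
	switch a := allowed.(type) {
	case string:
		s, ok := value.(string)
		if !ok {
			return false
		}
		matched, err := path.Match(a, s)
		return err == nil && matched
	case []interface{}:
		vs, ok := value.([]interface{})
		if !ok {
			return false
		}
		for _, v := range vs {
			if !matchAlternatives(a, v) {
				return false
			}
		}
		return true
	case map[string]interface{}:
		vm, ok := value.(map[string]interface{})
		if !ok {
			return false
		}
		for k, v := range vm {
			rule, found := a[k]
			if !found {
				rule, found = a["*"]
			}
			if !found {
				return false
			}
			if alts, isList := rule.([]interface{}); isList {
				if !matchAlternatives(alts, v) {
					return false
				}
			} else if !matchOne(rule, v) {
				return false
			}
		}
		return true
	default:
		return reflect.DeepEqual(allowed, value)
	}
}

// ParamRule is a constructed stand-in for a path's allowed_parameters and
// required_parameters; "*" as a top-level key covers any other parameter.
type ParamRule struct {
	Allowed  map[string][]interface{}
	Required []string
}

// Check returns nil when the request parameters satisfy the rule.
func (r ParamRule) Check(params map[string]interface{}) error {
	for _, req := range r.Required {
		if _, ok := params[req]; !ok {
			return fmt.Errorf("missing required parameter %q", req)
		}
	}
	for k, v := range params {
		alts, ok := r.Allowed[k]
		if !ok {
			alts, ok = r.Allowed["*"]
		}
		if !ok {
			return fmt.Errorf("parameter %q not allowed", k)
		}
		if !matchAlternatives(alts, v) {
			return fmt.Errorf("parameter %q has a value outside the allowed set", k)
		}
	}
	return nil
}

// exampleRule is the team-foo policy from the issue, written with the
// globbing semantics the issue asks for (constructed sample).
func exampleRule() ParamRule {
	return ParamRule{
		Allowed: map[string][]interface{}{
			"name":     {"app-foo-*"},
			"policies": {[]interface{}{"app", "default"}},
			"metadata": {map[string]interface{}{"team": "foo", "app": []interface{}{}}},
			"*":        {},
		},
		Required: []string{"metadata"},
	}
}

// exampleRequest is a constructed entity-creation request from team foo.
func exampleRequest() map[string]interface{} {
	return map[string]interface{}{
		"name":     "app-foo-bar",
		"policies": []interface{}{"default", "app"}, // client order differs
		"metadata": map[string]interface{}{"team": "foo", "app": "bar"},
	}
}

func main() {
	req := exampleRequest()
	strict := deepEqualAllowed(
		[]interface{}{map[string]interface{}{"team": "foo"}}, req["metadata"])
	fmt.Println("DeepEqual accepts metadata with extra app key:", strict)
	fmt.Println("glob matcher accepts request:", exampleRule().Check(req))
}
```

The strict comparison rejects the request because the metadata map carries an `app` key and the policies list is in a different order; the glob matcher accepts it while still refusing `team = "bar"` or a name outside `app-foo-*`. A caveat for anyone prototyping this: `path.Match` treats `/` specially, so metadata values containing slashes need a different pattern matcher.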