OKTA-649266 - update security policy for GA features #115

Merged
merged 8 commits into from
Nov 13, 2023
52 changes: 52 additions & 0 deletions docs/data-sources/security_policy.md
Expand Up @@ -49,6 +49,7 @@ Read-Only:

- `access_request` (List of Object) (see [below for nested schema](#nestedobjatt--rule--conditions--access_request))
- `gateway` (List of Object) (see [below for nested schema](#nestedobjatt--rule--conditions--gateway))
- `mfa` (List of Object) (see [below for nested schema](#nestedobjatt--rule--conditions--mfa))

<a id="nestedobjatt--rule--conditions--access_request"></a>
### Nested Schema for `rule.conditions.access_request`
Expand All @@ -69,6 +70,15 @@ Read-Only:
- `traffic_forwarding` (Boolean)


<a id="nestedobjatt--rule--conditions--mfa"></a>
### Nested Schema for `rule.conditions.mfa`


It's hard for me to tell - does this allow them to try to set up MFA conditions on secret rules? That's not currently supported. I suppose the same question would apply to gateway conditions.

Contributor Author:

We constrain gateways, but not MFA - the main reason is that while this is not currently supported, we don't want to have to roll another version of the TF provider and migrate people when support is added.


Read-Only:

- `acr_values` (String)
- `reauth_frequency_in_seconds` (Number)



<a id="nestedobjatt--rule--privileges"></a>
### Nested Schema for `rule.privileges`
Expand All @@ -79,6 +89,7 @@ Read-Only:
- `password_checkout_ssh` (List of Object) (see [below for nested schema](#nestedobjatt--rule--privileges--password_checkout_ssh))
- `principal_account_rdp` (List of Object) (see [below for nested schema](#nestedobjatt--rule--privileges--principal_account_rdp))
- `principal_account_ssh` (List of Object) (see [below for nested schema](#nestedobjatt--rule--privileges--principal_account_ssh))
- `secret` (List of Object) (see [below for nested schema](#nestedobjatt--rule--privileges--secret))

<a id="nestedobjatt--rule--privileges--password_checkout_rdp"></a>
### Nested Schema for `rule.privileges.password_checkout_rdp`
Expand Down Expand Up @@ -114,14 +125,55 @@ Read-Only:
- `enabled` (Boolean)


<a id="nestedobjatt--rule--privileges--secret"></a>
### Nested Schema for `rule.privileges.secret`

Read-Only:

- `folder_create` (Boolean)
- `folder_delete` (Boolean)
- `folder_update` (Boolean)
- `list` (Boolean)
- `secret_create` (Boolean)
- `secret_delete` (Boolean)
- `secret_reveal` (Boolean)
- `secret_update` (Boolean)



<a id="nestedobjatt--rule--resources"></a>
### Nested Schema for `rule.resources`

Read-Only:

- `secrets` (List of Object) (see [below for nested schema](#nestedobjatt--rule--resources--secrets))
- `servers` (List of Object) (see [below for nested schema](#nestedobjatt--rule--resources--servers))

<a id="nestedobjatt--rule--resources--secrets"></a>
### Nested Schema for `rule.resources.secrets`

Read-Only:

- `secret` (List of Object) (see [below for nested schema](#nestedobjatt--rule--resources--secrets--secret))
- `secret_folder` (List of Object) (see [below for nested schema](#nestedobjatt--rule--resources--secrets--secret_folder))

<a id="nestedobjatt--rule--resources--secrets--secret"></a>
### Nested Schema for `rule.resources.secrets.secret_folder`

Read-Only:

- `secret_id` (String)


<a id="nestedobjatt--rule--resources--secrets--secret_folder"></a>
### Nested Schema for `rule.resources.secrets.secret_folder`

Read-Only:

- `secret_folder_id` (String)



<a id="nestedobjatt--rule--resources--servers"></a>
### Nested Schema for `rule.resources.servers`

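Review bot: the heading under the anchor `nestedobjatt--rule--resources--secrets--secret` reads `rule.resources.secrets.secret_folder`, but the section documents `secret_id`, so it should read `rule.resources.secrets.secret`; as written the file has two identical `secret_folder` headings and the link from the `secret` bullet lands on a mislabeled section. If this Markdown is generated from the provider schema, the fix belongs in the schema or template rather than in the generated file.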
57 changes: 55 additions & 2 deletions docs/resources/security_policy.md
Expand Up @@ -20,11 +20,12 @@ Limited Early Access Feature: A policy which defines how users can gain access t
- `active` (Boolean) If true, indicates that the Security Policy is active.
- `name` (String) The human-readable name of the resource. Values are case-sensitive.
- `principals` (Block List, Min: 1, Max: 1) Defines the users bound to the Security Policy. (see [below for nested schema](#nestedblock--principals))
- `rule` (Block List, Min: 1, Max: 20) Defines the privileges available to resources matched to the Security Policy. (see [below for nested schema](#nestedblock--rule))
- `rule` (Block Set, Min: 1, Max: 20) Defines the privileges available to resources matched to the Security Policy. (see [below for nested schema](#nestedblock--rule))

### Optional

- `description` (String) The human-readable description of the resource.
- `resource_group` (String) The UUID of a specific Resource Group associated with the Security Policy. If undefined, the Security Policy applies to all resources for your Team. This value must be defined if the current user has the Delegated Security Admin role.

### Read-Only

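Review bot: changing `rule` from `Block List` to `Block Set` alters how the attribute is addressed in state and in expressions; any configuration or module that references `rule[0]` will stop planning, so this deserves a changelog/upgrade note and ideally a state upgrader. The new `resource_group` text also says the value "must be defined if the current user has the Delegated Security Admin role" without saying what happens when it is omitted; stating the actual behaviour (for example that the API rejects the request) would save users a failed apply.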
Expand Down Expand Up @@ -60,6 +61,7 @@ Optional:
- `password_checkout_ssh` (Block List, Max: 1) Defines the privilege to make SSH connections to a server with a vaulted password. (see [below for nested schema](#nestedblock--rule--privileges--password_checkout_ssh))
- `principal_account_rdp` (Block List, Max: 1) Defines the privilege to make RDP connections to a server with the user's principal account. (see [below for nested schema](#nestedblock--rule--privileges--principal_account_rdp))
- `principal_account_ssh` (Block List, Max: 1) Defines the privilege to make SSH connections to a server with the user's principal account. (see [below for nested schema](#nestedblock--rule--privileges--principal_account_ssh))
- `secret` (Block List, Max: 1) Defines the privilege to operate on Secrets and Secret Folders. (see [below for nested schema](#nestedblock--rule--privileges--secret))

<a id="nestedblock--rule--privileges--password_checkout_rdp"></a>
### Nested Schema for `rule.privileges.password_checkout_rdp`
Expand Down Expand Up @@ -101,13 +103,54 @@ Optional:
- `admin_level_permissions` (Boolean) Provides coarse grain (full admin) access to the user.


<a id="nestedblock--rule--privileges--secret"></a>
### Nested Schema for `rule.privileges.secret`

Required:

- `folder_create` (Boolean) Defines the privilege to create a Secret Folder.
- `folder_delete` (Boolean) Defines the privilege to delete a Secret Folder and its contents.
- `folder_update` (Boolean) Defines the privilege to update the metadata of a Secret Folder.
- `list` (Boolean) Defines the privilege to list the contents of a Secret Folder.
- `secret_create` (Boolean) Defines the privilege to create a Secret.
- `secret_delete` (Boolean) Defines the privilege to delete a Secret.
- `secret_reveal` (Boolean) Defines the privilege to reveal the plaintext contents of a Secret.
- `secret_update` (Boolean) Defines the privilege to update a Secret and its metadata.



<a id="nestedblock--rule--resources"></a>
### Nested Schema for `rule.resources`

Optional:

- `secrets` (Block List, Max: 1) Defines the secret-based resources targeted by the Security Policy. (see [below for nested schema](#nestedblock--rule--resources--secrets))
- `servers` (Block List, Max: 1) Defines the server-based resources targeted by the Security Policy. (see [below for nested schema](#nestedblock--rule--resources--servers))

<a id="nestedblock--rule--resources--secrets"></a>
### Nested Schema for `rule.resources.secrets`

Optional:

- `secret` (Block List, Max: 1) Defines a specific Secret targeted by the Security Policy. (see [below for nested schema](#nestedblock--rule--resources--secrets--secret))
- `secret_folder` (Block List, Max: 1) Defines a specific Secret Folder targeted by the Security Policy. (see [below for nested schema](#nestedblock--rule--resources--secrets--secret_folder))

<a id="nestedblock--rule--resources--secrets--secret"></a>
### Nested Schema for `rule.resources.secrets.secret_folder`

Required:

- `servers` (Block List, Min: 1, Max: 1) Defines the server-based resources targeted by the Security Policy. (see [below for nested schema](#nestedblock--rule--resources--servers))
- `secret_id` (String) The UUID of the Secret.


<a id="nestedblock--rule--resources--secrets--secret_folder"></a>
### Nested Schema for `rule.resources.secrets.secret_folder`

Required:

- `secret_folder_id` (String) The UUID of the Secret Folder.



<a id="nestedblock--rule--resources--servers"></a>
### Nested Schema for `rule.resources.servers`
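Review bot: the section under the anchor `nestedblock--rule--resources--secrets--secret` lists `servers` (Block List, Min: 1, Max: 1) next to `secret_id`; `servers` is already documented one level up under `rule.resources` as Optional, Max: 1, so this line is misplaced and contradicts it (Required, Min: 1). Drop it, and fix the heading, which reads `rule.resources.secrets.secret_folder` for both this section and the following one. Separately, since all eight booleans in `rule.privileges.secret` are Required, it would help to say so explicitly (every privilege must be stated, including `false` ones), and to call out `secret_reveal` and `folder_delete` as the two that expose plaintext or destroy content, so reviewers of policy changes know where to look.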
Expand Down Expand Up @@ -156,6 +199,7 @@ Optional:

- `access_request` (Block List) Identifies an existing Request Type in Access Requests. (see [below for nested schema](#nestedblock--rule--conditions--access_request))
- `gateway` (Block List, Max: 1) Configures traffic settings for an existing Gateway. (see [below for nested schema](#nestedblock--rule--conditions--gateway))
- `mfa` (Block List) Configures multifactor auth settings required to access the resource. (see [below for nested schema](#nestedblock--rule--conditions--mfa))

<a id="nestedblock--rule--conditions--access_request"></a>
### Nested Schema for `rule.conditions.access_request`
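Review bot: `mfa` is declared `Block List` with no `Max`, while `gateway` is `Max: 1`; if only one set of MFA requirements can apply to a rule, `Max: 1` on the schema would reject an ambiguous configuration with two `mfa` blocks carrying different `acr_values` or `reauth_frequency_in_seconds` at plan time instead of leaving the outcome to the API.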
Expand All @@ -179,3 +223,12 @@ Required:
- `traffic_forwarding` (Boolean) Whether to forward traffic through a Gateway.


<a id="nestedblock--rule--conditions--mfa"></a>
### Nested Schema for `rule.conditions.mfa`

Required:

- `acr_values` (String) The authentication context class reference (ACR) for this policy. This defines a specific set of assurance level requirements required by a protected resource.
- `reauth_frequency_in_seconds` (Number) The number of seconds an MFA verification remains valid. After this time users need to reauthenticate before they can open new connections to resources. Defining a value of `0` requires users to authenticate for every connection.


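Review bot: the `acr_values` description should name the accepted values (or link to where they are defined), since an unrecognised ACR string will only surface at apply time. Per the review thread above, MFA conditions are not yet supported on secret rules but the schema does not constrain them; a sentence here saying that `mfa` currently applies to server resources only would keep users from writing a secret rule with an `mfa` condition and expecting it to be enforced.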
9 changes: 6 additions & 3 deletions oktapam/client/named_object.go
Expand Up @@ -3,9 +3,12 @@ package client
type NamedObjectType string

const (
UserNamedObjectType NamedObjectType = "user"
UserGroupNamedObjectType NamedObjectType = "user_group"
ServerNamedObjectType NamedObjectType = "server"
UserNamedObjectType NamedObjectType = "user"
UserGroupNamedObjectType NamedObjectType = "user_group"
SecretNamedObjectType NamedObjectType = "secret"
SecretFolderNamedObjectType NamedObjectType = "secret_folder"
ServerNamedObjectType NamedObjectType = "server"
ResourceGroupNamedObjectType NamedObjectType = "resource_group"
)

type NamedObject struct {
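Review bot: adding `SecretNamedObjectType`, `SecretFolderNamedObjectType` and `ResourceGroupNamedObjectType` is fine on its own, but any `switch` or validation over `NamedObjectType` elsewhere in the client (for example when decoding API responses into `NamedObject`) needs the three new cases, otherwise the new types fall into whatever branch handles unknown values; worth grepping for `NamedObjectType` before merging. The realigned constant block is just gofmt output.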