# Policy that validates AWS keys provided to AWS secrets engine
# This is intended to be used against paths of form <path>/config/root
# where <path> is the path selected for the AWS secrets engine
# However, because EGP policies can only use a wildcard (*) at the end of paths,
# we apply this policy to all paths whose request data has both the access_key and secret_key keys
# EGP Policy, paths = *
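# Function that validates AWS keys
# Returns true when the request data carries no access_key/secret_key pair,
# or when it carries one whose access_key and secret_key match the expected
# formats; returns false (and prints which key failed) otherwise.
validate_aws_keys = func() {
	# Booleans indicating whether keys are valid
	access_key = true
	secret_key = true

	# Print some information about the request
	# Note that these messages will only be printed when the policy is violated
	# Only the key names of request.data are printed, never its values: the
	# values include the AWS secret key (and whatever else the caller wrote),
	# and a violated request can still carry a usable credential when only one
	# of the two keys failed its format check. Printing the values would copy
	# those credentials into the Sentinel trace output.
	print("Namespace path:", namespace.path)
	print("Request path:", request.path)
	print("Request data keys:", keys(request.data))

	# Only secrets that carry both access_key and secret_key are checked;
	# compute the pair check once instead of repeating it per key
	has_key_pair = "access_key" in keys(request.data) and "secret_key" in keys(request.data)

	if has_key_pair {
		# Validate access_key: 20 uppercase alphanumeric characters
		if request.data.access_key not matches "^[A-Z0-9]{20}$" {
			print("Invalid AWS access key")
			access_key = false
		}
		# Validate secret_key: 40 characters from the base64 alphabet
		if request.data.secret_key not matches "^[A-Za-z0-9/+=]{40}$" {
			print("Invalid AWS secret key")
			secret_key = false
		}
	}

	# Return combined booleans
	return access_key and secret_key
}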
# Main Rule
# Run the key validation once and expose its boolean result as the policy verdict
keys_are_valid = validate_aws_keys()

main = rule {
	keys_are_valid
}