From 120068d5e4c425aeafcefa99c15ec0f9fe5914d3 Mon Sep 17 00:00:00 2001
From: Andrew Klaas
Date: Thu, 6 Dec 2018 12:01:17 -0600
Subject: [PATCH] adding sentinel policy to enforce username for ssh secret engine

---
 .../enforce-ad-username-ssh-engine.json | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 governance/sentinel/enforce-ad-username-ssh-engine.json

diff --git a/governance/sentinel/enforce-ad-username-ssh-engine.json b/governance/sentinel/enforce-ad-username-ssh-engine.json
new file mode 100644
index 00000000..df530eee
--- /dev/null
+++ b/governance/sentinel/enforce-ad-username-ssh-engine.json
@@ -0,0 +1,25 @@
+import "strings"
+import "strings"
+
+username_match = func() {
+ # Make sure there is request data
+ if length(request.data else 0) is 0 {
+ return false
+ }
+
+ # Make sure request data includes username
+ if length(request.data.username else 0) is 0 {
+ return false
+ }
+
+ # Make sure the supplied username matches the user's name
+ if request.data.username != identity.entity.aliases[0].name {
+ return false
+ }
+
+ return true
+}
+
+main = rule {
+ strings.has_prefix(request.path, "ssh-client-signer/sign/my-role") and username_match()
+}
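Review bot: `identity.entity.aliases[0].name` in username_match ties the check to whichever alias is first, and an entity that carries more than one alias (which can happen when it has logged in through several auth mounts) may not have the AD alias in position 0, so the comparison can be made against the wrong identity; select the alias by its mount type or accessor rather than by index, and guard the empty case with `if length(identity.entity.aliases else []) is 0 { return false }` before indexing, since the current code gives no defined result when the list is empty. The `strings.has_prefix` test in `main` also accepts any path that merely begins with the role path rather than only that role, so an exact comparison such as `request.path is "ssh-client-signer/sign/my-role"` (or a prefix ending in `/` if sub-paths are intended) states the intent more precisely. The two `import "strings"` lines at the top are duplicates; drop one. Naming a Sentinel policy `.json` may mislead tooling that picks a parser by extension; `.sentinel` is the usual extension, assuming nothing else depends on this file name.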