feat(server): public landing page (root bypasses dir-level ACL)
GET / and GET /index.html previously enforced the root .zddc's
top-level acl: gate before serving the landing page. On a deployment
where only specific emails are allowed at root, anonymous (and
unauthorized) callers got 403 — they couldn't even see the project
picker that would tell them which projects were available to them.
Make the landing page public:
- cmd/zddc-server: drop the AllowedWithChain gate from the
apps.Serve("landing") branch; drop it from the IsDir branch when
urlPath == "/".
- handler/directory.go: matching bypass for ServeDirectory at the
root path (covers Accept: application/json and the case where a
real /index.html exists on disk).
Per-project ACL is preserved end-to-end:
- fs.ListDirectory continues to filter sub-entries per email, so
anonymous callers see only projects whose .zddc allows them.
- Subdirectory requests still hit the ACL gate.
Regression test in handler/directory_test.go covers all four cases
(anonymous public, anonymous filters out private, admin sees both,
anonymous still 403 on private subdir). Full go test ./... passes.
This commit is contained in:
parent
d1ff060d3d
commit
20897fef6b
3 changed files with 152 additions and 11 deletions
|
|
@ -297,14 +297,16 @@ func dispatch(cfg config.Config, idx *archive.Index, ring *handler.LogRing, apps
|
|||
// no real index.html on disk → serve via apps.Serve("landing"). The
|
||||
// other four apps are caught by the "stat fails → app HTML?" branch
|
||||
// below, which only triggers when no concrete file is at the URL path.
|
||||
//
|
||||
// The landing page is intentionally public (no ACL gate). It's a
|
||||
// project picker — the per-project ACL filtering done by
|
||||
// fs.ListDirectory still hides projects an anonymous (or unauthorized)
|
||||
// caller can't reach. See also handler.ServeDirectory's matching
|
||||
// root-path bypass.
|
||||
if appsSrv != nil && (urlPath == "/" || urlPath == "/index.html") {
|
||||
realIndex := filepath.Join(cfg.Root, "index.html")
|
||||
if _, err := os.Stat(realIndex); os.IsNotExist(err) {
|
||||
chain, _ := zddc.EffectivePolicy(cfg.Root, cfg.Root)
|
||||
if !zddc.AllowedWithChain(chain, email) {
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
if apps.AppAvailableAt(cfg.Root, cfg.Root, "landing") {
|
||||
appsSrv.Serve(w, r, "landing", chain, cfg.Root)
|
||||
return
|
||||
|
|
@ -353,12 +355,19 @@ func dispatch(cfg config.Config, idx *archive.Index, ring *handler.LogRing, apps
|
|||
}
|
||||
|
||||
if info.IsDir() {
|
||||
// ACL check
|
||||
// ACL check — bypassed at the root path so the landing page (the
|
||||
// project picker) is reachable by anyone, including anonymous.
|
||||
// Per-project filtering happens inside ServeDirectory →
|
||||
// fs.ListDirectory, which hides directories the caller can't
|
||||
// reach. Subdirectory requests still hit this gate.
|
||||
isRoot := urlPath == "/"
|
||||
if !isRoot {
|
||||
chain, _ := zddc.EffectivePolicy(cfg.Root, absPath)
|
||||
if !zddc.AllowedWithChain(chain, email) {
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
}
|
||||
if !strings.HasSuffix(urlPath, "/") {
|
||||
http.Redirect(w, r, urlPath+"/", http.StatusMovedPermanently)
|
||||
return
|
||||
|
|
|
|||
|
|
@ -40,7 +40,10 @@ func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) {
|
|||
dirPath := strings.TrimPrefix(urlPath, "/")
|
||||
dirPath = strings.TrimSuffix(dirPath, "/")
|
||||
|
||||
// ACL check on this directory itself
|
||||
// ACL check on this directory itself.
|
||||
// Bypassed at the root path: the landing page is a public project
|
||||
// picker. Per-project filtering inside fs.ListDirectory still hides
|
||||
// directories the caller can't reach.
|
||||
absDir, ok := safeJoin(cfg.Root, dirPath)
|
||||
if !ok {
|
||||
http.Error(w, "Not Found", http.StatusNotFound)
|
||||
|
|
@ -50,7 +53,8 @@ func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) {
|
|||
if err != nil {
|
||||
slog.Warn("ACL policy error", "path", absDir, "err", err)
|
||||
}
|
||||
if !zddc.AllowedWithChain(chain, email) {
|
||||
isRoot := dirPath == ""
|
||||
if !isRoot && !zddc.AllowedWithChain(chain, email) {
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
|
|
|||
128
zddc/internal/handler/directory_test.go
Normal file
128
zddc/internal/handler/directory_test.go
Normal file
|
|
@ -0,0 +1,128 @@
|
|||
package handler
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
||||
)
|
||||
|
||||
// TestServeDirectoryRootIsPublic asserts that the landing page (the root
|
||||
// directory listing) is reachable by anyone, including anonymous callers
|
||||
// whose email is empty AND whose access would be denied by a restrictive
|
||||
// root .zddc. Per-project filtering inside fs.ListDirectory still hides
|
||||
// directories the caller can't reach (separately verified below).
|
||||
//
|
||||
// The behavior was changed when "Everyone needs to have access to the
|
||||
// landing page" became the explicit requirement; this test is the
|
||||
// regression guard.
|
||||
func TestServeDirectoryRootIsPublic(t *testing.T) {
|
||||
root := t.TempDir()
|
||||
|
||||
// Restrictive root .zddc — only admin@example.com is allowed by ACL,
|
||||
// nothing else. A user without that email would have been 403'd before
|
||||
// the bypass.
|
||||
if err := os.WriteFile(filepath.Join(root, ".zddc"),
|
||||
[]byte("admins:\n - admin@example.com\nacl:\n allow:\n - admin@example.com\n"),
|
||||
0o644); err != nil {
|
||||
t.Fatalf("write root .zddc: %v", err)
|
||||
}
|
||||
|
||||
// One project visible to everyone, one only to admin.
|
||||
for _, name := range []string{"PublicProj", "PrivateProj"} {
|
||||
if err := os.MkdirAll(filepath.Join(root, name), 0o755); err != nil {
|
||||
t.Fatalf("mkdir %s: %v", name, err)
|
||||
}
|
||||
}
|
||||
if err := os.WriteFile(filepath.Join(root, "PublicProj", ".zddc"),
|
||||
[]byte("acl:\n allow: [\"*\"]\n"), 0o644); err != nil {
|
||||
t.Fatalf("write PublicProj .zddc: %v", err)
|
||||
}
|
||||
if err := os.WriteFile(filepath.Join(root, "PrivateProj", ".zddc"),
|
||||
[]byte("acl:\n allow: [admin@example.com]\n"), 0o644); err != nil {
|
||||
t.Fatalf("write PrivateProj .zddc: %v", err)
|
||||
}
|
||||
|
||||
cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
|
||||
|
||||
t.Run("anonymous JSON GET / does not 403", func(t *testing.T) {
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
req.Header.Set("Accept", "application/json")
|
||||
// Anonymous: empty email in context.
|
||||
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
||||
rec := httptest.NewRecorder()
|
||||
ServeDirectory(cfg, rec, req)
|
||||
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("status = %d, want 200 (root is public); body = %s",
|
||||
rec.Code, rec.Body.String())
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("anonymous JSON GET / hides private projects", func(t *testing.T) {
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
req.Header.Set("Accept", "application/json")
|
||||
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
||||
rec := httptest.NewRecorder()
|
||||
ServeDirectory(cfg, rec, req)
|
||||
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("status = %d, want 200; body = %s", rec.Code, rec.Body.String())
|
||||
}
|
||||
|
||||
var entries []map[string]any
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
|
||||
t.Fatalf("invalid JSON: %v\n%s", err, rec.Body.String())
|
||||
}
|
||||
|
||||
names := map[string]bool{}
|
||||
for _, e := range entries {
|
||||
if n, ok := e["name"].(string); ok {
|
||||
names[n] = true
|
||||
}
|
||||
}
|
||||
if !names["PublicProj/"] {
|
||||
t.Errorf("PublicProj missing from anonymous listing: %v", names)
|
||||
}
|
||||
if names["PrivateProj/"] {
|
||||
t.Errorf("PrivateProj leaked to anonymous listing: %v", names)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("admin JSON GET / sees both projects", func(t *testing.T) {
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
req.Header.Set("Accept", "application/json")
|
||||
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "admin@example.com"))
|
||||
rec := httptest.NewRecorder()
|
||||
ServeDirectory(cfg, rec, req)
|
||||
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Fatalf("admin status = %d, want 200", rec.Code)
|
||||
}
|
||||
|
||||
var entries []map[string]any
|
||||
if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
|
||||
t.Fatalf("invalid JSON: %v", err)
|
||||
}
|
||||
if len(entries) != 2 {
|
||||
t.Errorf("admin should see both projects; got %d", len(entries))
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("anonymous still gets 403 on private subdirectory", func(t *testing.T) {
|
||||
req := httptest.NewRequest(http.MethodGet, "/PrivateProj/", nil)
|
||||
req.Header.Set("Accept", "application/json")
|
||||
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
||||
rec := httptest.NewRecorder()
|
||||
ServeDirectory(cfg, rec, req)
|
||||
|
||||
if rec.Code != http.StatusForbidden {
|
||||
t.Errorf("private subdir for anonymous: status = %d, want 403", rec.Code)
|
||||
}
|
||||
})
|
||||
}
|
||||
Loading…
Reference in a new issue