From cfa77321831cfcafcd8695566160ac73fdbfc098 Mon Sep 17 00:00:00 2001 From: ZDDC Date: Mon, 18 May 2026 09:12:37 -0500 Subject: [PATCH] test(handler): lock-in invariants for admin/elevation/WORM behavior MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Baseline test battery that pins the current auth-decision behavior so the upcoming consolidation refactor (single bypass site in InternalDecider.Allow) is validated against a green baseline. Each test names one invariant; failure messages identify exactly which property regressed. Coverage: - Un-elevated admin cannot bypass WORM (PUT to issued/ → 403). - Un-elevated admin cannot edit .zddc (Principal.gate() blocks). - Elevated admin bypasses WORM (positive control). - Elevated subtree admin writes within scope, blocked outside it. - Strict-ancestor rule: subtree admin cannot edit own subtree's .zddc, can edit deeper .zddc. - Empty email never matches. - WORM cr survives for un-elevated document_controller (create OK, overwrite still stripped). - project_team has read-only outside their auto-own home. - Forward-auth /.auth/admin gates strictly on ROOT admins:. wormbypass_test.go retained as the original repro of the live bitnest observation (un-elevated user write succeeded under --no-auth=1). Co-Authored-By: Claude Opus 4.7 (1M context) --- zddc/internal/handler/auth_invariants_test.go | 278 ++++++++++++++++++ zddc/internal/handler/wormbypass_test.go | 80 +++++ 2 files changed, 358 insertions(+) create mode 100644 zddc/internal/handler/auth_invariants_test.go create mode 100644 zddc/internal/handler/wormbypass_test.go diff --git a/zddc/internal/handler/auth_invariants_test.go b/zddc/internal/handler/auth_invariants_test.go new file mode 100644 index 0000000..869c694 --- /dev/null +++ b/zddc/internal/handler/auth_invariants_test.go @@ -0,0 +1,278 @@ +package handler + +import ( + "bytes" + "context" + "net/http" + "net/http/httptest" + "net/url" + "os" + "path/filepath" + "strings" + "testing" + + "codeberg.org/VARASYS/ZDDC/zddc/internal/config" + "codeberg.org/VARASYS/ZDDC/zddc/internal/zddc" +) + +// auth_invariants_test.go — behavioral lock-in for the admin/elevation/ +// WORM invariants. These tests must pass against the CURRENT code before +// the consolidation refactor (single bypass site in InternalDecider) so +// the refactor can be validated against a green baseline. +// +// Each test covers one invariant called out in the security audit. The +// names are deliberately verbose — when one fails, the failure message +// alone tells you which property got broken. + +// invariantsFixture sets up a synthetic ZDDC root with: +// +// - admin@example.com — root super-admin +// - alice@example.com — subtree admin of Project-1/working (via per-dir +// .zddc admins:) — used to test subtree scope +// - bob@example.com — document_controller role member (gets WORM cr +// on received/ + issued/ via cascade defaults) +// - eve@example.com — non-admin, project_team only (read-only across +// the project per defaults) +// +// Plus one file each in working/, issued/, received/ so we can exercise +// reads + writes across the cascade. +func invariantsFixture(t *testing.T) (config.Config, string) { + t.Helper() + root := t.TempDir() + + mustWriteHelper(t, filepath.Join(root, ".zddc"), + "admins:\n - admin@example.com\n"+ + "roles:\n"+ + " document_controller:\n members: [bob@example.com]\n"+ + " project_team:\n members: [\"*@example.com\"]\n") + + for _, d := range []string{ + "Project-1/working/eve@example.com", + "Project-1/archive/Acme/received/Acme-0042", + "Project-1/archive/Acme/issued/2026-05-15_Acme-0099 (IFR) - Test", + } { + if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil { + t.Fatalf("mkdir %s: %v", d, err) + } + } + + // Subtree-admin grant: alice administers Project-1/working/. + mustWriteHelper(t, + filepath.Join(root, "Project-1/working/.zddc"), + "admins:\n - alice@example.com\n") + + // Files to act on. + mustWriteHelper(t, + filepath.Join(root, "Project-1/working/eve@example.com/draft.md"), + "# eve's draft\n") + mustWriteHelper(t, + filepath.Join(root, "Project-1/archive/Acme/received/Acme-0042/Acme-0042_A (RFI) - Test.pdf"), + "%PDF-A\n") + mustWriteHelper(t, + filepath.Join(root, "Project-1/archive/Acme/issued/2026-05-15_Acme-0099 (IFR) - Test/Acme-0099_0A (IFR) - Test.md"), + "# issued draft\n") + zddc.InvalidateCache(root) + + return config.Config{ + Root: root, + EmailHeader: "X-Auth-Request-Email", + MaxWriteBytes: 64 * 1024, + }, root +} + +// do executes a request with the given email / elevation flag. URL-encoding +// is computed from the path so spaces and parens (real ZDDC filenames) +// round-trip cleanly. +func doReq(cfg config.Config, method, urlPath, email string, elevated bool, body []byte, op string) *httptest.ResponseRecorder { + u := &url.URL{Path: urlPath} + req := httptest.NewRequest(method, u.RequestURI(), bytes.NewReader(body)) + if op != "" { + req.Header.Set(headerOp, op) + } + ctx := context.WithValue(req.Context(), EmailKey, email) + ctx = context.WithValue(ctx, ElevatedKey, elevated) + req = req.WithContext(ctx) + rec := httptest.NewRecorder() + ServeFileAPI(cfg, rec, req) + return rec +} + +// ── Invariant 1 — Un-elevated admin has no admin authority ──────────────── + +func TestInvariant_UnelevatedAdminCannotBypassWorm(t *testing.T) { + cfg, _ := invariantsFixture(t) + target := "/Project-1/archive/Acme/issued/2026-05-15_Acme-0099 (IFR) - Test/Acme-0099_0A (IFR) - Test.md" + rec := doReq(cfg, http.MethodPut, target, "admin@example.com", false, []byte("# mutated\n"), "") + if rec.Code != http.StatusForbidden { + t.Fatalf("un-elevated admin write succeeded: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +func TestInvariant_UnelevatedAdminCannotEditZddc(t *testing.T) { + // The .zddc edit authority lives in zddc.CanEditZddc, gated on + // Principal.gate() — un-elevated must return false even for a root + // super-admin. Exercised at the helper boundary; the HTTP path + // guards .zddc at resolveTargetPath separately. + cfg, _ := invariantsFixture(t) + p := zddc.Principal{Email: "admin@example.com", Elevated: false} + dir := filepath.Join(cfg.Root, "Project-1/working") + if zddc.CanEditZddc(cfg.Root, dir, p) { + t.Fatalf("un-elevated admin can edit .zddc — gate() bypassed") + } +} + +// ── Invariant 2 — Elevated admin can do everything (positive control) ───── + +func TestInvariant_ElevatedAdminBypassesWorm(t *testing.T) { + cfg, _ := invariantsFixture(t) + target := "/Project-1/archive/Acme/issued/2026-05-15_Acme-0099 (IFR) - Test/Acme-0099_0A (IFR) - Test.md" + rec := doReq(cfg, http.MethodPut, target, "admin@example.com", true, []byte("# fix-mis-filed\n"), "") + if rec.Code != http.StatusOK && rec.Code != http.StatusCreated { + t.Fatalf("elevated admin write blocked: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +// ── Invariant 3 — Subtree admin scope ────────────────────────────────────── + +func TestInvariant_ElevatedSubtreeAdminWritesInScope(t *testing.T) { + cfg, _ := invariantsFixture(t) + target := "/Project-1/working/eve@example.com/draft.md" + rec := doReq(cfg, http.MethodPut, target, "alice@example.com", true, []byte("# alice override\n"), "") + // alice is subtree admin of Project-1/working/ — should override eve's + // fenced auto-own and write through. + if rec.Code != http.StatusOK && rec.Code != http.StatusCreated { + t.Fatalf("elevated subtree admin write in scope blocked: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +func TestInvariant_ElevatedSubtreeAdminBlockedOutsideScope(t *testing.T) { + cfg, _ := invariantsFixture(t) + // alice is subtree admin of /Project-1/working/, NOT of /Project-1/archive/. + target := "/Project-1/archive/Acme/issued/2026-05-15_Acme-0099 (IFR) - Test/Acme-0099_0A (IFR) - Test.md" + rec := doReq(cfg, http.MethodPut, target, "alice@example.com", true, []byte("# out-of-scope\n"), "") + if rec.Code != http.StatusForbidden { + t.Fatalf("subtree admin escaped scope: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +// ── Invariant 4 — .zddc strict-ancestor self-elevation prevention ───────── + +func TestInvariant_SubtreeAdminCannotEditOwnSubtreeZddc(t *testing.T) { + // alice's authority comes from /Project-1/working/.zddc. She must + // NOT be able to edit that file — strict-ancestor rule prevents + // her from adding peers, removing the delegator, or otherwise + // self-elevating. + cfg, _ := invariantsFixture(t) + p := zddc.Principal{Email: "alice@example.com", Elevated: true} + dir := filepath.Join(cfg.Root, "Project-1/working") + if zddc.CanEditZddc(cfg.Root, dir, p) { + t.Fatalf("subtree admin can edit own .zddc — strict-ancestor rule bypassed") + } +} + +func TestInvariant_SubtreeAdminCanEditDeeperZddc(t *testing.T) { + // alice's authority over Project-1/working/ should let her create + // or edit .zddc files in deeper subtrees (e.g., per-user homes). + cfg, _ := invariantsFixture(t) + p := zddc.Principal{Email: "alice@example.com", Elevated: true} + dir := filepath.Join(cfg.Root, "Project-1/working/eve@example.com") + if !zddc.CanEditZddc(cfg.Root, dir, p) { + t.Fatalf("subtree admin blocked from editing deeper .zddc") + } +} + +// ── Invariant 5 — Empty email never matches ──────────────────────────────── + +func TestInvariant_EmptyEmailHasNoAuthority(t *testing.T) { + cfg, _ := invariantsFixture(t) + target := "/Project-1/working/eve@example.com/draft.md" + rec := doReq(cfg, http.MethodPut, target, "", true, []byte("# anon\n"), "") + if rec.Code != http.StatusForbidden && rec.Code != http.StatusUnauthorized { + t.Fatalf("empty-email write succeeded: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +// ── Invariant 6 — WORM cr survives for document_controller (no admin) ───── + +func TestInvariant_DocControllerCanCreateInWormZone(t *testing.T) { + cfg, _ := invariantsFixture(t) + // bob is a document_controller (per role membership) but NOT an admin. + // He must be able to CREATE new files in received// even + // without elevation — the WORM cr grant carries. + target := "/Project-1/archive/Acme/received/Acme-0042/Acme-0042_B (RFI) - Followup.pdf" + rec := doReq(cfg, http.MethodPut, target, "bob@example.com", false, []byte("%PDF-B\n"), "") + if rec.Code != http.StatusOK && rec.Code != http.StatusCreated { + t.Fatalf("doc_controller blocked from WORM create: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +func TestInvariant_DocControllerCannotOverwriteInWormZone(t *testing.T) { + cfg, _ := invariantsFixture(t) + // bob can CREATE in WORM but cannot OVERWRITE — the worm strip + // removes w/d for everyone, even WORM-listed principals. + target := "/Project-1/archive/Acme/received/Acme-0042/Acme-0042_A (RFI) - Test.pdf" + rec := doReq(cfg, http.MethodPut, target, "bob@example.com", false, []byte("%PDF-mutated\n"), "") + if rec.Code != http.StatusForbidden { + t.Fatalf("doc_controller bypassed WORM overwrite-strip: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +// ── Invariant 7 — project_team has read but no write ────────────────────── + +func TestInvariant_ProjectTeamCanReadCannotWrite(t *testing.T) { + cfg, _ := invariantsFixture(t) + // eve is project_team (r at project level) and the file lives under + // her own working/ home — but she is NOT in any admin list and not + // elevated, so writes must be ACL-gated. + // + // In her own home, eve has auto-own rwcda via the working// + // auto-own pattern; the cascade gives her create+write there. So + // the right test is a write OUTSIDE her home — into a peer's area + // or into archive. + target := "/Project-1/archive/Acme/received/Acme-0042/Acme-0042_A (RFI) - Test.pdf" + rec := doReq(cfg, http.MethodPut, target, "eve@example.com", false, []byte("# eve overwrite\n"), "") + if rec.Code != http.StatusForbidden { + t.Fatalf("project_team escaped WORM strip: status=%d body=%s", rec.Code, rec.Body.String()) + } +} + +// ── Invariant 8 — Forward-auth endpoint requires admin membership ───────── + +func TestInvariant_ForwardAuthEndpointGatesOnAdminsList(t *testing.T) { + cfg, _ := invariantsFixture(t) + for _, tc := range []struct { + email string + want int + why string + }{ + {"admin@example.com", http.StatusOK, "root admin"}, + {"alice@example.com", http.StatusForbidden, "subtree admin only — /.auth/admin gates on ROOT admins:, not subtree"}, + {"eve@example.com", http.StatusForbidden, "non-admin"}, + {"", http.StatusForbidden, "anonymous"}, + } { + req := httptest.NewRequest(http.MethodGet, "/.auth/admin", nil) + ctx := context.WithValue(req.Context(), EmailKey, tc.email) + req = req.WithContext(ctx) + rec := httptest.NewRecorder() + ServeAuthAdmin(cfg, rec, req) + if rec.Code != tc.want { + t.Errorf("/.auth/admin for %q (%s): got %d, want %d", + tc.email, tc.why, rec.Code, tc.want) + } + } +} + +// ── Invariant 9 — Profile admin endpoints 404 (not 403) for non-admins ──── + +func TestInvariant_ProfileAdminEndpointsHideFromNonAdmins(t *testing.T) { + // These checks lock in the existence-hiding property: non-admins must + // see 404, never 403, so they can't probe which paths exist. + t.Skip("requires the profile handler dispatcher entry point; skip until the refactor confirms ServeProfile signature") +} + +// dump prints the rec body when t.Logf would help debugging — used in +// failure messages to avoid silently empty 403 cases. +func dumpBody(rec *httptest.ResponseRecorder) string { + s := rec.Body.String() + return strings.TrimSpace(s) +} diff --git a/zddc/internal/handler/wormbypass_test.go b/zddc/internal/handler/wormbypass_test.go new file mode 100644 index 0000000..5d81886 --- /dev/null +++ b/zddc/internal/handler/wormbypass_test.go @@ -0,0 +1,80 @@ +package handler + +import ( + "bytes" + "context" + "net/http" + "net/http/httptest" + "net/url" + "os" + "path/filepath" + "testing" + + "codeberg.org/VARASYS/ZDDC/zddc/internal/config" + "codeberg.org/VARASYS/ZDDC/zddc/internal/zddc" +) + +// TestPutToIssuedAsUnelevatedNonAdminUserDenied reproduces the bitnest +// observation: an un-elevated user@bitnest.cc was able to PUT a markdown +// file inside archive//issued// even though the +// embedded defaults declare issued/ as WORM and the user is not in the +// document_controller role. Expectation: 403. If this test passes (i.e. +// 403), the bug is somewhere outside this path; if it fails (200 or +// similar), we've reproduced the bypass. +func TestPutToIssuedAsUnelevatedNonAdminUserDenied(t *testing.T) { + root := t.TempDir() + // Mirror bitnest's current root .zddc shape: user@bitnest.cc is in + // admins (potential admin) but un-elevated — should NOT have admin + // authority. Roles populate document_controller and project_team + // (which matches *@bitnest.cc → user@bitnest.cc gets project_team:r + // at project level via the embedded defaults). + mustWriteHelper(t, filepath.Join(root, ".zddc"), + "admins:\n - user@bitnest.cc\n"+ + "roles:\n"+ + " document_controller:\n members: [alice@example.com, bob@example.com]\n"+ + " project_team:\n members: [\"*@example.com\", \"*@bitnest.cc\"]\n") + + // Materialise the exact path shape from the bitnest log entry. + issuedDir := filepath.Join(root, "Project-1/archive/PartyA/issued/2025-09-21_A-FAC2-PM-DRW-0377 (RSB) - Test") + if err := os.MkdirAll(issuedDir, 0o755); err != nil { + t.Fatalf("mkdir issued: %v", err) + } + target := filepath.Join(issuedDir, "A-FAC1-EL-SPC-0469_0A (IFR) - Test.md") + if err := os.WriteFile(target, []byte("# original\n"), 0o644); err != nil { + t.Fatalf("seed target: %v", err) + } + zddc.InvalidateCache(root) + + cfg := config.Config{ + Root: root, + EmailHeader: "X-Auth-Request-Email", + MaxWriteBytes: 64 * 1024, + } + + // Construct the PUT exactly as the markdown editor in browse would — + // PUT to the file's URL with the modified body. + u := &url.URL{Path: "/Project-1/archive/PartyA/issued/2025-09-21_A-FAC2-PM-DRW-0377 (RSB) - Test/A-FAC1-EL-SPC-0469_0A (IFR) - Test.md"} + req := httptest.NewRequest(http.MethodPut, u.RequestURI(), bytes.NewReader([]byte("# modified by un-elevated user\n"))) + req.Header.Set("Content-Type", "text/markdown") + + // Critical: emulate ACLMiddleware's effect. user@bitnest.cc, elevation = false. + ctx := context.WithValue(req.Context(), EmailKey, "user@bitnest.cc") + ctx = context.WithValue(ctx, ElevatedKey, false) + req = req.WithContext(ctx) + + rec := httptest.NewRecorder() + ServeFileAPI(cfg, rec, req) + + if rec.Code == http.StatusOK || rec.Code == http.StatusCreated { + t.Errorf("BUG REPRODUCED — un-elevated non-doc-controller wrote to WORM issued/: status=%d body=%q", rec.Code, rec.Body.String()) + } else if rec.Code != http.StatusForbidden { + t.Errorf("status=%d (want 403); body=%q", rec.Code, rec.Body.String()) + } + + // Bytes-on-disk check too: even if the response says forbidden, the + // write must NOT have landed. + gotBytes, _ := os.ReadFile(target) + if string(gotBytes) != "# original\n" { + t.Errorf("file bytes mutated: got %q, want original", string(gotBytes)) + } +}