VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	a01315fd00	feat(server): reference Rego, parity test, decision cache, listing ETags Phase 2 enhancements to the policy decider, plus listing-level ETags that benefit every deployment regardless of decider mode. Reference Rego policy --------------------- internal/policy/rego/access.rego mirrors InternalDecider's semantics exactly — bottom-up walk, deny-first within a level, default-deny when HasAnyFile=true, glob matching with @-boundary semantics (special-cased bare "" because OPA's glob.match treats empty delimiters inconsistently for that pattern). Embedded into the binary via go:embed; --print-rego dumps it to stdout so federal customers standing up an external OPA can use it as a parity-tested baseline: zddc-server --print-rego > /etc/opa/policies/zddc-access.rego Parity test runner ------------------ parity_test.go imports the OPA Go module as a TEST-ONLY dependency (github.com/open-policy-agent/opa@v0.70.0). Every fixture from the internal Go evaluator's test set runs through both implementations; any divergence fails CI. The test-only import means production binaries (built by `go build ./cmd/zddc-server`) stay OPA-free — release-flag binary size unchanged at ~13 MB. The parity test caught a real bug on first run: bare "" patterns didn't match through OPA's glob.match with empty delimiters. Fixed in access.rego with a special-case rule. This is exactly the kind of subtle drift the parity guard exists to catch. External-mode decision cache ---------------------------- HTTPDecider is now wrapped in a cachingDecider with a default 1s TTL. Bursty patterns like .archive listings (one OPA round-trip per entry before, one per (email, decision-input) tuple per TTL window after) amortize cleanly. Verified: 20 identical /D/ requests produce 1 OPA hit with cache, 40 hits without (each listing makes 2 ACL queries). ZDDC_OPA_CACHE_TTL knob (default 1s) lets operators tune. 0 disables. 1s matches the fsnotify watcher debounce window — staleness is bounded the same way other policy-edit propagation already is. Internal mode unchanged; the in-process Go evaluator is already cheaper than a cache lookup would be. Listing ETags ------------- GET / (project list) and GET /<dir>/ (directory listing JSON) now carry content-hash ETag + Cache-Control: private, max-age=0, must-revalidate. SHA-256 of the rendered JSON, truncated to 16 hex chars (64 bits — collision risk on a listing of any realistic size is vanishingly small). Server-side caching deliberately not added: it would require mtime-based invalidation, and Azure Files SMB mounts (a common deployment substrate) don't support fsnotify reliably. The content-hash ETag delivers the bandwidth savings (304 on identical fetches) without depending on watcher correctness — the hash is the actual response, so it can't lie about staleness regardless of underlying watcher behavior. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 17:46:24 -05:00
ZDDC	e911806eda	feat(server): pluggable OPA-compatible policy decider Add an internal access-decision boundary that all handlers go through instead of calling zddc.AllowedWithChain directly. Two implementations ship: * InternalDecider — wraps the existing zddc.AllowedWithChain. The default. No new dependencies, identical semantics to the legacy code path. ZDDC_OPA_URL=internal (or unset). * HTTPDecider — POSTs the canonical OPA wire format (POST /v1/data/zddc/access/allow with {"input": {...}}, response {"result": true\|false}) over HTTP, HTTPS, or a Unix-domain socket. For federal customers running their own audited Rego policies alongside zddc-server. ZDDC_OPA_URL=http(s)://… or unix:///…. External-mode failure semantics: unreachable / non-2xx / malformed response → fail closed (deny) by default with a WARN log. Operators who prefer availability over correctness flip with ZDDC_OPA_FAIL_OPEN=1. The decider is constructed once at startup, plumbed through ACLMiddleware into the request context. Handlers retrieve it via DeciderFromContext; non-request callers (fs.ListDirectory, EnumerateProjects, enumerateAccess) take it as an explicit parameter. zddc.ZddcFile and zddc.ACLRules gain JSON tags so external Rego authors get idiomatic input shape (acl.allow, admins, …) instead of Go field names (ACL.Allow, Admins, …). Test coverage: * InternalDecider parity tests against zddc.AllowedWithChain (every documented cascade scenario: empty chain, leaf-allow-wins, leaf- deny-beats-parent, leaf-allows-what-parent-denies, deepest-match- wins, etc.) * HTTPDecider happy-path test (canonical wire format) * Fail-closed / fail-open / malformed-response tests Production binary size unchanged (no new deps; HTTP transport is stdlib net/http). 11 ACL call sites migrated. End-to-end verified against the worked-example layout in zddc/README.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 17:45:07 -05:00

Author

SHA1

Message

Date

ZDDC

a01315fd00

feat(server): reference Rego, parity test, decision cache, listing ETags

Phase 2 enhancements to the policy decider, plus listing-level ETags
that benefit every deployment regardless of decider mode.

Reference Rego policy
---------------------
internal/policy/rego/access.rego mirrors InternalDecider's semantics
exactly — bottom-up walk, deny-first within a level, default-deny when
HasAnyFile=true, glob matching with @-boundary semantics (special-cased
bare "*" because OPA's glob.match treats empty delimiters
inconsistently for that pattern).

Embedded into the binary via go:embed; --print-rego dumps it to stdout
so federal customers standing up an external OPA can use it as a
parity-tested baseline:

    zddc-server --print-rego > /etc/opa/policies/zddc-access.rego

Parity test runner
------------------
parity_test.go imports the OPA Go module as a TEST-ONLY dependency
(github.com/open-policy-agent/opa@v0.70.0). Every fixture from the
internal Go evaluator's test set runs through both implementations;
any divergence fails CI. The test-only import means production
binaries (built by `go build ./cmd/zddc-server`) stay OPA-free —
release-flag binary size unchanged at ~13 MB.

The parity test caught a real bug on first run: bare "*" patterns
didn't match through OPA's glob.match with empty delimiters. Fixed
in access.rego with a special-case rule. This is exactly the kind of
subtle drift the parity guard exists to catch.

External-mode decision cache
----------------------------
HTTPDecider is now wrapped in a cachingDecider with a default 1s TTL.
Bursty patterns like .archive listings (one OPA round-trip per entry
before, one per (email, decision-input) tuple per TTL window after)
amortize cleanly. Verified: 20 identical /D/ requests produce 1 OPA
hit with cache, 40 hits without (each listing makes 2 ACL queries).

ZDDC_OPA_CACHE_TTL knob (default 1s) lets operators tune. 0 disables.
1s matches the fsnotify watcher debounce window — staleness is
bounded the same way other policy-edit propagation already is.
Internal mode unchanged; the in-process Go evaluator is already
cheaper than a cache lookup would be.

Listing ETags
-------------
GET / (project list) and GET /<dir>/ (directory listing JSON) now
carry content-hash ETag + Cache-Control: private, max-age=0,
must-revalidate. SHA-256 of the rendered JSON, truncated to 16 hex
chars (64 bits — collision risk on a listing of any realistic size
is vanishingly small).

Server-side caching deliberately not added: it would require
mtime-based invalidation, and Azure Files SMB mounts (a common
deployment substrate) don't support fsnotify reliably. The
content-hash ETag delivers the bandwidth savings (304 on identical
fetches) without depending on watcher correctness — the hash is the
actual response, so it can't lie about staleness regardless of
underlying watcher behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-04 17:46:24 -05:00

ZDDC

e911806eda

feat(server): pluggable OPA-compatible policy decider

Add an internal access-decision boundary that all handlers go through
instead of calling zddc.AllowedWithChain directly. Two implementations
ship:

  * InternalDecider — wraps the existing zddc.AllowedWithChain. The
    default. No new dependencies, identical semantics to the legacy
    code path. ZDDC_OPA_URL=internal (or unset).

  * HTTPDecider — POSTs the canonical OPA wire format
    (POST /v1/data/zddc/access/allow with {"input": {...}}, response
    {"result": true|false}) over HTTP, HTTPS, or a Unix-domain socket.
    For federal customers running their own audited Rego policies
    alongside zddc-server. ZDDC_OPA_URL=http(s)://… or unix:///….

External-mode failure semantics: unreachable / non-2xx / malformed
response → fail closed (deny) by default with a WARN log. Operators
who prefer availability over correctness flip with ZDDC_OPA_FAIL_OPEN=1.

The decider is constructed once at startup, plumbed through ACLMiddleware
into the request context. Handlers retrieve it via DeciderFromContext;
non-request callers (fs.ListDirectory, EnumerateProjects, enumerateAccess)
take it as an explicit parameter.

zddc.ZddcFile and zddc.ACLRules gain JSON tags so external Rego authors
get idiomatic input shape (acl.allow, admins, …) instead of Go field
names (ACL.Allow, Admins, …).

Test coverage:
  * InternalDecider parity tests against zddc.AllowedWithChain (every
    documented cascade scenario: empty chain, leaf-allow-wins, leaf-
    deny-beats-parent, leaf-allows-what-parent-denies, deepest-match-
    wins, etc.)
  * HTTPDecider happy-path test (canonical wire format)
  * Fail-closed / fail-open / malformed-response tests

Production binary size unchanged (no new deps; HTTP transport is
stdlib net/http). 11 ACL call sites migrated. End-to-end verified
against the worked-example layout in zddc/README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-04 17:45:07 -05:00

2 commits