VARASYS/ZDDC - Forgejo: Beyond coding. We forge.

VARASYS/ZDDC

Fork 0

Commit graph

Author	SHA1	Message	Date
ZDDC	a01315fd00	feat(server): reference Rego, parity test, decision cache, listing ETags Phase 2 enhancements to the policy decider, plus listing-level ETags that benefit every deployment regardless of decider mode. Reference Rego policy --------------------- internal/policy/rego/access.rego mirrors InternalDecider's semantics exactly — bottom-up walk, deny-first within a level, default-deny when HasAnyFile=true, glob matching with @-boundary semantics (special-cased bare "" because OPA's glob.match treats empty delimiters inconsistently for that pattern). Embedded into the binary via go:embed; --print-rego dumps it to stdout so federal customers standing up an external OPA can use it as a parity-tested baseline: zddc-server --print-rego > /etc/opa/policies/zddc-access.rego Parity test runner ------------------ parity_test.go imports the OPA Go module as a TEST-ONLY dependency (github.com/open-policy-agent/opa@v0.70.0). Every fixture from the internal Go evaluator's test set runs through both implementations; any divergence fails CI. The test-only import means production binaries (built by `go build ./cmd/zddc-server`) stay OPA-free — release-flag binary size unchanged at ~13 MB. The parity test caught a real bug on first run: bare "" patterns didn't match through OPA's glob.match with empty delimiters. Fixed in access.rego with a special-case rule. This is exactly the kind of subtle drift the parity guard exists to catch. External-mode decision cache ---------------------------- HTTPDecider is now wrapped in a cachingDecider with a default 1s TTL. Bursty patterns like .archive listings (one OPA round-trip per entry before, one per (email, decision-input) tuple per TTL window after) amortize cleanly. Verified: 20 identical /D/ requests produce 1 OPA hit with cache, 40 hits without (each listing makes 2 ACL queries). ZDDC_OPA_CACHE_TTL knob (default 1s) lets operators tune. 0 disables. 1s matches the fsnotify watcher debounce window — staleness is bounded the same way other policy-edit propagation already is. Internal mode unchanged; the in-process Go evaluator is already cheaper than a cache lookup would be. Listing ETags ------------- GET / (project list) and GET /<dir>/ (directory listing JSON) now carry content-hash ETag + Cache-Control: private, max-age=0, must-revalidate. SHA-256 of the rendered JSON, truncated to 16 hex chars (64 bits — collision risk on a listing of any realistic size is vanishingly small). Server-side caching deliberately not added: it would require mtime-based invalidation, and Azure Files SMB mounts (a common deployment substrate) don't support fsnotify reliably. The content-hash ETag delivers the bandwidth savings (304 on identical fetches) without depending on watcher correctness — the hash is the actual response, so it can't lie about staleness regardless of underlying watcher behavior. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 17:46:24 -05:00

Author

SHA1

Message

Date

ZDDC

a01315fd00

feat(server): reference Rego, parity test, decision cache, listing ETags

Phase 2 enhancements to the policy decider, plus listing-level ETags
that benefit every deployment regardless of decider mode.

Reference Rego policy
---------------------
internal/policy/rego/access.rego mirrors InternalDecider's semantics
exactly — bottom-up walk, deny-first within a level, default-deny when
HasAnyFile=true, glob matching with @-boundary semantics (special-cased
bare "*" because OPA's glob.match treats empty delimiters
inconsistently for that pattern).

Embedded into the binary via go:embed; --print-rego dumps it to stdout
so federal customers standing up an external OPA can use it as a
parity-tested baseline:

    zddc-server --print-rego > /etc/opa/policies/zddc-access.rego

Parity test runner
------------------
parity_test.go imports the OPA Go module as a TEST-ONLY dependency
(github.com/open-policy-agent/opa@v0.70.0). Every fixture from the
internal Go evaluator's test set runs through both implementations;
any divergence fails CI. The test-only import means production
binaries (built by `go build ./cmd/zddc-server`) stay OPA-free —
release-flag binary size unchanged at ~13 MB.

The parity test caught a real bug on first run: bare "*" patterns
didn't match through OPA's glob.match with empty delimiters. Fixed
in access.rego with a special-case rule. This is exactly the kind of
subtle drift the parity guard exists to catch.

External-mode decision cache
----------------------------
HTTPDecider is now wrapped in a cachingDecider with a default 1s TTL.
Bursty patterns like .archive listings (one OPA round-trip per entry
before, one per (email, decision-input) tuple per TTL window after)
amortize cleanly. Verified: 20 identical /D/ requests produce 1 OPA
hit with cache, 40 hits without (each listing makes 2 ACL queries).

ZDDC_OPA_CACHE_TTL knob (default 1s) lets operators tune. 0 disables.
1s matches the fsnotify watcher debounce window — staleness is
bounded the same way other policy-edit propagation already is.
Internal mode unchanged; the in-process Go evaluator is already
cheaper than a cache lookup would be.

Listing ETags
-------------
GET / (project list) and GET /<dir>/ (directory listing JSON) now
carry content-hash ETag + Cache-Control: private, max-age=0,
must-revalidate. SHA-256 of the rendered JSON, truncated to 16 hex
chars (64 bits — collision risk on a listing of any realistic size
is vanishingly small).

Server-side caching deliberately not added: it would require
mtime-based invalidation, and Azure Files SMB mounts (a common
deployment substrate) don't support fsnotify reliably. The
content-hash ETag delivers the bandwidth savings (304 on identical
fetches) without depending on watcher correctness — the hash is the
actual response, so it can't lie about staleness regardless of
underlying watcher behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-04 17:46:24 -05:00

1 commit