ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
163 lines
5.4 KiB
Go
163 lines
5.4 KiB
Go
package handler
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/policy"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
)
|
|
|
|
// writeError is the JSON envelope used by admin-write endpoints to
|
|
// surface zddc.ValidateFile field errors back to the caller.
|
|
type writeError struct {
|
|
Errors []zddc.FieldError `json:"errors"`
|
|
}
|
|
|
|
// projectCreateRequest is the wire shape for POST /.profile/projects.
|
|
//
|
|
// All fields except parent and name are optional. The ACL/admins/title
|
|
// fields are bundled into a starter .zddc only if at least one is supplied;
|
|
// otherwise the new directory is left empty and inherits ACL from its
|
|
// ancestors.
|
|
type projectCreateRequest struct {
|
|
Parent string `json:"parent"`
|
|
Name string `json:"name"`
|
|
Title string `json:"title,omitempty"`
|
|
ACL *zddc.ACLRules `json:"acl,omitempty"`
|
|
Admins []string `json:"admins,omitempty"`
|
|
}
|
|
|
|
// projectCreateResponse is the success payload.
|
|
type projectCreateResponse struct {
|
|
Path string `json:"path"`
|
|
URL string `json:"url"`
|
|
}
|
|
|
|
// serveProfileProjectsCreate handles POST /.profile/projects.
|
|
//
|
|
// Authorization is the cascade's ActionCreate verb at the prospective
|
|
// parent directory — the same `c` permission used everywhere else.
|
|
// Super-admins pass via the decider's IsActiveAdmin bypass; explicitly
|
|
// granted principals (e.g., `*@example.com: c` on the root .zddc) pass
|
|
// via the normal ACL path. Non-authorized callers receive 404 to keep
|
|
// this endpoint's existence hidden alongside the rest of /.profile.
|
|
//
|
|
// The new project's .zddc is seeded with the creator's email in
|
|
// `admins:` (unless the request body supplied an explicit list). That
|
|
// makes them subtree admin of their own project from birth — they can
|
|
// manage deeper .zddc files, define roles, set per-stage ACLs. The
|
|
// strict-ancestor rule still applies to /<project>/.zddc itself; that
|
|
// stays editable only by ancestor admins (root super-admins).
|
|
func serveProfileProjectsCreate(cfg config.Config, w http.ResponseWriter, r *http.Request) {
|
|
p := PrincipalFromContext(r)
|
|
if r.Method != http.MethodPost {
|
|
w.Header().Set("Allow", "POST")
|
|
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
defer r.Body.Close()
|
|
dec := json.NewDecoder(r.Body)
|
|
dec.DisallowUnknownFields()
|
|
var req projectCreateRequest
|
|
if err := dec.Decode(&req); err != nil {
|
|
http.Error(w, "Bad Request: "+err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if err := zddc.ValidateProjectName(req.Name); err != nil {
|
|
writeFieldError(w, http.StatusBadRequest, "name", err.Error())
|
|
return
|
|
}
|
|
parentAbs, err := resolvePath(cfg.Root, req.Parent)
|
|
if err != nil {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
if pi, err := os.Stat(parentAbs); err != nil || !pi.IsDir() {
|
|
http.Error(w, "Parent directory not found", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Cascade-driven authorization: ActionCreate at the parent directory.
|
|
// 404 (not 403) on deny to match the rest of /.profile/'s existence-
|
|
// hiding policy.
|
|
parentChain, err := zddc.EffectivePolicy(cfg.Root, parentAbs)
|
|
if err != nil {
|
|
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
parentRel, _ := filepath.Rel(cfg.Root, parentAbs)
|
|
parentURL := "/"
|
|
if parentRel != "." && parentRel != "" {
|
|
parentURL = "/" + filepath.ToSlash(parentRel) + "/"
|
|
}
|
|
allowed, _ := policy.AllowActionFromChainP(r.Context(), DeciderFromContext(r), parentChain, p, parentURL, policy.ActionCreate)
|
|
if !allowed {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
|
|
newDir := filepath.Join(parentAbs, req.Name)
|
|
if _, err := os.Stat(newDir); err == nil {
|
|
http.Error(w, "Conflict: directory already exists", http.StatusConflict)
|
|
return
|
|
}
|
|
|
|
// Always seed a starter .zddc — the creator becomes subtree admin of
|
|
// their new project. Caller can also pass title / ACL / extra
|
|
// admins on top.
|
|
admins := req.Admins
|
|
if len(admins) == 0 && p.Email != "" {
|
|
admins = []string{p.Email}
|
|
}
|
|
var zf zddc.ZddcFile
|
|
zf.Title = req.Title
|
|
if req.ACL != nil {
|
|
zf.ACL = *req.ACL
|
|
}
|
|
zf.Admins = admins
|
|
wantsZddc := len(zf.Admins) > 0 || zf.Title != "" ||
|
|
(req.ACL != nil && len(req.ACL.Permissions) > 0)
|
|
if wantsZddc {
|
|
if errs := zddc.ValidateFile(zf); len(errs) > 0 {
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_ = json.NewEncoder(w).Encode(writeError{Errors: errs})
|
|
return
|
|
}
|
|
}
|
|
|
|
if err := os.MkdirAll(newDir, 0o755); err != nil {
|
|
http.Error(w, "Internal Server Error: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if wantsZddc {
|
|
if err := zddc.WriteFile(newDir, zf); err != nil {
|
|
// Best-effort rollback: remove the empty dir we just created.
|
|
_ = os.Remove(newDir)
|
|
http.Error(w, "Internal Server Error: "+err.Error(), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
|
|
urlPath := urlPathOf(cfg.Root, newDir)
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(http.StatusCreated)
|
|
_ = json.NewEncoder(w).Encode(projectCreateResponse{
|
|
Path: urlPath,
|
|
URL: urlPath + "/",
|
|
})
|
|
}
|
|
|
|
// writeFieldError emits a single-error writeError JSON body — used when
|
|
// validation fails for a top-level scalar field like `name`.
|
|
func writeFieldError(w http.ResponseWriter, status int, field, message string) {
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(status)
|
|
_ = json.NewEncoder(w).Encode(writeError{Errors: []zddc.FieldError{{Field: field, Message: message}}})
|
|
}
|