ZDDC
ee67b9e596
Two related routing fixes:
1. /<project>/archive/<party>/mdl[/] now follows the slash/no-slash
convention uniformly with the rest of the system:
- mdl (no slash) → tables app (default tool for mdl/)
- mdl/ (slash) → browse (ServeDirectory empty-listing fallback)
Previously the slash form auto-redirected to mdl/table.html, which
forced the user into the table view from any party-folder click and
produced a confusing "Unrecognized table URL" error when the
redirect race-conditioned. tableRowsRedirect now only redirects
when a real on-disk table.yaml exists; the default-MDL virtual case
stays in browse via the convention.
New zddc.IsArchivePartyMdlDir helper recognises the canonical
<project>/archive/<party>/mdl pattern at depth 4 (relative path).
fs.ListDirectory uses it to return [] for the missing-on-disk case
so browse renders the empty workspace cleanly. Test updated
(TestServeDirectoryRedirectsDefaultMdl → TestServeDirectoryDefaultMdlNoRedirect).
2. <dir>/.zddc URLs now work at every directory depth.
The dispatcher previously 404'd anything beginning with a dot
(except /.archive and /<dir>/.zddc.html). New IsZddcFileRequest +
ServeZddcFile handlers carve out the raw .zddc leaf so an operator
can navigate to /Project-1/archive/PartyA/mdl/.zddc and inspect
the rules effective at that depth.
Semantics:
- Method: GET / HEAD only. Writes go through the existing admin-
gated form at <dir>/.zddc.html (unchanged).
- ACL: parent directory's read permission gates access; 404
(not 403) is returned to non-readers so existence isn't leaked.
- On disk: file bytes served verbatim with
Content-Type: application/yaml and X-ZDDC-Source: file:<rel>.
- Virtual: when no file exists at this level, a synthetic
placeholder body is returned with a YAML-comment cascade
summary so the reader sees exactly what rules apply here from
ancestors. X-ZDDC-Source: virtual:zddc distinguishes it.
The virtual body parses as valid YAML (`{}` after the comments) so
downstream tooling that consumes the URL isn't confused.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
239 lines
8.6 KiB
Go
239 lines
8.6 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
)
|
|
|
|
// TestServeDirectoryRootIsPublic asserts that the landing page (the root
|
|
// directory listing) is reachable by anyone, including anonymous callers
|
|
// whose email is empty AND whose access would be denied by a restrictive
|
|
// root .zddc. Per-project filtering inside fs.ListDirectory still hides
|
|
// directories the caller can't reach (separately verified below).
|
|
//
|
|
// The behavior was changed when "Everyone needs to have access to the
|
|
// landing page" became the explicit requirement; this test is the
|
|
// regression guard.
|
|
func TestServeDirectoryRootIsPublic(t *testing.T) {
|
|
root := t.TempDir()
|
|
|
|
// Restrictive root .zddc — only admin@example.com is allowed by ACL,
|
|
// nothing else. A user without that email would have been 403'd before
|
|
// the bypass.
|
|
if err := os.WriteFile(filepath.Join(root, ".zddc"),
|
|
[]byte("admins:\n - admin@example.com\nacl:\n allow:\n - admin@example.com\n"),
|
|
0o644); err != nil {
|
|
t.Fatalf("write root .zddc: %v", err)
|
|
}
|
|
|
|
// One project visible to everyone, one only to admin.
|
|
for _, name := range []string{"PublicProj", "PrivateProj"} {
|
|
if err := os.MkdirAll(filepath.Join(root, name), 0o755); err != nil {
|
|
t.Fatalf("mkdir %s: %v", name, err)
|
|
}
|
|
}
|
|
if err := os.WriteFile(filepath.Join(root, "PublicProj", ".zddc"),
|
|
[]byte("acl:\n allow: [\"*\"]\n"), 0o644); err != nil {
|
|
t.Fatalf("write PublicProj .zddc: %v", err)
|
|
}
|
|
if err := os.WriteFile(filepath.Join(root, "PrivateProj", ".zddc"),
|
|
[]byte("acl:\n allow: [admin@example.com]\n"), 0o644); err != nil {
|
|
t.Fatalf("write PrivateProj .zddc: %v", err)
|
|
}
|
|
|
|
cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
|
|
|
|
t.Run("anonymous JSON GET / does not 403", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
// Anonymous: empty email in context.
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want 200 (root is public); body = %s",
|
|
rec.Code, rec.Body.String())
|
|
}
|
|
})
|
|
|
|
t.Run("anonymous JSON GET / hides private projects", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want 200; body = %s", rec.Code, rec.Body.String())
|
|
}
|
|
|
|
var entries []map[string]any
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
|
|
t.Fatalf("invalid JSON: %v\n%s", err, rec.Body.String())
|
|
}
|
|
|
|
names := map[string]bool{}
|
|
for _, e := range entries {
|
|
if n, ok := e["name"].(string); ok {
|
|
names[n] = true
|
|
}
|
|
}
|
|
if !names["PublicProj/"] {
|
|
t.Errorf("PublicProj missing from anonymous listing: %v", names)
|
|
}
|
|
if names["PrivateProj/"] {
|
|
t.Errorf("PrivateProj leaked to anonymous listing: %v", names)
|
|
}
|
|
})
|
|
|
|
t.Run("admin JSON GET / sees both projects", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "admin@example.com"))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("admin status = %d, want 200", rec.Code)
|
|
}
|
|
|
|
var entries []map[string]any
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
|
|
t.Fatalf("invalid JSON: %v", err)
|
|
}
|
|
if len(entries) != 2 {
|
|
t.Errorf("admin should see both projects; got %d", len(entries))
|
|
}
|
|
})
|
|
|
|
t.Run("anonymous still gets 403 on private subdirectory", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/PrivateProj/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code != http.StatusForbidden {
|
|
t.Errorf("private subdir for anonymous: status = %d, want 403", rec.Code)
|
|
}
|
|
})
|
|
}
|
|
|
|
// TestServeDirectoryRedirectsTableRowsDir asserts that an HTML GET on a
|
|
// directory containing a table.yaml bounces to that dir's table.html URL
|
|
// (in-dir convention: /<dir>/table.html serves the table view, the row
|
|
// YAMLs are siblings of table.yaml). JSON GETs fall through to the
|
|
// listing so the table client can still enumerate row files.
|
|
func TestServeDirectoryRedirectsTableRowsDir(t *testing.T) {
|
|
root := t.TempDir()
|
|
mdlDir := filepath.Join(root, "Working", "MDL")
|
|
if err := os.MkdirAll(mdlDir, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := os.WriteFile(filepath.Join(mdlDir, "table.yaml"),
|
|
[]byte(sampleTableSpec), 0o644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := os.WriteFile(filepath.Join(mdlDir, "form.yaml"),
|
|
[]byte(sampleRowFormSpec), 0o644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := os.WriteFile(filepath.Join(root, "Working", ".zddc"), []byte(`acl:
|
|
permissions:
|
|
"*@example.com": rwcda
|
|
`), 0o644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
zddc.InvalidateCache(root)
|
|
|
|
cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
|
|
|
|
t.Run("HTML GET on dir with table.yaml redirects to table.html", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/Working/MDL/", nil)
|
|
req.Header.Set("Accept", "text/html")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "casey@example.com"))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code != http.StatusFound {
|
|
t.Fatalf("status = %d, want 302; body = %s", rec.Code, rec.Body.String())
|
|
}
|
|
if got, want := rec.Header().Get("Location"), "/Working/MDL/table.html"; got != want {
|
|
t.Errorf("Location = %q, want %q", got, want)
|
|
}
|
|
})
|
|
|
|
t.Run("JSON GET on dir with table.yaml falls through to listing", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/Working/MDL/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "casey@example.com"))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want 200; body = %s", rec.Code, rec.Body.String())
|
|
}
|
|
if ct := rec.Header().Get("Content-Type"); ct != "application/json" {
|
|
t.Errorf("Content-Type = %q, want application/json", ct)
|
|
}
|
|
})
|
|
|
|
t.Run("HTML GET on plain dir is not redirected", func(t *testing.T) {
|
|
// Sibling dir without a table.yaml — no redirect.
|
|
if err := os.MkdirAll(filepath.Join(root, "Working", "Other"), 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
req := httptest.NewRequest(http.MethodGet, "/Working/Other/", nil)
|
|
req.Header.Set("Accept", "text/html")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "casey@example.com"))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
if rec.Code == http.StatusFound {
|
|
t.Fatalf("got 302 to %q for non-table dir", rec.Header().Get("Location"))
|
|
}
|
|
})
|
|
}
|
|
|
|
// TestServeDirectoryDefaultMdlNoRedirect covers the default-MDL case:
|
|
// when no on-disk table.yaml exists, archive/<party>/mdl/ (slash form)
|
|
// no longer redirects to mdl/table.html. Per the slash/no-slash
|
|
// convention, the slash form is the browse view; the no-slash form
|
|
// /Project/archive/Acme/mdl serves the tables app via the dispatcher.
|
|
// User-declared tables with a real table.yaml on disk DO still
|
|
// redirect (see TestServeDirectoryRedirectsRealTable).
|
|
func TestServeDirectoryDefaultMdlNoRedirect(t *testing.T) {
|
|
root := t.TempDir()
|
|
if err := os.WriteFile(filepath.Join(root, ".zddc"),
|
|
[]byte("acl:\n permissions:\n \"*@example.com\": rwcda\n"), 0o644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
mdlDir := filepath.Join(root, "Project", "archive", "Acme", "mdl")
|
|
if err := os.MkdirAll(mdlDir, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
zddc.InvalidateCache(root)
|
|
|
|
cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/Project/archive/Acme/mdl/", nil)
|
|
req.Header.Set("Accept", "text/html")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "casey@example.com"))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, nil, rec, req)
|
|
|
|
// Should NOT redirect to /table.html — slash form is browse, not tables.
|
|
if rec.Code == http.StatusFound {
|
|
t.Fatalf("got 302 redirect to %q, want browse view (200)",
|
|
rec.Header().Get("Location"))
|
|
}
|
|
}
|