Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
package zddc
import "testing"
// buildChain assembles a PolicyChain from the given levels, ordered
// root-to-leaf, and marks it as having at least one file (HasAnyFile=true).
func buildChain(levels ...ZddcFile) PolicyChain {
	chain := PolicyChain{HasAnyFile: true}
	chain.Levels = levels
	return chain
}
// aclFenced returns ACLRules carrying perms and an explicit Inherit value.
// The tests in this file pass inherit=false to model a "fence": a level
// that is expected to cut off grants and roles defined by its ancestors.
func aclFenced(perms map[string]string, inherit bool) ACLRules {
	rules := ACLRules{Permissions: perms}
	// Inherit is a pointer, so an explicit false stays distinguishable
	// from "not set".
	rules.Inherit = &inherit
	return rules
}
// aclOpen returns ACLRules carrying perms with Inherit left unset (nil),
// i.e. a level that places no fence of its own.
func aclOpen(perms map[string]string) ACLRules {
	var rules ACLRules
	rules.Permissions = perms
	return rules
}
// TestVisibleStart_NoFence checks that a three-level chain in which no
// level sets Inherit reports VisibleStart(2) == 0, so the whole chain from
// the root down is in scope for the leaf.
func TestVisibleStart_NoFence(t *testing.T) {
	root := ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})}
	mid := ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcd"})}
	leaf := ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcda"})}
	chain := buildChain(root, mid, leaf)

	start := chain.VisibleStart(2)
	if start == 0 {
		return
	}
	t.Errorf("no fence: VisibleStart = %d, want 0", start)
}
// TestVisibleStart_FenceClampsToFence checks that a fence (Inherit=false)
// at level 1 becomes the visible start for level 1 and for everything
// below it, while level 0, which sits above the fence, still starts at 0.
func TestVisibleStart_FenceClampsToFence(t *testing.T) {
	root := ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})}
	fenced := ZddcFile{ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false)}
	leaf := ZddcFile{ACL: aclOpen(map[string]string{})}
	chain := buildChain(root, fenced, leaf)

	// Below the fence: the leaf must not see past level 1.
	belowFence := chain.VisibleStart(2)
	if belowFence != 1 {
		t.Errorf("fence at 1: VisibleStart(2) = %d, want 1", belowFence)
	}

	// At the fence itself: the fenced level is its own start.
	atFence := chain.VisibleStart(1)
	if atFence != 1 {
		t.Errorf("fence at 1: VisibleStart(1) = %d, want 1", atFence)
	}

	// A fence deeper than the queried index must not affect the result.
	aboveFence := chain.VisibleStart(0)
	if aboveFence != 0 {
		t.Errorf("fence at 1: VisibleStart(0) = %d, want 0 (fence not yet in scope)", aboveFence)
	}
}
// TestVisibleStart_NestedFencesDeepestWins checks that when two levels on
// the path both fence (Inherit=false at levels 1 and 2), the one closest to
// the queried level wins: VisibleStart(3) must be 2, not 1.
func TestVisibleStart_NestedFencesDeepestWins(t *testing.T) {
	root := ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})}
	outerFence := ZddcFile{ACL: aclFenced(map[string]string{"*@a.com": "r"}, false)}
	innerFence := ZddcFile{ACL: aclFenced(map[string]string{"*@b.com": "rwcd"}, false)}
	leaf := ZddcFile{ACL: aclOpen(map[string]string{})}
	chain := buildChain(root, outerFence, innerFence, leaf)

	start := chain.VisibleStart(3)
	if start == 2 {
		return
	}
	t.Errorf("nested fence: deepest wins, got %d want 2", start)
}
// TestEffectiveVerbs_FenceHidesAncestorGrants is an end-to-end check that a
// fence at the vendor folder hides root-level grants from principals who do
// not match any grant on the vendor folder itself.
//
// NOTE(review): the vendor level also grants "rwcda" to _doc_controller,
// but nothing in this test asserts on that role grant.
func TestEffectiveVerbs_FenceHidesAncestorGrants(t *testing.T) {
	// Root: every *@example.com principal is granted rwcd.
	root := ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcd"})}

	// Vendor folder: grants only to *@vendor.com and the _doc_controller
	// role, with Inherit=false. There is no explicit deny entry; the
	// fence alone is what must keep the root grant from applying here.
	vendorPerms := map[string]string{
		"*@vendor.com":    "rwcd",
		"_doc_controller": "rwcda",
	}
	vendor := ZddcFile{ACL: aclFenced(vendorPerms, false)}

	chain := buildChain(root, vendor)

	// alice@example.com matches only the root grant, which sits above the
	// fence, so she must end up with no verbs at all in the vendor folder.
	aliceVerbs := EffectiveVerbs(chain, "alice@example.com")
	if aliceVerbs != 0 {
		t.Errorf("alice should be denied by fence; got %s", aliceVerbs)
	}

	// rep@vendor.com matches the vendor folder's own *@vendor.com rule.
	vendorVerbs := EffectiveVerbs(chain, "rep@vendor.com")
	if vendorVerbs != VerbsRWCD {
		t.Errorf("vendor should have rwcd; got %s", vendorVerbs)
	}
}
// TestRoleMembers_FenceHidesAncestorRoles checks that a role defined above
// a fence is invisible at and below it. Operators who fence a subtree must
// redefine any role they still want to use there.
func TestRoleMembers_FenceHidesAncestorRoles(t *testing.T) {
	chain := buildChain(
		// Root defines _doc_controller and has no fence.
		ZddcFile{
			Roles: map[string]Role{"_doc_controller": {Members: []string{"dc@example.com"}}},
			ACL:   aclOpen(map[string]string{"*@example.com": "r"}),
		},
		// Fenced level defines no roles of its own.
		ZddcFile{
			ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false),
		},
	)

	// Queried at the fenced level, the root's role must not resolve. The
	// comparison is against nil, so an empty non-nil slice also fails.
	members := RoleMembers(chain, 1, "_doc_controller")
	if members == nil {
		return
	}
	t.Errorf("role above fence should be invisible; got %v", members)
}
// TestRoleMembers_LocalRedefinitionWorks checks that a role redefined on
// the fenced level resolves to the local member list only: the definition
// sits at the fence, so it is visible, while the root definition of the
// same role is not.
func TestRoleMembers_LocalRedefinitionWorks(t *testing.T) {
	const role = "_doc_controller"

	root := ZddcFile{
		Roles: map[string]Role{role: {Members: []string{"dc@example.com"}}},
	}
	fenced := ZddcFile{
		ACL:   aclFenced(map[string]string{role: "rwcda"}, false),
		Roles: map[string]Role{role: {Members: []string{"vendor-dc@example.com"}}},
	}
	chain := buildChain(root, fenced)

	members := RoleMembers(chain, 1, role)
	// Exactly one member, and it must be the locally defined one; the
	// root's dc@example.com must not be merged in.
	if len(members) == 1 && members[0] == "vendor-dc@example.com" {
		return
	}
	t.Errorf("local redefinition should win; got %v", members)
}