ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
251 lines
7.4 KiB
Go
251 lines
7.4 KiB
Go
package zddc
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
)
|
|
|
|
// resetCache empties the package-level policyCache so each test starts clean.
|
|
func resetCache() {
|
|
policyCache.Range(func(k, _ any) bool {
|
|
policyCache.Delete(k)
|
|
return true
|
|
})
|
|
}
|
|
|
|
func writeZddc(t *testing.T, dir, body string) {
|
|
t.Helper()
|
|
if err := os.WriteFile(filepath.Join(dir, ".zddc"), []byte(body), 0o644); err != nil {
|
|
t.Fatalf("write .zddc in %s: %v", dir, err)
|
|
}
|
|
}
|
|
|
|
func TestEffectivePolicy(t *testing.T) {
|
|
t.Run("no .zddc files anywhere: chain has no files", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
leaf := filepath.Join(root, "a", "b")
|
|
if err := os.MkdirAll(leaf, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
chain, err := EffectivePolicy(root, leaf)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if chain.HasAnyFile {
|
|
t.Errorf("HasAnyFile = true, want false")
|
|
}
|
|
// One level per directory (root, root/a, root/a/b) = 3
|
|
if got, want := len(chain.Levels), 3; got != want {
|
|
t.Errorf("len(Levels) = %d, want %d", got, want)
|
|
}
|
|
})
|
|
|
|
t.Run("cascade order is root → leaf", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
mid := filepath.Join(root, "a")
|
|
leaf := filepath.Join(mid, "b")
|
|
if err := os.MkdirAll(leaf, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
writeZddc(t, root, "acl:\n permissions:\n root@example.com: rwcd\n")
|
|
writeZddc(t, leaf, "acl:\n permissions:\n leaf@example.com: rwcd\n")
|
|
|
|
chain, err := EffectivePolicy(root, leaf)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !chain.HasAnyFile {
|
|
t.Error("HasAnyFile = false, want true")
|
|
}
|
|
if len(chain.Levels) != 3 {
|
|
t.Fatalf("len(Levels) = %d, want 3", len(chain.Levels))
|
|
}
|
|
if got := chain.Levels[0].ACL.Permissions["root@example.com"]; got != "rwcd" {
|
|
t.Errorf("root level permissions[root] = %q, want %q", got, "rwcd")
|
|
}
|
|
// Middle level has no fixture-specific .zddc; the merge accumulator
|
|
// at this depth must not have grown a root@/leaf@ entry from
|
|
// somewhere unexpected.
|
|
if _, ok := chain.Levels[1].ACL.Permissions["root@example.com"]; ok {
|
|
t.Errorf("middle level unexpectedly carries root@example.com")
|
|
}
|
|
if _, ok := chain.Levels[1].ACL.Permissions["leaf@example.com"]; ok {
|
|
t.Errorf("middle level unexpectedly carries leaf@example.com")
|
|
}
|
|
if got := chain.Levels[2].ACL.Permissions["leaf@example.com"]; got != "rwcd" {
|
|
t.Errorf("leaf level permissions[leaf] = %q, want %q", got, "rwcd")
|
|
}
|
|
})
|
|
|
|
t.Run("dirPath outside fsRoot returns empty chain", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
other := t.TempDir() // unrelated tree
|
|
|
|
chain, err := EffectivePolicy(root, other)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if chain.HasAnyFile {
|
|
t.Error("HasAnyFile = true, want false for out-of-root path")
|
|
}
|
|
if len(chain.Levels) != 0 {
|
|
t.Errorf("len(Levels) = %d, want 0", len(chain.Levels))
|
|
}
|
|
})
|
|
|
|
t.Run("malformed .zddc yields empty level but does not abort the chain", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
leaf := filepath.Join(root, "a")
|
|
if err := os.MkdirAll(leaf, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// Garbage YAML
|
|
writeZddc(t, root, "::: not yaml :::")
|
|
writeZddc(t, leaf, "acl:\n permissions:\n leaf@example.com: rwcd\n")
|
|
|
|
chain, err := EffectivePolicy(root, leaf)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !chain.HasAnyFile {
|
|
t.Error("HasAnyFile = false, want true (malformed file still counts as present)")
|
|
}
|
|
// Root level parsed empty (parse error path), leaf level has the rule
|
|
if got := chain.Levels[0].ACL.Permissions; len(got) != 0 {
|
|
t.Errorf("root level permissions = %v, want empty (parse error)", got)
|
|
}
|
|
if got := chain.Levels[1].ACL.Permissions["leaf@example.com"]; got != "rwcd" {
|
|
t.Errorf("leaf level permissions[leaf] = %q, want %q", got, "rwcd")
|
|
}
|
|
})
|
|
|
|
t.Run("dirPath equal to fsRoot has single level", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
writeZddc(t, root, "acl:\n permissions:\n root@example.com: rwcd\n")
|
|
|
|
chain, err := EffectivePolicy(root, root)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(chain.Levels) != 1 {
|
|
t.Errorf("len(Levels) = %d, want 1", len(chain.Levels))
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestEffectivePolicyEndToEnd(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
pub := filepath.Join(root, "public")
|
|
priv := filepath.Join(root, "private")
|
|
for _, d := range []string{pub, priv} {
|
|
if err := os.MkdirAll(d, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
writeZddc(t, priv, "acl:\n permissions:\n \"alice@example.com\": r\n \"bob@example.com\": \"\"\n")
|
|
|
|
// public/: no .zddc on the chain → default allow for everyone
|
|
chainPub, _ := EffectivePolicy(root, pub)
|
|
if !AllowedAction(chainPub, "anyone@anywhere.com", VerbR) {
|
|
t.Error("public/ should be open when no .zddc files exist on the chain")
|
|
}
|
|
|
|
// private/: has rules → only alice gets in
|
|
chainPriv, _ := EffectivePolicy(root, priv)
|
|
if !AllowedAction(chainPriv, "alice@example.com", VerbR) {
|
|
t.Error("alice should be allowed in private/")
|
|
}
|
|
if AllowedAction(chainPriv, "bob@example.com", VerbR) {
|
|
t.Error("bob should be denied in private/")
|
|
}
|
|
if AllowedAction(chainPriv, "carol@example.com", VerbR) {
|
|
t.Error("carol (unlisted) should be denied in private/ when files exist")
|
|
}
|
|
}
|
|
|
|
func TestInvalidateCache(t *testing.T) {
|
|
t.Run("invalidates exact path", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
dir := filepath.Join(root, "a")
|
|
if err := os.MkdirAll(dir, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, _ = EffectivePolicy(root, dir)
|
|
if _, ok := policyCache.Load(dir); !ok {
|
|
t.Fatal("cache should contain entry after EffectivePolicy")
|
|
}
|
|
InvalidateCache(dir)
|
|
if _, ok := policyCache.Load(dir); ok {
|
|
t.Error("cache should not contain entry after InvalidateCache")
|
|
}
|
|
})
|
|
|
|
t.Run("invalidates descendants when parent changes", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
mid := filepath.Join(root, "a")
|
|
leaf := filepath.Join(mid, "b")
|
|
sibling := filepath.Join(root, "c")
|
|
for _, d := range []string{leaf, sibling} {
|
|
if err := os.MkdirAll(d, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
// Populate cache for mid, leaf, sibling
|
|
_, _ = EffectivePolicy(root, mid)
|
|
_, _ = EffectivePolicy(root, leaf)
|
|
_, _ = EffectivePolicy(root, sibling)
|
|
for _, p := range []string{mid, leaf, sibling} {
|
|
if _, ok := policyCache.Load(p); !ok {
|
|
t.Fatalf("cache missing %s", p)
|
|
}
|
|
}
|
|
|
|
// Change a .zddc in mid → InvalidateCache(mid) drops mid and leaf, keeps sibling
|
|
InvalidateCache(mid)
|
|
if _, ok := policyCache.Load(mid); ok {
|
|
t.Error("mid should be invalidated")
|
|
}
|
|
if _, ok := policyCache.Load(leaf); ok {
|
|
t.Error("leaf (descendant of mid) should be invalidated")
|
|
}
|
|
if _, ok := policyCache.Load(sibling); !ok {
|
|
t.Error("sibling should remain cached")
|
|
}
|
|
})
|
|
|
|
t.Run("invalidating a path does not invalidate string-prefix-but-not-path-prefix", func(t *testing.T) {
|
|
resetCache()
|
|
root := t.TempDir()
|
|
// "/tmp/foo" should not invalidate "/tmp/foobar" — the implementation guards
|
|
// this by appending the separator before HasPrefix.
|
|
foo := filepath.Join(root, "foo")
|
|
foobar := filepath.Join(root, "foobar")
|
|
for _, d := range []string{foo, foobar} {
|
|
if err := os.MkdirAll(d, 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
_, _ = EffectivePolicy(root, foo)
|
|
_, _ = EffectivePolicy(root, foobar)
|
|
|
|
InvalidateCache(foo)
|
|
if _, ok := policyCache.Load(foo); ok {
|
|
t.Error("foo should be invalidated")
|
|
}
|
|
if _, ok := policyCache.Load(foobar); !ok {
|
|
t.Error("foobar should NOT be invalidated by InvalidateCache(foo)")
|
|
}
|
|
})
|
|
}
|