VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/policy/rego.go
ZDDC 6d132572d3 chore(server): drop the federal reference Rego (bring-your-own-policy) 
Decision: external OPA is a bring-your-own-policy escape hatch, not a
supported turnkey mode — so stop shipping access_federal.rego. A verb-blind
read-ACL policy under NIST AC-6 branding is a liability to hand a federal
evaluator, and (like access.rego before the fail-close) it over-granted writes
and ignored WORM. The HTTPDecider + Decider interface stay: operators who want
an AC-6 ancestor-deny-absolute posture write their own Rego.

- Delete rego/access_federal.rego, FederalRego, --print-rego=federal, and
  federal_parity_test.go; trim the federal cases from rego_failclosed_test.go.
- Reframe every doc reference (rego.go, main.go, file.go, ARCHITECTURE.md,
  README.md) to "operators write their own Rego"; rewrite the README
  "Reference Rego policy" section to describe the single fail-closed read-ACL
  skeleton accurately (it also still carried the now-removed "mirrors exactly"
  parity claim).

Out of scope (flagged): the broader federal-readiness narrative
(FedRAMP/FIPS/IdP) and the separate website page federal.html still discuss
federal posture — the OPA bring-your-own-Rego path stays valid, but a
deliberate review with the federal go-to-market in mind is warranted.

go vet + full go test ./... green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 08:45:21 -05:00

32 lines
1.4 KiB
Go
Raw Blame History

package policy
import _ "embed"
// ReferenceRego is a read-ACL Rego SKELETON bundled with zddc-server for
// external-OPA deployments. It models the read cascade ONLY and is NOT a
// semantic mirror of the InternalDecider: it does not implement per-verb
// authorization (write/create/delete/admin), WORM zones, roles, fences, or
// config-edit, so it is FAIL-CLOSED — every non-read action is denied except
// for an elevated admin (input.user.is_active_admin). The InternalDecider
// remains the production source of truth. parity_test.go (OPA as a test-only
// dependency, so the production binary stays OPA-free) checks the modelled
// read-cascade dimension only — it does NOT prove full parity.
//
// Operators running an external OPA can use this as a STARTING POINT — they
// must add the unmodelled write/WORM/role/admin semantics before relying on
// it for write authorization:
//
// zddc-server --print-rego > /etc/opa/policies/zddc-access.rego
//
// Customizations typical for federal deployments:
//
// - Flip the leaf-allow-overrides-parent-deny semantics so parent denies
// are absolute (NIST AC-6 least-privilege posture).
// - Add role-based access via additional input fields (input.user.roles
// populated by the upstream proxy from SAML/OIDC claims).
// - Add time-of-day or IP-range constraints.
// - Emit decision logs in a SIEM-friendly format via OPA's logging
// plugins.
//
//go:embed rego/access.rego
var ReferenceRego string
Reference in a new issue View git blame Copy permalink