ZDDC
3115e388fc
Replaces the binary acl.allow/deny model with five permission verbs
(r/w/c/d/a) and first-class roles, and adds an authenticated file API
(PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over
HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps.
File API (zddc/internal/handler/fileapi.go)
- PUT <new> → action c
- PUT <existing> → action w
- PUT <.zddc> → action a (CanEditZddc strict-ancestor rule)
- DELETE → action d
- POST mkdir → action c (auto-writes creator-owned .zddc when the
parent is Incoming/Working/Staging)
- POST move → action w on src + c on dst, atomic via os.Rename
- Optional If-Match for optimistic concurrency, --max-write-bytes cap,
audit log emits a structured file_write event per operation.
Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go)
- acl.permissions: { principal → verb-set } map; principals are email
patterns or role names. Empty verb set is an explicit deny.
- roles: { name → members } definitions, available at the level they
declare and all descendants. Closer-to-leaf shadows ancestor.
- Legacy acl.allow/deny still work; they fold into permissions at
parse time (allow → "rwcd", deny → "").
- Cascade walks leaf→root; first level with any matching entry wins;
the union of matching verb sets at that level decides.
- --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an
ancestor explicit-deny is absolute (NIST AC-6). Default delegated
preserves the existing commercial behavior.
Special folders (zddc/internal/zddc/special.go)
- Incoming / Working / Staging: mkdir auto-writes a .zddc into the new
subdir granting created_by + that email rwcda directly. Same form
operators write by hand; creator can edit it later to add others.
- Issued / Received: server-enforced WORM split. Cascade grants
inherited from above the WORM folder are masked to r only; grants
placed at-or-below the WORM folder retain r,c. Operators grant
write-once (cr) to the doc controller via an explicit .zddc at the
Issued/Received folder. Admins exempt — only escape hatch.
Browser polyfill (shared/zddc-source.js)
- HttpDirectoryHandle + HttpFileHandle implement the FS Access API
surface (values, getFileHandle, createWritable, removeEntry,
queryPermission/requestPermission) over zddc-server's listing JSON
and file API. Existing tools written against showDirectoryPicker
work unchanged.
- detectServerRoot() returns { handle, status }: tools auto-load on
HTTP, surface a clear "no permission to list" message on 403, and
fall back to the welcome screen on 0.
- classifier renames take the atomic POST move path on HTTP-backed
handles; mdedit and transmittal route reads/writes through the
polyfill so prior FS-API code paths cover both modes.
Tests
- zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover
delegated vs strict, role membership / shadowing / legacy fallback,
WORM split semantics, verb-set parser round-trip.
- zddc/internal/handler/fileapi_test.go now also covers role-based
vendor scenarios, WORM blocking vendor & doc controller writes,
explicit Issued .zddc unlocking the cr drop-box, admin bypass,
auto-ownership on mkdir, and strict-mode lockouts.
Docs
- ARCHITECTURE.md + zddc/README.md document the verb model, role
syntax, special-folder behaviors, cascade-mode flag, and full file
API surface. Federal-readiness gap analysis strikes AC-3(7) and
AC-6.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
140 lines
6 KiB
Go
140 lines
6 KiB
Go
package zddc
|
|
|
|
import (
|
|
"os"
|
|
|
|
"gopkg.in/yaml.v3"
|
|
)
|
|
|
|
// ACLRules holds the access-control rules at one cascade level.
|
|
//
|
|
// Three input forms, all merged at parse time into a single map keyed
|
|
// by principal (Permissions):
|
|
//
|
|
// - acl.permissions: { principal → verb-set } — the canonical form.
|
|
// Principal is an email pattern (contains "@") or a role name
|
|
// (no "@"); roles are looked up via ZddcFile.Roles in this file
|
|
// or any ancestor. Verb-set is a string drawn from {r,w,c,d,a};
|
|
// empty string is an explicit deny.
|
|
//
|
|
// - acl.allow: [pattern, ...] — legacy. Each pattern becomes
|
|
// Permissions[pattern] = "rwcd" at parse time.
|
|
//
|
|
// - acl.deny: [pattern, ...] — legacy. Each pattern becomes
|
|
// Permissions[pattern] = "" at parse time (explicit deny).
|
|
//
|
|
// Allow and Deny are retained on the struct for round-trip fidelity
|
|
// (and so existing operator-authored .zddc files render unchanged in
|
|
// the admin UI); the cascade evaluator reads only Permissions.
|
|
//
|
|
// JSON tags are present so this type round-trips cleanly when included
|
|
// in the external-OPA input body (see internal/policy). The canonical
|
|
// in-repo serialization is YAML; JSON is only used for OPA queries.
|
|
type ACLRules struct {
|
|
Allow []string `yaml:"allow,omitempty" json:"allow,omitempty"`
|
|
Deny []string `yaml:"deny,omitempty" json:"deny,omitempty"`
|
|
Permissions map[string]string `yaml:"permissions,omitempty" json:"permissions,omitempty"`
|
|
}
|
|
|
|
// Role is the named principal-grouping primitive. Members are email
|
|
// patterns (same syntax as the legacy allow/deny entries — see
|
|
// MatchesPattern). A role defined at level L is in scope at L and all
|
|
// descendants; a level closer to the leaf may shadow an ancestor's
|
|
// role definition by redefining the same name.
|
|
type Role struct {
|
|
Members []string `yaml:"members,omitempty" json:"members,omitempty"`
|
|
}
|
|
|
|
// ZddcFile represents the parsed contents of a .zddc configuration file.
|
|
//
|
|
// Admins is honored only in the root .zddc file (<ZDDC_ROOT>/.zddc); subdir
|
|
// .zddc files have their Admins entry ignored by IsAdmin so that someone who
|
|
// can write into a subtree cannot grant themselves admin access. ACL on the
|
|
// other hand cascades — see EffectivePolicy / AllowedWithChain.
|
|
//
|
|
// Title is read only from per-project .zddc files (the file directly inside
|
|
// each project root) by ServeProjectList; it surfaces a human-readable name
|
|
// for the project on the landing-page picker. Optional — projects without a
|
|
// title fall back to displaying the directory name.
|
|
//
|
|
// Apps is a per-directory cascade override mapping app name → source spec.
|
|
// The spec is one of: "stable" / "beta" / "alpha" (channel on the canonical
|
|
// upstream), "v0.0.4" / "v0.0" / "v0" (version pin on the canonical
|
|
// upstream), an absolute "https://..." URL (custom mirror), or a relative
|
|
// or absolute filesystem path (./local.html, /opt/zddc/foo.html).
|
|
//
|
|
// On a request for a tool HTML, zddc-server walks .zddc files leaf→root
|
|
// looking for an Apps entry; first match wins. With no entry anywhere, the
|
|
// server serves the version baked into the binary at compile time (//go:embed).
|
|
// Fetched URL sources are cached in <ZDDC_ROOT>/_app/; the cache is fetch-once
|
|
// and never re-validates — operators delete the file to force a refetch.
|
|
//
|
|
// AppsPubKey is the inline PEM of the Ed25519 public key used to verify
|
|
// signatures on URL-fetched apps artifacts. Honored only at the root
|
|
// .zddc file (same root-only treatment as Admins, for the same reason:
|
|
// it's a trust anchor; subtree write authority must not be able to
|
|
// re-anchor it). Lower priority than --apps-pubkey / ZDDC_APPS_PUBKEY:
|
|
// when both are set, the env/flag (file path) wins. Empty in either
|
|
// place = URL-fetched apps refused (only embedded + local-path apps
|
|
// work). See zddc-server's setupApps.
|
|
type ZddcFile struct {
|
|
ACL ACLRules `yaml:"acl" json:"acl"`
|
|
Admins []string `yaml:"admins" json:"admins,omitempty"`
|
|
Title string `yaml:"title" json:"title,omitempty"`
|
|
Apps map[string]string `yaml:"apps,omitempty" json:"apps,omitempty"`
|
|
AppsPubKey string `yaml:"apps_pubkey,omitempty" json:"apps_pubkey,omitempty"`
|
|
|
|
// Roles are named principal groups available at this level and below.
|
|
// See Role for member syntax.
|
|
Roles map[string]Role `yaml:"roles,omitempty" json:"roles,omitempty"`
|
|
|
|
// CreatedBy records the email of the user who triggered the .zddc's
|
|
// creation via the file API's mkdir post-hook (Incoming/Working/Staging
|
|
// only). It is an audit field; the cascade evaluator does not consult
|
|
// it. The auto-generated .zddc grants the creator's email directly via
|
|
// ACL.Permissions, the same way operators grant access to anyone else.
|
|
CreatedBy string `yaml:"created_by,omitempty" json:"created_by,omitempty"`
|
|
}
|
|
|
|
// ParseFile reads and parses a .zddc YAML file.
|
|
// Returns an empty ZddcFile (no rules) if the file does not exist.
|
|
func ParseFile(path string) (ZddcFile, error) {
|
|
data, err := os.ReadFile(path)
|
|
if os.IsNotExist(err) {
|
|
return ZddcFile{}, nil
|
|
}
|
|
if err != nil {
|
|
return ZddcFile{}, err
|
|
}
|
|
|
|
var zf ZddcFile
|
|
if err := yaml.Unmarshal(data, &zf); err != nil {
|
|
return ZddcFile{}, err
|
|
}
|
|
mergeLegacyACL(&zf.ACL)
|
|
return zf, nil
|
|
}
|
|
|
|
// mergeLegacyACL folds legacy acl.allow / acl.deny lists into the
|
|
// canonical ACL.Permissions map so cascade evaluators only need to
|
|
// consult one place. Existing entries in Permissions take precedence
|
|
// (operators who specified both forms get the new form's value);
|
|
// allow entries become "rwcd" grants, deny entries become "" denies.
|
|
func mergeLegacyACL(rules *ACLRules) {
|
|
if len(rules.Allow) == 0 && len(rules.Deny) == 0 {
|
|
return
|
|
}
|
|
if rules.Permissions == nil {
|
|
rules.Permissions = make(map[string]string, len(rules.Allow)+len(rules.Deny))
|
|
}
|
|
for _, pat := range rules.Allow {
|
|
if _, present := rules.Permissions[pat]; !present {
|
|
rules.Permissions[pat] = "rwcd"
|
|
}
|
|
}
|
|
for _, pat := range rules.Deny {
|
|
if _, present := rules.Permissions[pat]; !present {
|
|
rules.Permissions[pat] = ""
|
|
}
|
|
}
|
|
}
|