ZDDC
a01315fd00
Phase 2 enhancements to the policy decider, plus listing-level ETags
that benefit every deployment regardless of decider mode.
Reference Rego policy
---------------------
internal/policy/rego/access.rego mirrors InternalDecider's semantics
exactly — bottom-up walk, deny-first within a level, default-deny when
HasAnyFile=true, glob matching with @-boundary semantics (special-cased
bare "*" because OPA's glob.match treats empty delimiters
inconsistently for that pattern).
Embedded into the binary via go:embed; --print-rego dumps it to stdout
so federal customers standing up an external OPA can use it as a
parity-tested baseline:
zddc-server --print-rego > /etc/opa/policies/zddc-access.rego
Parity test runner
------------------
parity_test.go imports the OPA Go module as a TEST-ONLY dependency
(github.com/open-policy-agent/opa@v0.70.0). Every fixture from the
internal Go evaluator's test set runs through both implementations;
any divergence fails CI. The test-only import means production
binaries (built by `go build ./cmd/zddc-server`) stay OPA-free —
release-flag binary size unchanged at ~13 MB.
The parity test caught a real bug on first run: bare "*" patterns
didn't match through OPA's glob.match with empty delimiters. Fixed
in access.rego with a special-case rule. This is exactly the kind of
subtle drift the parity guard exists to catch.
External-mode decision cache
----------------------------
HTTPDecider is now wrapped in a cachingDecider with a default 1s TTL.
Bursty patterns like .archive listings (one OPA round-trip per entry
before, one per (email, decision-input) tuple per TTL window after)
amortize cleanly. Verified: 20 identical /D/ requests produce 1 OPA
hit with cache, 40 hits without (each listing makes 2 ACL queries).
ZDDC_OPA_CACHE_TTL knob (default 1s) lets operators tune. 0 disables.
1s matches the fsnotify watcher debounce window — staleness is
bounded the same way other policy-edit propagation already is.
Internal mode unchanged; the in-process Go evaluator is already
cheaper than a cache lookup would be.
Listing ETags
-------------
GET / (project list) and GET /<dir>/ (directory listing JSON) now
carry content-hash ETag + Cache-Control: private, max-age=0,
must-revalidate. SHA-256 of the rendered JSON, truncated to 16 hex
chars (64 bits — collision risk on a listing of any realistic size
is vanishingly small).
Server-side caching deliberately not added: it would require
mtime-based invalidation, and Azure Files SMB mounts (a common
deployment substrate) don't support fsnotify reliably. The
content-hash ETag delivers the bandwidth savings (304 on identical
fetches) without depending on watcher correctness — the hash is the
actual response, so it can't lie about staleness regardless of
underlying watcher behavior.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
26 lines
1,020 B
Go
26 lines
1,020 B
Go
package policy
|
|
|
|
import _ "embed"
|
|
|
|
// ReferenceRego is the canonical Rego policy bundled with zddc-server.
|
|
// It mirrors the InternalDecider's semantics exactly — every release CI
|
|
// run validates parity via parity_test.go (which imports the OPA library
|
|
// as a test-only dependency, so the production binary stays OPA-free).
|
|
//
|
|
// Operators running an external OPA can use this as the starting point
|
|
// for their own policy bundle:
|
|
//
|
|
// zddc-server --print-rego > /etc/opa/policies/zddc-access.rego
|
|
//
|
|
// Customizations typical for federal deployments:
|
|
//
|
|
// - Flip the leaf-allow-overrides-parent-deny semantics so parent denies
|
|
// are absolute (NIST AC-6 least-privilege posture).
|
|
// - Add role-based access via additional input fields (input.user.roles
|
|
// populated by the upstream proxy from SAML/OIDC claims).
|
|
// - Add time-of-day or IP-range constraints.
|
|
// - Emit decision logs in a SIEM-friendly format via OPA's logging
|
|
// plugins.
|
|
//
|
|
//go:embed rego/access.rego
|
|
var ReferenceRego string
|