ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
166 lines
4.3 KiB
Go
166 lines
4.3 KiB
Go
package zddc
|
|
|
|
import "testing"
|
|
|
|
func TestGlobMatch(t *testing.T) {
|
|
cases := []struct {
|
|
pattern string
|
|
s string
|
|
want bool
|
|
}{
|
|
// Literal (no wildcard)
|
|
{"alice", "alice", true},
|
|
{"alice", "bob", false},
|
|
{"", "", true},
|
|
{"", "x", false},
|
|
|
|
// Lone wildcard
|
|
{"*", "anything", true},
|
|
{"*", "", true},
|
|
|
|
// Prefix wildcard
|
|
{"*@example.com", "@example.com", true},
|
|
{"*.com", "example.com", true},
|
|
{"*.com", "example.org", false},
|
|
|
|
// Suffix wildcard
|
|
{"alice*", "alice", true},
|
|
{"alice*", "alice@example.com", true},
|
|
{"alice*", "bob", false},
|
|
|
|
// Middle wildcard
|
|
{"a*b", "ab", true},
|
|
{"a*b", "axxxb", true},
|
|
{"a*b", "axxx", false},
|
|
{"a*b", "xxxb", false},
|
|
|
|
// Multiple wildcards
|
|
{"*-*-*", "a-b-c", true},
|
|
{"*-*-*", "ab-c", false},
|
|
|
|
// Anchored: no implicit leading wildcard
|
|
{"alice@*", "bob@example.com", false},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.pattern+"|"+tc.s, func(t *testing.T) {
|
|
if got := globMatch(tc.pattern, tc.s); got != tc.want {
|
|
t.Errorf("globMatch(%q, %q) = %v, want %v", tc.pattern, tc.s, got, tc.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestMatchesPattern(t *testing.T) {
|
|
cases := []struct {
|
|
pattern string
|
|
email string
|
|
want bool
|
|
}{
|
|
// Exact match
|
|
{"alice@example.com", "alice@example.com", true},
|
|
{"alice@example.com", "bob@example.com", false},
|
|
|
|
// Wildcard local part, fixed domain
|
|
{"*@example.com", "alice@example.com", true},
|
|
{"*@example.com", "anyone@example.com", true},
|
|
{"*@example.com", "alice@evil.com", false},
|
|
|
|
// Fixed local part, wildcard domain
|
|
{"alice@*", "alice@example.com", true},
|
|
{"alice@*", "alice@evil.com", true},
|
|
{"alice@*", "bob@example.com", false},
|
|
|
|
// @-boundary respected: * in local part does not eat the @
|
|
{"alice*", "alice@example.com", true}, // pattern has no @, matches against full email
|
|
// But splitting on @ for both sides:
|
|
{"*", "alice@example.com", true}, // lone * matches anything
|
|
{"*@*", "alice@example.com", true},
|
|
{"*@*", "no-at-sign", false}, // pattern has @, email doesn't
|
|
|
|
// Pattern with @, email without
|
|
{"alice@example.com", "alice", false},
|
|
|
|
// Empty email: lone "*" should still match per docstring? Actually globMatch("*", "") = true
|
|
// But MatchesPattern("*", "") splits "*" on @ → ["*"]. Then globMatch("*", "") = true.
|
|
// The docstring says "matches any non-empty email" but the implementation matches empty too.
|
|
// Document the actual behavior in the test.
|
|
{"*", "", true},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.pattern+"|"+tc.email, func(t *testing.T) {
|
|
if got := MatchesPattern(tc.pattern, tc.email); got != tc.want {
|
|
t.Errorf("MatchesPattern(%q, %q) = %v, want %v", tc.pattern, tc.email, got, tc.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAllowedAtLevel(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
level ZddcFile
|
|
email string
|
|
wantAllowed bool
|
|
wantMatched bool
|
|
}{
|
|
{
|
|
name: "no rules: not matched",
|
|
level: ZddcFile{},
|
|
email: "alice@example.com",
|
|
wantAllowed: false,
|
|
wantMatched: false,
|
|
},
|
|
{
|
|
name: "allow matched",
|
|
level: ZddcFile{ACL: ACLRules{
|
|
Permissions: map[string]string{"*@example.com": "rwcd"},
|
|
}},
|
|
email: "alice@example.com",
|
|
wantAllowed: true,
|
|
wantMatched: true,
|
|
},
|
|
{
|
|
name: "deny matched",
|
|
level: ZddcFile{ACL: ACLRules{
|
|
Permissions: map[string]string{"alice@example.com": ""},
|
|
}},
|
|
email: "alice@example.com",
|
|
wantAllowed: false,
|
|
wantMatched: true,
|
|
},
|
|
{
|
|
name: "deny wins over allow at the same level",
|
|
level: ZddcFile{ACL: ACLRules{
|
|
Permissions: map[string]string{
|
|
"*@example.com": "rwcd",
|
|
"alice@example.com": "",
|
|
},
|
|
}},
|
|
email: "alice@example.com",
|
|
wantAllowed: false,
|
|
wantMatched: true,
|
|
},
|
|
{
|
|
name: "neither rule matches",
|
|
level: ZddcFile{ACL: ACLRules{
|
|
Permissions: map[string]string{
|
|
"*@example.com": "rwcd",
|
|
"*@evil.com": "",
|
|
},
|
|
}},
|
|
email: "carol@other.org",
|
|
wantAllowed: false,
|
|
wantMatched: false,
|
|
},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
gotAllowed, gotMatched := AllowedAtLevel(tc.level, tc.email)
|
|
if gotAllowed != tc.wantAllowed || gotMatched != tc.wantMatched {
|
|
t.Errorf("AllowedAtLevel(%v, %q) = (%v, %v), want (%v, %v)",
|
|
tc.level, tc.email, gotAllowed, gotMatched, tc.wantAllowed, tc.wantMatched)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|