VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/zddc/cascade_mode_test.go
ZDDC 3115e388fc feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders 
Replaces the binary acl.allow/deny model with five permission verbs
(r/w/c/d/a) and first-class roles, and adds an authenticated file API
(PUT/DELETE/POST move/mkdir) so the HTML tools can edit-in-place over
HTTP. Closes the AC-3(7) and AC-6 federal-readiness gaps.

File API (zddc/internal/handler/fileapi.go)
  - PUT <new>      → action c
  - PUT <existing> → action w
  - PUT <.zddc>    → action a (CanEditZddc strict-ancestor rule)
  - DELETE         → action d
  - POST mkdir     → action c (auto-writes creator-owned .zddc when the
                     parent is Incoming/Working/Staging)
  - POST move      → action w on src + c on dst, atomic via os.Rename
  - Optional If-Match for optimistic concurrency, --max-write-bytes cap,
    audit log emits a structured file_write event per operation.

Permission model (zddc/internal/zddc/{acl,file,roles,cascade_mode}.go)
  - acl.permissions: { principal → verb-set } map; principals are email
    patterns or role names. Empty verb set is an explicit deny.
  - roles: { name → members } definitions, available at the level they
    declare and all descendants. Closer-to-leaf shadows ancestor.
  - Legacy acl.allow/deny still work; they fold into permissions at
    parse time (allow → "rwcd", deny → "").
  - Cascade walks leaf→root; first level with any matching entry wins;
    the union of matching verb sets at that level decides.
  - --cascade-mode=strict adds a root→leaf ancestor-deny pre-pass so an
    ancestor explicit-deny is absolute (NIST AC-6). Default delegated
    preserves the existing commercial behavior.

Special folders (zddc/internal/zddc/special.go)
  - Incoming / Working / Staging: mkdir auto-writes a .zddc into the new
    subdir granting created_by + that email rwcda directly. Same form
    operators write by hand; creator can edit it later to add others.
  - Issued / Received: server-enforced WORM split. Cascade grants
    inherited from above the WORM folder are masked to r only; grants
    placed at-or-below the WORM folder retain r,c. Operators grant
    write-once (cr) to the doc controller via an explicit .zddc at the
    Issued/Received folder. Admins exempt — only escape hatch.

Browser polyfill (shared/zddc-source.js)
  - HttpDirectoryHandle + HttpFileHandle implement the FS Access API
    surface (values, getFileHandle, createWritable, removeEntry,
    queryPermission/requestPermission) over zddc-server's listing JSON
    and file API. Existing tools written against showDirectoryPicker
    work unchanged.
  - detectServerRoot() returns { handle, status }: tools auto-load on
    HTTP, surface a clear "no permission to list" message on 403, and
    fall back to the welcome screen on 0.
  - classifier renames take the atomic POST move path on HTTP-backed
    handles; mdedit and transmittal route reads/writes through the
    polyfill so prior FS-API code paths cover both modes.

Tests
  - zddc/internal/zddc/{cascade_mode,roles,special,acl}_test.go cover
    delegated vs strict, role membership / shadowing / legacy fallback,
    WORM split semantics, verb-set parser round-trip.
  - zddc/internal/handler/fileapi_test.go now also covers role-based
    vendor scenarios, WORM blocking vendor & doc controller writes,
    explicit Issued .zddc unlocking the cr drop-box, admin bypass,
    auto-ownership on mkdir, and strict-mode lockouts.

Docs
  - ARCHITECTURE.md + zddc/README.md document the verb model, role
    syntax, special-folder behaviors, cascade-mode flag, and full file
    API surface. Federal-readiness gap analysis strikes AC-3(7) and
    AC-6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 15:58:04 -05:00

108 lines
3.5 KiB
Go
Raw Blame History

package zddc
import "testing"
// helpers
func chain(levels ...ZddcFile) PolicyChain {
return PolicyChain{Levels: levels, HasAnyFile: len(levels) > 0}
}
func perms(p map[string]string) ZddcFile {
return ZddcFile{ACL: ACLRules{Permissions: p}}
}
// TestDelegated_LeafGrantOverridesAncestorDeny verifies the historical
// commercial behavior preserved as ModeDelegated.
func TestDelegated_LeafGrantOverridesAncestorDeny(t *testing.T) {
c := chain(
perms(map[string]string{"vendor_acme": ""}), // root: deny
ZddcFile{ // mid: define the role
ACL: ACLRules{},
Roles: map[string]Role{"vendor_acme": {Members: []string{"*@acme.com"}}},
},
perms(map[string]string{"vendor_acme": "rwcd"}), // leaf: allow
)
// Need the role definition to flow up to root for the deny entry to
// match acme members. Add the role at root too.
c.Levels[0].Roles = map[string]Role{"vendor_acme": {Members: []string{"*@acme.com"}}}
if !AllowedAction(c, "rep@acme.com", VerbR, ModeDelegated) {
t.Errorf("delegated mode: leaf rwcd should override root deny for read")
}
if !AllowedAction(c, "rep@acme.com", VerbW, ModeDelegated) {
t.Errorf("delegated mode: leaf rwcd should override root deny for write")
}
}
func TestStrict_AncestorDenyAbsolute(t *testing.T) {
c := chain(
ZddcFile{
ACL: ACLRules{Permissions: map[string]string{"vendor_acme": ""}},
Roles: map[string]Role{"vendor_acme": {Members: []string{"*@acme.com"}}},
},
ZddcFile{
ACL: ACLRules{Permissions: map[string]string{"vendor_acme": "rwcd"}},
},
)
if AllowedAction(c, "rep@acme.com", VerbR, ModeStrict) {
t.Errorf("strict mode: root deny should not be overridable by leaf grant")
}
if AllowedAction(c, "rep@acme.com", VerbW, ModeStrict) {
t.Errorf("strict mode: root deny should not be overridable by leaf grant (write)")
}
}
func TestStrict_NoAncestorDenyMeansLeafDecides(t *testing.T) {
c := chain(
ZddcFile{
ACL: ACLRules{Permissions: map[string]string{"_company": "r"}},
Roles: map[string]Role{"_company": {Members: []string{"*@mycompany.com"}}},
},
perms(map[string]string{"alice@mycompany.com": "rwcd"}),
)
if !AllowedAction(c, "alice@mycompany.com", VerbW, ModeStrict) {
t.Errorf("strict: leaf grant should decide when no ancestor explicit-deny matches")
}
}
func TestStrict_AncestorDenyOnRoleSpecificEntryDoesNotBlockOthers(t *testing.T) {
// Root denies vendor_acme but grants _company. acme is locked out
// under strict; mycompany staff still see leaf grants.
c := chain(
ZddcFile{
ACL: ACLRules{Permissions: map[string]string{
"vendor_acme": "",
"_company": "r",
}},
Roles: map[string]Role{
"vendor_acme": {Members: []string{"*@acme.com"}},
"_company": {Members: []string{"*@mycompany.com"}},
},
},
perms(map[string]string{"_company": "rwcd"}),
)
if AllowedAction(c, "rep@acme.com", VerbR, ModeStrict) {
t.Errorf("strict: acme should be denied (root deny is absolute)")
}
if !AllowedAction(c, "alice@mycompany.com", VerbW, ModeStrict) {
t.Errorf("strict: mycompany's leaf grant should still apply (no matching ancestor deny)")
}
}
func TestParseCascadeMode(t *testing.T) {
cases := map[string]CascadeMode{
"": ModeDelegated,
"delegated": ModeDelegated,
"strict": ModeStrict,
}
for in, want := range cases {
got, ok := ParseCascadeMode(in)
if !ok || got != want {
t.Errorf("ParseCascadeMode(%q) = %v %v, want %v true", in, got, ok, want)
}
}
if _, ok := ParseCascadeMode("loose"); ok {
t.Errorf("ParseCascadeMode(\"loose\") should be ok=false")
}
}
Reference in a new issue View git blame Copy permalink