ZDDC
20897fef6b
GET / and GET /index.html previously enforced the root .zddc's
top-level acl: gate before serving the landing page. On a deployment
where only specific emails are allowed at root, anonymous (and
unauthorized) callers got 403 — they couldn't even see the project
picker that would tell them which projects were available to them.
Make the landing page public:
- cmd/zddc-server: drop the AllowedWithChain gate from the
apps.Serve("landing") branch; drop it from the IsDir branch when
urlPath == "/".
- handler/directory.go: matching bypass for ServeDirectory at the
root path (covers Accept: application/json and the case where a
real /index.html exists on disk).
Per-project ACL is preserved end-to-end:
- fs.ListDirectory continues to filter sub-entries per email, so
anonymous callers see only projects whose .zddc allows them.
- Subdirectory requests still hit the ACL gate.
Regression test in handler/directory_test.go covers all four cases
(anonymous public, anonymous filters out private, admin sees both,
anonymous still 403 on private subdir). Full go test ./... passes.
128 lines
4.2 KiB
Go
128 lines
4.2 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
)
|
|
|
|
// TestServeDirectoryRootIsPublic asserts that the landing page (the root
|
|
// directory listing) is reachable by anyone, including anonymous callers
|
|
// whose email is empty AND whose access would be denied by a restrictive
|
|
// root .zddc. Per-project filtering inside fs.ListDirectory still hides
|
|
// directories the caller can't reach (separately verified below).
|
|
//
|
|
// The behavior was changed when "Everyone needs to have access to the
|
|
// landing page" became the explicit requirement; this test is the
|
|
// regression guard.
|
|
func TestServeDirectoryRootIsPublic(t *testing.T) {
|
|
root := t.TempDir()
|
|
|
|
// Restrictive root .zddc — only admin@example.com is allowed by ACL,
|
|
// nothing else. A user without that email would have been 403'd before
|
|
// the bypass.
|
|
if err := os.WriteFile(filepath.Join(root, ".zddc"),
|
|
[]byte("admins:\n - admin@example.com\nacl:\n allow:\n - admin@example.com\n"),
|
|
0o644); err != nil {
|
|
t.Fatalf("write root .zddc: %v", err)
|
|
}
|
|
|
|
// One project visible to everyone, one only to admin.
|
|
for _, name := range []string{"PublicProj", "PrivateProj"} {
|
|
if err := os.MkdirAll(filepath.Join(root, name), 0o755); err != nil {
|
|
t.Fatalf("mkdir %s: %v", name, err)
|
|
}
|
|
}
|
|
if err := os.WriteFile(filepath.Join(root, "PublicProj", ".zddc"),
|
|
[]byte("acl:\n allow: [\"*\"]\n"), 0o644); err != nil {
|
|
t.Fatalf("write PublicProj .zddc: %v", err)
|
|
}
|
|
if err := os.WriteFile(filepath.Join(root, "PrivateProj", ".zddc"),
|
|
[]byte("acl:\n allow: [admin@example.com]\n"), 0o644); err != nil {
|
|
t.Fatalf("write PrivateProj .zddc: %v", err)
|
|
}
|
|
|
|
cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
|
|
|
|
t.Run("anonymous JSON GET / does not 403", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
// Anonymous: empty email in context.
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want 200 (root is public); body = %s",
|
|
rec.Code, rec.Body.String())
|
|
}
|
|
})
|
|
|
|
t.Run("anonymous JSON GET / hides private projects", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want 200; body = %s", rec.Code, rec.Body.String())
|
|
}
|
|
|
|
var entries []map[string]any
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
|
|
t.Fatalf("invalid JSON: %v\n%s", err, rec.Body.String())
|
|
}
|
|
|
|
names := map[string]bool{}
|
|
for _, e := range entries {
|
|
if n, ok := e["name"].(string); ok {
|
|
names[n] = true
|
|
}
|
|
}
|
|
if !names["PublicProj/"] {
|
|
t.Errorf("PublicProj missing from anonymous listing: %v", names)
|
|
}
|
|
if names["PrivateProj/"] {
|
|
t.Errorf("PrivateProj leaked to anonymous listing: %v", names)
|
|
}
|
|
})
|
|
|
|
t.Run("admin JSON GET / sees both projects", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, "admin@example.com"))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("admin status = %d, want 200", rec.Code)
|
|
}
|
|
|
|
var entries []map[string]any
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
|
|
t.Fatalf("invalid JSON: %v", err)
|
|
}
|
|
if len(entries) != 2 {
|
|
t.Errorf("admin should see both projects; got %d", len(entries))
|
|
}
|
|
})
|
|
|
|
t.Run("anonymous still gets 403 on private subdirectory", func(t *testing.T) {
|
|
req := httptest.NewRequest(http.MethodGet, "/PrivateProj/", nil)
|
|
req.Header.Set("Accept", "application/json")
|
|
req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
|
|
rec := httptest.NewRecorder()
|
|
ServeDirectory(cfg, rec, req)
|
|
|
|
if rec.Code != http.StatusForbidden {
|
|
t.Errorf("private subdir for anonymous: status = %d, want 403", rec.Code)
|
|
}
|
|
})
|
|
}
|