ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
54 lines
2.4 KiB
Go
54 lines
2.4 KiB
Go
package handler
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
)
|
|
|
|
// AuthPathPrefix is the URL prefix at which machine-only auth-check
|
|
// endpoints live. Mirrors ProfilePathPrefix's dot-prefix convention so
|
|
// the dispatch's reserved-prefix guard sees it as an internal namespace
|
|
// rather than user content.
|
|
const AuthPathPrefix = "/.auth"
|
|
|
|
// ServeAuthAdmin is a forward_auth target for upstream proxies (e.g. the
|
|
// dev-shell pod's Caddy in front of code-server). It returns:
|
|
//
|
|
// - 200 OK — caller's resolved email is in the root .zddc's
|
|
// admins: list, per zddc.IsAdmin.
|
|
// - 403 Forbidden — anonymous, or email not in the admins: list, or
|
|
// no root .zddc exists. Also covers the case where
|
|
// the admins: field is empty/missing.
|
|
//
|
|
// The endpoint produces no body and does not redirect — it's a pure
|
|
// authorization decision intended to be polled by Caddy's forward_auth
|
|
// directive (or any equivalent in nginx, Traefik, oauth2-proxy, etc.).
|
|
//
|
|
// Performance: zddc.IsAdmin is a single map lookup against a cached
|
|
// PolicyChain; the .zddc file is parsed once and re-read only when the
|
|
// fsnotify watcher fires. Suitable to call on every request without
|
|
// noticeable overhead.
|
|
//
|
|
// Scope: gates ON ROOT-ADMIN STATUS ONLY. This is intentionally
|
|
// stricter than the regular acl.permissions chain — admin-only
|
|
// endpoints (the dev-shell IDE, future maintenance routes) shouldn't
|
|
// fall through to subtree-level allowances. For per-route ACL, callers
|
|
// continue using the existing handlers (archive, profile, etc.) which
|
|
// consult the policy decider.
|
|
func ServeAuthAdmin(cfg config.Config, w http.ResponseWriter, r *http.Request) {
|
|
email := EmailFromContext(r)
|
|
// Elevation-independent gate. Upstream proxies (Caddy forward_auth
|
|
// for the dev-shell IDE) call this from a different cookie scope
|
|
// than the zddc-server origin, so the elevation cookie can't reach
|
|
// here even when the user has it set. This is a coarse "is this
|
|
// email a root admin?" check, not a per-action authority decision —
|
|
// construct a synthetically-elevated Principal so the underlying
|
|
// admin check evaluates the admins: list as usual.
|
|
if email == "" || !zddc.IsAdmin(cfg.Root, zddc.Principal{Email: email, Elevated: true}) {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|