ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
240 lines
6.1 KiB
Go
240 lines
6.1 KiB
Go
package zddc
|
|
|
|
import (
|
|
"testing"
|
|
)
|
|
|
|
func TestValidatePattern(t *testing.T) {
|
|
cases := []struct {
|
|
pattern string
|
|
ok bool
|
|
}{
|
|
{"alice@example.com", true},
|
|
{"*@example.com", true},
|
|
{"alice@*", true},
|
|
{"*", true},
|
|
{"", false},
|
|
{" alice@example.com", false},
|
|
{"alice@example.com ", false},
|
|
{"alice @example.com", false},
|
|
{"alice@ex ample.com", false},
|
|
{"alice@@example.com", false},
|
|
{"@example.com", false},
|
|
{"alice@", false},
|
|
{"@", false},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.pattern, func(t *testing.T) {
|
|
err := ValidatePattern(tc.pattern)
|
|
if tc.ok && err != nil {
|
|
t.Errorf("ValidatePattern(%q) = %v, want nil", tc.pattern, err)
|
|
}
|
|
if !tc.ok && err == nil {
|
|
t.Errorf("ValidatePattern(%q) = nil, want error", tc.pattern)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestValidateFile(t *testing.T) {
|
|
zf := ZddcFile{
|
|
Title: "ok",
|
|
ACL: ACLRules{Permissions: map[string]string{
|
|
"good@example.com": "rwcd",
|
|
"@bad": "rwcd",
|
|
"two@@ats": "",
|
|
}},
|
|
Admins: []string{"@nobody"},
|
|
}
|
|
errs := ValidateFile(zf)
|
|
// expect 3 errors
|
|
if len(errs) != 3 {
|
|
t.Fatalf("got %d errors, want 3: %+v", len(errs), errs)
|
|
}
|
|
wantFields := map[string]bool{
|
|
"acl.permissions[\"@bad\"]": false,
|
|
"acl.permissions[\"two@@ats\"]": false,
|
|
"admins[0]": false,
|
|
}
|
|
for _, e := range errs {
|
|
if _, ok := wantFields[e.Field]; !ok {
|
|
t.Errorf("unexpected error field: %q", e.Field)
|
|
continue
|
|
}
|
|
wantFields[e.Field] = true
|
|
}
|
|
for f, seen := range wantFields {
|
|
if !seen {
|
|
t.Errorf("missing error for field %q", f)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestValidateAppSourceSpec(t *testing.T) {
|
|
cases := []struct {
|
|
spec string
|
|
ok bool
|
|
}{
|
|
// Channel shorthand (with and without leading colon)
|
|
{"stable", true},
|
|
{"beta", true},
|
|
{"alpha", true},
|
|
{":stable", true},
|
|
{":beta", true},
|
|
{":alpha", true},
|
|
// Version pin shorthand (full, partial, with/without leading 'v')
|
|
{"v0.0.4", true},
|
|
{"0.0.4", true},
|
|
{"v0.0", true},
|
|
{"0.0", true},
|
|
{"v0", true},
|
|
{"0", true},
|
|
{"v1.2.3", true},
|
|
{":v0.0.4", true},
|
|
{":0.0.4", true},
|
|
// URLs
|
|
{"https://zddc.varasys.io/releases/archive_stable.html", true},
|
|
{"http://my-fork.example.com/archive.html", true},
|
|
{"https://my-mirror.example/releases", true}, // URL-prefix only
|
|
{"https://my-mirror.example/releases:stable", true}, // URL-prefix + channel
|
|
{"https://my-mirror.example/releases:v0.0.4", true}, // URL-prefix + version
|
|
{"https://my-mirror.example:8080/releases", true}, // URL with port
|
|
{"https://my-mirror.example:8080/releases:stable", true}, // URL with port + channel
|
|
// Paths
|
|
{"/abs/path.html", true},
|
|
{"./local.html", true},
|
|
{"../sibling.html", true},
|
|
// Errors
|
|
{"", false},
|
|
{" stable", false},
|
|
{"stable ", false},
|
|
{"with space", false},
|
|
{"https://", false},
|
|
{"https://host/path/file.html:stable", false}, // .html URL with suffix
|
|
{"random-thing", false},
|
|
{":", false},
|
|
{":random", false},
|
|
{"v", false},
|
|
{"v0.", false},
|
|
{".0.0", false},
|
|
{"v0.0.0.0", false},
|
|
{"v0.a.0", false},
|
|
{"https://my-mirror.example/releases:bogus", false}, // bad channel suffix
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.spec, func(t *testing.T) {
|
|
err := ValidateAppSourceSpec(tc.spec)
|
|
if tc.ok && err != nil {
|
|
t.Errorf("ValidateAppSourceSpec(%q) = %v, want nil", tc.spec, err)
|
|
}
|
|
if !tc.ok && err == nil {
|
|
t.Errorf("ValidateAppSourceSpec(%q) = nil, want error", tc.spec)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsValidAppsKey(t *testing.T) {
|
|
cases := []struct {
|
|
key string
|
|
ok bool
|
|
}{
|
|
{"default", true},
|
|
{"archive", true},
|
|
{"transmittal", true},
|
|
{"classifier", true},
|
|
{"browse", true},
|
|
{"landing", true},
|
|
{"unknown", false},
|
|
{"", false},
|
|
{"DEFAULT", false}, // case-sensitive
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.key, func(t *testing.T) {
|
|
if got := IsValidAppsKey(tc.key); got != tc.ok {
|
|
t.Errorf("IsValidAppsKey(%q) = %v, want %v", tc.key, got, tc.ok)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestValidateFile_Apps(t *testing.T) {
|
|
zf := ZddcFile{
|
|
Apps: map[string]string{
|
|
"archive": "stable", // ok
|
|
"classifier": "v0.0.4", // ok
|
|
"default": "https://zddc.varasys.io/releases:stable", // ok (default key + URL+channel)
|
|
"transmittal": ":beta", // ok (channel-only)
|
|
"browse": "https://my-mirror.example/releases", // ok (URL-prefix only)
|
|
"unknown": "stable", // unknown app
|
|
"landing": "what is this", // bad spec
|
|
},
|
|
}
|
|
errs := ValidateFile(zf)
|
|
want := map[string]bool{
|
|
"apps.unknown": false,
|
|
"apps.landing": false,
|
|
}
|
|
for _, e := range errs {
|
|
if _, ok := want[e.Field]; ok {
|
|
want[e.Field] = true
|
|
} else {
|
|
t.Errorf("unexpected error field: %q (%s)", e.Field, e.Message)
|
|
}
|
|
}
|
|
for f, seen := range want {
|
|
if !seen {
|
|
t.Errorf("missing error for field %q (got: %+v)", f, errs)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestValidateProjectName(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
ok bool
|
|
}{
|
|
{"alpha", true},
|
|
{"Alpha", true},
|
|
{"a", true},
|
|
{"a1", true},
|
|
{"a-1", true},
|
|
{"a_b", true},
|
|
{"123-project", true},
|
|
{"Site-3", true},
|
|
{"", false},
|
|
{".hidden", false},
|
|
{"_template", false},
|
|
{"-leading-dash", false},
|
|
{"foo bar", false},
|
|
{"foo/bar", false},
|
|
{"foo\\bar", false},
|
|
{"foo.bar", false},
|
|
{"..", false},
|
|
{".", false},
|
|
{string(make([]byte, 65)), false},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
err := ValidateProjectName(tc.name)
|
|
if tc.ok && err != nil {
|
|
t.Errorf("ValidateProjectName(%q) = %v, want nil", tc.name, err)
|
|
}
|
|
if !tc.ok && err == nil {
|
|
t.Errorf("ValidateProjectName(%q) = nil, want error", tc.name)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestValidateFileTitleLength(t *testing.T) {
|
|
long := make([]byte, 201)
|
|
for i := range long {
|
|
long[i] = 'a'
|
|
}
|
|
zf := ZddcFile{Title: string(long)}
|
|
errs := ValidateFile(zf)
|
|
if len(errs) != 1 || errs[0].Field != "title" {
|
|
t.Fatalf("expected one title-length error, got %+v", errs)
|
|
}
|
|
}
|