ZDDC
2ccd72fa35
A .zddc may now declare `acl.inherit: false` to fence off ancestor
grants and roles from the descendant subtree — the "complete reset
plus add back" pattern operators want for vendor folders and other
narrowly-scoped subtrees. The cascade walker honors the deepest fence
in [0, toIdx] when evaluating any level at-or-below it, both for
GrantedVerbsAtLevel/EffectiveVerbsRange and for role lookup
(RoleMembers / lookupRoleMembers).
Federal/strict cascade mode IGNORES the fence — required by
NIST AC-6 ("ancestor deny is absolute; no leaf-level override"). So
inherit:false has no effect under strict mode and ancestor grants
remain visible. Operators running the federal Rego preset get the
same behaviour from external policy enforcement.
API surface: ACLRules.Inherit (*bool, nil = unset = inherit-true);
ACLRules.InheritsAncestors() bool; PolicyChain.VisibleStart(toIdx,
mode) int. The mode parameter is now threaded through
GrantedVerbsAtLevel, MatchesPrincipal, MatchingPrincipals,
RoleMembers, and lookupRoleMembers so role resolution is fence-aware.
Tests:
- file_test.go: parser round-trip for absent / true / false inherit
- inherit_test.go: VisibleStart (no fence, fence clamps, nested fences,
strict-mode override), EffectiveVerbs (fence hides ancestor grants,
strict-mode keeps them), RoleMembers (ancestor roles hidden by fence,
local redefinition still works)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
152 lines
5.8 KiB
Go
152 lines
5.8 KiB
Go
package zddc
|
|
|
|
import "testing"
|
|
|
|
// helper: build a chain from levels (root-to-leaf), HasAnyFile=true.
|
|
func buildChain(levels ...ZddcFile) PolicyChain {
|
|
return PolicyChain{Levels: levels, HasAnyFile: true}
|
|
}
|
|
|
|
// helper: ACL with a permissions map and an explicit inherit setting.
|
|
func aclFenced(perms map[string]string, inherit bool) ACLRules {
|
|
return ACLRules{Permissions: perms, Inherit: &inherit}
|
|
}
|
|
|
|
func aclOpen(perms map[string]string) ACLRules {
|
|
return ACLRules{Permissions: perms}
|
|
}
|
|
|
|
func TestVisibleStart_NoFence(t *testing.T) {
|
|
chain := buildChain(
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})},
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcd"})},
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcda"})},
|
|
)
|
|
if got := chain.VisibleStart(2, ModeDelegated); got != 0 {
|
|
t.Errorf("no fence: VisibleStart = %d, want 0", got)
|
|
}
|
|
}
|
|
|
|
func TestVisibleStart_FenceClampsToFence(t *testing.T) {
|
|
chain := buildChain(
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})},
|
|
ZddcFile{ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false)},
|
|
ZddcFile{ACL: aclOpen(map[string]string{})},
|
|
)
|
|
if got := chain.VisibleStart(2, ModeDelegated); got != 1 {
|
|
t.Errorf("fence at 1: VisibleStart(2) = %d, want 1", got)
|
|
}
|
|
if got := chain.VisibleStart(1, ModeDelegated); got != 1 {
|
|
t.Errorf("fence at 1: VisibleStart(1) = %d, want 1", got)
|
|
}
|
|
// Fence above toIdx is irrelevant.
|
|
if got := chain.VisibleStart(0, ModeDelegated); got != 0 {
|
|
t.Errorf("fence at 1: VisibleStart(0) = %d, want 0 (fence not yet in scope)", got)
|
|
}
|
|
}
|
|
|
|
func TestVisibleStart_NestedFencesDeepestWins(t *testing.T) {
|
|
chain := buildChain(
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})},
|
|
ZddcFile{ACL: aclFenced(map[string]string{"*@a.com": "r"}, false)},
|
|
ZddcFile{ACL: aclFenced(map[string]string{"*@b.com": "rwcd"}, false)},
|
|
ZddcFile{ACL: aclOpen(map[string]string{})},
|
|
)
|
|
if got := chain.VisibleStart(3, ModeDelegated); got != 2 {
|
|
t.Errorf("nested fence: deepest wins, got %d want 2", got)
|
|
}
|
|
}
|
|
|
|
func TestVisibleStart_StrictModeIgnoresFence(t *testing.T) {
|
|
chain := buildChain(
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "r"})},
|
|
ZddcFile{ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false)},
|
|
ZddcFile{ACL: aclOpen(map[string]string{})},
|
|
)
|
|
if got := chain.VisibleStart(2, ModeStrict); got != 0 {
|
|
t.Errorf("strict mode must ignore fence: got %d, want 0", got)
|
|
}
|
|
}
|
|
|
|
// End-to-end: a fence at the vendor folder hides root-level grants for
|
|
// users who don't match the vendor-folder grants.
|
|
func TestEffectiveVerbs_FenceHidesAncestorGrants(t *testing.T) {
|
|
chain := buildChain(
|
|
// Root: everyone-at-example reads everywhere.
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcd"})},
|
|
// Vendor folder: deny everyone-at-example, allow vendor explicitly,
|
|
// AND fence — so the root grant doesn't sneak through.
|
|
ZddcFile{ACL: aclFenced(map[string]string{
|
|
"*@vendor.com": "rwcd",
|
|
"_doc_controller": "rwcda",
|
|
}, false)},
|
|
)
|
|
|
|
// alice@example.com used to inherit root rwcd; with the fence she has
|
|
// no grant in the vendor folder → 0 verbs.
|
|
if got := EffectiveVerbs(chain, "alice@example.com", ModeDelegated); got != 0 {
|
|
t.Errorf("alice should be denied by fence; got %s", got)
|
|
}
|
|
// rep@vendor.com matches the local rule.
|
|
if got := EffectiveVerbs(chain, "rep@vendor.com", ModeDelegated); got != VerbsRWCD {
|
|
t.Errorf("vendor should have rwcd; got %s", got)
|
|
}
|
|
}
|
|
|
|
// In strict mode the fence is ignored: alice keeps her root grant
|
|
// because ancestor grants ARE absolute under AC-6 / strict cascade.
|
|
func TestEffectiveVerbs_StrictModeKeepsAncestorGrants(t *testing.T) {
|
|
chain := buildChain(
|
|
ZddcFile{ACL: aclOpen(map[string]string{"*@example.com": "rwcd"})},
|
|
ZddcFile{ACL: aclFenced(map[string]string{
|
|
"*@vendor.com": "rwcd",
|
|
}, false)},
|
|
)
|
|
|
|
// In strict mode, alice's root rwcd is visible — fence ignored.
|
|
// She doesn't match anything in the vendor folder, so leaf walk
|
|
// continues to root, finds rwcd, and returns it.
|
|
if got := EffectiveVerbs(chain, "alice@example.com", ModeStrict); got != VerbsRWCD {
|
|
t.Errorf("strict mode: alice should retain root rwcd; got %s", got)
|
|
}
|
|
}
|
|
|
|
// Roles defined above the fence are invisible to descendants — operators
|
|
// who fence must redefine roles locally if they want to use them.
|
|
func TestRoleMembers_FenceHidesAncestorRoles(t *testing.T) {
|
|
rootLevel := ZddcFile{
|
|
Roles: map[string]Role{"_doc_controller": {Members: []string{"dc@example.com"}}},
|
|
ACL: aclOpen(map[string]string{"*@example.com": "r"}),
|
|
}
|
|
fencedLevel := ZddcFile{
|
|
ACL: aclFenced(map[string]string{"*@vendor.com": "rwcd"}, false),
|
|
}
|
|
chain := buildChain(rootLevel, fencedLevel)
|
|
|
|
// Below the fence, the role from root is invisible.
|
|
if got := RoleMembers(chain, 1, "_doc_controller", ModeDelegated); got != nil {
|
|
t.Errorf("role above fence should be invisible; got %v", got)
|
|
}
|
|
// In strict mode, the fence is ignored and the role is visible.
|
|
if got := RoleMembers(chain, 1, "_doc_controller", ModeStrict); len(got) != 1 || got[0] != "dc@example.com" {
|
|
t.Errorf("strict mode: role should be visible; got %v", got)
|
|
}
|
|
}
|
|
|
|
// A role redefined locally below the fence shadows correctly because
|
|
// the redefinition is at-or-below the fence (visible).
|
|
func TestRoleMembers_LocalRedefinitionWorks(t *testing.T) {
|
|
chain := buildChain(
|
|
ZddcFile{
|
|
Roles: map[string]Role{"_doc_controller": {Members: []string{"dc@example.com"}}},
|
|
},
|
|
ZddcFile{
|
|
ACL: aclFenced(map[string]string{"_doc_controller": "rwcda"}, false),
|
|
Roles: map[string]Role{"_doc_controller": {Members: []string{"vendor-dc@example.com"}}},
|
|
},
|
|
)
|
|
got := RoleMembers(chain, 1, "_doc_controller", ModeDelegated)
|
|
if len(got) != 1 || got[0] != "vendor-dc@example.com" {
|
|
t.Errorf("local redefinition should win; got %v", got)
|
|
}
|
|
}
|