ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
191 lines
5.8 KiB
Go
191 lines
5.8 KiB
Go
package policy
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
|
|
"github.com/open-policy-agent/opa/rego"
|
|
)
|
|
|
|
// TestFederalRego_DivergencesFromStandard validates the federal-mode
|
|
// variant by asserting both that:
|
|
//
|
|
// (a) most cascade scenarios produce the same verdict as standard
|
|
// (the federal rule reduces to standard whenever no parent deny
|
|
// intersects a leaf allow), AND
|
|
//
|
|
// (b) the specific scenarios where the rules differ (a leaf-level
|
|
// allow overlaying an ancestor's deny) produce DIFFERENT verdicts:
|
|
// standard says allow (leaf wins); federal says deny (ancestor
|
|
// deny is absolute — NIST AC-6 default).
|
|
//
|
|
// Like the standard parity test, this imports the OPA library as a
|
|
// test-only dependency. The federal Rego is a deployable artifact
|
|
// (operators dump it via --print-rego=federal); the parity guard
|
|
// here proves the artifact behaves as documented.
|
|
func TestFederalRego_DivergencesFromStandard(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
standard, err := rego.New(
|
|
rego.Query("data.zddc.access.allow"),
|
|
rego.Module("access.rego", ReferenceRego),
|
|
).PrepareForEval(ctx)
|
|
if err != nil {
|
|
t.Fatalf("compile standard rego: %v", err)
|
|
}
|
|
federal, err := rego.New(
|
|
rego.Query("data.zddc.access_federal.allow"),
|
|
rego.Module("access_federal.rego", FederalRego),
|
|
).PrepareForEval(ctx)
|
|
if err != nil {
|
|
t.Fatalf("compile federal rego: %v", err)
|
|
}
|
|
|
|
allow := func(p ...string) zddc.ZddcFile {
|
|
m := make(map[string]string, len(p))
|
|
for _, x := range p {
|
|
m[x] = "rwcd"
|
|
}
|
|
return zddc.ZddcFile{ACL: zddc.ACLRules{Permissions: m}}
|
|
}
|
|
deny := func(p ...string) zddc.ZddcFile {
|
|
m := make(map[string]string, len(p))
|
|
for _, x := range p {
|
|
m[x] = ""
|
|
}
|
|
return zddc.ZddcFile{ACL: zddc.ACLRules{Permissions: m}}
|
|
}
|
|
empty := zddc.ZddcFile{}
|
|
|
|
cases := []struct {
|
|
name string
|
|
chain zddc.PolicyChain
|
|
email string
|
|
wantStandard bool
|
|
wantFederal bool
|
|
divergesByDesign bool // true if standard and federal must disagree here
|
|
}{
|
|
// ── Cases where the two policies must AGREE ────────────────
|
|
{
|
|
"empty chain, no files",
|
|
zddc.PolicyChain{HasAnyFile: false},
|
|
"alice@example.com",
|
|
true, true, false,
|
|
},
|
|
{
|
|
"files exist, no rule matches → both deny",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{allow("*@trusted.com")}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
false, false, false,
|
|
},
|
|
{
|
|
"leaf allow with no ancestor deny → both allow",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{empty, allow("*@example.com")}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
true, true, false,
|
|
},
|
|
{
|
|
"only deny anywhere → both deny",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{deny("alice@example.com")}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
false, false, false,
|
|
},
|
|
{
|
|
"glob allow, no deny → both allow",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{allow("*@example.com")}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
true, true, false,
|
|
},
|
|
|
|
// ── The signature divergence: leaf allow overlaying ancestor deny ──
|
|
{
|
|
"leaf allows what parent denied → standard allows, federal denies (AC-6)",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{
|
|
deny("alice@example.com"),
|
|
allow("alice@example.com"),
|
|
}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
true, // standard: leaf wins
|
|
false, // federal: parent deny is absolute
|
|
true,
|
|
},
|
|
{
|
|
"deep leaf re-allows after middle deny → standard allows, federal denies",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{
|
|
allow("*@example.com"),
|
|
deny("alice@example.com"),
|
|
allow("alice@example.com"),
|
|
}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
true,
|
|
false,
|
|
true,
|
|
},
|
|
{
|
|
"glob deny at root, specific allow at leaf → both differ",
|
|
zddc.PolicyChain{Levels: []zddc.ZddcFile{
|
|
deny("*@example.com"),
|
|
allow("alice@example.com"),
|
|
}, HasAnyFile: true},
|
|
"alice@example.com",
|
|
true,
|
|
false,
|
|
true,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
input := AllowInput{Path: "/test", PolicyChain: chainToSerializable(tc.chain)}
|
|
input.User.Email = tc.email
|
|
regoInput, err := canonicalInput(input)
|
|
if err != nil {
|
|
t.Fatalf("encode input: %v", err)
|
|
}
|
|
|
|
std, err := standard.Eval(ctx, rego.EvalInput(regoInput))
|
|
if err != nil {
|
|
t.Fatalf("standard eval: %v", err)
|
|
}
|
|
fed, err := federal.Eval(ctx, rego.EvalInput(regoInput))
|
|
if err != nil {
|
|
t.Fatalf("federal eval: %v", err)
|
|
}
|
|
if len(std) == 0 || len(fed) == 0 {
|
|
t.Fatal("rego returned empty result set")
|
|
}
|
|
stdAllow := std[0].Expressions[0].Value.(bool)
|
|
fedAllow := fed[0].Expressions[0].Value.(bool)
|
|
|
|
if stdAllow != tc.wantStandard {
|
|
t.Errorf("standard rego: got %v, want %v", stdAllow, tc.wantStandard)
|
|
}
|
|
if fedAllow != tc.wantFederal {
|
|
t.Errorf("federal rego: got %v, want %v", fedAllow, tc.wantFederal)
|
|
}
|
|
// Cross-check the divergence flag itself: if we said the cases
|
|
// must disagree, they must; if we said they agree, they must.
|
|
diverges := stdAllow != fedAllow
|
|
if diverges != tc.divergesByDesign {
|
|
t.Errorf("divergence = %v, want %v (standard=%v, federal=%v)",
|
|
diverges, tc.divergesByDesign, stdAllow, fedAllow)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestFederalRego_RegoCompiles is a sanity check that the embedded
|
|
// federal Rego file parses without error in OPA, separate from the
|
|
// behavior tests. Catches accidental syntax breakage in
|
|
// access_federal.rego before running the (slower) parity matrix.
|
|
func TestFederalRego_RegoCompiles(t *testing.T) {
|
|
_, err := rego.New(
|
|
rego.Query("data.zddc.access_federal.allow"),
|
|
rego.Module("access_federal.rego", FederalRego),
|
|
).PrepareForEval(context.Background())
|
|
if err != nil {
|
|
t.Fatalf("federal rego does not compile: %v", err)
|
|
}
|
|
}
|