ZDDC
f196205622
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.
Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
instead of allow/deny lists.
Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
own their own .zddc; the policy decider's IsActiveAdmin short-circuit
is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
true after the retirement). Profile page renders AdminSubtrees
directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
IsAdminForChain — no production caller passed true.
Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).
ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
/.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
"deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
is the parent-deny-is-absolute variant. The in-process Go evaluator
implements only the commercial cascade.
Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
.zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.
.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
.zddc out of the dot-prefix guard so PUT/DELETE/POST reach
ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
(matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
body is designed to materialize on PUT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
99 lines
3.3 KiB
Rego
99 lines
3.3 KiB
Rego
# Federal-mode reference policy: parent-deny-is-absolute (NIST AC-6).
|
|
#
|
|
# This is a strict-least-privilege variant of access.rego. The two policies
|
|
# differ in exactly one rule, but the semantic difference is meaningful for
|
|
# federal evaluators:
|
|
#
|
|
# access.rego (commercial, default):
|
|
# "Bottom-up walk; first explicit match wins; deny-first within a level.
|
|
# A leaf-level allow CAN override an ancestor's deny."
|
|
# Test: cascade_test.go "leaf allows user that parent denies → leaf wins".
|
|
#
|
|
# access_federal.rego (federal):
|
|
# "Any deny anywhere along the chain is absolute. An allow only matters
|
|
# if no ancestor (or sibling level) has denied the same email. Leaf-
|
|
# level allows do NOT override ancestor denies."
|
|
# Required by NIST AC-6 (Least Privilege) default expectations: a
|
|
# central admin's deny at the root must be unbypassable by a tenant
|
|
# who controls a subtree's .zddc.
|
|
#
|
|
# Why ship two policies? The internal Go evaluator (in zddc/internal/zddc/
|
|
# acl.go) implements only the commercial cascade — it's the rule the
|
|
# default deployment exercises. Federal customers running their own OPA
|
|
# with this file get the strict variant without any zddc-server code
|
|
# change. They can also write a hybrid policy (e.g. "deny is absolute
|
|
# only for emails matching some pattern; cascade rules for everyone
|
|
# else") since once they're hosting their own OPA, the constraint is
|
|
# whatever they write.
|
|
#
|
|
# Input shape: identical to access.rego — see that file's docstring.
|
|
# acl.permissions maps principal patterns to verb strings; an empty
|
|
# verb string is an explicit deny.
|
|
|
|
package zddc.access_federal
|
|
|
|
import future.keywords.if
|
|
import future.keywords.in
|
|
|
|
default allow := false
|
|
|
|
# Allow when no .zddc files exist anywhere AND no rule matches.
|
|
# Same default-allow case as commercial; preserves the empty-tree
|
|
# behaviour. (zddc-server's --insecure check at startup makes this
|
|
# unreachable in any non-deliberately-public deployment.)
|
|
allow if {
|
|
not input.policy_chain.has_any_file
|
|
not any_deny_match
|
|
not any_allow_match
|
|
}
|
|
|
|
# Allow when files exist, no level (any depth) denies, and at least
|
|
# one level allows. The "any level" check is what makes parent denies
|
|
# absolute — there is no "deepest match wins" rule here.
|
|
allow if {
|
|
input.policy_chain.has_any_file
|
|
not any_deny_match
|
|
any_allow_match
|
|
}
|
|
|
|
# Any explicit-deny permission entry at ANY level matches the email.
|
|
any_deny_match if {
|
|
some level in input.policy_chain.levels
|
|
some pattern, verbs in level.acl.permissions
|
|
verbs == ""
|
|
email_matches(pattern, input.user.email)
|
|
}
|
|
|
|
# Any grant permission entry (non-empty verbs) at ANY level matches.
|
|
any_allow_match if {
|
|
some level in input.policy_chain.levels
|
|
some pattern, verbs in level.acl.permissions
|
|
verbs != ""
|
|
email_matches(pattern, input.user.email)
|
|
}
|
|
|
|
# email_matches: identical to access.rego — see that file for the
|
|
# rationale on the four cases. Duplicated rather than imported so this
|
|
# file is self-contained for operators who copy it as a starting point.
|
|
|
|
email_matches(pattern, email) if {
|
|
pattern == email
|
|
}
|
|
|
|
email_matches(pattern, email) if {
|
|
pattern == "*"
|
|
email != ""
|
|
}
|
|
|
|
email_matches(pattern, email) if {
|
|
contains(pattern, "*")
|
|
contains(pattern, "@")
|
|
glob.match(pattern, ["@"], email)
|
|
}
|
|
|
|
email_matches(pattern, email) if {
|
|
contains(pattern, "*")
|
|
not contains(pattern, "@")
|
|
pattern != "*"
|
|
glob.match(pattern, [], email)
|
|
}
|