VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/zddc/roles_test.go
ZDDC f196205622 refactor(audit): pre-release cleanup pass 
Single audit pass that removes pre-release back-compat, consolidates the
admin-policy decider, and fixes the .zddc write path.

Field removal — acl.allow / acl.deny:
- Drop ACLRules.Allow / Deny struct fields and mergeLegacyACL().
- Remove walker / lookups / validate / decider branches that read them.
- Migrate every test fixture (YAML strings and ACLRules struct literals)
  to acl.permissions: { principal → verb-set }.
- Rewrite both bundled Rego policies (access.rego, access_federal.rego)
  to traverse level.acl.permissions; rewrite parity-test helpers.
- Update create-project form (profile page) to collect permissions
  instead of allow/deny lists.

Admin decider consolidation:
- Delete zddc.CanEditZddc — strict-ancestor rule retired. Subtree admins
  own their own .zddc; the policy decider's IsActiveAdmin short-circuit
  is the single bypass site.
- Migrate tablehandler.ServeTable to AllowActionFromChainP — closes the
  same Forbidden bug already fixed for /browse.html.
- Drop AccessView.EditableParentChoices and treeEntry.CanEdit (always
  true after the retirement). Profile page renders AdminSubtrees
  directly for both lists.
- Drop the excludeLeaf parameter from AdminLevelInChain /
  IsAdminForChain — no production caller passed true.

Dead code removed:
- policy.AllowWriteFromChain (zero production callers, zero tests).
- zddc.AllowedWithChain (zero production callers; tests deleted).

ModeStrict retirement — federal posture is OPA-only:
- Delete cascade_mode.go / cascade_mode_test.go and the ModeStrict
  branches in cascade.go and acl.go.
- Drop --cascade-mode flag, CascadeMode config field, and the
  InternalDecider.Mode field.
- Drop the mode parameter from every cascade helper:
  GrantedVerbsAtLevel, AllowedAction, EffectiveVerbs,
  EffectiveVerbsRange, RoleMembers, MatchesPrincipal,
  MatchingPrincipals, WormZoneGrant, PolicyChain.VisibleStart.
- Strip cascade_mode from /.profile/config and
  /.profile/effective-policy responses.
- Refresh README / ARCHITECTURE.md to describe federal posture as
  "deploy OPA with access_federal.rego" (NIST AC-6); the bundled Rego
  is the parent-deny-is-absolute variant. The in-process Go evaluator
  implements only the commercial cascade.

Legacy redirects + .admin.css fallback:
- Drop /<dir>/.zddc.html → ?file=.zddc redirect and its test.
- Drop ?zip=1 retired comment + legacy test (handled by the
  .zip virtual-URL path; covered by TestServeSubtreeZip).
- Drop .admin.css fallback in profile_assets.go — only .profile.css now.
- Refresh stale "retired" / "back-compat" / "legacy" comment markers.

.zddc write path fix:
- Dispatcher: route only GET/HEAD on .zddc URLs to ServeZddcFile; carve
  .zddc out of the dot-prefix guard so PUT/DELETE/POST reach
  ServeFileAPI. Before this, .zddc writes 405'd at ServeZddcFile and
  the YAML editor's save flow had no live path.
- ServeFileAPI.resolveTargetPath: same .zddc-leaf carve-out so the file
  API accepts the path; intermediate dot dirs (.zddc.d/) stay reserved.
- Listing: compute Writable per-file with ActionAdmin for .zddc
  (matches the file API's gate) instead of ActionWrite for everything.
- Virtual .zddc placeholder: compute Writable via the same
  parentActiveAdmin || ActionAdmin path. Was always false before.
- browse YAML editor canSave: exempt virtual .zddc — the synthetic
  body is designed to materialize on PUT.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 16:28:07 -05:00

165 lines
4.4 KiB
Go
Raw Blame History

package zddc
import "testing"
func TestParseVerbSetRoundTrip(t *testing.T) {
cases := []struct {
in string
out string
}{
{"", ""},
{"r", "r"},
{"rw", "rw"},
{"wr", "rw"}, // canonical reorder
{"rwcd", "rwcd"},
{"adcwr", "rwcda"}, // canonical reorder
{"RWCDA", "rwcda"}, // case-insensitive
{" r w c ", "rwc"}, // whitespace tolerated
}
for _, tc := range cases {
v, ok := ParseVerbSet(tc.in)
if !ok {
t.Errorf("ParseVerbSet(%q) ok=false", tc.in)
continue
}
if got := v.String(); got != tc.out {
t.Errorf("ParseVerbSet(%q).String() = %q, want %q", tc.in, got, tc.out)
}
}
}
func TestParseVerbSetUnknownLetter(t *testing.T) {
if _, ok := ParseVerbSet("rwx"); ok {
t.Errorf("ParseVerbSet(\"rwx\") = ok=true, want false")
}
}
func TestVerbSetHasAndUnion(t *testing.T) {
rw, _ := ParseVerbSet("rw")
cd, _ := ParseVerbSet("cd")
if !rw.Has(VerbR) {
t.Errorf("rw should have R")
}
if rw.Has(VerbC) {
t.Errorf("rw should not have C")
}
if got := rw.Union(cd).String(); got != "rwcd" {
t.Errorf("rw|cd = %q, want rwcd", got)
}
}
func TestIsPrincipalRole(t *testing.T) {
cases := map[string]bool{
"alice@example.com": false,
"*@example.com": false,
"alice@*": false,
"_doc_controller": true,
"vendor_acme": true,
"*": true, // legacy bare wildcard — treated as role-or-pattern
}
for in, want := range cases {
if got := IsPrincipalRole(in); got != want {
t.Errorf("IsPrincipalRole(%q) = %v, want %v", in, got, want)
}
}
}
func TestRoleMembersUnionAcrossCascade(t *testing.T) {
chain := PolicyChain{
Levels: []ZddcFile{
// root: role defined with one member
{Roles: map[string]Role{
"editors": {Members: []string{"alice@example.com"}},
}},
// child: ADDS a member (union, not shadow)
{Roles: map[string]Role{
"editors": {Members: []string{"bob@example.com"}},
}},
},
HasAnyFile: true,
}
got := RoleMembers(chain, 1, "editors")
if len(got) != 2 {
t.Fatalf("union: got %v, want both alice + bob", got)
}
has := func(s string) bool {
for _, g := range got {
if g == s {
return true
}
}
return false
}
if !has("alice@example.com") || !has("bob@example.com") {
t.Errorf("union: got %v, want alice + bob", got)
}
// At root level, only the root definition is in the visible chain.
got = RoleMembers(chain, 0, "editors")
if len(got) != 1 || got[0] != "alice@example.com" {
t.Errorf("root visibility: got %v, want [alice]", got)
}
}
func TestRoleMembersResetBreaksUnion(t *testing.T) {
chain := PolicyChain{
Levels: []ZddcFile{
// root
{Roles: map[string]Role{
"editors": {Members: []string{"alice@example.com"}},
}},
// mid: reset — ancestors above this are excluded for editors
{Roles: map[string]Role{
"editors": {Members: []string{"carol@example.com"}, Reset: true},
}},
// leaf: still unions on top of the reset level
{Roles: map[string]Role{
"editors": {Members: []string{"dave@example.com"}},
}},
},
HasAnyFile: true,
}
got := RoleMembers(chain, 2, "editors")
// Expect carol (reset level) + dave (leaf), NOT alice (excluded by reset).
if len(got) != 2 {
t.Fatalf("reset: got %v, want carol + dave only", got)
}
for _, g := range got {
if g == "alice@example.com" {
t.Errorf("reset should have excluded alice; got %v", got)
}
}
}
func TestMatchesPrincipalLegacyPatternFallback(t *testing.T) {
// No roles defined; bare "*" and "*example.com" must still match
// via legacy email-pattern semantics.
chain := PolicyChain{
Levels: []ZddcFile{{}},
HasAnyFile: true,
}
if !MatchesPrincipal("*", "alice@example.com", chain, 0) {
t.Errorf("bare * should match any email via legacy fallback")
}
if !MatchesPrincipal("*example.com", "alice@example.com", chain, 0) {
t.Errorf("*example.com should match alice@example.com via legacy fallback")
}
}
func TestMatchesPrincipalRoleNamePrefersRole(t *testing.T) {
// When a role is defined, the role match wins; legacy fallback is
// not consulted.
chain := PolicyChain{
Levels: []ZddcFile{{
Roles: map[string]Role{
"vendor_acme": {Members: []string{"*@acme.com"}},
},
}},
HasAnyFile: true,
}
if !MatchesPrincipal("vendor_acme", "rep@acme.com", chain, 0) {
t.Errorf("rep@acme.com should match role vendor_acme")
}
if MatchesPrincipal("vendor_acme", "rep@other.com", chain, 0) {
t.Errorf("rep@other.com should NOT match role vendor_acme — fallback to pattern would wrongly succeed")
}
}
Reference in a new issue View git blame Copy permalink