mleku/next.orly.dev
1
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor event handling and testing utilities
Some checks failed
Go / build (push) Has been cancelled
Details
Go / release (push) Has been cancelled
Details

Browse Source 
- Updated the HandleReq function to improve event filtering logic, ensuring that privileged events are consistently checked against user access levels.
- Refactored event deduplication to utilize filtered events instead of all events, enhancing performance and clarity.
- Enhanced test utilities by generating keypairs for event creation, ensuring proper signing and validation in tests.
- Updated various test cases to use the new event creation methods, improving reliability and maintainability of tests.
- Bumped version to reflect changes made.
This commit is contained in:
mleku
2025-10-30 15:53:02 +00:00
parent 88ebf6eccc
commit 62f244d114
3 changed files with 343 additions and 164 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
app/handle-req.go
View File

@@ -283,13 +283,13 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
if !authorized { if !authorized {
continue // not authorized to see this private event continue // not authorized to see this private event
} }
// Event has private tag and user is authorized - continue to privileged check
tmp = append(tmp, ev)
continue
} }
if l.Config.ACLMode != "none" && // Always filter privileged events based on kind, regardless of ACLMode
kind.IsPrivileged(ev.Kind) && accessLevel != "admin" { // admins can see all events // Privileged events should only be sent to users who are authenticated and
// are either the event author or listed in p tags
if kind.IsPrivileged(ev.Kind) && accessLevel != "admin" { // admins can see all events
log.T.C( log.T.C(
func() string { func() string {
return fmt.Sprintf( return fmt.Sprintf(
@@ -384,27 +384,28 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
} }
// Deduplicate events (in case chunk processing returned duplicates) // Deduplicate events (in case chunk processing returned duplicates)
if len(allEvents) > 0 { // Use events (already filtered for privileged/policy) instead of allEvents
if len(events) > 0 {
seen := make(map[string]struct{}) seen := make(map[string]struct{})
var deduplicatedEvents event.S var deduplicatedEvents event.S
originalCount := len(allEvents) originalCount := len(events)
for _, ev := range allEvents { for _, ev := range events {
eventID := hexenc.Enc(ev.ID) eventID := hexenc.Enc(ev.ID)
if _, exists := seen[eventID]; !exists { if _, exists := seen[eventID]; !exists {
seen[eventID] = struct{}{} seen[eventID] = struct{}{}
deduplicatedEvents = append(deduplicatedEvents, ev) deduplicatedEvents = append(deduplicatedEvents, ev)
} }
} }
allEvents = deduplicatedEvents events = deduplicatedEvents
if originalCount != len(allEvents) { if originalCount != len(events) {
log.T.F("REQ %s: deduplicated %d events to %d unique events", env.Subscription, originalCount, len(allEvents)) log.T.F("REQ %s: deduplicated %d events to %d unique events", env.Subscription, originalCount, len(events))
} }
} }
// Apply managed ACL filtering for read access if managed ACL is active // Apply managed ACL filtering for read access if managed ACL is active
if acl.Registry.Active.Load() == "managed" { if acl.Registry.Active.Load() == "managed" {
var aclFilteredEvents event.S var aclFilteredEvents event.S
for _, ev := range allEvents { for _, ev := range events {
// Check if event is banned // Check if event is banned
eventID := hex.EncodeToString(ev.ID) eventID := hex.EncodeToString(ev.ID)
if banned, err := l.getManagedACL().IsEventBanned(eventID); err == nil && banned { if banned, err := l.getManagedACL().IsEventBanned(eventID); err == nil && banned {
@@ -430,13 +431,13 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
aclFilteredEvents = append(aclFilteredEvents, ev) aclFilteredEvents = append(aclFilteredEvents, ev)
} }
allEvents = aclFilteredEvents events = aclFilteredEvents
} }
// Apply private tag filtering - only show events with "private" tags to authorized users // Apply private tag filtering - only show events with "private" tags to authorized users
var privateFilteredEvents event.S var privateFilteredEvents event.S
authedPubkey := l.authedPubkey.Load() authedPubkey := l.authedPubkey.Load()
for _, ev := range allEvents { for _, ev := range events {
// Check if event has private tags // Check if event has private tags
hasPrivateTag := false hasPrivateTag := false
var privatePubkey []byte var privatePubkey []byte
@@ -469,10 +470,10 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
log.D.F("private tag: filtering out event %s from unauthorized user", hexenc.Enc(ev.ID)) log.D.F("private tag: filtering out event %s from unauthorized user", hexenc.Enc(ev.ID))
} }
} }
allEvents = privateFilteredEvents events = privateFilteredEvents
seen := make(map[string]struct{}) seen := make(map[string]struct{})
for _, ev := range allEvents { for _, ev := range events {
log.T.C( log.T.C(
func() string { func() string {
return fmt.Sprintf( return fmt.Sprintf(

87
pkg/policy/benchmark_test.go
View File

@@ -8,20 +8,27 @@ import (
"testing" "testing"
"time" "time"
"lol.mleku.dev/chk"
"next.orly.dev/pkg/crypto/p256k"
"next.orly.dev/pkg/encoders/event" "next.orly.dev/pkg/encoders/event"
"next.orly.dev/pkg/encoders/hex"
"next.orly.dev/pkg/encoders/tag" "next.orly.dev/pkg/encoders/tag"
) )
// Helper function to create test event // Helper function to create test event for benchmarks (reuses signer)
func createTestEventBench(id, pubkey, content string, kind uint16) *event.E { func createTestEventBench(b *testing.B, signer *p256k.Signer, content string, kind uint16) *event.E {
return &event.E{ ev := event.New()
ID: []byte(id), ev.CreatedAt = time.Now().Unix()
Kind: kind, ev.Kind = kind
Pubkey: []byte(pubkey), ev.Content = []byte(content)
Content: []byte(content), ev.Tags = tag.NewS()
Tags: &tag.S{},
CreatedAt: time.Now().Unix(), // Sign the event properly
if err := ev.Sign(signer); chk.E(err) {
b.Fatalf("Failed to sign test event: %v", err)
} }
return ev
} }
func BenchmarkCheckKindsPolicy(b *testing.B) { func BenchmarkCheckKindsPolicy(b *testing.B) {
@@ -38,12 +45,13 @@ func BenchmarkCheckKindsPolicy(b *testing.B) {
} }
func BenchmarkCheckRulePolicy(b *testing.B) { func BenchmarkCheckRulePolicy(b *testing.B) {
// Create test event // Generate keypair once for all events
testEvent := createTestEventBench("test-event-id", "test-pubkey", "test content", 1) signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, "test content", 1)
rule := Rule{ rule := Rule{
Description: "test rule", Description: "test rule",
WriteAllow: []string{"test-pubkey"}, WriteAllow: []string{hex.Enc(pubkey)},
SizeLimit: int64Ptr(10000), SizeLimit: int64Ptr(10000),
ContentLimit: int64Ptr(1000), ContentLimit: int64Ptr(1000),
MustHaveTags: []string{"p"}, MustHaveTags: []string{"p"},
@@ -53,13 +61,14 @@ func BenchmarkCheckRulePolicy(b *testing.B) {
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.checkRulePolicy("write", testEvent, rule, []byte("test-pubkey")) policy.checkRulePolicy("write", testEvent, rule, pubkey)
} }
} }
func BenchmarkCheckPolicy(b *testing.B) { func BenchmarkCheckPolicy(b *testing.B) {
// Create test event // Generate keypair once for all events
testEvent := createTestEventBench("test-event-id", "test-pubkey", "test content", 1) signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, "test content", 1)
policy := &P{ policy := &P{
Kind: Kinds{ Kind: Kinds{
@@ -68,14 +77,14 @@ func BenchmarkCheckPolicy(b *testing.B) {
Rules: map[int]Rule{ Rules: map[int]Rule{
1: { 1: {
Description: "test rule", Description: "test rule",
WriteAllow: []string{"test-pubkey"}, WriteAllow: []string{hex.Enc(pubkey)},
}, },
}, },
} }
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") policy.CheckPolicy("write", testEvent, pubkey, "127.0.0.1")
} }
} }
@@ -114,8 +123,9 @@ done
// Give the script time to start // Give the script time to start
time.Sleep(100 * time.Millisecond) time.Sleep(100 * time.Millisecond)
// Create test event // Generate keypair once for all events
testEvent := createTestEventBench("test-event-id", "test-pubkey", "test content", 1) signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, "test content", 1)
policy := &P{ policy := &P{
Manager: manager, Manager: manager,
@@ -130,7 +140,7 @@ done
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") policy.CheckPolicy("write", testEvent, pubkey, "127.0.0.1")
} }
} }
@@ -190,16 +200,19 @@ func BenchmarkCheckPolicyMultipleKinds(b *testing.B) {
Rules: rules, Rules: rules,
} }
// Generate keypair once for all events
signer, pubkey := generateTestKeypairB(b)
// Create test events with different kinds // Create test events with different kinds
events := make([]*event.E, 100) events := make([]*event.E, 100)
for i := 0; i < 100; i++ { for i := 0; i < 100; i++ {
events[i] = createTestEvent("test-event-id", "test-pubkey", "test content", uint16(i+1)) events[i] = createTestEventBench(b, signer, "test content", uint16(i+1))
} }
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
event := events[i%100] event := events[i%100]
policy.CheckPolicy("write", event, []byte("test-pubkey"), "127.0.0.1") policy.CheckPolicy("write", event, pubkey, "127.0.0.1")
} }
} }
@@ -217,11 +230,13 @@ func BenchmarkCheckPolicyLargeWhitelist(b *testing.B) {
Rules: map[int]Rule{}, Rules: map[int]Rule{},
} }
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 500) // Kind in the middle of the whitelist // Generate keypair once for all events
signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, "test content", 500) // Kind in the middle of the whitelist
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") policy.CheckPolicy("write", testEvent, pubkey, "127.0.0.1")
} }
} }
@@ -239,22 +254,25 @@ func BenchmarkCheckPolicyLargeBlacklist(b *testing.B) {
Rules: map[int]Rule{}, Rules: map[int]Rule{},
} }
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1500) // Kind not in blacklist // Generate keypair once for all events
signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, "test content", 1500) // Kind not in blacklist
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") policy.CheckPolicy("write", testEvent, pubkey, "127.0.0.1")
} }
} }
func BenchmarkCheckPolicyComplexRule(b *testing.B) { func BenchmarkCheckPolicyComplexRule(b *testing.B) {
// Create test event with many tags // Generate keypair once for all events
testEvent := createTestEventBench("test-event-id", "test-pubkey", "test content", 1) signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, "test content", 1)
// Add many tags // Add many tags
for i := 0; i < 100; i++ { for i := 0; i < 100; i++ {
tagItem1 := tag.New() tagItem1 := tag.New()
tagItem1.T = append(tagItem1.T, []byte("p"), []byte("test-pubkey")) tagItem1.T = append(tagItem1.T, []byte("p"), []byte(hex.Enc(pubkey)))
*testEvent.Tags = append(*testEvent.Tags, tagItem1) *testEvent.Tags = append(*testEvent.Tags, tagItem1)
tagItem2 := tag.New() tagItem2 := tag.New()
@@ -264,7 +282,7 @@ func BenchmarkCheckPolicyComplexRule(b *testing.B) {
rule := Rule{ rule := Rule{
Description: "complex rule", Description: "complex rule",
WriteAllow: []string{"test-pubkey"}, WriteAllow: []string{hex.Enc(pubkey)},
SizeLimit: int64Ptr(100000), SizeLimit: int64Ptr(100000),
ContentLimit: int64Ptr(10000), ContentLimit: int64Ptr(10000),
MustHaveTags: []string{"p", "e"}, MustHaveTags: []string{"p", "e"},
@@ -275,7 +293,7 @@ func BenchmarkCheckPolicyComplexRule(b *testing.B) {
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.checkRulePolicy("write", testEvent, rule, []byte("test-pubkey")) policy.checkRulePolicy("write", testEvent, rule, pubkey)
} }
} }
@@ -294,11 +312,12 @@ func BenchmarkCheckPolicyLargeEvent(b *testing.B) {
}, },
} }
// Create test event with large content // Generate keypair once for all events
testEvent := createTestEvent("test-event-id", "test-pubkey", largeContent, 1) signer, pubkey := generateTestKeypairB(b)
testEvent := createTestEventBench(b, signer, largeContent, 1)
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") policy.CheckPolicy("write", testEvent, pubkey, "127.0.0.1")
} }
} }

387
pkg/policy/policy_test.go
View File

@@ -9,6 +9,8 @@ import (
"testing" "testing"
"time" "time"
"lol.mleku.dev/chk"
"next.orly.dev/pkg/crypto/p256k"
"next.orly.dev/pkg/encoders/event" "next.orly.dev/pkg/encoders/event"
"next.orly.dev/pkg/encoders/hex" "next.orly.dev/pkg/encoders/hex"
"next.orly.dev/pkg/encoders/tag" "next.orly.dev/pkg/encoders/tag"
@@ -19,23 +21,68 @@ func int64Ptr(i int64) *int64 {
return &i return &i
} }
// Helper function to create test event // Helper function to generate a keypair for testing
func createTestEvent(id, pubkey, content string, kind uint16) *event.E { func generateTestKeypair(t *testing.T) (signer *p256k.Signer, pubkey []byte) {
return &event.E{ signer = &p256k.Signer{}
ID: []byte(id), if err := signer.Generate(); chk.E(err) {
Kind: kind, t.Fatalf("Failed to generate test keypair: %v", err)
Pubkey: []byte(pubkey),
Content: []byte(content),
Tags: &tag.S{},
CreatedAt: time.Now().Unix(),
} }
pubkey = signer.Pub()
return
} }
// Helper function to add tags to event // Helper function to generate a keypair for benchmarks
func generateTestKeypairB(b *testing.B) (signer *p256k.Signer, pubkey []byte) {
signer = &p256k.Signer{}
if err := signer.Generate(); chk.E(err) {
b.Fatalf("Failed to generate test keypair: %v", err)
}
pubkey = signer.Pub()
return
}
// Helper function to create a real test event with proper signing
func createTestEvent(t *testing.T, signer *p256k.Signer, content string, kind uint16) *event.E {
ev := event.New()
ev.CreatedAt = time.Now().Unix()
ev.Kind = kind
ev.Content = []byte(content)
ev.Tags = tag.NewS()
// Sign the event properly
if err := ev.Sign(signer); chk.E(err) {
t.Fatalf("Failed to sign test event: %v", err)
}
return ev
}
// Helper function to create a test event with a specific pubkey (for unauthorized tests)
func createTestEventWithPubkey(t *testing.T, signer *p256k.Signer, content string, kind uint16) *event.E {
ev := event.New()
ev.CreatedAt = time.Now().Unix()
ev.Kind = kind
ev.Content = []byte(content)
ev.Tags = tag.NewS()
// Sign the event properly
if err := ev.Sign(signer); chk.E(err) {
t.Fatalf("Failed to sign test event: %v", err)
}
return ev
}
// Helper function to add p tag with hex-encoded pubkey to event
func addPTag(ev *event.E, pubkey []byte) {
pTag := tag.NewFromAny("p", hex.Enc(pubkey))
ev.Tags.Append(pTag)
}
// Helper function to add other tags to event
func addTag(ev *event.E, key, value string) { func addTag(ev *event.E, key, value string) {
tagItem := tag.New() tagItem := tag.NewFromAny(key, value)
tagItem.T = append(tagItem.T, []byte(key), []byte(value)) ev.Tags.Append(tagItem)
*ev.Tags = append(*ev.Tags, tagItem)
} }
func TestNew(t *testing.T) { func TestNew(t *testing.T) {
@@ -174,10 +221,15 @@ func TestCheckKindsPolicy(t *testing.T) {
} }
func TestCheckRulePolicy(t *testing.T) { func TestCheckRulePolicy(t *testing.T) {
// Create test event // Generate real keypairs for testing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) eventSigner, eventPubkey := generateTestKeypair(t)
_, pTagPubkey := generateTestKeypair(t)
_, unauthorizedPubkey := generateTestKeypair(t)
// Create real test event with proper signing
testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Add p tag with hex-encoded pubkey // Add p tag with hex-encoded pubkey
addTag(testEvent, "p", hex.Enc([]byte("test-pubkey-2"))) addPTag(testEvent, pTagPubkey)
addTag(testEvent, "expiration", "1234567890") addTag(testEvent, "expiration", "1234567890")
tests := []struct { tests := []struct {
@@ -195,7 +247,7 @@ func TestCheckRulePolicy(t *testing.T) {
rule: Rule{ rule: Rule{
Description: "no restrictions", Description: "no restrictions",
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: true, expected: true,
}, },
{ {
@@ -206,7 +258,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "pubkey allowed", Description: "pubkey allowed",
WriteAllow: []string{hex.Enc(testEvent.Pubkey)}, WriteAllow: []string{hex.Enc(testEvent.Pubkey)},
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: true, expected: true,
}, },
{ {
@@ -215,9 +267,9 @@ func TestCheckRulePolicy(t *testing.T) {
event: testEvent, event: testEvent,
rule: Rule{ rule: Rule{
Description: "pubkey not allowed", Description: "pubkey not allowed",
WriteAllow: []string{"other-pubkey"}, WriteAllow: []string{hex.Enc(pTagPubkey)}, // Different pubkey
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: false, expected: false,
}, },
{ {
@@ -228,7 +280,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "size limit", Description: "size limit",
SizeLimit: int64Ptr(10000), SizeLimit: int64Ptr(10000),
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: true, expected: true,
}, },
{ {
@@ -239,7 +291,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "size limit exceeded", Description: "size limit exceeded",
SizeLimit: int64Ptr(10), SizeLimit: int64Ptr(10),
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: false, expected: false,
}, },
{ {
@@ -250,7 +302,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "content limit", Description: "content limit",
ContentLimit: int64Ptr(1000), ContentLimit: int64Ptr(1000),
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: true, expected: true,
}, },
{ {
@@ -261,7 +313,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "content limit exceeded", Description: "content limit exceeded",
ContentLimit: int64Ptr(5), ContentLimit: int64Ptr(5),
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: false, expected: false,
}, },
{ {
@@ -272,7 +324,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "required tags", Description: "required tags",
MustHaveTags: []string{"p"}, MustHaveTags: []string{"p"},
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: true, expected: true,
}, },
{ {
@@ -283,7 +335,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "required tags missing", Description: "required tags missing",
MustHaveTags: []string{"e"}, MustHaveTags: []string{"e"},
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
expected: false, expected: false,
}, },
{ {
@@ -305,7 +357,7 @@ func TestCheckRulePolicy(t *testing.T) {
Description: "privileged event with p tag", Description: "privileged event with p tag",
Privileged: true, Privileged: true,
}, },
loggedInPubkey: []byte("test-pubkey-2"), loggedInPubkey: pTagPubkey,
expected: true, expected: true,
}, },
{ {
@@ -319,6 +371,61 @@ func TestCheckRulePolicy(t *testing.T) {
loggedInPubkey: nil, loggedInPubkey: nil,
expected: false, expected: false,
}, },
{
name: "privileged - authenticated but not authorized (different pubkey, not in p tags)",
access: "write",
event: testEvent,
rule: Rule{
Description: "privileged event unauthorized user",
Privileged: true,
},
loggedInPubkey: unauthorizedPubkey,
expected: false,
},
{
name: "privileged read - event authored by logged in user",
access: "read",
event: testEvent,
rule: Rule{
Description: "privileged event read access",
Privileged: true,
},
loggedInPubkey: testEvent.Pubkey,
expected: true,
},
{
name: "privileged read - event contains logged in user in p tag",
access: "read",
event: testEvent,
rule: Rule{
Description: "privileged event read access with p tag",
Privileged: true,
},
loggedInPubkey: pTagPubkey,
expected: true,
},
{
name: "privileged read - not authenticated",
access: "read",
event: testEvent,
rule: Rule{
Description: "privileged event read access not authenticated",
Privileged: true,
},
loggedInPubkey: nil,
expected: false,
},
{
name: "privileged read - authenticated but not authorized (different pubkey, not in p tags)",
access: "read",
event: testEvent,
rule: Rule{
Description: "privileged event read access unauthorized user",
Privileged: true,
},
loggedInPubkey: unauthorizedPubkey,
expected: false,
},
} }
for _, tt := range tests { for _, tt := range tests {
@@ -337,8 +444,11 @@ func TestCheckRulePolicy(t *testing.T) {
} }
func TestCheckPolicy(t *testing.T) { func TestCheckPolicy(t *testing.T) {
// Create test event // Generate real keypair for testing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) eventSigner, eventPubkey := generateTestKeypair(t)
// Create real test event with proper signing
testEvent := createTestEvent(t, eventSigner, "test content", 1)
tests := []struct { tests := []struct {
name string name string
@@ -358,7 +468,7 @@ func TestCheckPolicy(t *testing.T) {
Kind: Kinds{}, Kind: Kinds{},
Rules: map[int]Rule{}, Rules: map[int]Rule{},
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
ipAddress: "127.0.0.1", ipAddress: "127.0.0.1",
expected: true, expected: true,
expectError: false, expectError: false,
@@ -373,7 +483,7 @@ func TestCheckPolicy(t *testing.T) {
}, },
Rules: map[int]Rule{}, Rules: map[int]Rule{},
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
ipAddress: "127.0.0.1", ipAddress: "127.0.0.1",
expected: false, expected: false,
expectError: false, expectError: false,
@@ -391,7 +501,7 @@ func TestCheckPolicy(t *testing.T) {
}, },
}, },
}, },
loggedInPubkey: []byte("test-pubkey"), loggedInPubkey: eventPubkey,
ipAddress: "127.0.0.1", ipAddress: "127.0.0.1",
expected: false, expected: false,
expectError: false, expectError: false,
@@ -488,13 +598,16 @@ func TestLoadFromFile(t *testing.T) {
} }
func TestPolicyEventSerialization(t *testing.T) { func TestPolicyEventSerialization(t *testing.T) {
// Create test event // Generate real keypair for testing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) eventSigner, eventPubkey := generateTestKeypair(t)
// Create real test event with proper signing
testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Create policy event // Create policy event
policyEvent := &PolicyEvent{ policyEvent := &PolicyEvent{
E: testEvent, E: testEvent,
LoggedInPubkey: "test-logged-in-pubkey", LoggedInPubkey: hex.Enc(eventPubkey),
IPAddress: "127.0.0.1", IPAddress: "127.0.0.1",
} }
@@ -508,13 +621,13 @@ func TestPolicyEventSerialization(t *testing.T) {
jsonStr := string(jsonData) jsonStr := string(jsonData)
t.Logf("Generated JSON: %s", jsonStr) t.Logf("Generated JSON: %s", jsonStr)
if !strings.Contains(jsonStr, "test-logged-in-pubkey") { if !strings.Contains(jsonStr, hex.Enc(eventPubkey)) {
t.Error("JSON should contain logged_in_pubkey field") t.Error("JSON should contain logged_in_pubkey field")
} }
if !strings.Contains(jsonStr, "127.0.0.1") { if !strings.Contains(jsonStr, "127.0.0.1") {
t.Error("JSON should contain ip_address field") t.Error("JSON should contain ip_address field")
} }
if !strings.Contains(jsonStr, "746573742d6576656e742d6964") { // hex encoded "test-event-id" if !strings.Contains(jsonStr, hex.Enc(testEvent.ID)) {
t.Error("JSON should contain event id field (hex encoded)") t.Error("JSON should contain event id field (hex encoded)")
} }
@@ -646,13 +759,16 @@ func TestPolicyManagerProcessEvent(t *testing.T) {
responseChan: make(chan PolicyResponse, 100), responseChan: make(chan PolicyResponse, 100),
} }
// Create test event // Generate real keypair for testing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) eventSigner, eventPubkey := generateTestKeypair(t)
// Create real test event with proper signing
testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Create policy event // Create policy event
policyEvent := &PolicyEvent{ policyEvent := &PolicyEvent{
E: testEvent, E: testEvent,
LoggedInPubkey: "test-logged-in-pubkey", LoggedInPubkey: hex.Enc(eventPubkey),
IPAddress: "127.0.0.1", IPAddress: "127.0.0.1",
} }
@@ -666,11 +782,14 @@ func TestPolicyManagerProcessEvent(t *testing.T) {
func TestEdgeCasesEmptyPolicy(t *testing.T) { func TestEdgeCasesEmptyPolicy(t *testing.T) {
policy := &P{} policy := &P{}
// Create test event // Generate real keypair for testing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) eventSigner, eventPubkey := generateTestKeypair(t)
// Create real test event with proper signing
testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow all events when policy is empty // Should allow all events when policy is empty
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -712,11 +831,14 @@ func TestEdgeCasesLargeEvent(t *testing.T) {
}, },
} }
// Create test event with large content // Generate real keypair for testing
testEvent := createTestEvent("test-event-id", "test-pubkey", largeContent, 1) eventSigner, eventPubkey := generateTestKeypair(t)
// Create real test event with large content
testEvent := createTestEvent(t, eventSigner, largeContent, 1)
// Should block large event // Should block large event
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -805,6 +927,10 @@ func TestEdgeCasesManagerDoubleStart(t *testing.T) {
} }
func TestCheckGlobalRulePolicy(t *testing.T) { func TestCheckGlobalRulePolicy(t *testing.T) {
// Generate real keypairs for testing
eventSigner, eventPubkey := generateTestKeypair(t)
_, loggedInPubkey := generateTestKeypair(t)
tests := []struct { tests := []struct {
name string name string
globalRule Rule globalRule Rule
@@ -815,19 +941,19 @@ func TestCheckGlobalRulePolicy(t *testing.T) {
{ {
name: "global rule with write allow - event allowed", name: "global rule with write allow - event allowed",
globalRule: Rule{ globalRule: Rule{
WriteAllow: []string{"746573742d7075626b6579"}, WriteAllow: []string{hex.Enc(eventPubkey)},
}, },
event: createTestEvent("test-id", "test-pubkey", "test content", 1), event: createTestEvent(t, eventSigner, "test content", 1),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: true, expected: true,
}, },
{ {
name: "global rule with write deny - event denied", name: "global rule with write deny - event denied",
globalRule: Rule{ globalRule: Rule{
WriteDeny: []string{"746573742d7075626b6579"}, WriteDeny: []string{hex.Enc(eventPubkey)},
}, },
event: createTestEvent("test-id", "test-pubkey", "test content", 1), event: createTestEvent(t, eventSigner, "test content", 1),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: false, expected: false,
}, },
{ {
@@ -835,8 +961,8 @@ func TestCheckGlobalRulePolicy(t *testing.T) {
globalRule: Rule{ globalRule: Rule{
SizeLimit: func() *int64 { v := int64(10); return &v }(), SizeLimit: func() *int64 { v := int64(10); return &v }(),
}, },
event: createTestEvent("test-id", "test-pubkey", "this is a very long content that exceeds the size limit", 1), event: createTestEvent(t, eventSigner, "this is a very long content that exceeds the size limit", 1),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: false, expected: false,
}, },
{ {
@@ -845,11 +971,11 @@ func TestCheckGlobalRulePolicy(t *testing.T) {
MaxAgeOfEvent: func() *int64 { v := int64(3600); return &v }(), // 1 hour MaxAgeOfEvent: func() *int64 { v := int64(3600); return &v }(), // 1 hour
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() - 7200 // 2 hours ago ev.CreatedAt = time.Now().Unix() - 7200 // 2 hours ago
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: false, expected: false,
}, },
{ {
@@ -858,11 +984,11 @@ func TestCheckGlobalRulePolicy(t *testing.T) {
MaxAgeEventInFuture: func() *int64 { v := int64(3600); return &v }(), // 1 hour MaxAgeEventInFuture: func() *int64 { v := int64(3600); return &v }(), // 1 hour
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() + 7200 // 2 hours in future ev.CreatedAt = time.Now().Unix() + 7200 // 2 hours in future
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: false, expected: false,
}, },
} }
@@ -882,23 +1008,26 @@ func TestCheckGlobalRulePolicy(t *testing.T) {
} }
func TestCheckPolicyWithGlobalRule(t *testing.T) { func TestCheckPolicyWithGlobalRule(t *testing.T) {
// Generate real keypairs for testing
eventSigner, eventPubkey := generateTestKeypair(t)
_, loggedInPubkey := generateTestKeypair(t)
// Test that global rule is applied first // Test that global rule is applied first
policy := &P{ policy := &P{
Global: Rule{ Global: Rule{
WriteDeny: []string{"746573742d7075626b6579"}, // Deny test-pubkey globally WriteDeny: []string{hex.Enc(eventPubkey)}, // Deny event pubkey globally
}, },
Kind: Kinds{ Kind: Kinds{
Whitelist: []int{1}, // Allow kind 1 Whitelist: []int{1}, // Allow kind 1
}, },
Rules: map[int]Rule{ Rules: map[int]Rule{
1: { 1: {
WriteAllow: []string{"746573742d7075626b6579"}, // Allow test-pubkey for kind 1 WriteAllow: []string{hex.Enc(eventPubkey)}, // Allow event pubkey for kind 1
}, },
}, },
} }
event := createTestEvent("test-id", "test-pubkey", "test content", 1) event := createTestEvent(t, eventSigner, "test content", 1)
loggedInPubkey := []byte("test-logged-in-pubkey")
// Global rule should deny this event even though kind-specific rule would allow it // Global rule should deny this event even though kind-specific rule would allow it
allowed, err := policy.CheckPolicy("write", event, loggedInPubkey, "127.0.0.1") allowed, err := policy.CheckPolicy("write", event, loggedInPubkey, "127.0.0.1")
@@ -912,6 +1041,10 @@ func TestCheckPolicyWithGlobalRule(t *testing.T) {
} }
func TestMaxAgeChecks(t *testing.T) { func TestMaxAgeChecks(t *testing.T) {
// Generate real keypairs for testing
eventSigner, _ := generateTestKeypair(t)
_, loggedInPubkey := generateTestKeypair(t)
tests := []struct { tests := []struct {
name string name string
rule Rule rule Rule
@@ -925,11 +1058,11 @@ func TestMaxAgeChecks(t *testing.T) {
MaxAgeOfEvent: func() *int64 { v := int64(3600); return &v }(), // 1 hour MaxAgeOfEvent: func() *int64 { v := int64(3600); return &v }(), // 1 hour
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() - 1800 // 30 minutes ago ev.CreatedAt = time.Now().Unix() - 1800 // 30 minutes ago
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: true, expected: true,
}, },
{ {
@@ -938,11 +1071,11 @@ func TestMaxAgeChecks(t *testing.T) {
MaxAgeOfEvent: func() *int64 { v := int64(3600); return &v }(), // 1 hour MaxAgeOfEvent: func() *int64 { v := int64(3600); return &v }(), // 1 hour
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() - 7200 // 2 hours ago ev.CreatedAt = time.Now().Unix() - 7200 // 2 hours ago
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: false, expected: false,
}, },
{ {
@@ -951,11 +1084,11 @@ func TestMaxAgeChecks(t *testing.T) {
MaxAgeEventInFuture: func() *int64 { v := int64(3600); return &v }(), // 1 hour MaxAgeEventInFuture: func() *int64 { v := int64(3600); return &v }(), // 1 hour
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() + 1800 // 30 minutes in future ev.CreatedAt = time.Now().Unix() + 1800 // 30 minutes in future
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: true, expected: true,
}, },
{ {
@@ -964,11 +1097,11 @@ func TestMaxAgeChecks(t *testing.T) {
MaxAgeEventInFuture: func() *int64 { v := int64(3600); return &v }(), // 1 hour MaxAgeEventInFuture: func() *int64 { v := int64(3600); return &v }(), // 1 hour
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() + 7200 // 2 hours in future ev.CreatedAt = time.Now().Unix() + 7200 // 2 hours in future
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: false, expected: false,
}, },
{ {
@@ -978,11 +1111,11 @@ func TestMaxAgeChecks(t *testing.T) {
MaxAgeEventInFuture: func() *int64 { v := int64(1800); return &v }(), // 30 minutes MaxAgeEventInFuture: func() *int64 { v := int64(1800); return &v }(), // 30 minutes
}, },
event: func() *event.E { event: func() *event.E {
ev := createTestEvent("test-id", "test-pubkey", "test content", 1) ev := createTestEvent(t, eventSigner, "test content", 1)
ev.CreatedAt = time.Now().Unix() + 900 // 15 minutes in future ev.CreatedAt = time.Now().Unix() + 900 // 15 minutes in future
return ev return ev
}(), }(),
loggedInPubkey: []byte("test-logged-in-pubkey"), loggedInPubkey: loggedInPubkey,
expected: true, expected: true,
}, },
} }
@@ -1004,6 +1137,9 @@ func TestMaxAgeChecks(t *testing.T) {
} }
func TestScriptPolicyNotRunningFallsBackToDefault(t *testing.T) { func TestScriptPolicyNotRunningFallsBackToDefault(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Create a policy with a script rule but no running manager, default policy is "allow" // Create a policy with a script rule but no running manager, default policy is "allow"
policy := &P{ policy := &P{
DefaultPolicy: "allow", DefaultPolicy: "allow",
@@ -1019,11 +1155,11 @@ func TestScriptPolicyNotRunningFallsBackToDefault(t *testing.T) {
}, },
} }
// Create test event // Create real test event with proper signing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow the event when script is configured but not running (falls back to default "allow") // Should allow the event when script is configured but not running (falls back to default "allow")
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1033,7 +1169,7 @@ func TestScriptPolicyNotRunningFallsBackToDefault(t *testing.T) {
// Test with default policy "deny" // Test with default policy "deny"
policy.DefaultPolicy = "deny" policy.DefaultPolicy = "deny"
allowed2, err2 := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed2, err2 := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err2 != nil { if err2 != nil {
t.Errorf("Unexpected error: %v", err2) t.Errorf("Unexpected error: %v", err2)
} }
@@ -1043,6 +1179,9 @@ func TestScriptPolicyNotRunningFallsBackToDefault(t *testing.T) {
} }
func TestDefaultPolicyAllow(t *testing.T) { func TestDefaultPolicyAllow(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Test default policy "allow" behavior // Test default policy "allow" behavior
policy := &P{ policy := &P{
DefaultPolicy: "allow", DefaultPolicy: "allow",
@@ -1050,11 +1189,11 @@ func TestDefaultPolicyAllow(t *testing.T) {
Rules: map[int]Rule{}, // No specific rules Rules: map[int]Rule{}, // No specific rules
} }
// Create test event for kind 1 (no specific rule exists) // Create real test event with proper signing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow the event with default policy "allow" // Should allow the event with default policy "allow"
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1064,6 +1203,9 @@ func TestDefaultPolicyAllow(t *testing.T) {
} }
func TestDefaultPolicyDeny(t *testing.T) { func TestDefaultPolicyDeny(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Test default policy "deny" behavior // Test default policy "deny" behavior
policy := &P{ policy := &P{
DefaultPolicy: "deny", DefaultPolicy: "deny",
@@ -1071,11 +1213,11 @@ func TestDefaultPolicyDeny(t *testing.T) {
Rules: map[int]Rule{}, // No specific rules Rules: map[int]Rule{}, // No specific rules
} }
// Create test event for kind 1 (no specific rule exists) // Create real test event with proper signing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should deny the event with default policy "deny" // Should deny the event with default policy "deny"
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1085,6 +1227,9 @@ func TestDefaultPolicyDeny(t *testing.T) {
} }
func TestDefaultPolicyEmpty(t *testing.T) { func TestDefaultPolicyEmpty(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Test empty default policy (should default to "allow") // Test empty default policy (should default to "allow")
policy := &P{ policy := &P{
DefaultPolicy: "", DefaultPolicy: "",
@@ -1092,11 +1237,11 @@ func TestDefaultPolicyEmpty(t *testing.T) {
Rules: map[int]Rule{}, // No specific rules Rules: map[int]Rule{}, // No specific rules
} }
// Create test event for kind 1 (no specific rule exists) // Create real test event with proper signing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow the event with empty default policy (defaults to "allow") // Should allow the event with empty default policy (defaults to "allow")
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1106,6 +1251,9 @@ func TestDefaultPolicyEmpty(t *testing.T) {
} }
func TestDefaultPolicyInvalid(t *testing.T) { func TestDefaultPolicyInvalid(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Test invalid default policy (should default to "allow") // Test invalid default policy (should default to "allow")
policy := &P{ policy := &P{
DefaultPolicy: "invalid", DefaultPolicy: "invalid",
@@ -1113,11 +1261,11 @@ func TestDefaultPolicyInvalid(t *testing.T) {
Rules: map[int]Rule{}, // No specific rules Rules: map[int]Rule{}, // No specific rules
} }
// Create test event for kind 1 (no specific rule exists) // Create real test event with proper signing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow the event with invalid default policy (defaults to "allow") // Should allow the event with invalid default policy (defaults to "allow")
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1127,6 +1275,9 @@ func TestDefaultPolicyInvalid(t *testing.T) {
} }
func TestDefaultPolicyWithSpecificRule(t *testing.T) { func TestDefaultPolicyWithSpecificRule(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Test that specific rules override default policy // Test that specific rules override default policy
policy := &P{ policy := &P{
DefaultPolicy: "deny", // Default is deny DefaultPolicy: "deny", // Default is deny
@@ -1139,11 +1290,11 @@ func TestDefaultPolicyWithSpecificRule(t *testing.T) {
}, },
} }
// Create test event for kind 1 (has specific rule) // Create real test event with proper signing for kind 1 (has specific rule)
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow the event because specific rule allows it, despite default policy being "deny" // Should allow the event because specific rule allows it, despite default policy being "deny"
allowed, err := policy.CheckPolicy("write", testEvent, []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.CheckPolicy("write", testEvent, eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1151,11 +1302,11 @@ func TestDefaultPolicyWithSpecificRule(t *testing.T) {
t.Error("Expected event to be allowed by specific rule, despite default_policy 'deny'") t.Error("Expected event to be allowed by specific rule, despite default_policy 'deny'")
} }
// Create test event for kind 2 (no specific rule exists) // Create real test event with proper signing for kind 2 (no specific rule exists)
testEvent2 := createTestEvent("test-event-id-2", "test-pubkey", "test content", 2) testEvent2 := createTestEvent(t, eventSigner, "test content", 2)
// Should deny the event because no specific rule and default policy is "deny" // Should deny the event because no specific rule and default policy is "deny"
allowed2, err2 := policy.CheckPolicy("write", testEvent2, []byte("test-pubkey"), "127.0.0.1") allowed2, err2 := policy.CheckPolicy("write", testEvent2, eventPubkey, "127.0.0.1")
if err2 != nil { if err2 != nil {
t.Errorf("Unexpected error: %v", err2) t.Errorf("Unexpected error: %v", err2)
} }
@@ -1190,6 +1341,9 @@ func TestNewPolicyWithDefaultPolicyJSON(t *testing.T) {
} }
func TestScriptProcessingFailureFallsBackToDefault(t *testing.T) { func TestScriptProcessingFailureFallsBackToDefault(t *testing.T) {
// Generate real keypair for testing
eventSigner, eventPubkey := generateTestKeypair(t)
// Test that script processing failures fall back to default policy // Test that script processing failures fall back to default policy
// We'll test this by using a manager that's not running (simulating failure) // We'll test this by using a manager that's not running (simulating failure)
policy := &P{ policy := &P{
@@ -1206,11 +1360,11 @@ func TestScriptProcessingFailureFallsBackToDefault(t *testing.T) {
}, },
} }
// Create test event // Create real test event with proper signing
testEvent := createTestEvent("test-event-id", "test-pubkey", "test content", 1) testEvent := createTestEvent(t, eventSigner, "test content", 1)
// Should allow the event when script is not running (falls back to default "allow") // Should allow the event when script is not running (falls back to default "allow")
allowed, err := policy.checkScriptPolicy("write", testEvent, "policy.sh", []byte("test-pubkey"), "127.0.0.1") allowed, err := policy.checkScriptPolicy("write", testEvent, "policy.sh", eventPubkey, "127.0.0.1")
if err != nil { if err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
@@ -1220,7 +1374,7 @@ func TestScriptProcessingFailureFallsBackToDefault(t *testing.T) {
// Test with default policy "deny" // Test with default policy "deny"
policy.DefaultPolicy = "deny" policy.DefaultPolicy = "deny"
allowed2, err2 := policy.checkScriptPolicy("write", testEvent, "policy.sh", []byte("test-pubkey"), "127.0.0.1") allowed2, err2 := policy.checkScriptPolicy("write", testEvent, "policy.sh", eventPubkey, "127.0.0.1")
if err2 != nil { if err2 != nil {
t.Errorf("Unexpected error: %v", err2) t.Errorf("Unexpected error: %v", err2)
} }
@@ -1230,6 +1384,11 @@ func TestScriptProcessingFailureFallsBackToDefault(t *testing.T) {
} }
func TestDefaultPolicyLogicWithRules(t *testing.T) { func TestDefaultPolicyLogicWithRules(t *testing.T) {
// Generate real keypairs for testing
testSigner, _ := generateTestKeypair(t)
deniedSigner, deniedPubkey := generateTestKeypair(t)
_, loggedInPubkey := generateTestKeypair(t)
// Test that default policy logic works correctly with rules // Test that default policy logic works correctly with rules
// Test 1: default_policy "deny" - should only allow if rule explicitly allows // Test 1: default_policy "deny" - should only allow if rule explicitly allows
@@ -1245,15 +1404,15 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
}, },
2: { 2: {
Description: "deny specific pubkey for kind 2", Description: "deny specific pubkey for kind 2",
WriteDeny: []string{"64656e6965642d7075626b6579"}, // hex of "denied-pubkey" WriteDeny: []string{hex.Enc(deniedPubkey)},
}, },
// No rule for kind 3 // No rule for kind 3
}, },
} }
// Kind 1: has rule that allows all - should be allowed // Kind 1: has rule that allows all - should be allowed
event1 := createTestEvent("test-1", "test-pubkey", "content", 1) event1 := createTestEvent(t, testSigner, "content", 1)
allowed1, err1 := policy1.CheckPolicy("write", event1, []byte("test-pubkey"), "127.0.0.1") allowed1, err1 := policy1.CheckPolicy("write", event1, loggedInPubkey, "127.0.0.1")
if err1 != nil { if err1 != nil {
t.Errorf("Unexpected error for kind 1: %v", err1) t.Errorf("Unexpected error for kind 1: %v", err1)
} }
@@ -1262,8 +1421,8 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
} }
// Kind 2: has rule that denies specific pubkey - should be allowed for other pubkeys // Kind 2: has rule that denies specific pubkey - should be allowed for other pubkeys
event2 := createTestEvent("test-2", "test-pubkey", "content", 2) event2 := createTestEvent(t, testSigner, "content", 2)
allowed2, err2 := policy1.CheckPolicy("write", event2, []byte("test-pubkey"), "127.0.0.1") allowed2, err2 := policy1.CheckPolicy("write", event2, loggedInPubkey, "127.0.0.1")
if err2 != nil { if err2 != nil {
t.Errorf("Unexpected error for kind 2: %v", err2) t.Errorf("Unexpected error for kind 2: %v", err2)
} }
@@ -1272,8 +1431,8 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
} }
// Kind 2: denied pubkey should be denied // Kind 2: denied pubkey should be denied
event2Denied := createTestEvent("test-2-denied", "denied-pubkey", "content", 2) event2Denied := createTestEvent(t, deniedSigner, "content", 2)
allowed2Denied, err2Denied := policy1.CheckPolicy("write", event2Denied, []byte("test-pubkey"), "127.0.0.1") allowed2Denied, err2Denied := policy1.CheckPolicy("write", event2Denied, loggedInPubkey, "127.0.0.1")
if err2Denied != nil { if err2Denied != nil {
t.Errorf("Unexpected error for kind 2 denied: %v", err2Denied) t.Errorf("Unexpected error for kind 2 denied: %v", err2Denied)
} }
@@ -1282,8 +1441,8 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
} }
// Kind 3: whitelisted but no rule - should follow default policy (deny) // Kind 3: whitelisted but no rule - should follow default policy (deny)
event3 := createTestEvent("test-3", "test-pubkey", "content", 3) event3 := createTestEvent(t, testSigner, "content", 3)
allowed3, err3 := policy1.CheckPolicy("write", event3, []byte("test-pubkey"), "127.0.0.1") allowed3, err3 := policy1.CheckPolicy("write", event3, loggedInPubkey, "127.0.0.1")
if err3 != nil { if err3 != nil {
t.Errorf("Unexpected error for kind 3: %v", err3) t.Errorf("Unexpected error for kind 3: %v", err3)
} }
@@ -1300,15 +1459,15 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
Rules: map[int]Rule{ Rules: map[int]Rule{
1: { 1: {
Description: "deny specific pubkey for kind 1", Description: "deny specific pubkey for kind 1",
WriteDeny: []string{"64656e6965642d7075626b6579"}, // hex of "denied-pubkey" WriteDeny: []string{hex.Enc(deniedPubkey)},
}, },
// No rules for kind 2, 3 // No rules for kind 2, 3
}, },
} }
// Kind 1: has rule that denies specific pubkey - should be allowed for other pubkeys // Kind 1: has rule that denies specific pubkey - should be allowed for other pubkeys
event1Allow := createTestEvent("test-1-allow", "test-pubkey", "content", 1) event1Allow := createTestEvent(t, testSigner, "content", 1)
allowed1Allow, err1Allow := policy2.CheckPolicy("write", event1Allow, []byte("test-pubkey"), "127.0.0.1") allowed1Allow, err1Allow := policy2.CheckPolicy("write", event1Allow, loggedInPubkey, "127.0.0.1")
if err1Allow != nil { if err1Allow != nil {
t.Errorf("Unexpected error for kind 1 allow: %v", err1Allow) t.Errorf("Unexpected error for kind 1 allow: %v", err1Allow)
} }
@@ -1317,8 +1476,8 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
} }
// Kind 1: denied pubkey should be denied // Kind 1: denied pubkey should be denied
event1Deny := createTestEvent("test-1-deny", "denied-pubkey", "content", 1) event1Deny := createTestEvent(t, deniedSigner, "content", 1)
allowed1Deny, err1Deny := policy2.CheckPolicy("write", event1Deny, []byte("test-pubkey"), "127.0.0.1") allowed1Deny, err1Deny := policy2.CheckPolicy("write", event1Deny, loggedInPubkey, "127.0.0.1")
if err1Deny != nil { if err1Deny != nil {
t.Errorf("Unexpected error for kind 1 deny: %v", err1Deny) t.Errorf("Unexpected error for kind 1 deny: %v", err1Deny)
} }
@@ -1327,8 +1486,8 @@ func TestDefaultPolicyLogicWithRules(t *testing.T) {
} }
// Kind 2: whitelisted but no rule - should follow default policy (allow) // Kind 2: whitelisted but no rule - should follow default policy (allow)
event2Allow := createTestEvent("test-2-allow", "test-pubkey", "content", 2) event2Allow := createTestEvent(t, testSigner, "content", 2)
allowed2Allow, err2Allow := policy2.CheckPolicy("write", event2Allow, []byte("test-pubkey"), "127.0.0.1") allowed2Allow, err2Allow := policy2.CheckPolicy("write", event2Allow, loggedInPubkey, "127.0.0.1")
if err2Allow != nil { if err2Allow != nil {
t.Errorf("Unexpected error for kind 2 allow: %v", err2Allow) t.Errorf("Unexpected error for kind 2 allow: %v", err2Allow)
} }