Implement policy-based event filtering and add integration tests

- Enhanced the HandleReq function to incorporate policy checks for privileged events, ensuring only authorized users can access sensitive data.
- Introduced a new integration test suite for policy filtering, validating the behavior of event access based on user authentication and policy rules.
- Added a script to automate the policy filter integration tests, improving testing efficiency and reliability.
- Updated version to v0.20.2 to reflect the new features and improvements.

scripts/run-policy-filter-test.sh

@@ -0,0 +1,198 @@
+#!/bin/bash
+set -euo pipefail
+
+# Policy Filter Integration Test
+# This script runs the relay with the example policy and tests event filtering
+
+# Config
+PORT=${PORT:-34568}
+URL=${URL:-ws://127.0.0.1:${PORT}}
+LOG=/tmp/orly-policy-filter.out
+PID=/tmp/orly-policy-filter.pid
+DATADIR=$(mktemp -d)
+CONFIG_DIR="$HOME/.config/ORLY_POLICY_TEST"
+
+cleanup() {
+  trap - EXIT
+  if [[ -f "$PID" ]]; then
+    kill -INT "$(cat "$PID")" 2>/dev/null || true
+    rm -f "$PID"
+  fi
+  rm -rf "$DATADIR"
+  rm -rf "$CONFIG_DIR"
+}
+trap cleanup EXIT
+
+echo "🧪 Policy Filter Integration Test"
+echo "=================================="
+
+# Create config directory
+mkdir -p "$CONFIG_DIR"
+
+# Generate keys using Go helper
+echo "🔑 Generating test keys..."
+KEYGEN_TMP=$(mktemp)
+cat > "$KEYGEN_TMP.go" <<'EOF'
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/encoders/hex"
+)
+
+func main() {
+	// Generate allowed signer
+	allowedSigner := &p256k.Signer{}
+	if err := allowedSigner.Generate(); err != nil {
+		panic(err)
+	}
+	allowedPubkeyHex := hex.Enc(allowedSigner.Pub())
+	allowedSecHex := hex.Enc(allowedSigner.Sec())
+
+	// Generate unauthorized signer
+	unauthorizedSigner := &p256k.Signer{}
+	if err := unauthorizedSigner.Generate(); err != nil {
+		panic(err)
+	}
+	unauthorizedPubkeyHex := hex.Enc(unauthorizedSigner.Pub())
+	unauthorizedSecHex := hex.Enc(unauthorizedSigner.Sec())
+
+	result := map[string]string{
+		"allowedPubkey":      allowedPubkeyHex,
+		"allowedSec":         allowedSecHex,
+		"unauthorizedPubkey": unauthorizedPubkeyHex,
+		"unauthorizedSec":    unauthorizedSecHex,
+	}
+
+	jsonBytes, _ := json.Marshal(result)
+	fmt.Println(string(jsonBytes))
+}
+EOF
+
+# Run from the project root directory
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$PROJECT_ROOT"
+KEYS=$(go run -tags=cgo "$KEYGEN_TMP.go" 2>&1 | grep -E '^\{.*\}$' || true)
+rm -f "$KEYGEN_TMP.go"
+cd - > /dev/null
+
+ALLOWED_PUBKEY=$(echo "$KEYS" | jq -r '.allowedPubkey')
+ALLOWED_SEC=$(echo "$KEYS" | jq -r '.allowedSec')
+UNAUTHORIZED_PUBKEY=$(echo "$KEYS" | jq -r '.unauthorizedPubkey')
+UNAUTHORIZED_SEC=$(echo "$KEYS" | jq -r '.unauthorizedSec')
+
+echo "✅ Generated keys:"
+echo "   Allowed pubkey: $ALLOWED_PUBKEY"
+echo "   Unauthorized pubkey: $UNAUTHORIZED_PUBKEY"
+
+# Create policy JSON with generated keys
+echo "📝 Creating policy.json..."
+cat > "$CONFIG_DIR/policy.json" <<EOF
+{
+  "kind": {
+    "whitelist": [4678, 10306, 30520, 30919]
+  },
+  "rules": {
+    "4678": {
+      "description": "Zenotp message events",
+      "script": "$CONFIG_DIR/validate4678.js",
+      "privileged": true
+    },
+    "10306": {
+      "description": "End user whitelist changes",
+      "read_allow": [
+        "$ALLOWED_PUBKEY"
+      ],
+      "privileged": true
+    },
+    "30520": {
+      "description": "Zenotp events",
+      "write_allow": [
+        "$ALLOWED_PUBKEY"
+      ],
+      "privileged": true
+    },
+    "30919": {
+      "description": "Zenotp events",
+      "write_allow": [
+        "$ALLOWED_PUBKEY"
+      ],
+      "privileged": true
+    }
+  }
+}
+EOF
+
+echo "✅ Policy file created at: $CONFIG_DIR/policy.json"
+
+# Build relay and test client
+echo "🔨 Building relay..."
+go build -o orly .
+
+# Start relay
+echo "🚀 Starting relay on ${URL} with policy enabled..."
+ORLY_APP_NAME="ORLY_POLICY_TEST" \
+ORLY_DATA_DIR="$DATADIR" \
+ORLY_PORT=${PORT} \
+ORLY_POLICY_ENABLED=true \
+ORLY_ACL_MODE=none \
+ORLY_AUTH_TO_WRITE=true \
+ORLY_LOG_LEVEL=info \
+./orly >"$LOG" 2>&1 & echo $! >"$PID"
+
+# Wait for relay to start
+sleep 3
+if ! ps -p "$(cat "$PID")" >/dev/null 2>&1; then
+  echo "❌ Relay failed to start; logs:" >&2
+  sed -n '1,200p' "$LOG" >&2
+  exit 1
+fi
+
+echo "✅ Relay started (PID: $(cat "$PID"))"
+
+# Build test client
+echo "🔨 Building test client..."
+go build -o cmd/policyfiltertest/policyfiltertest ./cmd/policyfiltertest
+
+# Export keys for test client
+export ALLOWED_PUBKEY
+export ALLOWED_SEC
+export UNAUTHORIZED_PUBKEY
+export UNAUTHORIZED_SEC
+
+# Run tests
+echo "🧪 Running policy filter tests..."
+set +e
+cmd/policyfiltertest/policyfiltertest -url "${URL}" -allowed-pubkey "$ALLOWED_PUBKEY" -allowed-sec "$ALLOWED_SEC" -unauthorized-pubkey "$UNAUTHORIZED_PUBKEY" -unauthorized-sec "$UNAUTHORIZED_SEC"
+TEST_RESULT=$?
+set -e
+
+# Check logs for "policy rule is inactive" messages
+echo "📋 Checking logs for policy rule inactivity..."
+if grep -q "policy rule is inactive" "$LOG"; then
+  echo "⚠️  WARNING: Found 'policy rule is inactive' messages in logs"
+  grep "policy rule is inactive" "$LOG" | head -5
+else
+  echo "✅ No 'policy rule is inactive' messages found (good)"
+fi
+
+# Check logs for policy filtered events
+echo "📋 Checking logs for policy filtered events..."
+if grep -q "policy filtered out event" "$LOG"; then
+  echo "✅ Found policy filtered events (expected):"
+  grep "policy filtered out event" "$LOG" | head -5
+fi
+
+if [ $TEST_RESULT -eq 0 ]; then
+  echo "✅ All tests passed!"
+  exit 0
+else
+  echo "❌ Tests failed with exit code $TEST_RESULT"
+  echo "📋 Last 50 lines of relay log:"
+  tail -50 "$LOG"
+  exit $TEST_RESULT
+fi
+