fix policy to ignore all req/events without auth

2025-11-21 15:28:07 +00:00
parent 55add34ac1
commit 917bcf0348
15 changed files with 3154 additions and 153 deletions
--- a/docs/POLICY_FIX_SUMMARY.md
+++ b/docs/POLICY_FIX_SUMMARY.md
@@ -0,0 +1,83 @@
+# Policy System Fix Summary
+
+## Issues Identified and Fixed
+
+### 1. Test Compilation Issues
+**Problem**: The `comprehensive_test.go` file had missing imports and couldn't compile.
+**Fix**: Added the necessary imports (`time`, `event`, `tag`) and helper functions.
+
+### 2. Critical Evaluation Order Bug
+**Problem**: The policy evaluation order didn't match user expectations, particularly around the interaction between privileged events and allow lists.
+
+**Original Behavior**:
+- Privileged access always overrode allow lists
+- Allow lists didn't properly grant access when users were found
+
+**Fixed Behavior**:
+- When BOTH `privileged: true` AND allow lists exist, allow lists are authoritative
+- Users in allow lists are properly granted access
+- Privileged access only applies when no allow lists are specified
+
+### 3. Missing Return Statements
+**Problem**: When users were found in allow lists, the code didn't return `true` immediately but continued to other checks.
+**Fix**: Added `return true, nil` statements after confirming user is in allow list.
+
+## Corrected Policy Evaluation Order
+
+1. **Universal Constraints** (size, tags, timestamps) - Apply to everyone
+2. **Explicit Denials** (deny lists) - Highest priority blacklist
+3. **Privileged Access** - Grants access ONLY if no allow lists exist
+4. **Exclusive Allow Lists** - When present, ONLY listed users get access
+5. **Privileged Final Check** - Deny non-involved users for privileged events
+6. **Default Policy** - Fallback when no rules apply
+
+## Key Behavioral Changes
+
+### Before Fix:
+- Privileged users (author, p-tagged) could access events even if not in allow lists
+- Allow lists were not properly returning true when users were found
+- Test inconsistencies due to missing binary cache population
+
+### After Fix:
+- Allow lists are authoritative when present (even over privileged access)
+- Proper immediate return when user is found in allow list
+- All tests pass including comprehensive requirements test
+
+## Test Results
+
+All 5 requirements from Issue #5 are verified and passing:
+- ✅ Requirement 1: Kind whitelist enforcement
+- ✅ Scenario A: Write access control
+- ✅ Scenario B: Read access control
+- ✅ Scenario C: Privileged events (parties involved)
+- ✅ Scenario D: Script-based validation
+
+## Important Configuration Notes
+
+When configuring policies:
+
+1. **Allow lists are EXCLUSIVE**: If you specify `write_allow` or `read_allow`, ONLY those users can access.
+
+2. **Privileged + Allow Lists**: If you use both `privileged: true` AND allow lists, the allow list wins - even the author must be in the allow list.
+
+3. **Privileged Only**: If you use `privileged: true` without allow lists, parties involved get automatic access.
+
+4. **Deny Lists Trump All**: Users in deny lists are always denied, regardless of other settings.
+
+## Files Modified
+
+1. `/pkg/policy/policy.go` - Fixed evaluation order and added proper returns
+2. `/pkg/policy/comprehensive_test.go` - Fixed imports and compilation
+3. `/docs/POLICY_TROUBLESHOOTING.md` - Updated documentation with correct behavior
+4. `/docs/POLICY_FIX_SUMMARY.md` - This summary document
+
+## Verification
+
+Run tests to verify all fixes:
+```bash
+# Run comprehensive requirements test
+CGO_ENABLED=0 go test -v -run TestPolicyDefinitionOfDone ./pkg/policy
+
+# Run all policy tests
+CGO_ENABLED=0 go test ./pkg/policy
+```