bump to v0.27.5

2025-11-11 14:38:05 +00:00
parent b2056b6636
commit cc99fcfab5
10 changed files with 474 additions and 47 deletions
--- a/scripts/docker-policy/README.md
+++ b/scripts/docker-policy/README.md
@@ -21,9 +21,10 @@ test-docker-policy/
 1. **Builds** an Ubuntu 22.04.5 Docker image with ORLY relay
 2. **Configures** the policy engine with `cs-policy.js`
 3. **Starts** the relay with policy engine enabled
-4. **Sends** a test event to the relay
-5. **Verifies** that `cs-policy.js` created `/home/orly/cs-policy-output.txt`
-6. **Reports** success or failure
+4. **Tests EVENT messages** (write control) using the `policytest` tool
+5. **Tests REQ messages** (read control) using the `policytest` tool
+6. **Verifies** that `cs-policy.js` created `/home/orly/cs-policy-output.txt`
+7. **Reports** success or failure

 ## How cs-policy.js Works

@@ -46,9 +47,31 @@ if (fs.existsSync(filePath)) {
 Run the automated test:

 ```bash
-./test-docker-policy/test-policy.sh
+./scripts/docker-policy/test-policy.sh
 ```

+## Policy Test Tool
+
+The `policytest` tool is a command-line utility for testing policy enforcement:
+
+```bash
+# Test write control (EVENT messages)
+./policytest -url ws://localhost:8777 -type event -kind 1
+
+# Test read control (REQ messages)
+./policytest -url ws://localhost:8777 -type req -kind 1
+
+# Test both write and read control
+./policytest -url ws://localhost:8777 -type both -kind 1
+```
+
+### Options
+
+- `-url` - Relay WebSocket URL (default: `ws://127.0.0.1:3334`)
+- `-type` - Test type: `event` for write control, `req` for read control, `both` for both (default: `event`)
+- `-kind` - Event kind to test (default: `4678`)
+- `-timeout` - Operation timeout (default: `20s`)
+
 ## Manual Testing

 ### 1. Build and Start Container
--- a/scripts/docker-policy/cs-policy-daemon.js
+++ b/scripts/docker-policy/cs-policy-daemon.js
@@ -24,8 +24,10 @@ rl.on('line', (line) => {
    // Parse the policy event
    const event = JSON.parse(line);

-    // Log event details
-    fs.appendFileSync(filePath, `${Date.now()}: Event ID: ${event.id || 'unknown'}\n`);
+    // Log event details including access type
+    const accessType = event.access_type || 'unknown';
+    const eventKind = event.kind || 'unknown';
+    fs.appendFileSync(filePath, `${Date.now()}: Event ID: ${event.id || 'unknown'}, Kind: ${eventKind}, Access: ${accessType}\n`);

    // Respond with "accept" to allow the event
    const response = {
--- a/scripts/docker-policy/environment.txt
+++ b/scripts/docker-policy/environment.txt
@@ -3,5 +3,5 @@ ORLY_APP_NAME="orly"
 ORLY_PUBLIC_READABLE=true
 ORLY_PRIVATE=false
 ORLY_OWNERS=4db2c42f3c02079dd6feae3f88f6c8693940a00ade3cc8e5d72050bd6e577cd5
-ORLY_LOG_LEVEL=debug
+ORLY_LOG_LEVEL=trace
 ORLY_POLICY_ENABLED=true
--- a/scripts/docker-policy/test-policy.sh
+++ b/scripts/docker-policy/test-policy.sh
@@ -49,17 +49,11 @@ echo -e "${YELLOW}Step 7: Checking relay logs...${NC}"
 docker logs orly-policy-test 2>&1 | tail -20

 echo ""
-echo -e "${YELLOW}Step 8: Sending test event to relay...${NC}"
+echo -e "${YELLOW}Step 8: Building policytest tool...${NC}"
+cd "$REPO_ROOT" && CGO_ENABLED=0 go build -o policytest ./cmd/policytest

-# Install websocat if not available
-if ! command -v websocat &> /dev/null; then
-    echo "websocat not found. Installing..."
-    wget -qO- https://github.com/vi/websocat/releases/download/v1.12.0/websocat.x86_64-unknown-linux-musl -O /tmp/websocat
-    chmod +x /tmp/websocat
-    WEBSOCAT="/tmp/websocat"
-else
-    WEBSOCAT="websocat"
-fi
+echo ""
+echo -e "${YELLOW}Step 9: Testing EVENT message (write control)...${NC}"

 # Check which port the relay is listening on
 RELAY_PORT=$(docker logs orly-policy-test 2>&1 | grep "starting listener" | grep -oP ':\K[0-9]+' | head -1)
@@ -68,20 +62,30 @@ if [ -z "$RELAY_PORT" ]; then
 fi
 echo "Relay is listening on port: $RELAY_PORT"

-# Generate a test event with a properly formatted (but invalid) signature
-# The policy script should still receive this event even if validation fails
-TIMESTAMP=$(date +%s)
-TEST_EVENT='["EVENT",{"id":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","pubkey":"4db2c42f3c02079dd6feae3f88f6c8693940a00ade3cc8e5d72050bd6e577cd5","created_at":'$TIMESTAMP',"kind":1,"tags":[],"content":"Test event for policy validation","sig":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}]'
-
-echo "Sending test event..."
-echo "$TEST_EVENT" | timeout 5 $WEBSOCAT ws://localhost:$RELAY_PORT 2>&1 || echo "Connection attempt completed"
+# Test EVENT message
+cd "$REPO_ROOT"
+./policytest -url "ws://localhost:$RELAY_PORT" -type event -kind 1 2>&1 || echo "EVENT test completed"

 echo ""
-echo -e "${YELLOW}Step 9: Waiting for policy script to execute (5 seconds)...${NC}"
+echo -e "${YELLOW}Relay logs after EVENT test:${NC}"
+docker logs orly-policy-test 2>&1 | tail -10
+
+echo ""
+echo -e "${YELLOW}Step 10: Testing REQ message (read control)...${NC}"
+
+# Test REQ message
+./policytest -url "ws://localhost:$RELAY_PORT" -type req -kind 1 2>&1 || echo "REQ test completed"
+
+echo ""
+echo -e "${YELLOW}Relay logs after REQ test:${NC}"
+docker logs orly-policy-test 2>&1 | tail -10
+
+echo ""
+echo -e "${YELLOW}Step 11: Waiting for policy script to execute (5 seconds)...${NC}"
 sleep 5

 echo ""
-echo -e "${YELLOW}Step 10: Checking if cs-policy.js created output file...${NC}"
+echo -e "${YELLOW}Step 12: Checking if cs-policy.js created output file...${NC}"

 # Check if the output file exists in the container
 if docker exec orly-policy-test test -f /home/orly/cs-policy-output.txt; then
@@ -90,8 +94,26 @@ if docker exec orly-policy-test test -f /home/orly/cs-policy-output.txt; then
    echo "Output file contents:"
    docker exec orly-policy-test cat /home/orly/cs-policy-output.txt
    echo ""
-    echo -e "${GREEN}✓ Policy script is working correctly!${NC}"
-    EXIT_CODE=0
+
+    # Check if we see both read and write access types
+    WRITE_COUNT=$(docker exec orly-policy-test cat /home/orly/cs-policy-output.txt | grep -c "Access: write" || echo "0")
+    READ_COUNT=$(docker exec orly-policy-test cat /home/orly/cs-policy-output.txt | grep -c "Access: read" || echo "0")
+
+    echo "Policy invocations:"
+    echo "  - Write operations: $WRITE_COUNT"
+    echo "  - Read operations: $READ_COUNT"
+    echo ""
+
+    if [ "$WRITE_COUNT" -gt 0 ] && [ "$READ_COUNT" -gt 0 ]; then
+        echo -e "${GREEN}✓ Policy script processed both write and read operations!${NC}"
+        EXIT_CODE=0
+    elif [ "$WRITE_COUNT" -gt 0 ]; then
+        echo -e "${YELLOW}⚠ Policy script only processed write operations (read operations may not have been tested)${NC}"
+        EXIT_CODE=0
+    else
+        echo -e "${YELLOW}⚠ Policy script is working but access types may not be logged correctly${NC}"
+        EXIT_CODE=0
+    fi
 else
    echo -e "${RED}✗ FAILURE: cs-policy-output.txt file not found!${NC}"
    echo ""
@@ -101,7 +123,7 @@ else
 fi

 echo ""
-echo -e "${YELLOW}Step 11: Additional debugging info...${NC}"
+echo -e "${YELLOW}Step 13: Additional debugging info...${NC}"
 echo "Files in /home/orly directory:"
 docker exec orly-policy-test ls -la /home/orly/