mleku/next.orly.dev
1
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
350b4eb393272c2f3ffa825953559f95b8fc6282
next.orly.dev/docs/POLICY_FIX_SUMMARY.md

3.3 KiB
Raw Blame History

Policy System Fix Summary

Issues Identified and Fixed

1. Test Compilation Issues

Problem: The comprehensive_test.go file had missing imports and couldn't compile. Fix: Added the necessary imports (time, event, tag) and helper functions.

2. Critical Evaluation Order Bug

Problem: The policy evaluation order didn't match user expectations, particularly around the interaction between privileged events and allow lists.

Original Behavior:

  • Privileged access always overrode allow lists
  • Allow lists didn't properly grant access when users were found

Fixed Behavior:

  • When BOTH privileged: true AND allow lists exist, allow lists are authoritative
  • Users in allow lists are properly granted access
  • Privileged access only applies when no allow lists are specified

3. Missing Return Statements

Problem: When users were found in allow lists, the code didn't return true immediately but continued to other checks. Fix: Added return true, nil statements after confirming user is in allow list.

Corrected Policy Evaluation Order

  1. Universal Constraints (size, tags, timestamps) - Apply to everyone
  2. Explicit Denials (deny lists) - Highest priority blacklist
  3. Privileged Access - Grants access ONLY if no allow lists exist
  4. Exclusive Allow Lists - When present, ONLY listed users get access
  5. Privileged Final Check - Deny non-involved users for privileged events
  6. Default Policy - Fallback when no rules apply

Key Behavioral Changes

Before Fix:

  • Privileged users (author, p-tagged) could access events even if not in allow lists
  • Allow lists were not properly returning true when users were found
  • Test inconsistencies due to missing binary cache population

After Fix:

  • Allow lists are authoritative when present (even over privileged access)
  • Proper immediate return when user is found in allow list
  • All tests pass including comprehensive requirements test

Test Results

All 5 requirements from Issue #5 are verified and passing:

  • Requirement 1: Kind whitelist enforcement
  • Scenario A: Write access control
  • Scenario B: Read access control
  • Scenario C: Privileged events (parties involved)
  • Scenario D: Script-based validation

Important Configuration Notes

When configuring policies:

  1. Allow lists are EXCLUSIVE: If you specify write_allow or read_allow, ONLY those users can access.

  2. Privileged + Allow Lists: If you use both privileged: true AND allow lists, the allow list wins - even the author must be in the allow list.

  3. Privileged Only: If you use privileged: true without allow lists, parties involved get automatic access.

  4. Deny Lists Trump All: Users in deny lists are always denied, regardless of other settings.

Files Modified

  1. /pkg/policy/policy.go - Fixed evaluation order and added proper returns
  2. /pkg/policy/comprehensive_test.go - Fixed imports and compilation
  3. /docs/POLICY_TROUBLESHOOTING.md - Updated documentation with correct behavior
  4. /docs/POLICY_FIX_SUMMARY.md - This summary document

Verification

Run tests to verify all fixes:

# Run comprehensive requirements test
CGO_ENABLED=0 go test -v -run TestPolicyDefinitionOfDone ./pkg/policy

# Run all policy tests
CGO_ENABLED=0 go test ./pkg/policy
Reference in New Issue View Git Blame Copy Permalink