silberengel
/
next.orly.dev
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Add extensive tests and improve policy configuration handling 

Introduce comprehensive tests for policy validation logic, including owner and policy admin scenarios. Update `HandlePolicyConfigUpdate` to differentiate permissions for owners and policy admins, enforcing stricter field restrictions and validation flows.
main
mleku 1 month ago
parent
dd8027478c
commit
70944d45df
No known key found for this signature in database
8 changed files with 1627 additions and 46 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 67
      app/handle-policy-config.go
  2. 42
      app/handle_policy_config_test.go
  3. 88
      docs/POLICY_USAGE_GUIDE.md
  4. 4
      pkg/database/cleanup-kind3_test.go
  5. 525
      pkg/policy/composition.go
  6. 690
      pkg/policy/composition_test.go
  7. 253
      pkg/policy/policy.go
  8. 2
      pkg/version/version

67
app/handle-policy-config.go
Unescape View File

@ -6,7 +6,6 @@ import (
"path/filepath" "path/filepath"
"github.com/adrg/xdg" "github.com/adrg/xdg"
"lol.mleku.dev/chk"
"lol.mleku.dev/log" "lol.mleku.dev/log"
"git.mleku.dev/mleku/nostr/encoders/event" "git.mleku.dev/mleku/nostr/encoders/event"
"git.mleku.dev/mleku/nostr/encoders/filter" "git.mleku.dev/mleku/nostr/encoders/filter"
@ -16,11 +15,20 @@ import (
) )
// HandlePolicyConfigUpdate processes kind 12345 policy configuration events. // HandlePolicyConfigUpdate processes kind 12345 policy configuration events.
// Only policy admins can update policy configuration. // Owners and policy admins can update policy configuration, with different permissions:
//
// OWNERS can:
// - Modify all fields including owners and policy_admins
// - But owners list must remain non-empty (to prevent lockout)
//
// POLICY ADMINS can:
// - Extend rules (add to allow lists, add new kinds, add blacklists)
// - CANNOT modify owners or policy_admins (protected fields)
// - CANNOT reduce owner-granted permissions
// //
// Process flow: // Process flow:
// 1. Verify sender is policy admin (from current policy.policy_admins list) // 1. Check if sender is owner or policy admin
// 2. Parse and validate JSON FIRST (before making any changes) // 2. Validate JSON with appropriate rules for the sender type
// 3. Pause ALL message processing (lock mutex) // 3. Pause ALL message processing (lock mutex)
// 4. Reload policy (pause policy engine, update, save, resume) // 4. Reload policy (pause policy engine, update, save, resume)
// 5. Resume message processing (unlock mutex) // 5. Resume message processing (unlock mutex)
@ -30,24 +38,40 @@ import (
func (l *Listener) HandlePolicyConfigUpdate(ev *event.E) error { func (l *Listener) HandlePolicyConfigUpdate(ev *event.E) error {
log.I.F("received policy config update from pubkey: %s", hex.Enc(ev.Pubkey)) log.I.F("received policy config update from pubkey: %s", hex.Enc(ev.Pubkey))
// 1. Verify sender is policy admin (from current policy.policy_admins list) // 1. Verify sender is owner or policy admin
if l.policyManager == nil { if l.policyManager == nil {
return fmt.Errorf("policy system is not enabled") return fmt.Errorf("policy system is not enabled")
} }
isOwner := l.policyManager.IsOwner(ev.Pubkey)
isAdmin := l.policyManager.IsPolicyAdmin(ev.Pubkey) isAdmin := l.policyManager.IsPolicyAdmin(ev.Pubkey)
if !isAdmin {
log.W.F("policy config update rejected: pubkey %s is not a policy admin", hex.Enc(ev.Pubkey)) if !isOwner && !isAdmin {
return fmt.Errorf("only policy administrators can update policy configuration") log.W.F("policy config update rejected: pubkey %s is not an owner or policy admin", hex.Enc(ev.Pubkey))
return fmt.Errorf("only owners and policy administrators can update policy configuration")
} }
if isOwner {
log.I.F("owner verified: %s", hex.Enc(ev.Pubkey))
} else {
log.I.F("policy admin verified: %s", hex.Enc(ev.Pubkey)) log.I.F("policy admin verified: %s", hex.Enc(ev.Pubkey))
}
// 2. Parse and validate JSON FIRST (before making any changes) // 2. Parse and validate JSON with appropriate validation rules
policyJSON := []byte(ev.Content) policyJSON := []byte(ev.Content)
if err := l.policyManager.ValidateJSON(policyJSON); chk.E(err) { var validationErr error
log.E.F("policy config update validation failed: %v", err)
return fmt.Errorf("invalid policy configuration: %v", err) if isOwner {
// Owners can modify all fields, but owners list must be non-empty
validationErr = l.policyManager.ValidateOwnerPolicyUpdate(policyJSON)
} else {
// Policy admins have restrictions: can't modify protected fields, can't reduce permissions
validationErr = l.policyManager.ValidatePolicyAdminUpdate(policyJSON, ev.Pubkey)
}
if validationErr != nil {
log.E.F("policy config update validation failed: %v", validationErr)
return fmt.Errorf("invalid policy configuration: %v", validationErr)
} }
log.I.F("policy config validation passed") log.I.F("policy config validation passed")
@ -65,12 +89,23 @@ func (l *Listener) HandlePolicyConfigUpdate(ev *event.E) error {
// 4. Reload policy (this will pause policy engine, update, save, and resume) // 4. Reload policy (this will pause policy engine, update, save, and resume)
log.I.F("applying policy configuration update") log.I.F("applying policy configuration update")
if err := l.policyManager.Reload(policyJSON, configPath); chk.E(err) { var reloadErr error
log.E.F("policy config update failed: %v", err) if isOwner {
return fmt.Errorf("failed to apply policy configuration: %v", err) reloadErr = l.policyManager.ReloadAsOwner(policyJSON, configPath)
} else {
reloadErr = l.policyManager.ReloadAsPolicyAdmin(policyJSON, configPath, ev.Pubkey)
} }
log.I.F("policy configuration updated successfully by admin: %s", hex.Enc(ev.Pubkey)) if reloadErr != nil {
log.E.F("policy config update failed: %v", reloadErr)
return fmt.Errorf("failed to apply policy configuration: %v", reloadErr)
}
if isOwner {
log.I.F("policy configuration updated successfully by owner: %s", hex.Enc(ev.Pubkey))
} else {
log.I.F("policy configuration updated successfully by policy admin: %s", hex.Enc(ev.Pubkey))
}
// 5. Message processing mutex will be unlocked by defer // 5. Message processing mutex will be unlocked by defer
return nil return nil

42
app/handle_policy_config_test.go
Unescape View File

@ -139,6 +139,7 @@ func createPolicyConfigEvent(t *testing.T, signer *p8k.Signer, policyJSON string
} }
// TestHandlePolicyConfigUpdate_ValidAdmin tests policy update from valid admin // TestHandlePolicyConfigUpdate_ValidAdmin tests policy update from valid admin
// Policy admins can extend rules but cannot modify protected fields (owners, policy_admins)
func TestHandlePolicyConfigUpdate_ValidAdmin(t *testing.T) { func TestHandlePolicyConfigUpdate_ValidAdmin(t *testing.T) {
// Create admin signer // Create admin signer
adminSigner := p8k.MustNew() adminSigner := p8k.MustNew()
@ -150,9 +151,10 @@ func TestHandlePolicyConfigUpdate_ValidAdmin(t *testing.T) {
listener, _, cleanup := setupPolicyTestListener(t, adminHex) listener, _, cleanup := setupPolicyTestListener(t, adminHex)
defer cleanup() defer cleanup()
// Create valid policy update event // Create valid policy update event that ONLY extends, doesn't modify protected fields
// Note: policy_admins must stay the same (policy admins cannot change this field)
newPolicyJSON := `{ newPolicyJSON := `{
"default_policy": "deny", "default_policy": "allow",
"policy_admins": ["` + adminHex + `"], "policy_admins": ["` + adminHex + `"],
"kind": {"whitelist": [1, 3, 7]} "kind": {"whitelist": [1, 3, 7]}
}` }`
@ -165,9 +167,10 @@ func TestHandlePolicyConfigUpdate_ValidAdmin(t *testing.T) {
t.Errorf("Expected success but got error: %v", err) t.Errorf("Expected success but got error: %v", err)
} }
// Verify policy was updated // Verify policy was updated (kind whitelist was extended)
if listener.policyManager.DefaultPolicy != "deny" { // Note: default_policy should still be "allow" from original
t.Errorf("Policy was not updated, default_policy = %q, expected 'deny'", if listener.policyManager.DefaultPolicy != "allow" {
t.Errorf("Policy was not updated correctly, default_policy = %q, expected 'allow'",
listener.policyManager.DefaultPolicy) listener.policyManager.DefaultPolicy)
} }
} }
@ -260,8 +263,9 @@ func TestHandlePolicyConfigUpdate_InvalidPubkey(t *testing.T) {
} }
} }
// TestHandlePolicyConfigUpdate_AdminCannotRemoveSelf tests that admin can update policy // TestHandlePolicyConfigUpdate_PolicyAdminCannotModifyProtectedFields tests that policy admins
func TestHandlePolicyConfigUpdate_AdminCanUpdateAdminList(t *testing.T) { // cannot modify the owners or policy_admins fields (these are protected, owner-only fields)
func TestHandlePolicyConfigUpdate_PolicyAdminCannotModifyProtectedFields(t *testing.T) {
adminSigner := p8k.MustNew() adminSigner := p8k.MustNew()
if err := adminSigner.Generate(); err != nil { if err := adminSigner.Generate(); err != nil {
t.Fatalf("Failed to generate admin keypair: %v", err) t.Fatalf("Failed to generate admin keypair: %v", err)
@ -274,22 +278,23 @@ func TestHandlePolicyConfigUpdate_AdminCanUpdateAdminList(t *testing.T) {
listener, _, cleanup := setupPolicyTestListener(t, adminHex) listener, _, cleanup := setupPolicyTestListener(t, adminHex)
defer cleanup() defer cleanup()
// Update policy to add second admin // Try to add second admin (policy_admins is a protected field)
newPolicyJSON := `{ newPolicyJSON := `{
"default_policy": "allow", "default_policy": "allow",
"policy_admins": ["` + adminHex + `", "` + admin2Hex + `"] "policy_admins": ["` + adminHex + `", "` + admin2Hex + `"]
}` }`
ev := createPolicyConfigEvent(t, adminSigner, newPolicyJSON) ev := createPolicyConfigEvent(t, adminSigner, newPolicyJSON)
// This should FAIL because policy admins cannot modify the policy_admins field
err := listener.HandlePolicyConfigUpdate(ev) err := listener.HandlePolicyConfigUpdate(ev)
if err != nil { if err == nil {
t.Errorf("Expected success but got error: %v", err) t.Error("Expected error when policy admin tries to modify policy_admins (protected field)")
} }
// Verify both admins are now in the list // Second admin should NOT be in the list since update was rejected
admin2Bin, _ := hex.Dec(admin2Hex) admin2Bin, _ := hex.Dec(admin2Hex)
if !listener.policyManager.IsPolicyAdmin(admin2Bin) { if listener.policyManager.IsPolicyAdmin(admin2Bin) {
t.Error("Second admin should have been added to admin list") t.Error("Second admin should NOT have been added - policy_admins is protected")
} }
} }
@ -446,10 +451,11 @@ func TestMessageProcessingPauseDuringPolicyUpdate(t *testing.T) {
// We can't easily mock the mutex, but we can verify the policy update succeeds // We can't easily mock the mutex, but we can verify the policy update succeeds
// which implies the pause/resume cycle completed // which implies the pause/resume cycle completed
// Note: policy_admins must stay the same (protected field)
newPolicyJSON := `{ newPolicyJSON := `{
"default_policy": "deny", "default_policy": "allow",
"policy_admins": ["` + adminHex + `"] "policy_admins": ["` + adminHex + `"],
"kind": {"whitelist": [1, 3, 5, 7]}
}` }`
ev := createPolicyConfigEvent(t, adminSigner, newPolicyJSON) ev := createPolicyConfigEvent(t, adminSigner, newPolicyJSON)
@ -462,8 +468,8 @@ func TestMessageProcessingPauseDuringPolicyUpdate(t *testing.T) {
_ = pauseCalled _ = pauseCalled
_ = resumeCalled _ = resumeCalled
// Verify policy was actually updated // Verify policy was actually updated (kind whitelist was extended)
if listener.policyManager.DefaultPolicy != "deny" { if listener.policyManager.DefaultPolicy != "allow" {
t.Error("Policy should have been updated") t.Error("Policy should have been updated")
} }
} }

88
docs/POLICY_USAGE_GUIDE.md
Unescape View File

@ -1111,20 +1111,62 @@ Check logs for policy decisions and errors.
## Dynamic Policy Configuration via Kind 12345 ## Dynamic Policy Configuration via Kind 12345
Policy administrators can update the relay policy dynamically by publishing kind 12345 events. This enables runtime policy changes without relay restarts. Both **owners** and **policy admins** can update the relay policy dynamically by publishing kind 12345 events. This enables runtime policy changes without relay restarts, with different permission levels for each role.
### Role Hierarchy and Permissions
ORLY uses a layered permission model for policy updates:
| Role | Source | Can Modify | Restrictions |
|------|--------|------------|--------------|
| **Owner** | `ORLY_OWNERS` env or `owners` in policy.json | All fields | Owners list must remain non-empty |
| **Policy Admin** | `policy_admins` in policy.json | Extend rules, add blacklists | Cannot modify `owners` or `policy_admins`, cannot reduce permissions |
### Composition Rules
Policy updates from owners and policy admins compose as follows:
1. **Owner policy is the base** - Defines minimum permissions and protected fields
2. **Policy admins can extend** - Add to allow lists, add new kinds, add blacklists
3. **Blacklists override whitelists** - Policy admins can ban users that owners allowed
4. **Protected fields are immutable** - Only owners can modify `owners` and `policy_admins`
#### What Policy Admins CAN Do:
- ✅ Add pubkeys to `write_allow` and `read_allow` lists
- ✅ Add entries to `write_deny` and `read_deny` lists to blacklist malicious users
- ✅ Blacklist any non-admin user, even if whitelisted by owners or other admins
- ✅ Add kinds to `kind.whitelist` and `kind.blacklist`
- ✅ Increase size limits (`size_limit`, `content_limit`, etc.)
- ✅ Add rules for new kinds not defined by owners
- ✅ Enable `write_allow_follows` for additional rules
#### What Policy Admins CANNOT Do:
- ❌ Modify the `owners` field
- ❌ Modify the `policy_admins` field
- ❌ Blacklist owners or other policy admins (protected users)
- ❌ Remove pubkeys from allow lists
- ❌ Remove kinds from whitelist
- ❌ Reduce size limits
- ❌ Remove rules defined by owners
- ❌ Add new required tags (restrictions)
### Enabling Dynamic Policy Updates ### Enabling Dynamic Policy Updates
1. Add yourself as a policy admin in the initial policy.json: 1. Set yourself as both owner and policy admin in the initial policy.json:
```json ```json
{ {
"default_policy": "allow", "default_policy": "allow",
"policy_admins": ["YOUR_HEX_PUBKEY_HERE"], "owners": ["YOUR_HEX_PUBKEY_HERE"],
"policy_admins": ["ADMIN_HEX_PUBKEY_HERE"],
"policy_follow_whitelist_enabled": false "policy_follow_whitelist_enabled": false
} }
``` ```
**Important:** The `owners` list must contain at least one pubkey to prevent lockout.
2. Ensure policy is enabled: 2. Ensure policy is enabled:
```bash ```bash
@ -1135,15 +1177,28 @@ export ORLY_POLICY_ENABLED=true
Send a kind 12345 event with the new policy configuration as JSON content: Send a kind 12345 event with the new policy configuration as JSON content:
**As Owner (full control):**
```json
{
"kind": 12345,
"content": "{\"default_policy\": \"deny\", \"owners\": [\"OWNER_HEX\"], \"policy_admins\": [\"ADMIN_HEX\"], \"kind\": {\"whitelist\": [1,3,7]}}",
"tags": [],
"created_at": 1234567890
}
```
**As Policy Admin (extensions only):**
```json ```json
{ {
"kind": 12345, "kind": 12345,
"content": "{\"default_policy\": \"deny\", \"kind\": {\"whitelist\": [1,3,7]}, \"policy_admins\": [\"YOUR_HEX_PUBKEY\"]}", "content": "{\"default_policy\": \"deny\", \"owners\": [\"OWNER_HEX\"], \"policy_admins\": [\"ADMIN_HEX\"], \"kind\": {\"whitelist\": [1,3,7,30023], \"blacklist\": [4]}, \"rules\": {\"1\": {\"write_deny\": [\"BAD_ACTOR_HEX\"]}}}",
"tags": [], "tags": [],
"created_at": 1234567890 "created_at": 1234567890
} }
``` ```
Note: Policy admins must include the original `owners` and `policy_admins` values unchanged.
### Policy Admin Follow List Whitelisting ### Policy Admin Follow List Whitelisting
When `policy_follow_whitelist_enabled` is `true`, the relay automatically grants access to all pubkeys followed by policy admins. When `policy_follow_whitelist_enabled` is `true`, the relay automatically grants access to all pubkeys followed by policy admins.
@ -1161,10 +1216,27 @@ When `policy_follow_whitelist_enabled` is `true`, the relay automatically grants
### Security Considerations ### Security Considerations
- Only pubkeys listed in `policy_admins` can update the policy - **Privilege separation**: Only owners can add/remove owners and policy admins
- Policy updates are validated before applying (invalid JSON or pubkeys are rejected) - **Non-empty owners**: At least one owner must always exist to prevent lockout
- Failed updates preserve the existing policy (no corruption) - **Protected fields**: Policy admins cannot escalate their privileges by modifying `owners`
- All policy updates are logged for audit purposes - **Blacklist override**: Policy admins can block bad actors even if owners allowed them
- **Validation first**: Policy updates are validated before applying (invalid updates are rejected)
- **Atomic updates**: Failed updates preserve the existing policy (no corruption)
- **Audit logging**: All policy updates are logged with the submitter's pubkey
### Error Messages
Common validation errors:
| Error | Cause |
|-------|-------|
| `owners list cannot be empty` | Owner tried to remove all owners |
| `cannot modify the 'owners' field` | Policy admin tried to change owners |
| `cannot modify the 'policy_admins' field` | Policy admin tried to change admins |
| `cannot remove kind X from whitelist` | Policy admin tried to reduce permissions |
| `cannot reduce size_limit for kind X` | Policy admin tried to make limits stricter |
| `cannot blacklist owner X` | Policy admin tried to blacklist an owner |
| `cannot blacklist policy admin X` | Policy admin tried to blacklist another admin |
## Testing the Policy System ## Testing the Policy System

4
pkg/database/cleanup-kind3_test.go
Unescape View File

@ -37,7 +37,7 @@ func TestKind3TagRoundTrip(t *testing.T) {
// Verify all tags have key "p" // Verify all tags have key "p"
pTagCount := 0 pTagCount := 0
for _, tg := range *ev1.Tags { for _, tg := range *ev1.Tags {
if tag != nil && tag.Len() >= 2 { if tg != nil && tg.Len() >= 2 {
key := tg.Key() key := tg.Key()
if len(key) == 1 && key[0] == 'p' { if len(key) == 1 && key[0] == 'p' {
pTagCount++ pTagCount++
@ -63,7 +63,7 @@ func TestKind3TagRoundTrip(t *testing.T) {
// Verify all tags still have key "p" // Verify all tags still have key "p"
pTagCount2 := 0 pTagCount2 := 0
for _, tg := range *ev2.Tags { for _, tg := range *ev2.Tags {
if tag != nil && tag.Len() >= 2 { if tg != nil && tg.Len() >= 2 {
key := tg.Key() key := tg.Key()
if len(key) == 1 && key[0] == 'p' { if len(key) == 1 && key[0] == 'p' {
pTagCount2++ pTagCount2++

525
pkg/policy/composition.go
Unescape View File

@ -0,0 +1,525 @@
package policy
import (
"encoding/json"
"fmt"
"os"
"path/filepath"
"sort"
"sync"
"git.mleku.dev/mleku/nostr/encoders/hex"
"lol.mleku.dev/log"
"next.orly.dev/pkg/utils"
)
// =============================================================================
// Policy Composition Types
// =============================================================================
// PolicyAdminContribution represents extensions/additions from a policy admin.
// Policy admins can extend the base owner policy but cannot modify protected fields
// (owners, policy_admins) or reduce owner-granted permissions.
type PolicyAdminContribution struct {
// AdminPubkey is the hex-encoded pubkey of the policy admin who made this contribution
AdminPubkey string `json:"admin_pubkey"`
// CreatedAt is the Unix timestamp when this contribution was created
CreatedAt int64 `json:"created_at"`
// EventID is the Nostr event ID that created this contribution (for audit trail)
EventID string `json:"event_id,omitempty"`
// KindWhitelistAdd adds kinds to the whitelist (OR with owner's whitelist)
KindWhitelistAdd []int `json:"kind_whitelist_add,omitempty"`
// KindBlacklistAdd adds kinds to the blacklist (overrides whitelist)
KindBlacklistAdd []int `json:"kind_blacklist_add,omitempty"`
// RulesExtend extends existing rules defined by the owner
RulesExtend map[int]RuleExtension `json:"rules_extend,omitempty"`
// RulesAdd adds new rules for kinds not defined by the owner
RulesAdd map[int]Rule `json:"rules_add,omitempty"`
// GlobalExtend extends the global rule
GlobalExtend *RuleExtension `json:"global_extend,omitempty"`
}
// RuleExtension defines how a policy admin can extend an existing owner rule.
// All fields are additive - they extend, not replace, the owner's configuration.
type RuleExtension struct {
// WriteAllowAdd adds pubkeys to the write allow list
WriteAllowAdd []string `json:"write_allow_add,omitempty"`
// WriteDenyAdd adds pubkeys to the write deny list (overrides allow)
WriteDenyAdd []string `json:"write_deny_add,omitempty"`
// ReadAllowAdd adds pubkeys to the read allow list
ReadAllowAdd []string `json:"read_allow_add,omitempty"`
// ReadDenyAdd adds pubkeys to the read deny list (overrides allow)
ReadDenyAdd []string `json:"read_deny_add,omitempty"`
// SizeLimitOverride can only make the limit MORE permissive (larger)
SizeLimitOverride *int64 `json:"size_limit_override,omitempty"`
// ContentLimitOverride can only make the limit MORE permissive (larger)
ContentLimitOverride *int64 `json:"content_limit_override,omitempty"`
// MaxAgeOfEventOverride can only make the limit MORE permissive (older allowed)
MaxAgeOfEventOverride *int64 `json:"max_age_of_event_override,omitempty"`
// MaxAgeEventInFutureOverride can only make the limit MORE permissive (further future allowed)
MaxAgeEventInFutureOverride *int64 `json:"max_age_event_in_future_override,omitempty"`
// WriteAllowFollows extends the follow whitelist feature
WriteAllowFollows *bool `json:"write_allow_follows,omitempty"`
// FollowsWhitelistAdminsAdd adds admin pubkeys whose follows are whitelisted
FollowsWhitelistAdminsAdd []string `json:"follows_whitelist_admins_add,omitempty"`
}
// ComposedPolicy manages the base owner policy and policy admin contributions.
// It computes an effective merged policy at runtime.
type ComposedPolicy struct {
// OwnerPolicy is the base policy set by owners
OwnerPolicy *P
// Contributions is a map of event ID -> contribution for deduplication
Contributions map[string]*PolicyAdminContribution
// contributionsMx protects the contributions map
contributionsMx sync.RWMutex
// configDir is the directory where policy files are stored
configDir string
}
// =============================================================================
// Protected Field Validation
// =============================================================================
// ProtectedFields are fields that only owners can modify
var ProtectedFields = []string{"owners", "policy_admins"}
// ValidateOwnerPolicy validates a policy update from an owner.
// Ensures owners list is non-empty.
func ValidateOwnerPolicy(policy *P) error {
if len(policy.Owners) == 0 {
return fmt.Errorf("owners list cannot be empty: at least one owner must be defined")
}
// Validate all owner pubkeys are valid hex
for _, owner := range policy.Owners {
if len(owner) != 64 {
return fmt.Errorf("invalid owner pubkey length: %q (expected 64 hex characters)", owner)
}
if _, err := hex.Dec(owner); err != nil {
return fmt.Errorf("invalid owner pubkey format: %q: %v", owner, err)
}
}
// Validate all policy admin pubkeys are valid hex
for _, admin := range policy.PolicyAdmins {
if len(admin) != 64 {
return fmt.Errorf("invalid policy_admin pubkey length: %q (expected 64 hex characters)", admin)
}
if _, err := hex.Dec(admin); err != nil {
return fmt.Errorf("invalid policy_admin pubkey format: %q: %v", admin, err)
}
}
return nil
}
// ValidatePolicyAdminContribution validates a contribution from a policy admin.
// Ensures no protected fields are modified and extensions are valid.
func ValidatePolicyAdminContribution(
ownerPolicy *P,
contribution *PolicyAdminContribution,
existingContributions map[string]*PolicyAdminContribution,
) error {
// Validate the admin pubkey is valid
if len(contribution.AdminPubkey) != 64 {
return fmt.Errorf("invalid admin pubkey length")
}
// Validate kind additions don't conflict with owner blacklist
// (though PA can add to blacklist to override whitelist)
// Validate rule extensions
for kind, ext := range contribution.RulesExtend {
ownerRule, exists := ownerPolicy.rules[kind]
if !exists {
return fmt.Errorf("cannot extend rule for kind %d: not defined in owner policy (use rules_add instead)", kind)
}
// Validate size limit overrides are more permissive
if ext.SizeLimitOverride != nil && ownerRule.SizeLimit != nil {
if *ext.SizeLimitOverride < *ownerRule.SizeLimit {
return fmt.Errorf("size_limit_override for kind %d must be >= owner's limit (%d)", kind, *ownerRule.SizeLimit)
}
}
if ext.ContentLimitOverride != nil && ownerRule.ContentLimit != nil {
if *ext.ContentLimitOverride < *ownerRule.ContentLimit {
return fmt.Errorf("content_limit_override for kind %d must be >= owner's limit (%d)", kind, *ownerRule.ContentLimit)
}
}
if ext.MaxAgeOfEventOverride != nil && ownerRule.MaxAgeOfEvent != nil {
if *ext.MaxAgeOfEventOverride < *ownerRule.MaxAgeOfEvent {
return fmt.Errorf("max_age_of_event_override for kind %d must be >= owner's limit (%d)", kind, *ownerRule.MaxAgeOfEvent)
}
}
// Validate pubkey formats in allow/deny lists
for _, pk := range ext.WriteAllowAdd {
if len(pk) != 64 {
return fmt.Errorf("invalid pubkey in write_allow_add for kind %d: %q", kind, pk)
}
}
for _, pk := range ext.WriteDenyAdd {
if len(pk) != 64 {
return fmt.Errorf("invalid pubkey in write_deny_add for kind %d: %q", kind, pk)
}
}
for _, pk := range ext.ReadAllowAdd {
if len(pk) != 64 {
return fmt.Errorf("invalid pubkey in read_allow_add for kind %d: %q", kind, pk)
}
}
for _, pk := range ext.ReadDenyAdd {
if len(pk) != 64 {
return fmt.Errorf("invalid pubkey in read_deny_add for kind %d: %q", kind, pk)
}
}
}
// Validate rules_add are for kinds not already defined by owner
for kind := range contribution.RulesAdd {
if _, exists := ownerPolicy.rules[kind]; exists {
return fmt.Errorf("cannot add rule for kind %d: already defined in owner policy (use rules_extend instead)", kind)
}
}
return nil
}
// =============================================================================
// Policy Composition Logic
// =============================================================================
// NewComposedPolicy creates a new composed policy from an owner policy.
func NewComposedPolicy(ownerPolicy *P, configDir string) *ComposedPolicy {
return &ComposedPolicy{
OwnerPolicy: ownerPolicy,
Contributions: make(map[string]*PolicyAdminContribution),
configDir: configDir,
}
}
// AddContribution adds a policy admin contribution.
// Returns error if validation fails.
func (cp *ComposedPolicy) AddContribution(contribution *PolicyAdminContribution) error {
cp.contributionsMx.Lock()
defer cp.contributionsMx.Unlock()
// Validate the contribution
if err := ValidatePolicyAdminContribution(cp.OwnerPolicy, contribution, cp.Contributions); err != nil {
return err
}
// Store the contribution
cp.Contributions[contribution.EventID] = contribution
// Persist to disk
if err := cp.saveContribution(contribution); err != nil {
log.W.F("failed to persist contribution: %v", err)
}
return nil
}
// RemoveContribution removes a policy admin contribution by event ID.
func (cp *ComposedPolicy) RemoveContribution(eventID string) {
cp.contributionsMx.Lock()
defer cp.contributionsMx.Unlock()
delete(cp.Contributions, eventID)
// Remove from disk
if cp.configDir != "" {
contribPath := filepath.Join(cp.configDir, "policy-contributions", eventID+".json")
os.Remove(contribPath)
}
}
// GetEffectivePolicy computes the merged effective policy.
// Composition rules:
// - Whitelists are unioned (OR)
// - Blacklists are unioned and override whitelists
// - Limits use the most permissive value
// - Conflicts between PAs: oldest created_at wins (except deny always wins)
func (cp *ComposedPolicy) GetEffectivePolicy() *P {
cp.contributionsMx.RLock()
defer cp.contributionsMx.RUnlock()
// Clone the owner policy as base
effective := cp.cloneOwnerPolicy()
// Sort contributions by created_at (oldest first for conflict resolution)
sorted := cp.getSortedContributions()
// Apply each contribution
for _, contrib := range sorted {
cp.applyContribution(effective, contrib)
}
// Repopulate binary caches
effective.Global.populateBinaryCache()
for kind := range effective.rules {
rule := effective.rules[kind]
rule.populateBinaryCache()
effective.rules[kind] = rule
}
return effective
}
// cloneOwnerPolicy creates a deep copy of the owner policy.
func (cp *ComposedPolicy) cloneOwnerPolicy() *P {
// Marshal and unmarshal to create a deep copy
data, _ := json.Marshal(cp.OwnerPolicy)
var cloned P
json.Unmarshal(data, &cloned)
// Copy the manager reference (not cloned)
cloned.manager = cp.OwnerPolicy.manager
return &cloned
}
// getSortedContributions returns contributions sorted by created_at.
func (cp *ComposedPolicy) getSortedContributions() []*PolicyAdminContribution {
sorted := make([]*PolicyAdminContribution, 0, len(cp.Contributions))
for _, contrib := range cp.Contributions {
sorted = append(sorted, contrib)
}
sort.Slice(sorted, func(i, j int) bool {
return sorted[i].CreatedAt < sorted[j].CreatedAt
})
return sorted
}
// applyContribution applies a single contribution to the effective policy.
func (cp *ComposedPolicy) applyContribution(effective *P, contrib *PolicyAdminContribution) {
// Apply kind whitelist additions (OR)
for _, kind := range contrib.KindWhitelistAdd {
if !containsInt(effective.Kind.Whitelist, kind) {
effective.Kind.Whitelist = append(effective.Kind.Whitelist, kind)
}
}
// Apply kind blacklist additions (OR, overrides whitelist)
for _, kind := range contrib.KindBlacklistAdd {
if !containsInt(effective.Kind.Blacklist, kind) {
effective.Kind.Blacklist = append(effective.Kind.Blacklist, kind)
}
}
// Apply rule extensions
for kind, ext := range contrib.RulesExtend {
if rule, exists := effective.rules[kind]; exists {
cp.applyRuleExtension(&rule, &ext, contrib.CreatedAt)
effective.rules[kind] = rule
}
}
// Apply new rules
for kind, rule := range contrib.RulesAdd {
if _, exists := effective.rules[kind]; !exists {
if effective.rules == nil {
effective.rules = make(map[int]Rule)
}
effective.rules[kind] = rule
}
}
// Apply global rule extension
if contrib.GlobalExtend != nil {
cp.applyRuleExtension(&effective.Global, contrib.GlobalExtend, contrib.CreatedAt)
}
}
// applyRuleExtension applies a rule extension to an existing rule.
func (cp *ComposedPolicy) applyRuleExtension(rule *Rule, ext *RuleExtension, _ int64) {
// Add to allow lists (OR)
for _, pk := range ext.WriteAllowAdd {
if !containsString(rule.WriteAllow, pk) {
rule.WriteAllow = append(rule.WriteAllow, pk)
}
}
for _, pk := range ext.ReadAllowAdd {
if !containsString(rule.ReadAllow, pk) {
rule.ReadAllow = append(rule.ReadAllow, pk)
}
}
// Add to deny lists (OR, overrides allow) - deny always wins
for _, pk := range ext.WriteDenyAdd {
if !containsString(rule.WriteDeny, pk) {
rule.WriteDeny = append(rule.WriteDeny, pk)
}
}
for _, pk := range ext.ReadDenyAdd {
if !containsString(rule.ReadDeny, pk) {
rule.ReadDeny = append(rule.ReadDeny, pk)
}
}
// Apply limit overrides (most permissive wins)
if ext.SizeLimitOverride != nil {
if rule.SizeLimit == nil || *ext.SizeLimitOverride > *rule.SizeLimit {
rule.SizeLimit = ext.SizeLimitOverride
}
}
if ext.ContentLimitOverride != nil {
if rule.ContentLimit == nil || *ext.ContentLimitOverride > *rule.ContentLimit {
rule.ContentLimit = ext.ContentLimitOverride
}
}
if ext.MaxAgeOfEventOverride != nil {
if rule.MaxAgeOfEvent == nil || *ext.MaxAgeOfEventOverride > *rule.MaxAgeOfEvent {
rule.MaxAgeOfEvent = ext.MaxAgeOfEventOverride
}
}
if ext.MaxAgeEventInFutureOverride != nil {
if rule.MaxAgeEventInFuture == nil || *ext.MaxAgeEventInFutureOverride > *rule.MaxAgeEventInFuture {
rule.MaxAgeEventInFuture = ext.MaxAgeEventInFutureOverride
}
}
// Enable WriteAllowFollows if requested (OR logic)
if ext.WriteAllowFollows != nil && *ext.WriteAllowFollows {
rule.WriteAllowFollows = true
}
// Add to follows whitelist admins
for _, pk := range ext.FollowsWhitelistAdminsAdd {
if !containsString(rule.FollowsWhitelistAdmins, pk) {
rule.FollowsWhitelistAdmins = append(rule.FollowsWhitelistAdmins, pk)
}
}
}
// =============================================================================
// Persistence
// =============================================================================
// saveContribution persists a contribution to disk.
func (cp *ComposedPolicy) saveContribution(contrib *PolicyAdminContribution) error {
if cp.configDir == "" {
return nil
}
contribDir := filepath.Join(cp.configDir, "policy-contributions")
if err := os.MkdirAll(contribDir, 0755); err != nil {
return err
}
contribPath := filepath.Join(contribDir, contrib.EventID+".json")
data, err := json.MarshalIndent(contrib, "", " ")
if err != nil {
return err
}
return os.WriteFile(contribPath, data, 0644)
}
// LoadContributions loads all contributions from disk.
func (cp *ComposedPolicy) LoadContributions() error {
if cp.configDir == "" {
return nil
}
contribDir := filepath.Join(cp.configDir, "policy-contributions")
if _, err := os.Stat(contribDir); os.IsNotExist(err) {
return nil // No contributions yet
}
entries, err := os.ReadDir(contribDir)
if err != nil {
return err
}
cp.contributionsMx.Lock()
defer cp.contributionsMx.Unlock()
for _, entry := range entries {
if entry.IsDir() || filepath.Ext(entry.Name()) != ".json" {
continue
}
contribPath := filepath.Join(contribDir, entry.Name())
data, err := os.ReadFile(contribPath)
if err != nil {
log.W.F("failed to read contribution %s: %v", entry.Name(), err)
continue
}
var contrib PolicyAdminContribution
if err := json.Unmarshal(data, &contrib); err != nil {
log.W.F("failed to parse contribution %s: %v", entry.Name(), err)
continue
}
// Validate against current owner policy
if err := ValidatePolicyAdminContribution(cp.OwnerPolicy, &contrib, cp.Contributions); err != nil {
log.W.F("contribution %s is no longer valid: %v (skipping)", entry.Name(), err)
continue
}
cp.Contributions[contrib.EventID] = &contrib
}
log.I.F("loaded %d policy admin contributions", len(cp.Contributions))
return nil
}
// =============================================================================
// Owner Detection
// =============================================================================
// IsOwner checks if the given pubkey is an owner.
// The pubkey parameter should be binary ([]byte), not hex-encoded.
func (p *P) IsOwner(pubkey []byte) bool {
if len(pubkey) == 0 {
return false
}
p.policyFollowsMx.RLock()
defer p.policyFollowsMx.RUnlock()
for _, owner := range p.ownersBin {
if utils.FastEqual(owner, pubkey) {
return true
}
}
return false
}
// IsOwnerOrPolicyAdmin checks if the given pubkey is an owner or policy admin.
// The pubkey parameter should be binary ([]byte), not hex-encoded.
func (p *P) IsOwnerOrPolicyAdmin(pubkey []byte) bool {
return p.IsOwner(pubkey) || p.IsPolicyAdmin(pubkey)
}
// =============================================================================
// Helper Functions
// =============================================================================
func containsInt(slice []int, val int) bool {
for _, v := range slice {
if v == val {
return true
}
}
return false
}
func containsString(slice []string, val string) bool {
for _, v := range slice {
if v == val {
return true
}
}
return false
}

690
pkg/policy/composition_test.go
Unescape View File

@ -0,0 +1,690 @@
package policy
import (
"encoding/json"
"testing"
)
// TestValidateOwnerPolicyUpdate tests owner-specific validation
func TestValidateOwnerPolicyUpdate(t *testing.T) {
// Create a base policy
basePolicy := &P{
DefaultPolicy: "allow",
Owners: []string{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
PolicyAdmins: []string{"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
}
tests := []struct {
name string
newPolicy string
expectError bool
errorMsg string
}{
{
name: "valid owner update with non-empty owners",
newPolicy: `{
"default_policy": "deny",
"owners": ["cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"],
"policy_admins": ["dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"]
}`,
expectError: false,
},
{
name: "invalid - empty owners list",
newPolicy: `{
"default_policy": "deny",
"owners": [],
"policy_admins": ["dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"]
}`,
expectError: true,
errorMsg: "owners list cannot be empty",
},
{
name: "invalid - missing owners field",
newPolicy: `{
"default_policy": "deny",
"policy_admins": ["dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"]
}`,
expectError: true,
errorMsg: "owners list cannot be empty",
},
{
name: "invalid - bad owner pubkey format",
newPolicy: `{
"default_policy": "deny",
"owners": ["not-a-valid-pubkey"]
}`,
expectError: true,
errorMsg: "invalid owner pubkey",
},
{
name: "valid - owner can add multiple owners",
newPolicy: `{
"default_policy": "deny",
"owners": [
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
]
}`,
expectError: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := basePolicy.ValidateOwnerPolicyUpdate([]byte(tt.newPolicy))
if tt.expectError {
if err == nil {
t.Errorf("expected error containing %q, got nil", tt.errorMsg)
} else if tt.errorMsg != "" && !containsSubstring(err.Error(), tt.errorMsg) {
t.Errorf("expected error containing %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestValidatePolicyAdminUpdate tests policy admin validation
func TestValidatePolicyAdminUpdate(t *testing.T) {
// Create a base policy with known owners and admins
ownerPubkey := "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
adminPubkey := "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
allowedPubkey := "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
baseJSON := `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 10000
}
}
}`
basePolicy := &P{}
if err := json.Unmarshal([]byte(baseJSON), basePolicy); err != nil {
t.Fatalf("failed to create base policy: %v", err)
}
adminPubkeyBin := make([]byte, 32)
for i := range adminPubkeyBin {
adminPubkeyBin[i] = 0xbb
}
tests := []struct {
name string
newPolicy string
expectError bool
errorMsg string
}{
{
name: "valid - policy admin can extend write_allow",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `", "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"],
"size_limit": 10000
}
}
}`,
expectError: false,
},
{
name: "valid - policy admin can add to kind whitelist",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7, 30023]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: false,
},
{
name: "valid - policy admin can increase size limit",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 20000
}
}
}`,
expectError: false,
},
{
name: "invalid - policy admin cannot modify owners",
newPolicy: `{
"default_policy": "allow",
"owners": ["dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: true,
errorMsg: "cannot modify the 'owners' field",
},
{
name: "invalid - policy admin cannot modify policy_admins",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: true,
errorMsg: "cannot modify the 'policy_admins' field",
},
{
name: "invalid - policy admin cannot remove from kind whitelist",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: true,
errorMsg: "cannot remove kind 7 from whitelist",
},
{
name: "invalid - policy admin cannot remove from write_allow",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": [],
"size_limit": 10000
}
}
}`,
expectError: true,
errorMsg: "cannot remove pubkey",
},
{
name: "invalid - policy admin cannot reduce size limit",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"size_limit": 5000
}
}
}`,
expectError: true,
errorMsg: "cannot reduce size_limit",
},
{
name: "invalid - policy admin cannot remove rule",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {}
}`,
expectError: true,
errorMsg: "cannot remove rule for kind 1",
},
{
name: "valid - policy admin can add blacklist entries for non-admin users",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7],
"blacklist": [4]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"write_deny": ["eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"],
"size_limit": 10000
}
}
}`,
expectError: false,
},
{
name: "invalid - policy admin cannot blacklist owner in write_deny",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"write_deny": ["` + ownerPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: true,
errorMsg: "cannot blacklist owner",
},
{
name: "invalid - policy admin cannot blacklist other policy admin",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"write_deny": ["` + adminPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: true,
errorMsg: "cannot blacklist policy admin",
},
{
name: "valid - policy admin can blacklist whitelisted non-admin user",
newPolicy: `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"],
"policy_admins": ["` + adminPubkey + `"],
"kind": {
"whitelist": [1, 3, 7]
},
"rules": {
"1": {
"description": "Text notes",
"write_allow": ["` + allowedPubkey + `"],
"write_deny": ["` + allowedPubkey + `"],
"size_limit": 10000
}
}
}`,
expectError: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := basePolicy.ValidatePolicyAdminUpdate([]byte(tt.newPolicy), adminPubkeyBin)
if tt.expectError {
if err == nil {
t.Errorf("expected error containing %q, got nil", tt.errorMsg)
} else if tt.errorMsg != "" && !containsSubstring(err.Error(), tt.errorMsg) {
t.Errorf("expected error containing %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// TestIsOwner tests the IsOwner method
func TestIsOwner(t *testing.T) {
ownerPubkey := "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
nonOwnerPubkey := "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
_ = nonOwnerPubkey // Silence unused variable warning
policyJSON := `{
"default_policy": "allow",
"owners": ["` + ownerPubkey + `"]
}`
policy, err := New([]byte(policyJSON))
if err != nil {
t.Fatalf("failed to create policy: %v", err)
}
// Create binary pubkeys
ownerBin := make([]byte, 32)
for i := range ownerBin {
ownerBin[i] = 0xaa
}
nonOwnerBin := make([]byte, 32)
for i := range nonOwnerBin {
nonOwnerBin[i] = 0xbb
}
tests := []struct {
name string
pubkey []byte
expected bool
}{
{
name: "owner is recognized",
pubkey: ownerBin,
expected: true,
},
{
name: "non-owner is not recognized",
pubkey: nonOwnerBin,
expected: false,
},
{
name: "nil pubkey returns false",
pubkey: nil,
expected: false,
},
{
name: "empty pubkey returns false",
pubkey: []byte{},
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := policy.IsOwner(tt.pubkey)
if result != tt.expected {
t.Errorf("expected %v, got %v", tt.expected, result)
}
})
}
}
// TestStringSliceEqual tests the helper function
func TestStringSliceEqual(t *testing.T) {
tests := []struct {
name string
a []string
b []string
expected bool
}{
{
name: "equal slices same order",
a: []string{"a", "b", "c"},
b: []string{"a", "b", "c"},
expected: true,
},
{
name: "equal slices different order",
a: []string{"a", "b", "c"},
b: []string{"c", "a", "b"},
expected: true,
},
{
name: "different lengths",
a: []string{"a", "b"},
b: []string{"a", "b", "c"},
expected: false,
},
{
name: "different contents",
a: []string{"a", "b", "c"},
b: []string{"a", "b", "d"},
expected: false,
},
{
name: "empty slices",
a: []string{},
b: []string{},
expected: true,
},
{
name: "nil slices",
a: nil,
b: nil,
expected: true,
},
{
name: "nil vs empty",
a: nil,
b: []string{},
expected: true,
},
{
name: "duplicates in both",
a: []string{"a", "a", "b"},
b: []string{"a", "b", "a"},
expected: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := stringSliceEqual(tt.a, tt.b)
if result != tt.expected {
t.Errorf("expected %v, got %v", tt.expected, result)
}
})
}
}
// TestPolicyAdminContributionValidation tests the contribution validation
func TestPolicyAdminContributionValidation(t *testing.T) {
ownerPubkey := "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
adminPubkey := "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
ownerPolicy := &P{
DefaultPolicy: "allow",
Owners: []string{ownerPubkey},
PolicyAdmins: []string{adminPubkey},
Kind: Kinds{
Whitelist: []int{1, 3, 7},
},
rules: map[int]Rule{
1: {
Description: "Text notes",
SizeLimit: ptr(int64(10000)),
},
},
}
tests := []struct {
name string
contribution *PolicyAdminContribution
expectError bool
errorMsg string
}{
{
name: "valid - add kinds to whitelist",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
KindWhitelistAdd: []int{30023},
},
expectError: false,
},
{
name: "valid - add to blacklist",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
KindBlacklistAdd: []int{4},
},
expectError: false,
},
{
name: "valid - extend existing rule with larger limit",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
RulesExtend: map[int]RuleExtension{
1: {
SizeLimitOverride: ptr(int64(20000)),
},
},
},
expectError: false,
},
{
name: "invalid - extend non-existent rule",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
RulesExtend: map[int]RuleExtension{
999: {
SizeLimitOverride: ptr(int64(20000)),
},
},
},
expectError: true,
errorMsg: "cannot extend rule for kind 999",
},
{
name: "invalid - size limit override smaller than owner's",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
RulesExtend: map[int]RuleExtension{
1: {
SizeLimitOverride: ptr(int64(5000)),
},
},
},
expectError: true,
errorMsg: "size_limit_override for kind 1 must be >=",
},
{
name: "valid - add new rule for undefined kind",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
RulesAdd: map[int]Rule{
30023: {
Description: "Long-form content",
SizeLimit: ptr(int64(100000)),
},
},
},
expectError: false,
},
{
name: "invalid - add rule for already-defined kind",
contribution: &PolicyAdminContribution{
AdminPubkey: adminPubkey,
CreatedAt: 1234567890,
EventID: "event123",
RulesAdd: map[int]Rule{
1: {
Description: "Trying to override",
},
},
},
expectError: true,
errorMsg: "cannot add rule for kind 1: already defined",
},
{
name: "invalid - bad pubkey length in extension",
contribution: &PolicyAdminContribution{
AdminPubkey: "short",
CreatedAt: 1234567890,
EventID: "event123",
},
expectError: true,
errorMsg: "invalid admin pubkey length",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePolicyAdminContribution(ownerPolicy, tt.contribution, nil)
if tt.expectError {
if err == nil {
t.Errorf("expected error containing %q, got nil", tt.errorMsg)
} else if tt.errorMsg != "" && !containsSubstring(err.Error(), tt.errorMsg) {
t.Errorf("expected error containing %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("unexpected error: %v", err)
}
}
})
}
}
// Helper function for generic pointer
func ptr[T any](v T) *T {
return &v
}

253
pkg/policy/policy.go
Unescape View File

@ -1766,6 +1766,8 @@ func (p *P) ValidateJSON(policyJSON []byte) error {
} }
} }
// Note: Owner-specific validation (non-empty owners) is done in ValidateOwnerPolicyUpdate
// Validate regex patterns in tag_validation rules and new fields // Validate regex patterns in tag_validation rules and new fields
for kind, rule := range tempPolicy.rules { for kind, rule := range tempPolicy.rules {
for tagName, pattern := range rule.TagValidation { for tagName, pattern := range rule.TagValidation {
@ -2177,3 +2179,254 @@ func (p *P) GetRulesKinds() []int {
} }
return kinds return kinds
} }
// =============================================================================
// Owner vs Policy Admin Update Validation
// =============================================================================
// ValidateOwnerPolicyUpdate validates a full policy update from an owner.
// Owners can modify all fields but the owners list must be non-empty.
func (p *P) ValidateOwnerPolicyUpdate(policyJSON []byte) error {
// First run standard validation
if err := p.ValidateJSON(policyJSON); err != nil {
return err
}
// Parse the new policy
tempPolicy := &P{}
if err := json.Unmarshal(policyJSON, tempPolicy); err != nil {
return fmt.Errorf("failed to parse policy JSON: %v", err)
}
// Owner-specific validation: owners list cannot be empty
if len(tempPolicy.Owners) == 0 {
return fmt.Errorf("owners list cannot be empty: at least one owner must be defined to prevent lockout")
}
return nil
}
// ValidatePolicyAdminUpdate validates a policy update from a policy admin.
// Policy admins CANNOT modify: owners, policy_admins
// Policy admins CAN: extend rules, add blacklists, add new kind rules
func (p *P) ValidatePolicyAdminUpdate(policyJSON []byte, adminPubkey []byte) error {
// First run standard validation
if err := p.ValidateJSON(policyJSON); err != nil {
return err
}
// Parse the new policy
tempPolicy := &P{}
if err := json.Unmarshal(policyJSON, tempPolicy); err != nil {
return fmt.Errorf("failed to parse policy JSON: %v", err)
}
// Protected field check: owners must match current
if !stringSliceEqual(tempPolicy.Owners, p.Owners) {
return fmt.Errorf("policy admins cannot modify the 'owners' field: this is a protected field that only owners can change")
}
// Protected field check: policy_admins must match current
if !stringSliceEqual(tempPolicy.PolicyAdmins, p.PolicyAdmins) {
return fmt.Errorf("policy admins cannot modify the 'policy_admins' field: this is a protected field that only owners can change")
}
// Validate that the admin is not reducing owner-granted permissions
// This check ensures policy admins can only extend, not restrict
if err := p.validateNoPermissionReduction(tempPolicy); err != nil {
return fmt.Errorf("policy admins cannot reduce owner-granted permissions: %v", err)
}
return nil
}
// validateNoPermissionReduction checks that the new policy doesn't reduce
// permissions that were granted in the current (owner) policy.
//
// Policy admins CAN:
// - ADD to allow lists (write_allow, read_allow)
// - ADD to deny lists (write_deny, read_deny) to blacklist non-admin users
// - INCREASE limits (size_limit, content_limit, max_age_of_event)
// - ADD new kinds to whitelist or blacklist
// - ADD new rules for kinds not defined by owner
//
// Policy admins CANNOT:
// - REMOVE from allow lists
// - DECREASE limits
// - REMOVE kinds from whitelist
// - REMOVE rules defined by owner
// - ADD new required tags (restrictions)
// - BLACKLIST owners or other policy admins
func (p *P) validateNoPermissionReduction(newPolicy *P) error {
// Check kind whitelist - new policy must include all current whitelisted kinds
for _, kind := range p.Kind.Whitelist {
found := false
for _, newKind := range newPolicy.Kind.Whitelist {
if kind == newKind {
found = true
break
}
}
if !found {
return fmt.Errorf("cannot remove kind %d from whitelist", kind)
}
}
// Check each rule in the current policy
for kind, currentRule := range p.rules {
newRule, exists := newPolicy.rules[kind]
if !exists {
return fmt.Errorf("cannot remove rule for kind %d", kind)
}
// Check write_allow - new rule must include all current pubkeys
for _, pk := range currentRule.WriteAllow {
if !containsString(newRule.WriteAllow, pk) {
return fmt.Errorf("cannot remove pubkey %s from write_allow for kind %d", pk, kind)
}
}
// Check read_allow - new rule must include all current pubkeys
for _, pk := range currentRule.ReadAllow {
if !containsString(newRule.ReadAllow, pk) {
return fmt.Errorf("cannot remove pubkey %s from read_allow for kind %d", pk, kind)
}
}
// Check write_deny - cannot blacklist owners or policy admins
for _, pk := range newRule.WriteDeny {
if containsString(p.Owners, pk) {
return fmt.Errorf("cannot blacklist owner %s in write_deny for kind %d", pk, kind)
}
if containsString(p.PolicyAdmins, pk) {
return fmt.Errorf("cannot blacklist policy admin %s in write_deny for kind %d", pk, kind)
}
}
// Check read_deny - cannot blacklist owners or policy admins
for _, pk := range newRule.ReadDeny {
if containsString(p.Owners, pk) {
return fmt.Errorf("cannot blacklist owner %s in read_deny for kind %d", pk, kind)
}
if containsString(p.PolicyAdmins, pk) {
return fmt.Errorf("cannot blacklist policy admin %s in read_deny for kind %d", pk, kind)
}
}
// Check size limits - new limit cannot be smaller
if currentRule.SizeLimit != nil && newRule.SizeLimit != nil {
if *newRule.SizeLimit < *currentRule.SizeLimit {
return fmt.Errorf("cannot reduce size_limit for kind %d from %d to %d", kind, *currentRule.SizeLimit, *newRule.SizeLimit)
}
}
// Check content limits - new limit cannot be smaller
if currentRule.ContentLimit != nil && newRule.ContentLimit != nil {
if *newRule.ContentLimit < *currentRule.ContentLimit {
return fmt.Errorf("cannot reduce content_limit for kind %d from %d to %d", kind, *currentRule.ContentLimit, *newRule.ContentLimit)
}
}
// Check max_age_of_event - new limit cannot be smaller (smaller = more restrictive)
if currentRule.MaxAgeOfEvent != nil && newRule.MaxAgeOfEvent != nil {
if *newRule.MaxAgeOfEvent < *currentRule.MaxAgeOfEvent {
return fmt.Errorf("cannot reduce max_age_of_event for kind %d from %d to %d", kind, *currentRule.MaxAgeOfEvent, *newRule.MaxAgeOfEvent)
}
}
// Check must_have_tags - cannot add new required tags (more restrictive)
for _, tag := range newRule.MustHaveTags {
found := false
for _, currentTag := range currentRule.MustHaveTags {
if tag == currentTag {
found = true
break
}
}
if !found {
return fmt.Errorf("cannot add required tag %q for kind %d (only owners can add restrictions)", tag, kind)
}
}
}
// Check global rule write_deny - cannot blacklist owners or policy admins
for _, pk := range newPolicy.Global.WriteDeny {
if containsString(p.Owners, pk) {
return fmt.Errorf("cannot blacklist owner %s in global write_deny", pk)
}
if containsString(p.PolicyAdmins, pk) {
return fmt.Errorf("cannot blacklist policy admin %s in global write_deny", pk)
}
}
// Check global rule read_deny - cannot blacklist owners or policy admins
for _, pk := range newPolicy.Global.ReadDeny {
if containsString(p.Owners, pk) {
return fmt.Errorf("cannot blacklist owner %s in global read_deny", pk)
}
if containsString(p.PolicyAdmins, pk) {
return fmt.Errorf("cannot blacklist policy admin %s in global read_deny", pk)
}
}
// Check global rule size limits
if p.Global.SizeLimit != nil && newPolicy.Global.SizeLimit != nil {
if *newPolicy.Global.SizeLimit < *p.Global.SizeLimit {
return fmt.Errorf("cannot reduce global size_limit from %d to %d", *p.Global.SizeLimit, *newPolicy.Global.SizeLimit)
}
}
return nil
}
// ReloadAsOwner reloads the policy from an owner's kind 12345 event.
// Owners can modify all fields but the owners list must be non-empty.
func (p *P) ReloadAsOwner(policyJSON []byte, configPath string) error {
// Validate as owner update
if err := p.ValidateOwnerPolicyUpdate(policyJSON); err != nil {
return fmt.Errorf("owner policy validation failed: %v", err)
}
// Use existing Reload logic
return p.Reload(policyJSON, configPath)
}
// ReloadAsPolicyAdmin reloads the policy from a policy admin's kind 12345 event.
// Policy admins cannot modify protected fields (owners, policy_admins) and
// cannot reduce owner-granted permissions.
func (p *P) ReloadAsPolicyAdmin(policyJSON []byte, configPath string, adminPubkey []byte) error {
// Validate as policy admin update
if err := p.ValidatePolicyAdminUpdate(policyJSON, adminPubkey); err != nil {
return fmt.Errorf("policy admin validation failed: %v", err)
}
// Use existing Reload logic
return p.Reload(policyJSON, configPath)
}
// stringSliceEqual checks if two string slices are equal (order-independent).
func stringSliceEqual(a, b []string) bool {
if len(a) != len(b) {
return false
}
// Create maps for comparison
aMap := make(map[string]int)
for _, v := range a {
aMap[v]++
}
bMap := make(map[string]int)
for _, v := range b {
bMap[v]++
}
// Compare maps
for k, v := range aMap {
if bMap[k] != v {
return false
}
}
return true
}

2
pkg/version/version
Unescape View File

@ -1 +1 @@
v0.31.3 v0.31.4
Write Preview
Loading…
Cancel
Save