Checkpoint: password reset, rule expiry, migrations
- Self-service and admin password-change endpoints
(PUT /v1/auth/password, PUT /v1/accounts/{id}/password)
- Policy rule time-scoped expiry (not_before / expires_at)
with migration 000006 and engine filtering
- golang-migrate integration; embedded SQL migrations
- PolicyRecord fieldalignment lint fix
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -2,6 +2,7 @@ package policy
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
// adminInput is a convenience helper for building admin PolicyInputs.
|
||||
@@ -378,3 +379,131 @@ func TestEvaluate_AccountTypeGating(t *testing.T) {
|
||||
t.Error("human account should not match system-only rule")
|
||||
}
|
||||
}
|
||||
|
||||
// ---- Engine.SetRules time-filtering tests ----
|
||||
|
||||
func TestSetRules_SkipsExpiredRule(t *testing.T) {
|
||||
engine := NewEngine()
|
||||
past := time.Now().Add(-1 * time.Hour)
|
||||
|
||||
err := engine.SetRules([]PolicyRecord{
|
||||
{
|
||||
ID: 1,
|
||||
Description: "expired",
|
||||
Priority: 100,
|
||||
RuleJSON: `{"effect":"allow","actions":["accounts:list"]}`,
|
||||
Enabled: true,
|
||||
ExpiresAt: &past,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("SetRules: %v", err)
|
||||
}
|
||||
|
||||
// The expired rule should not be in the cache; evaluation should deny.
|
||||
input := PolicyInput{
|
||||
Subject: "user-uuid",
|
||||
AccountType: "human",
|
||||
Roles: []string{},
|
||||
Action: ActionListAccounts,
|
||||
Resource: Resource{Type: ResourceAccount},
|
||||
}
|
||||
effect, _ := engine.Evaluate(input)
|
||||
if effect != Deny {
|
||||
t.Error("expired rule should not match; expected Deny")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetRules_SkipsNotYetActiveRule(t *testing.T) {
|
||||
engine := NewEngine()
|
||||
future := time.Now().Add(1 * time.Hour)
|
||||
|
||||
err := engine.SetRules([]PolicyRecord{
|
||||
{
|
||||
ID: 2,
|
||||
Description: "not yet active",
|
||||
Priority: 100,
|
||||
RuleJSON: `{"effect":"allow","actions":["accounts:list"]}`,
|
||||
Enabled: true,
|
||||
NotBefore: &future,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("SetRules: %v", err)
|
||||
}
|
||||
|
||||
input := PolicyInput{
|
||||
Subject: "user-uuid",
|
||||
AccountType: "human",
|
||||
Roles: []string{},
|
||||
Action: ActionListAccounts,
|
||||
Resource: Resource{Type: ResourceAccount},
|
||||
}
|
||||
effect, _ := engine.Evaluate(input)
|
||||
if effect != Deny {
|
||||
t.Error("future not_before rule should not match; expected Deny")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetRules_IncludesActiveWindowRule(t *testing.T) {
|
||||
engine := NewEngine()
|
||||
past := time.Now().Add(-1 * time.Hour)
|
||||
future := time.Now().Add(1 * time.Hour)
|
||||
|
||||
err := engine.SetRules([]PolicyRecord{
|
||||
{
|
||||
ID: 3,
|
||||
Description: "currently active",
|
||||
Priority: 100,
|
||||
RuleJSON: `{"effect":"allow","actions":["accounts:list"]}`,
|
||||
Enabled: true,
|
||||
NotBefore: &past,
|
||||
ExpiresAt: &future,
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("SetRules: %v", err)
|
||||
}
|
||||
|
||||
input := PolicyInput{
|
||||
Subject: "user-uuid",
|
||||
AccountType: "human",
|
||||
Roles: []string{},
|
||||
Action: ActionListAccounts,
|
||||
Resource: Resource{Type: ResourceAccount},
|
||||
}
|
||||
effect, _ := engine.Evaluate(input)
|
||||
if effect != Allow {
|
||||
t.Error("rule within its active window should match; expected Allow")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetRules_NilTimesAlwaysActive(t *testing.T) {
|
||||
engine := NewEngine()
|
||||
|
||||
err := engine.SetRules([]PolicyRecord{
|
||||
{
|
||||
ID: 4,
|
||||
Description: "no time constraints",
|
||||
Priority: 100,
|
||||
RuleJSON: `{"effect":"allow","actions":["accounts:list"]}`,
|
||||
Enabled: true,
|
||||
// NotBefore and ExpiresAt are both nil.
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("SetRules: %v", err)
|
||||
}
|
||||
|
||||
input := PolicyInput{
|
||||
Subject: "user-uuid",
|
||||
AccountType: "human",
|
||||
Roles: []string{},
|
||||
Action: ActionListAccounts,
|
||||
Resource: Resource{Type: ResourceAccount},
|
||||
}
|
||||
effect, _ := engine.Evaluate(input)
|
||||
if effect != Allow {
|
||||
t.Error("nil time fields mean always active; expected Allow")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
// Engine wraps the stateless Evaluate function with an in-memory cache of
|
||||
@@ -31,11 +32,19 @@ func NewEngine() *Engine {
|
||||
// into a Rule. This prevents the database from injecting values into the ID or
|
||||
// Description fields that are stored as dedicated columns.
|
||||
func (e *Engine) SetRules(records []PolicyRecord) error {
|
||||
now := time.Now()
|
||||
rules := make([]Rule, 0, len(records))
|
||||
for _, rec := range records {
|
||||
if !rec.Enabled {
|
||||
continue
|
||||
}
|
||||
// Skip rules outside their validity window.
|
||||
if rec.NotBefore != nil && now.Before(*rec.NotBefore) {
|
||||
continue
|
||||
}
|
||||
if rec.ExpiresAt != nil && now.After(*rec.ExpiresAt) {
|
||||
continue
|
||||
}
|
||||
var body RuleBody
|
||||
if err := json.Unmarshal([]byte(rec.RuleJSON), &body); err != nil {
|
||||
return fmt.Errorf("policy: decode rule %d %q: %w", rec.ID, rec.Description, err)
|
||||
@@ -75,6 +84,8 @@ func (e *Engine) Evaluate(input PolicyInput) (Effect, *Rule) {
|
||||
// Using a local struct avoids importing the db or model packages from policy,
|
||||
// which would create a dependency cycle.
|
||||
type PolicyRecord struct {
|
||||
NotBefore *time.Time
|
||||
ExpiresAt *time.Time
|
||||
Description string
|
||||
RuleJSON string
|
||||
ID int64
|
||||
|
||||
Reference in New Issue
Block a user