metacrypt/internal/policy/policy_test.go

package policy

import (
	"context"
	"path/filepath"
	"testing"

	"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
	"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
	"git.wntrmute.dev/kyle/metacrypt/internal/db"
)

func setupPolicy(t *testing.T) (*Engine, func()) {
	t.Helper()
	dir := t.TempDir()
	database, err := db.Open(filepath.Join(dir, "test.db"))
	if err != nil {
		t.Fatalf("open db: %v", err)
	}
	if err := db.Migrate(database); err != nil {
		t.Fatalf("migrate: %v", err)
	}
	b := barrier.NewAESGCMBarrier(database)
	mek, _ := crypto.GenerateKey()
	_ = b.Unseal(mek)
	e := NewEngine(b)
	return e, func() { _ = database.Close() }
}

func TestAdminBypass(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()

	effect, err := e.Evaluate(context.Background(), &Request{
		Username: "admin-user",
		Roles:    []string{"admin"},
		Resource: "engine/transit/default/encrypt",
		Action:   "write",
	})
	if err != nil {
		t.Fatalf("Evaluate: %v", err)
	}
	if effect != EffectAllow {
		t.Fatalf("admin should always be allowed, got: %s", effect)
	}
}

func TestDefaultDeny(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()

	effect, err := e.Evaluate(context.Background(), &Request{
		Username: "user1",
		Roles:    []string{"viewer"},
		Resource: "engine/transit/default/encrypt",
		Action:   "write",
	})
	if err != nil {
		t.Fatalf("Evaluate: %v", err)
	}
	if effect != EffectDeny {
		t.Fatalf("default should deny, got: %s", effect)
	}
}

func TestPolicyRuleCRUD(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()
	ctx := context.Background()

	rule := &Rule{
		ID:        "test-rule",
		Priority:  100,
		Effect:    EffectAllow,
		Roles:     []string{"operator"},
		Resources: []string{"engine/transit/*"},
		Actions:   []string{"read", "write"},
	}

	if err := e.CreateRule(ctx, rule); err != nil {
		t.Fatalf("CreateRule: %v", err)
	}

	got, err := e.GetRule(ctx, "test-rule")
	if err != nil {
		t.Fatalf("GetRule: %v", err)
	}
	if got.Priority != 100 {
		t.Errorf("priority: got %d, want 100", got.Priority)
	}

	rules, err := e.ListRules(ctx)
	if err != nil {
		t.Fatalf("ListRules: %v", err)
	}
	if len(rules) != 1 {
		t.Fatalf("ListRules: got %d rules, want 1", len(rules))
	}

	if err := e.DeleteRule(ctx, "test-rule"); err != nil {
		t.Fatalf("DeleteRule: %v", err)
	}

	rules, _ = e.ListRules(ctx)
	if len(rules) != 0 {
		t.Fatalf("after delete: got %d rules, want 0", len(rules))
	}
}

func TestPolicyPriorityOrder(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()
	ctx := context.Background()

	// Lower priority number = higher priority. Deny should win.
	_ = e.CreateRule(ctx, &Rule{
		ID:        "allow-rule",
		Priority:  200,
		Effect:    EffectAllow,
		Roles:     []string{"operator"},
		Resources: []string{"engine/transit/*"},
		Actions:   []string{"write"},
	})
	_ = e.CreateRule(ctx, &Rule{
		ID:        "deny-rule",
		Priority:  100,
		Effect:    EffectDeny,
		Roles:     []string{"operator"},
		Resources: []string{"engine/transit/*"},
		Actions:   []string{"write"},
	})

	effect, _ := e.Evaluate(ctx, &Request{
		Username: "user1",
		Roles:    []string{"operator"},
		Resource: "engine/transit/default",
		Action:   "write",
	})
	if effect != EffectDeny {
		t.Fatalf("higher priority deny should win, got: %s", effect)
	}
}

func TestActionAnyMatchesNonAdmin(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()
	ctx := context.Background()

	_ = e.CreateRule(ctx, &Rule{
		ID:        "any-rule",
		Priority:  100,
		Effect:    EffectAllow,
		Roles:     []string{"user"},
		Resources: []string{"transit/*"},
		Actions:   []string{ActionAny},
	})

	// "any" should match encrypt, decrypt, sign, verify, hmac, read, write.
	for _, action := range []string{ActionEncrypt, ActionDecrypt, ActionSign, ActionVerify, ActionHMAC, ActionRead, ActionWrite} {
		effect, _ := e.Evaluate(ctx, &Request{
			Username: "alice",
			Roles:    []string{"user"},
			Resource: "transit/default",
			Action:   action,
		})
		if effect != EffectAllow {
			t.Errorf("action %q should be allowed by 'any', got: %s", action, effect)
		}
	}

	// "any" must NOT match "admin".
	effect, _ := e.Evaluate(ctx, &Request{
		Username: "alice",
		Roles:    []string{"user"},
		Resource: "transit/default",
		Action:   ActionAdmin,
	})
	if effect != EffectDeny {
		t.Fatalf("action 'admin' should not be matched by 'any', got: %s", effect)
	}
}

func TestLintRule(t *testing.T) {
	// Valid rule.
	problems := LintRule(&Rule{
		ID:      "ok",
		Effect:  EffectAllow,
		Actions: []string{ActionAny, ActionEncrypt},
	})
	if len(problems) > 0 {
		t.Errorf("expected no problems, got: %v", problems)
	}

	// Missing ID.
	problems = LintRule(&Rule{Effect: EffectAllow})
	if len(problems) != 1 {
		t.Errorf("expected 1 problem for missing ID, got: %v", problems)
	}

	// Invalid effect.
	problems = LintRule(&Rule{ID: "bad-effect", Effect: "maybe"})
	if len(problems) != 1 {
		t.Errorf("expected 1 problem for bad effect, got: %v", problems)
	}

	// Invalid action.
	problems = LintRule(&Rule{ID: "bad-action", Effect: EffectAllow, Actions: []string{"destroy"}})
	if len(problems) != 1 {
		t.Errorf("expected 1 problem for bad action, got: %v", problems)
	}

	// Multiple problems.
	problems = LintRule(&Rule{Effect: "bogus", Actions: []string{"nope"}})
	if len(problems) != 3 { // missing ID + bad effect + bad action
		t.Errorf("expected 3 problems, got: %v", problems)
	}
}

func TestCreateRuleRejectsInvalid(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()
	ctx := context.Background()

	err := e.CreateRule(ctx, &Rule{
		ID:      "bad",
		Effect:  EffectAllow,
		Actions: []string{"obliterate"},
	})
	if err == nil {
		t.Fatal("expected error for invalid action, got nil")
	}
}

func TestPolicyUsernameMatch(t *testing.T) {
	e, cleanup := setupPolicy(t)
	defer cleanup()
	ctx := context.Background()

	_ = e.CreateRule(ctx, &Rule{
		ID:        "user-specific",
		Priority:  100,
		Effect:    EffectAllow,
		Usernames: []string{"alice"},
		Resources: []string{"engine/*"},
		Actions:   []string{"read"},
	})

	effect, _ := e.Evaluate(ctx, &Request{
		Username: "alice",
		Roles:    []string{"user"},
		Resource: "engine/ca",
		Action:   "read",
	})
	if effect != EffectAllow {
		t.Fatalf("alice should be allowed, got: %s", effect)
	}

	effect, _ = e.Evaluate(ctx, &Request{
		Username: "bob",
		Roles:    []string{"user"},
		Resource: "engine/ca",
		Action:   "read",
	})
	if effect != EffectDeny {
		t.Fatalf("bob should be denied, got: %s", effect)
	}
}