`0566c90`

S30: org suspension policy gate — block writes on suspended-org repos

Authored by

espadonne 5 days ago

SHA: 0566c9023de3c4ef14e2f11f17dc04258cd32f52
Parents: d95d5f2
Tree: b39593c

2 changed files

Status	File	+	-
M	`internal/auth/policy/org_owner_test.go`	54	0
M	`internal/auth/policy/policy.go`	23	0

internal/auth/policy/org_owner_test.gomodified

  		t.Fatalf("plain org member should NOT have implicit read on private repo: %+v", got)
+ 	}
+ }
++
 +// TestOrgSuspended_BlocksWrites pins the S30 contract: when an org
 +// is suspended, every write action against an org-owned repo is
 +// denied — even for the org owner. Reads still allow.
 +func TestOrgSuspended_BlocksWrites(t *testing.T) {
 +	pool := dbtest.NewTestDB(t)
 +	ctx := context.Background()
++
 +	creator, err := usersdb.New().CreateUser(ctx, pool, usersdb.CreateUserParams{
 +		Username: "alice", DisplayName: "Alice", PasswordHash: fixtureHash,
 +	})
 +	if err != nil {
 +		t.Fatalf("create user: %v", err)
 +	}
 +	deps := orgs.Deps{Pool: pool}
 +	org, err := orgs.Create(ctx, deps, orgs.CreateParams{
 +		Slug: "acme", DisplayName: "Acme", CreatedByUserID: creator.ID,
 +	})
 +	if err != nil {
 +		t.Fatalf("create org: %v", err)
 +	}
 +	repo, err := reposdb.New().CreateRepo(ctx, pool, reposdb.CreateRepoParams{
 +		OwnerUserID:   pgtype.Int8{Valid: false},
 +		OwnerOrgID:    pgtype.Int8{Int64: org.ID, Valid: true},
 +		Name:          "demo",
 +		DefaultBranch: "trunk",
 +		Visibility:    reposdb.RepoVisibilityPublic,
 +	})
 +	if err != nil {
 +		t.Fatalf("create repo: %v", err)
 +	}
 +	// Suspend the org via raw UPDATE (mirrors what the admin
 +	// surface will eventually do).
 +	if _, err := pool.Exec(ctx, `UPDATE orgs SET suspended_at=now() WHERE id=$1`, org.ID); err != nil {
 +		t.Fatalf("suspend org: %v", err)
 +	}
++
 +	ref := policy.NewRepoRefFromRepo(repo)
 +	actor := policy.UserActor(creator.ID, "alice", false, false)
 +	pdeps := policy.Deps{Pool: pool}
++
 +	// Reads still allowed.
 +	if got := policy.Can(ctx, pdeps, actor, policy.ActionRepoRead, ref); !got.Allow {
 +		t.Fatalf("reads on suspended-org repo should allow: %+v", got)
 +	}
 +	// Writes denied with the typed code.
 +	got := policy.Can(ctx, pdeps, actor, policy.ActionRepoWrite, ref)
 +	if got.Allow {
 +		t.Fatal("write on suspended-org repo should deny")
 +	}
 +	if got.Code != policy.DenyOrgSuspended {
 +		t.Fatalf("want DenyOrgSuspended code, got %v (reason=%q)", got.Code, got.Reason)
 +	}
 +}

internal/auth/policy/policy.gomodified

  	DenyRoleTooLow    // logged-in but role insufficient
  	DenyAnonymous     // login required (e.g. star/fork)
  	DenyDBError
 +	// DenyOrgSuspended is returned for write actions on a repo whose
 +	// owning org is currently suspended. Reads stay allowed (the spec
 +	// preserves visibility into suspended-org content); writes flip
 +	// off uniformly.
 +	DenyOrgSuspended
+ )
  // Decision is the verdict from Can. Allow is the only field handlers
  		return deny(DenyArchived, "repo archived")
+ 	}
 +	// 7b. Org suspension (S30): writes against any repo owned by a
 +	//     suspended org are denied uniformly. Reads stay allowed (the
 +	//     org's contributions to the broader graph aren't erased).
 +	//     The check is gated on a write action AND a non-zero
 +	//     OwnerOrgID so user-owned repos pay nothing for it.
 +	if repo.OwnerOrgID != 0 && isWriteAction(action) {
 +		if d.Pool != nil {
 +			var suspended bool
 +			err := d.Pool.QueryRow(ctx,
 +				`SELECT suspended_at IS NOT NULL FROM orgs WHERE id = $1`,
 +				repo.OwnerOrgID,
 +			).Scan(&suspended)
 +			if err == nil && suspended {
 +				return deny(DenyOrgSuspended, "owning org suspended")
 +			}
 +		}
 +	}
++
  	// 8. Map action → minimum required role; check.
  	want := minRoleFor(action)
  	if want != RoleNone && !RoleAtLeast(role, want) {