tenseleyflow/shithub / 4c2a504

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	errHookSuspended  = errHookGate{"user suspended"}

+	errHookArchived   = errHookGate{"repo archived"}

+	errHookDeleted    = errHookGate{"repo deleted"}

+	errHookMissing    = errHookGate{"missing context"}

+	errHookPermDenied = errHookGate{"permission denied"}

+	case errors.Is(err, errHookPermDenied):

+		return "shithub: you do not have write access to this repository."

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(ctx, h.pool, h.repoID)

+	if err != nil {

+

+	actor := policy.UserActor(user.ID, user.Username, user.SuspendedAt.Valid, false)

+	repoRef := policy.NewRepoRefFromRepo(repo)

+	decision := policy.Can(ctx, policy.Deps{Pool: h.pool}, actor, policy.ActionRepoWrite, repoRef)

+	if decision.Allow {

+		return nil

+	switch decision.Code {

+	case policy.DenyRepoDeleted:

+		return errHookDeleted

+	case policy.DenyActorSuspended:

+		return errHookSuspended

+	case policy.DenyArchived:

+	default:

+		return errHookPermDenied

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	// Authz via policy.Can. Map the policy decision back to the typed

+	// SSH errors so the friendly-message catalogue keeps working.

+	repoRef := policy.NewRepoRefFromRepo(repo)

+	actor := policy.UserActor(user.ID, user.Username, user.SuspendedAt.Valid, false)

+	action := policy.ActionRepoRead

+	if parsed.Service == ReceivePack {

+		action = policy.ActionRepoWrite

+	}

+	decision := policy.Can(ctx, policy.Deps{Pool: deps.Pool}, actor, action, repoRef)

+	if !decision.Allow {

+		switch decision.Code {

+		case policy.DenyActorSuspended:

+			return nil, parsed, ErrSSHSuspended

+		case policy.DenyArchived:

+		case policy.DenyVisibility, policy.DenyRepoDeleted:

+			// Existence-leak guard: pretend the repo doesn't exist.

+		default:

+			return nil, parsed, ErrSSHPermDenied

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package protocol_test

+

+import (

+	"context"

+	"errors"

+	"testing"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	policydb "github.com/tenseleyFlow/shithub/internal/auth/policy/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/git/protocol"

+)

+

+// TestDispatch_CollabWriteCanPushPrivate confirms that adding eve as a

+// 'write' collaborator on alice's private repo lets her push. Before

+// S15 this would have been ErrSSHPermDenied; after S15 the policy

+// package grants based on the role row.

+func TestDispatch_CollabWriteCanPushPrivate(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	pq := policydb.New()

+	if err := pq.UpsertCollabRole(context.Background(), env.pool, policydb.UpsertCollabRoleParams{

+		RepoID: repoIDFor(t, env, "alice", "private"),

+		UserID: env.eve,

+		Role:   policydb.CollabRoleWrite,

+	}); err != nil {

+		t.Fatalf("UpsertCollabRole: %v", err)

+	}

+

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-receive-pack 'alice/private'",

+		UserID:          env.eve,

+	})

+	if err != nil {

+		t.Fatalf("collab-write push denied: %v", err)

+	}

+}

+

+// TestDispatch_CollabReadCannotPush confirms that a 'read' grant lets

+// eve clone but not push.

+func TestDispatch_CollabReadCannotPush(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	pq := policydb.New()

+	if err := pq.UpsertCollabRole(context.Background(), env.pool, policydb.UpsertCollabRoleParams{

+		RepoID: repoIDFor(t, env, "alice", "private"),

+		UserID: env.eve,

+		Role:   policydb.CollabRoleRead,

+	}); err != nil {

+		t.Fatalf("UpsertCollabRole: %v", err)

+	}

+	// Pull: allowed.

+	if _, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-upload-pack 'alice/private'",

+		UserID:          env.eve,

+	}); err != nil {

+		t.Fatalf("collab-read pull denied: %v", err)

+	}

+	// Push: denied with permission-denied (not 404, eve has read so

+	// existence is no secret).

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-receive-pack 'alice/private'",

+		UserID:          env.eve,

+	})

+	if !errors.Is(err, protocol.ErrSSHPermDenied) {

+		t.Fatalf("collab-read push: err = %v, want ErrSSHPermDenied", err)

+	}

+}

+

+// TestDispatch_DemotedCollabLosesAccessNextRequest mirrors the spec's

+// definition-of-done bullet: dropping the role takes effect immediately

+// on the next request (no cross-request cache).

+func TestDispatch_DemotedCollabLosesAccessNextRequest(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	pq := policydb.New()

+	repoID := repoIDFor(t, env, "alice", "private")

+	if err := pq.UpsertCollabRole(context.Background(), env.pool, policydb.UpsertCollabRoleParams{

+		RepoID: repoID, UserID: env.eve, Role: policydb.CollabRoleAdmin,

+	}); err != nil {

+		t.Fatalf("UpsertCollabRole admin: %v", err)

+	}

+	// Eve as admin: push allowed.

+	if _, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-receive-pack 'alice/private'",

+		UserID:          env.eve,

+	}); err != nil {

+		t.Fatalf("admin push denied: %v", err)

+	}

+	// Demote to read.

+	if err := pq.UpsertCollabRole(context.Background(), env.pool, policydb.UpsertCollabRoleParams{

+		RepoID: repoID, UserID: env.eve, Role: policydb.CollabRoleRead,

+	}); err != nil {

+		t.Fatalf("UpsertCollabRole read: %v", err)

+	}

+	// Next request: push denied.

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-receive-pack 'alice/private'",

+		UserID:          env.eve,

+	})

+	if !errors.Is(err, protocol.ErrSSHPermDenied) {

+		t.Fatalf("demoted push: err = %v, want ErrSSHPermDenied", err)

+	}

+}

+

+// TestDispatch_RemovedCollabFallsBack404 confirms that fully removing

+// the row turns eve back into a stranger on a private repo: the

+// rejection is "repo not found" (existence-leak guard).

+func TestDispatch_RemovedCollabFallsBack404(t *testing.T) {

+	t.Parallel()

+	env := setupDispatch(t)

+	pq := policydb.New()

+	repoID := repoIDFor(t, env, "alice", "private")

+	if err := pq.UpsertCollabRole(context.Background(), env.pool, policydb.UpsertCollabRoleParams{

+		RepoID: repoID, UserID: env.eve, Role: policydb.CollabRoleRead,

+	}); err != nil {

+		t.Fatalf("UpsertCollabRole: %v", err)

+	}

+	if err := pq.RemoveCollab(context.Background(), env.pool, policydb.RemoveCollabParams{

+		RepoID: repoID, UserID: env.eve,

+	}); err != nil {

+		t.Fatalf("RemoveCollab: %v", err)

+	}

+	_, _, err := protocol.PrepareDispatch(context.Background(), env.deps, protocol.SSHDispatchInput{

+		OriginalCommand: "git-upload-pack 'alice/private'",

+		UserID:          env.eve,

+	})

+	if !errors.Is(err, protocol.ErrSSHRepoNotFound) {

+		t.Fatalf("removed collab pull: err = %v, want ErrSSHRepoNotFound", err)

+	}

+	// Sanity-check the policy decision separately.

+	_ = policy.ActionRepoRead

+}

+

+// repoIDFor looks up the bigserial id for a repo so the collab insert

+// references a real row. setupDispatch creates "public" and "private";

+// callers ask by name.

+func repoIDFor(t *testing.T, env *dispatchEnv, owner, name string) int64 {

+	t.Helper()

+	var id int64

+	err := env.pool.QueryRow(context.Background(),

+		`SELECT r.id FROM repos r JOIN users u ON u.id = r.owner_user_id

+         WHERE u.username = $1 AND r.name = $2`,

+		owner, name).Scan(&id)

+	if err != nil {

+		t.Fatalf("repoIDFor %s/%s: %v", owner, name, err)

+	}

+	return id

+}

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	repoRef := policy.NewRepoRefFromRepo(row)

+	requireAuth := svc == protocol.ReceivePack || repoRef.IsPrivate()

+	// Build the policy actor and ask Can(). Owner identity, collab role,

+	// archived/deleted gates all live in the policy package now.

+	var actor policy.Actor

+	if auth.Anonymous {

+		actor = policy.AnonymousActor()

+	} else {

+		actor = policy.UserActor(auth.UserID, auth.Username, false, false)

+	action := policy.ActionRepoRead

+		action = policy.ActionRepoWrite

+	}

+	decision := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, action, repoRef)

+	if !decision.Allow {

+		switch decision.Code {

+		case policy.DenyRepoDeleted:

+			http.Error(w, "gone", http.StatusGone)

+		case policy.DenyArchived:

+			// User sees this directly in their git client.

+		case policy.DenyVisibility:

+			http.Error(w, "not found", http.StatusNotFound)

+		default:

+			http.Error(w, "forbidden", http.StatusForbidden)

+		return reposdb.Repo{}, false

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	// Visibility decision delegated to policy.Can. We use ActionRepoRead;

+	// when the decision denies, return ErrNoRows so the caller can 404.

+	repoRef := policy.NewRepoRefFromRepo(row)

+	var actor policy.Actor

+	if viewerID == 0 {

+		actor = policy.AnonymousActor()

+	} else {

+		actor = policy.UserActor(viewerID, "", false, false)

+	}

+	if !policy.Can(ctx, policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoRead, repoRef).Allow {