Skip to content

fix: reject unknown recipient BaseType in BuildPolicyJson#20

Merged
rubenhensen merged 1 commit into
mainfrom
fix/issue-13-recipient-basetype-enum
May 17, 2026
Merged

fix: reject unknown recipient BaseType in BuildPolicyJson#20
rubenhensen merged 1 commit into
mainfrom
fix/issue-13-recipient-basetype-enum

Conversation

@dobby-coder
Copy link
Copy Markdown
Contributor

@dobby-coder dobby-coder Bot commented May 17, 2026

Summary

BuildPolicyJson only handled BaseType == "email" and "emailDomain"; any other value silently produced a policy entry with an empty con (only the recipient's Extras). Today this is unreachable but represents a footgun — adding a new builder without updating BuildPolicyJson would yield broken/permissive encryption policies.

This PR converts BaseType from a stringly-typed field to an internal RecipientBaseType enum, rewrites BuildPolicyJson as a switch expression with an explicit default arm that throws ArgumentException, and adds a regression-test suite.

Changes

  • src/Models/Recipients.cs — new internal enum RecipientBaseType { Email, EmailDomain }; BaseType is now that enum.
  • src/PostGuard.csRecipientBuilders.Email/EmailDomain factories pass enum values.
  • src/Crypto/SealPipeline.cs — exhaustive switch with _ => throw new ArgumentException(...) default.
  • src/E4A.PostGuard.csprojInternalsVisibleTo("E4A.PostGuard.Tests") so tests can call BuildPolicyJson directly.
  • tests/E4A.PostGuard.Tests/BuildPolicyJsonTests.cs — six tests covering both known base types, the EmailDomain no-@ fallback, ExtraAttribute appending, multi-recipient construction, and the new guard against an unknown enum value.

No public API change — BaseType is internal.

Test plan

  • dotnet build E4A.PostGuard.slnx -c Release — green
  • dotnet test --no-build --framework net10.0 — 19/19 pass (net8.0 runtime not installed locally; CI covers it)
  • CI green on the PR

Reviewer quickstart

git fetch origin && git checkout fix/issue-13-recipient-basetype-enum && dotnet test E4A.PostGuard.slnx -c Release

Closes #13.

@dobby-coder
fix: reject unknown recipient BaseType in BuildPolicyJson
8335928 
Convert internal BaseType from string to a RecipientBaseType enum and
switch BuildPolicyJson to an exhaustive switch expression with a default
arm that throws ArgumentException. Previously, any BaseType value other
than "email" or "emailDomain" silently fell through both branches and
produced a policy entry whose con array contained only the recipient's
Extras — a security-sensitive failure mode if a new builder were ever
added without updating BuildPolicyJson.

Add InternalsVisibleTo for the test project and unit tests covering the
two known base types, ExtraAttribute appending, multi-recipient
construction, the EmailDomain no-at fallback, and the new guard.

Closes #13.
@dobby-coder dobby-coder Bot requested a review from rubenhensen May 17, 2026 16:55
@dobby-coder dobby-coder Bot mentioned this pull request May 17, 2026
Closed
dobby-coder[bot]
dobby-coder Bot commented May 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@dobby-coder dobby-coder Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Self-review (cannot formally approve own PR):

What I verified:

  • Built and ran the full test suite locally on net10.0: 19/19 pass (6 new + existing).
  • CI is green.
  • BaseType becoming an internal enum is non-breaking (no public API touched).
  • Switch expression with _ => throw new ArgumentException(...) is the right shape: the compiler will not enforce exhaustiveness on enums, but the runtime guard plus the new UnknownBaseType_Throws test catches a future builder being added without updating SealPipeline.BuildPolicyJson.
  • Test coverage is sensible: both base types, the no-@ fallback for EmailDomain, ExtraAttribute ordering, multi-recipient, and the new guard.

Minor nits (non-blocking):

  • SealPipeline.cs:84nameof(recipients) as the param name is technically accurate but the offending value is r.BaseType; either is fine.
  • The new enum could live in its own file for tidiness, but co-locating with RecipientBuilder is reasonable given it's internal-only.

Ready for human review. Closes #13.

@rubenhensen rubenhensen merged commit 8128f92 into main May 17, 2026
1 check passed
@rubenhensen rubenhensen deleted the fix/issue-13-recipient-basetype-enum branch May 17, 2026 20:33
@github-actions github-actions Bot mentioned this pull request May 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rubenhensen rubenhensen rubenhensen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BuildPolicyJson silently produces empty policy entry for unknown recipient BaseType

1 participant

@rubenhensen