authorize: fix empty sub policy arrays (#2119)

authorize/evaluator/evaluator.go

@@ -97,6 +97,11 @@ func (e *Evaluator) Evaluate(ctx context.Context, req *Request) (*Result, error)
 	)
 
 	allow := getAllowVar(res[0].Bindings.WithoutWildcards())
+	log.Info(ctx).
+		Bool("ALLOW", allow).
+		Interface("SESSION", req.Session).
+		Interface("RESULT", res[0].Bindings.WithoutWildcards()).
+		Send()
 	// evaluate any custom policies
 	if allow {
 		for _, src := range req.CustomPolicies {

authorize/evaluator/opa/policy/authz.rego

@@ -394,16 +394,21 @@ element_in_list(list, elem) {
 }
 
 get_allowed_users(policy) = v {
-	sub_allowed_users = [sp.allowed_users | sp := policy.sub_policies[_]]
-	v := {x | x = array.concat(policy.allowed_users, [u | u := policy.sub_policies[_].allowed_users[_]])[_]}
+	sub_array := [x | x = policy.sub_policies[_].allowed_users[_]]
+	main_array := [x | x = policy.allowed_users[_]]
+	v := {x | x = array.concat(main_array, sub_array)[_]}
 }
 
 get_allowed_domains(policy) = v {
-	v := {x | x = array.concat(policy.allowed_domains, [u | u := policy.sub_policies[_].allowed_domains[_]])[_]}
+	sub_array := [x | x = policy.sub_policies[_].allowed_domains[_]]
+	main_array := [x | x = policy.allowed_domains[_]]
+	v := {x | x = array.concat(main_array, sub_array)[_]}
 }
 
 get_allowed_groups(policy) = v {
-	v := {x | x = array.concat(policy.allowed_groups, [u | u := policy.sub_policies[_].allowed_groups[_]])[_]}
+	sub_array := [x | x = policy.sub_policies[_].allowed_groups[_]]
+	main_array := [x | x = policy.allowed_groups[_]]
+	v := {x | x = array.concat(main_array, sub_array)[_]}
 }
 
 get_allowed_idp_claims(policy) = v {

authorize/evaluator/opa_test.go

@@ -278,6 +278,39 @@ func TestOPA(t *testing.T) {
 			}, true)
 			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
+		t.Run("allowed sub", func(t *testing.T) {
+			res := eval(t, []config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com:8000")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					SubPolicies: []config.SubPolicy{
+						{
+							AllowedUsers: []string{"a@example.com"},
+						},
+					},
+				},
+			}, []proto.Message{
+				&session.Session{
+					Id:     "session1",
+					UserId: "user1",
+				},
+				&user.User{
+					Id:    "user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com:8000",
+				},
+			}, true)
+			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
 		t.Run("denied", func(t *testing.T) {
 			res := eval(t, []config.Policy{
 				{
@@ -430,6 +463,40 @@ func TestOPA(t *testing.T) {
 			}, true)
 			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
 		})
+		t.Run("allowed sub", func(t *testing.T) {
+			res := eval(t, []config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL("https://from.example.com")},
+					To: config.WeightedURLs{
+						{URL: *mustParseURL("https://to.example.com")},
+					},
+					SubPolicies: []config.SubPolicy{
+						{
+							AllowedDomains: []string{"example.com"},
+						},
+					},
+				},
+			}, []proto.Message{
+				&user.ServiceAccount{Id: "serviceaccount1"},
+				&session.Session{
+					Id:     "session1",
+					UserId: "example/user1",
+				},
+				&user.User{
+					Id:    "example/user1",
+					Email: "a@example.com",
+				},
+			}, &Request{
+				Session: RequestSession{
+					ID: "session1",
+				},
+				HTTP: RequestHTTP{
+					Method: "GET",
+					URL:    "https://from.example.com",
+				},
+			}, true)
+			assert.True(t, res.Bindings["result"].(M)["allow"].(bool))
+		})
 		t.Run("denied", func(t *testing.T) {
 			res := eval(t, []config.Policy{
 				{