Allow empty policies at startup

2025-08-03 00:40:25 +02:00 · 2019-07-01 21:23:14 -04:00 · 2019-07-01 21:23:14 -04:00 · 989062db8e
commit 989062db8e
parent b8463e30c1
9 changed files with 30 additions and 11 deletions
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -2,7 +2,6 @@ package authorize // import "github.com/pomerium/pomerium/authorize"

 import (
 	"encoding/base64"
-	"errors"
 	"fmt"

 	"github.com/pomerium/pomerium/internal/log"
@ -22,9 +21,6 @@ func ValidateOptions(o config.Options) error {
 	if len(decoded) != 32 {
 		return fmt.Errorf("authorize: `SHARED_SECRET` want 32 but got %d bytes", len(decoded))
 	}
-	if len(o.Policies) == 0 {
-		return errors.New("missing setting: no policies defined")
-	}

 	return nil
 }
--- a/authorize/authorize_test.go
+++ b/authorize/authorize_test.go
@ -22,8 +22,8 @@ func TestNew(t *testing.T) {
 		{"bad shared secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true},
 		{"really bad shared secret", "sup", policies, true},
 		{"validation error, short secret", "AZA85podM73CjLCjViDNz1EUvvejKpWp7Hysr0knXA==", policies, true},
-		{"empty options", "", []policy.Policy{}, true},                                                // special case
-		{"missing policies", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", []policy.Policy{}, true}, // special case
+		{"empty options", "", []policy.Policy{}, true},                                                 // special case
+		{"missing policies", "gXK6ggrlIW2HyKyUF9rUO4azrDgxhDPWqw9y+lJU7B8=", []policy.Policy{}, false}, // special case
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/authorize/identity.go
+++ b/authorize/identity.go
@ -56,6 +56,13 @@ type whitelist struct {
 // newIdentityWhitelistMap takes a slice of policies and creates a hashmap of identity
 // authorizations per-route for each allowed group, domain, and email.
 func newIdentityWhitelistMap(policies []policy.Policy, admins []string) *whitelist {
+
+	policyCount := len(policies)
+	if policyCount == 0 {
+		log.Warn().Msg("authorize: loaded configuration with no policies specified")
+	}
+	log.Info().Int("policy-count", policyCount).Msg("authorize: updated policies")
+
 	var wl whitelist
 	wl.access = make(map[string]bool, len(policies)*3)
 	for _, p := range policies {
--- a/authorize/identity_test.go
+++ b/authorize/identity_test.go
@ -50,6 +50,7 @@ func Test_IdentityWhitelistMap(t *testing.T) {
 		{"valid user email", []policy.Policy{{From: "example.com", AllowedEmails: []string{"user@example.com"}}}, "example.com", &Identity{Email: "user@example.com"}, nil, true},
 		{"invalid user email", []policy.Policy{{From: "example.com", AllowedEmails: []string{"user@example.com"}}}, "example.com", &Identity{Email: "user2@example.com"}, nil, false},
 		{"empty everything", []policy.Policy{{From: "example.com"}}, "example.com", &Identity{Email: "user2@example.com"}, nil, false},
+		{"empty policy", []policy.Policy{}, "example.com", &Identity{Email: "user@example.com"}, nil, false},
 		// impersonation related
 		{"admin not impersonating allowed", []policy.Policy{{From: "example.com", AllowedDomains: []string{"example.com"}}}, "example.com", &Identity{Email: "admin@example.com"}, []string{"admin@example.com"}, true},
 		{"admin not impersonating denied", []policy.Policy{{From: "example.com", AllowedDomains: []string{"example.com"}}}, "example.com", &Identity{Email: "admin@admin-domain.com"}, []string{"admin@admin-domain.com"}, false},