config: fix JWT groups filter option (#5429)

When applying the settings proto, update the JWT groups filter option
only if the filter set is non-empty.

This is important when deploying Pomerium via the Ingress Controller in
combination with Pomerium Enterprise. In this scenario there is a
settings proto applied from both Ingress Controller and the Enterprise
console, and we want to make sure the one from Ingress Controller does
not overwrite the filter settings from Enterprise.

config/options.go

@@ -1516,7 +1516,9 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 	set(&o.SigningKey, settings.SigningKey)
 	setMap(&o.SetResponseHeaders, settings.SetResponseHeaders)
 	setMap(&o.JWTClaimsHeaders, settings.JwtClaimsHeaders)
-	o.JWTGroupsFilter = NewJWTGroupsFilter(settings.JwtGroupsFilter)
+	if len(settings.JwtGroupsFilter) > 0 {
+		o.JWTGroupsFilter = NewJWTGroupsFilter(settings.JwtGroupsFilter)
+	}
 	setDuration(&o.DefaultUpstreamTimeout, settings.DefaultUpstreamTimeout)
 	set(&o.MetricsAddr, settings.MetricsAddress)
 	set(&o.MetricsBasicAuth, settings.MetricsBasicAuth)

config/options_test.go

@@ -976,6 +976,19 @@ func TestOptions_ApplySettings(t *testing.T) {
 		})
 		assert.Equal(t, "#333333", options.BrandingOptions.GetPrimaryColor())
 	})
+
+	t.Run("jwt_groups_filter", func(t *testing.T) {
+		options := NewDefaultOptions()
+		options.ApplySettings(ctx, nil, &configpb.Settings{
+			JwtGroupsFilter: []string{"foo", "bar", "baz"},
+		})
+		options.ApplySettings(ctx, nil, &configpb.Settings{})
+		assert.Equal(t, NewJWTGroupsFilter([]string{"foo", "bar", "baz"}), options.JWTGroupsFilter)
+		options.ApplySettings(ctx, nil, &configpb.Settings{
+			JwtGroupsFilter: []string{"quux", "zulu"},
+		})
+		assert.Equal(t, NewJWTGroupsFilter([]string{"quux", "zulu"}), options.JWTGroupsFilter)
+	})
 }
 
 func TestXXX(t *testing.T) {