ppl: fix empty/no-op allow block added in some cases to converted PPL policies (#5289)

Fix empty/no-op allow block added in some cases to converted PPL policies
2025-04-28 18:06:34 +02:00 · 2024-09-16 18:52:54 -04:00 · 2024-09-16 18:52:54 -04:00 · d06a101f79
commit d06a101f79
parent 6171c09596
2 changed files with 76 additions and 2 deletions
--- a/config/policy_ppl.go
+++ b/config/policy_ppl.go
@ -77,10 +77,14 @@ func (p *Policy) ToPPL() *parser.Policy {
 				},
 			})
 	}
-	ppl.Rules = append(ppl.Rules, allowRule)

+	hasEmbeddedPolicy := (p.Policy != nil && p.Policy.Policy != nil)
+	// omit the default allow rule if it is empty and there is an embedded policy
+	if len(allowRule.Or) > 0 || !hasEmbeddedPolicy {
+		ppl.Rules = append(ppl.Rules, allowRule)
+	}
 	// append embedded PPL policy rules
-	if p.Policy != nil && p.Policy.Policy != nil {
+	if hasEmbeddedPolicy {
 		ppl.Rules = append(ppl.Rules, p.Policy.Policy.Rules...)
 	}

--- a/config/policy_ppl_test.go
+++ b/config/policy_ppl_test.go
@ -533,3 +533,73 @@ else := value if {
 }
 `, str)
 }
+
+func TestPolicy_ToPPL_Embedded(t *testing.T) {
+	policy := Policy{
+		Policy: &PPLPolicy{
+			Policy: &parser.Policy{
+				Rules: []parser.Rule{
+					{
+						Action: parser.ActionAllow,
+						Or: []parser.Criterion{
+							{
+								Name: "foo",
+								Data: parser.Number("5"),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	assert.Equal(t, policy.Policy.Policy, policy.ToPPL())
+
+	policy2 := Policy{
+		AllowedUsers: []string{"test"},
+		Policy: &PPLPolicy{
+			Policy: &parser.Policy{
+				Rules: []parser.Rule{
+					{
+						Action: parser.ActionAllow,
+						Or: []parser.Criterion{
+							{
+								Name: "foo",
+								Data: parser.Number("5"),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	assert.Equal(t, &parser.Policy{
+		Rules: []parser.Rule{
+			{
+				Action: parser.ActionAllow,
+				Or: []parser.Criterion{
+					{
+						Name: "user",
+						Data: parser.Object{
+							"is": parser.String("test"),
+						},
+					},
+					{
+						Name: "email",
+						Data: parser.Object{
+							"is": parser.String("test"),
+						},
+					},
+				},
+			},
+			{
+				Action: parser.ActionAllow,
+				Or: []parser.Criterion{
+					{
+						Name: "foo",
+						Data: parser.Number("5"),
+					},
+				},
+			},
+		},
+	}, policy2.ToPPL())
+}