diff --git a/config/policy_ppl.go b/config/policy_ppl.go
index 9826c7950..844dc774a 100644
--- a/config/policy_ppl.go
+++ b/config/policy_ppl.go
@@ -77,10 +77,14 @@ func (p *Policy) ToPPL() *parser.Policy {
 },
 })
 }
- ppl.Rules = append(ppl.Rules, allowRule)
+ hasEmbeddedPolicy := (p.Policy != nil && p.Policy.Policy != nil)
+ // omit the default allow rule if it is empty and there is an embedded policy
+ if len(allowRule.Or) > 0 || !hasEmbeddedPolicy {
+ ppl.Rules = append(ppl.Rules, allowRule)
+ }
 
 // append embedded PPL policy rules
- if p.Policy != nil && p.Policy.Policy != nil {
+ if hasEmbeddedPolicy {
 ppl.Rules = append(ppl.Rules, p.Policy.Policy.Rules...)
 }
 
diff --git a/config/policy_ppl_test.go b/config/policy_ppl_test.go
index 37cd322fa..f66e65d0f 100644
--- a/config/policy_ppl_test.go
+++ b/config/policy_ppl_test.go
@@ -533,3 +533,73 @@ else := value if {
 }
 `, str)
 }
+
+func TestPolicy_ToPPL_Embedded(t *testing.T) {
+ policy := Policy{
+ Policy: &PPLPolicy{
+ Policy: &parser.Policy{
+ Rules: []parser.Rule{
+ {
+ Action: parser.ActionAllow,
+ Or: []parser.Criterion{
+ {
+ Name: "foo",
+ Data: parser.Number("5"),
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+ assert.Equal(t, policy.Policy.Policy, policy.ToPPL())
+
+ policy2 := Policy{
+ AllowedUsers: []string{"test"},
+ Policy: &PPLPolicy{
+ Policy: &parser.Policy{
+ Rules: []parser.Rule{
+ {
+ Action: parser.ActionAllow,
+ Or: []parser.Criterion{
+ {
+ Name: "foo",
+ Data: parser.Number("5"),
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+ assert.Equal(t, &parser.Policy{
+ Rules: []parser.Rule{
+ {
+ Action: parser.ActionAllow,
+ Or: []parser.Criterion{
+ {
+ Name: "user",
+ Data: parser.Object{
+ "is": parser.String("test"),
+ },
+ },
+ {
+ Name: "email",
+ Data: parser.Object{
+ "is": parser.String("test"),
+ },
+ },
+ },
+ },
+ {
+ Action: parser.ActionAllow,
+ Or: []parser.Criterion{
+ {
+ Name: "foo",
+ Data: parser.Number("5"),
+ },
+ },
+ },
+ },
+ }, policy2.ToPPL())
+}
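Review bot: The new guard `if len(allowRule.Or) > 0 || !hasEmbeddedPolicy` still appends an allow rule whose `Or` is empty whenever there is no embedded policy, and nothing in the hunk says how the PPL evaluator treats a rule with zero criteria (never matching, or unconditional allow); since that decides whether an otherwise unconfigured route fails closed, the comment should state it so reviewers can confirm the reading rather than infer it. Suggest extending the added comment to `// an allow rule with no criteria is still emitted when no embedded policy exists; TODO(review): document how the evaluator treats a criterion-less allow rule`. Minor style: the parentheses in `hasEmbeddedPolicy := (p.Policy != nil && p.Policy.Policy != nil)` are redundant in Go and gofmt keeps them, so `hasEmbeddedPolicy := p.Policy != nil && p.Policy.Policy != nil` reads cleaner. ToPPL begins before this hunk.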
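Review bot: TestPolicy_ToPPL_Embedded does not exercise the branch the production change is guarding in the other direction, a Policy with no allow criteria and no embedded PPL policy, which per the new `!hasEmbeddedPolicy` condition should still yield exactly one criterion-less allow rule; unless an earlier test in this file already pins that, a third case asserting it would catch a regression that silently drops the default rule. The identical embedded `*parser.Policy` literal is built twice (for `policy` and `policy2`), so a small local helper returning that literal would shorten the test and make the only difference between the two cases, `AllowedUsers`, visible at a glance.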