ppl: fix empty/no-op allow block added in some cases to converted PPL policies (#5289)

Fix empty/no-op allow block added in some cases to converted PPL policies
Joe Kralicky 2024-09-16 18:52:54 -04:00 committed by GitHub
parent 6171c09596
commit d06a101f79
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 76 additions and 2 deletions


@ -77,10 +77,14 @@ func (p *Policy) ToPPL() *parser.Policy {
},
})
}
ppl.Rules = append(ppl.Rules, allowRule)
hasEmbeddedPolicy := (p.Policy != nil && p.Policy.Policy != nil)
// omit the default allow rule if it is empty and there is an embedded policy
if len(allowRule.Or) > 0 || !hasEmbeddedPolicy {
ppl.Rules = append(ppl.Rules, allowRule)
}
// append embedded PPL policy rules
if p.Policy != nil && p.Policy.Policy != nil {
if hasEmbeddedPolicy {
ppl.Rules = append(ppl.Rules, p.Policy.Policy.Rules...)
}