ppl: fix empty/no-op allow block added in some cases to converted PPL policies (#5289)
Fix empty/no-op allow block added in some cases to converted PPL policies
This commit is contained in:
parent
6171c09596
commit
d06a101f79
2 changed files with 76 additions and 2 deletions
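--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -77,10 +77,14 @@ func (p *Policy) ToPPL() *parser.Policy {
 },
 })
 }
-ppl.Rules = append(ppl.Rules, allowRule)
 
+hasEmbeddedPolicy := (p.Policy != nil && p.Policy.Policy != nil)
+// omit the default allow rule if it is empty and there is an embedded policy
+if len(allowRule.Or) > 0 || !hasEmbeddedPolicy {
+ppl.Rules = append(ppl.Rules, allowRule)
+}
 // append embedded PPL policy rules
-if p.Policy != nil && p.Policy.Policy != nil {
+if hasEmbeddedPolicy {
 ppl.Rules = append(ppl.Rules, p.Policy.Policy.Rules...)
 }
 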
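Review bot: The emptiness test in `if len(allowRule.Or) > 0 || !hasEmbeddedPolicy {` looks only at the Or list, so if allowRule were ever populated through the other PPL criterion lists (And, Not, Nor) it would be discarded as "empty" while still carrying conditions; how allowRule is built is not visible here, since ToPPL begins before this hunk. If only Or is ever set above, state that invariant next to the check, e.g. `// allowRule only ever receives Or criteria, so an empty Or means the rule can never match`; otherwise check all four lists. The parentheses in `hasEmbeddedPolicy := (p.Policy != nil && p.Policy.Policy != nil)` are redundant in Go and can be dropped. Worth noting in the same comment that an embedded policy with zero rules now yields a PPL policy with no rules at all, so the reader knows that outcome is intended and how the evaluator treats it.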
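--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -533,3 +533,73 @@ else := value if {
 }
 `, str)
 }
+
+func TestPolicy_ToPPL_Embedded(t *testing.T) {
+policy := Policy{
+Policy: &PPLPolicy{
+Policy: &parser.Policy{
+Rules: []parser.Rule{
+{
+Action: parser.ActionAllow,
+Or: []parser.Criterion{
+{
+Name: "foo",
+Data: parser.Number("5"),
+},
+},
+},
+},
+},
+},
+}
+assert.Equal(t, policy.Policy.Policy, policy.ToPPL())
+
+policy2 := Policy{
+AllowedUsers: []string{"test"},
+Policy: &PPLPolicy{
+Policy: &parser.Policy{
+Rules: []parser.Rule{
+{
+Action: parser.ActionAllow,
+Or: []parser.Criterion{
+{
+Name: "foo",
+Data: parser.Number("5"),
+},
+},
+},
+},
+},
+},
+}
+assert.Equal(t, &parser.Policy{
+Rules: []parser.Rule{
+{
+Action: parser.ActionAllow,
+Or: []parser.Criterion{
+{
+Name: "user",
+Data: parser.Object{
+"is": parser.String("test"),
+},
+},
+{
+Name: "email",
+Data: parser.Object{
+"is": parser.String("test"),
+},
+},
+},
+},
+{
+Action: parser.ActionAllow,
+Or: []parser.Criterion{
+{
+Name: "foo",
+Data: parser.Number("5"),
+},
+},
+},
+},
+}, policy2.ToPPL())
+}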
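Review bot: TestPolicy_ToPPL_Embedded covers an embedded policy with one rule but not the edge case the production change creates: an embedded policy whose Rules is empty now causes ToPPL to drop the default allow rule and return a policy with no rules at all. A third case such as `policy3 := Policy{Policy: &PPLPolicy{Policy: &parser.Policy{}}}` followed by `assert.Empty(t, policy3.ToPPL().Rules)` would pin that outcome, and a short comment beside it should say how a rule-less policy is meant to evaluate so the test documents the intent rather than just the shape. The no-embedded-policy path, where the empty allow rule is still emitted, is presumably covered by the earlier tests in this file but is not visible in this hunk.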