From 3a2e6ce10a12ddd823590d913072737cc07409a1 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Thu, 16 Jan 2025 08:53:06 -0800
Subject: [PATCH] config: fix JWT groups filter option (#5429)

When applying the settings proto, update the JWT groups filter option only if the filter set is non-empty. This is important when deploying Pomerium via the Ingress Controller in combination with Pomerium Enterprise. In this scenario there is a settings proto applied from both Ingress Controller and the Enterprise console, and we want to make sure the one from Ingress Controller does not overwrite the filter settings from Enterprise.
---
 config/options.go | 4 +++-
 config/options_test.go | 13 +++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/config/options.go b/config/options.go
index 612dcdbf6..b4a4494a7 100644
--- a/config/options.go
+++ b/config/options.go
@@ -1512,7 +1512,9 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 set(&o.SigningKey, settings.SigningKey)
 setMap(&o.SetResponseHeaders, settings.SetResponseHeaders)
 setMap(&o.JWTClaimsHeaders, settings.JwtClaimsHeaders)
- o.JWTGroupsFilter = NewJWTGroupsFilter(settings.JwtGroupsFilter)
+ if len(settings.JwtGroupsFilter) > 0 {
+ o.JWTGroupsFilter = NewJWTGroupsFilter(settings.JwtGroupsFilter)
+ }
 setDuration(&o.DefaultUpstreamTimeout, settings.DefaultUpstreamTimeout)
 set(&o.MetricsAddr, settings.MetricsAddress)
 set(&o.MetricsBasicAuth, settings.MetricsBasicAuth)
diff --git a/config/options_test.go b/config/options_test.go
index c4c0271f5..03aa8a39e 100644
--- a/config/options_test.go
+++ b/config/options_test.go
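Review bot: The new `if len(settings.JwtGroupsFilter) > 0` guard in ApplySettings means a settings message can no longer clear a filter once one has been applied, because an empty list is now read as "not set by this source" rather than "no filter". Since this filter presumably limits which groups reach the JWT, that asymmetry should be stated at the guard, e.g. `// Empty means "unset" here: keep a filter applied by an earlier settings source; this cannot clear one.` Two non-empty sources still overwrite each other, so the effective filter depends on the order in which the settings are applied; if the Enterprise filter must always win, that ordering is worth confirming in the caller. The rest of ApplySettings is outside the hunk, so whether `o` is rebuilt from the base config before each apply cannot be seen here.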
@@ -976,6 +976,19 @@ func TestOptions_ApplySettings(t *testing.T) {
 })
 assert.Equal(t, "#333333", options.BrandingOptions.GetPrimaryColor())
 })
+
+ t.Run("jwt_groups_filter", func(t *testing.T) {
+ options := NewDefaultOptions()
+ options.ApplySettings(ctx, nil, &configpb.Settings{
+ JwtGroupsFilter: []string{"foo", "bar", "baz"},
+ })
+ options.ApplySettings(ctx, nil, &configpb.Settings{})
+ assert.Equal(t, NewJWTGroupsFilter([]string{"foo", "bar", "baz"}), options.JWTGroupsFilter)
+ options.ApplySettings(ctx, nil, &configpb.Settings{
+ JwtGroupsFilter: []string{"quux", "zulu"},
+ })
+ assert.Equal(t, NewJWTGroupsFilter([]string{"quux", "zulu"}), options.JWTGroupsFilter)
+ })
 }
 
 func TestOptions_GetSetResponseHeaders(t *testing.T) {
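Review bot: The `jwt_groups_filter` subtest covers only a `Settings{}` whose filter is nil; an explicitly empty list takes the same `len(...) > 0` branch in ApplySettings but is not pinned. Adding `options.ApplySettings(ctx, nil, &configpb.Settings{JwtGroupsFilter: []string{}})` followed by the same `assert.Equal` on the foo/bar/baz filter would document that both forms preserve an existing filter. An assertion directly after the first apply would also make a failure point at the step that broke. `ctx` and the enclosing test function start outside the hunk.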