From 72ae6dc639a55df5e7c005f76d59b9d58821191f Mon Sep 17 00:00:00 2001
From: Ishan Arya
Date: Thu, 7 Mar 2024 16:19:46 +0530
Subject: [PATCH] feat: allow by default if none of the permission is evaluated (#32)

* feat: allow by default if none of the permission is evaluated"
* feat: should return error when no permission configured
* feat: add ns and path
* feat: change error label
---
 internal/proxy/middleware/authz/authz.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/internal/proxy/middleware/authz/authz.go b/internal/proxy/middleware/authz/authz.go
index 5f321f142..fcd85d15d 100644
--- a/internal/proxy/middleware/authz/authz.go
+++ b/internal/proxy/middleware/authz/authz.go
@@ -115,6 +115,12 @@ func (c *Authz) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	if valid, err := config.validate(); !valid {
+		c.log.Error("middleware", c.Info().Name, "path", rule.Frontend.URLRx, "backend", rule.Backend.Namespace, "err", err)
+		c.notAllowed(rw, nil)
+		return
+	}
+
 	permissionAttributes := map[string]interface{}{}
 	permissionAttributes["namespace"] = rule.Backend.Namespace
 
@@ -219,7 +225,7 @@ func (c *Authz) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		permissionAttributes[key] = value
 	}
 
-	isAuthorized := false
+	isAuthorized := true
 	for _, permission := range config.Permissions {
 		c.log.Info("checking permission", "permission", permission.Name)
 		if !permission.Expression.IsEmpty() {
@@ -297,6 +303,14 @@ func (w Authz) notAllowed(rw http.ResponseWriter, err error) {
 	rw.WriteHeader(http.StatusUnauthorized)
 }
 
+func (cg Config) validate() (bool, error) {
+	if len(cg.Permissions) == 0 {
+		return false, errors.New("no permissions configured")
+	}
+
+	return true, nil
+}
+
 func enrichExpression(exp expression.Expression, attributes map[string]interface{}) expression.Expression {
 	if val, ok := attributes[exp.Attribute.(string)]; ok {
 		exp.Attribute = val
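Review bot: `validate` (defined in the third hunk) returns `(bool, error)` where the bool is always exactly `err == nil`, so the call site here tests `!valid` and only forwards `err` to the log; idiomatic Go drops the redundant bool — `func (cg Config) validate() error` returning `errors.New("no permissions configured")` or `nil`, and here `if err := config.validate(); err != nil {`. The branch then answers with `c.notAllowed(rw, nil)`, which per the third hunk writes `http.StatusUnauthorized` for what is a rule with no permissions, i.e. a configuration defect rather than a failed credential; failing closed is the right outcome, but presumably this could be rejected once when rules are loaded instead of on every matching request — confirm whether config loading has a validation hook. `errors` must already be imported by the file for the third hunk to compile; cannot confirm from the diff. ServeHTTP starts and ends outside this hunk.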
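Review bot: Flipping the initial value to `isAuthorized := true` makes this middleware fail open: a request whose rule has permissions but none of which the loop actually evaluates is now allowed, and since the loop body lies outside this hunk the loop must set `isAuthorized = false` on every explicit deny or that denial is silently lost. That is the commit's stated intent, but it deserves a comment at the assignment so a later reader does not "fix" it back: `// Fail-open by design (#32): the request is allowed unless a permission below is evaluated and denies it.` If a single evaluated deny is meant to win regardless of what later permissions return, consider tracking whether any permission was evaluated in a separate variable rather than relying on the initial value — cannot confirm from the hunk how the loop assigns isAuthorized.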