From 589fe22138a7151f9732b3d8e3bc9f12b9f27191 Mon Sep 17 00:00:00 2001 From: Stavros Date: Thu, 16 Jul 2026 14:30:48 +0300 Subject: [PATCH] tests: add tests for abstain in oauth whitelist --- internal/service/access_controls_rules.go | 6 +++--- internal/service/access_controls_rules_test.go | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/internal/service/access_controls_rules.go b/internal/service/access_controls_rules.go index e506db12..318894d2 100644 --- a/internal/service/access_controls_rules.go +++ b/internal/service/access_controls_rules.go @@ -1,6 +1,7 @@ package service import ( + "errors" "regexp" "strings" @@ -43,8 +44,7 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect { rule.Log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist") match, err := utils.CheckFilter(ctx.ACLs.OAuth.Whitelist, ctx.UserContext.OAuth.Email) if err != nil { - // Empty whitelist means "not configured" — let OAuth group rules decide. - if err == utils.ErrFilterEmpty { + if errors.Is(err, utils.ErrFilterEmpty) { rule.Log.App.Debug().Msg("OAuth whitelist is empty, abstaining") return EffectAbstain } @@ -77,7 +77,7 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect { match, err := utils.CheckFilter(ctx.ACLs.Users.Allow, ctx.UserContext.GetUsername()) if err != nil { - if err == utils.ErrFilterEmpty { + if errors.Is(err, utils.ErrFilterEmpty) { return EffectAbstain } rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users allow list") diff --git a/internal/service/access_controls_rules_test.go b/internal/service/access_controls_rules_test.go index f3371801..7cb0f8ba 100644 --- a/internal/service/access_controls_rules_test.go +++ b/internal/service/access_controls_rules_test.go @@ -44,6 +44,21 @@ func TestUserAllowedRule(t *testing.T) { }, expected: EffectAbstain, }, + { + name: "abstains when filter is empty", + ctx: &ACLContext{ + ACLs: &model.App{ + OAuth: model.AppOAuth{Whitelist: ""}, + }, + UserContext: &model.UserContext{ + Provider: model.ProviderOAuth, + OAuth: &model.OAuthContext{ + BaseContext: model.BaseContext{Username: "alice"}, + }, + }, + }, + expected: EffectAbstain, + }, { name: "allows OAuth user when email matches whitelist", ctx: &ACLContext{