fix: review comments

2026-05-15 00:31:20 +00:00 · 2026-05-12 18:17:01 +03:00
parent 3fd56272d2
commit b9abab2f17
3 changed files with 17 additions and 15 deletions
@@ -24,7 +24,7 @@ func NewDefaultConfiguration() *Config {
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
-			ACLS: ACLSConfig{
+			ACLs: ACLsConfig{
 				Policy: "allow",
 			},
 		},
@@ -117,7 +117,7 @@ type AuthConfig struct {
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
-	ACLS               ACLSConfig                `description:"ACLs configuration." yaml:"acls"`
+	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }

 type UserAttributes struct {
@@ -227,8 +227,8 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }

-type ACLSConfig struct {
-	Policy string `description:"ACL policy for allow-by-default or deny-by-defaut, available options are allow and deny default is allow." yaml:"policy"`
+type ACLsConfig struct {
+	Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
 }

 // ACLs
@@ -13,17 +13,17 @@ type AccessControlPolicy string

 const (
 	PolicyAllow AccessControlPolicy = "allow"
-	PolicyBlock AccessControlPolicy = "block"
+	PolicyDeny  AccessControlPolicy = "deny"
 )

 func accessControlPolicyFromString(s string) (AccessControlPolicy, bool) {
 	switch strings.ToLower(s) {
 	case "allow":
 		return PolicyAllow, true
-	case "block":
-		return PolicyBlock, true
+	case "deny":
+		return PolicyDeny, true
 	default:
-		return "", false
+		return PolicyAllow, false
 	}
 }

@@ -49,17 +49,16 @@ func NewAccessControlsService(
 		labelProvider: labelProvider,
 	}

-	policy, ok := accessControlPolicyFromString(config.Auth.ACLS.Policy)
+	policy, ok := accessControlPolicyFromString(config.Auth.ACLs.Policy)

 	if !ok {
-		log.App.Warn().Str("policy", config.Auth.ACLS.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
-		service.policy = PolicyAllow
+		log.App.Warn().Str("policy", config.Auth.ACLs.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
 	}

 	if policy == PolicyAllow {
 		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 	} else {
-		log.App.Debug().Msg("Using 'block' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 	}

 	service.policy = policy
@@ -121,7 +120,7 @@ func (service *AccessControlsService) IsUserAllowed(context model.UserContext, a
 	}

 	service.log.App.Debug().Msg("Checking users allow list")
-	return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
+	return service.policyResult(utils.CheckFilter(acls.Users.Allow, context.GetUsername()))
 }

 func (service *AccessControlsService) IsInOAuthGroup(context model.UserContext, acls *model.App) bool {
@@ -211,8 +210,8 @@ func (service *AccessControlsService) IsIPAllowed(ip string, acls *model.App) bo
 	}

 	// Merge the global and app IP filter
-	blockedIps := append(service.config.Auth.IP.Block, acls.IP.Block...)
-	allowedIPs := append(service.config.Auth.IP.Allow, acls.IP.Allow...)
+	blockedIps := append(acls.IP.Block, service.config.Auth.IP.Block...)
+	allowedIPs := append(acls.IP.Allow, service.config.Auth.IP.Allow...)

 	for _, blocked := range blockedIps {
 		res, err := utils.FilterIP(blocked, ip)
@@ -40,6 +40,9 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			SessionExpiry:   10,
 			LoginTimeout:    10,
 			LoginMaxRetries: 3,
+			ACLs: model.ACLsConfig{
+				Policy: "allow",
+			},
 		},
 		Database: model.DatabaseConfig{
 			Path: filepath.Join(tempDir, "test.db"),