diff --git a/internal/model/config.go b/internal/model/config.go
index 1379a29a..36548e04 100644
--- a/internal/model/config.go
+++ b/internal/model/config.go
@@ -24,7 +24,7 @@ func NewDefaultConfiguration() *Config {
 SessionMaxLifetime: 0, // disabled
 LoginTimeout: 300, // 5 minutes
 LoginMaxRetries: 3,
- ACLS: ACLSConfig{
+ ACLs: ACLsConfig{
 Policy: "allow",
 },
 },
@@ -117,7 +117,7 @@ type AuthConfig struct {
 LoginTimeout int `description:"Login timeout in seconds." yaml:"loginTimeout"`
 LoginMaxRetries int `description:"Maximum login retries." yaml:"loginMaxRetries"`
 TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
- ACLS ACLSConfig `description:"ACLs configuration." yaml:"acls"`
+ ACLs ACLsConfig `description:"ACLs configuration." yaml:"acls"`
 }
 type UserAttributes struct {
@@ -227,8 +227,8 @@ type OIDCClientConfig struct {
 Name string `description:"Client name in UI." yaml:"name"`
 }
-type ACLSConfig struct {
- Policy string `description:"ACL policy for allow-by-default or deny-by-defaut, available options are allow and deny default is allow." yaml:"policy"`
+type ACLsConfig struct {
+ Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
 }
 // ACLs
diff --git a/internal/service/access_controls_service.go b/internal/service/access_controls_service.go
index 992ed85a..4741fe11 100644
--- a/internal/service/access_controls_service.go
+++ b/internal/service/access_controls_service.go
@@ -13,17 +13,17 @@ type AccessControlPolicy string
 const (
 PolicyAllow AccessControlPolicy = "allow"
- PolicyBlock AccessControlPolicy = "block"
+ PolicyDeny AccessControlPolicy = "deny"
 )
 func accessControlPolicyFromString(s string) (AccessControlPolicy, bool) {
 switch strings.ToLower(s) {
 case "allow":
 return PolicyAllow, true
- case "block":
- return PolicyBlock, true
+ case "deny":
+ return PolicyDeny, true
 default:
- return "", false
+ return PolicyAllow, false
 }
 }
@@ -49,17 +49,16 @@ func NewAccessControlsService(
 labelProvider: labelProvider,
 }
- policy, ok := accessControlPolicyFromString(config.Auth.ACLS.Policy)
+ policy, ok := accessControlPolicyFromString(config.Auth.ACLs.Policy)
 if !ok {
- log.App.Warn().Str("policy", config.Auth.ACLS.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
- service.policy = PolicyAllow
+ log.App.Warn().Str("policy", config.Auth.ACLs.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
 }
 if policy == PolicyAllow {
 log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 } else {
- log.App.Debug().Msg("Using 'block' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+ log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 }
 service.policy = policy
@@ -121,7 +120,7 @@ func (service *AccessControlsService) IsUserAllowed(context model.UserContext, a
 }
 service.log.App.Debug().Msg("Checking users allow list")
- return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
+ return service.policyResult(utils.CheckFilter(acls.Users.Allow, context.GetUsername()))
 }
 func (service *AccessControlsService) IsInOAuthGroup(context model.UserContext, acls *model.App) bool {
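Review bot: `accessControlPolicyFromString` now maps every unrecognised value, including the previous release's `block`, to `PolicyAllow, false`, and the `NewAccessControlsService` hunk (whose function starts outside the hunk) drops its own fallback assignment, so a deployment that still has `policy: block` silently fails open with only a warning log. A rename of a security-relevant policy value should keep the old spelling as an alias, `case "block", "deny":` / `return PolicyDeny, true`, or refuse to start on an unknown policy rather than pick the permissive one. Returning `PolicyAllow` together with `ok == false` also hides the fallback inside the parser; keeping the explicit `service.policy = PolicyAllow` at the call site (or returning `"", false` as before) keeps the fail-open decision visible where it is made.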
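Review bot: The return of `IsUserAllowed` now goes through `service.policyResult`, which is not defined in this diff, so a reader cannot tell what a non-matching or empty `acls.Users.Allow` list yields under each policy; a call-site comment such as `// under the deny policy a miss in the allow list rejects; under allow it falls through to the default` (worded to match what policyResult actually does) would make the access decision auditable. IsUserAllowed starts outside the hunk and its earlier return paths are not visible here, so whether they also pass through policyResult cannot be confirmed from this hunk and deserves a check.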
@@ -211,8 +210,8 @@ func (service *AccessControlsService) IsIPAllowed(ip string, acls *model.App) bo
 }
 // Merge the global and app IP filter
- blockedIps := append(service.config.Auth.IP.Block, acls.IP.Block...)
- allowedIPs := append(service.config.Auth.IP.Allow, acls.IP.Allow...)
+ blockedIps := append(acls.IP.Block, service.config.Auth.IP.Block...)
+ allowedIPs := append(acls.IP.Allow, service.config.Auth.IP.Allow...)
 for _, blocked := range blockedIps {
 res, err := utils.FilterIP(blocked, ip)
diff --git a/internal/test/test.go b/internal/test/test.go
index 51b482ff..415591fa 100644
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -40,6 +40,9 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 SessionExpiry: 10,
 LoginTimeout: 10,
 LoginMaxRetries: 3,
+ ACLs: model.ACLsConfig{
+ Policy: "allow",
+ },
 },
 Database: model.DatabaseConfig{
 Path: filepath.Join(tempDir, "test.db"),
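Review bot: `append(acls.IP.Block, service.config.Auth.IP.Block...)` appends onto a slice the service does not own: when `acls.IP.Block` has spare capacity the global entries are written into the app's backing array, and two concurrent `IsIPAllowed` calls for the same `*model.App` then race on that array (the previous order had the same problem with the global config slice as the base). Build the merged lists in fresh storage, `blockedIps := append(append(acls.IP.Block[:0:0], acls.IP.Block...), service.config.Auth.IP.Block...)` and the same shape for `allowedIPs`, or `slices.Concat(acls.IP.Block, service.config.Auth.IP.Block)` if the module is on Go 1.22 or later. The reason for putting app entries before global ones is not stated; if evaluation order affects the result, a one-line comment on the merge would preserve that intent. IsIPAllowed starts and ends outside the hunk.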