[#257] Support flag to deny access if policy rules not found

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2023-12-05 15:49:13 +03:00 · 2023-12-05 15:49:13 +03:00 · 43abf58068
commit 43abf58068
parent ca15acf1d3
8 changed files with 64 additions and 11 deletions
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@ -18,6 +18,7 @@ import (

 type PolicySettings interface {
 	ResolveNamespaceAlias(ns string) string
+	PolicyDenyByDefault() bool
 }

 func PolicyCheck(storage engine.ChainRouter, settings PolicySettings, domains []string, log *zap.Logger) Func {
@ -27,7 +28,7 @@ func PolicyCheck(storage engine.ChainRouter, settings PolicySettings, domains []

 			st, err := policyCheck(storage, settings, domains, r)
 			if err == nil {
-				if st != chain.Allow && st != chain.NoRuleFound { // todo drop 'st != chain.NoRuleFound'
+				if st != chain.Allow && (st != chain.NoRuleFound || settings.PolicyDenyByDefault()) {
 					err = apiErr.GetAPIErrorWithError(apiErr.ErrAccessDenied, fmt.Errorf("policy check: %s", st.String()))
 				}
 			}