policy: Allow duplicate statements with different effects (#8775)

This allows "Allow" and "Deny" conflicting statements, where we evaluate to implicit "Deny".
2025-11-20 01:50:24 -05:00 · 2020-01-08 23:00:54 -08:00
parent abc1c1070a
commit c2cde6beb5
4 changed files with 97 additions and 7 deletions
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -88,6 +88,10 @@ func (policy Policy) isValid() error {

 	for i := range policy.Statements {
 		for _, statement := range policy.Statements[i+1:] {
+			if policy.Statements[i].Effect != statement.Effect {
+				continue
+			}
+
 			principals := policy.Statements[i].Principal.Intersection(statement.Principal)
 			if principals.IsEmpty() {
 				continue