From aca8206c306f4add234662aee4ddcc79f1f52282 Mon Sep 17 00:00:00 2001
From: Will Rouesnel
Date: Thu, 31 Aug 2023 15:36:53 +1000
Subject: [PATCH] Fix IP access list control regression

IP access list control was implemented as default success for an empty access control list - but this had the effect of an empty list default allowing if "Satisfy Any" was set. Fortunately this was bugged, so empty lists default failed - but this broke empty lists for "Satisfy All". This patch is the correct fix: lists now always default fail, but an empty list removes the check from access control considerations. This restores the original implementations behavior and fixes the bug.
---
 backend/templates/_access.conf | 11 +++++++++--
 backend/templates/access.conf | 4 ----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/backend/templates/_access.conf b/backend/templates/_access.conf
index c06d8a6f..583322b3 100644
--- a/backend/templates/_access.conf
+++ b/backend/templates/_access.conf
@@ -2,17 +2,24 @@
 set $auth_basic "Authorization required";
 {% if access_list.satisfy_any == 1 %}
 # Satisfy Any - any check can succeed - so look for success
+ {% if access_list.clients.size != 0 %}
 if ( $access_list_{{ access_list_id }} = 1) {
- set $auth_basic off;
+ set $auth_basic off;
 }
+ {% endif %}
 if ( $ssl_client_verify = "SUCCESS" ) {
- set $auth_basic off;
+ set $auth_basic off;
 }
 {% else %}
 # Satisfy All - all checks must succeed (so handle fails)
+ {% if access_list.clients.size != 0 %}
+ # {{ access_list.clients.size }} IP rules
 if ( $access_list_{{ access_list_id }} = 0) {
 return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
 }
+ {% else %}
+ # Empty IP rules list so no client IP check
+ {% endif %}
 if ( $ssl_client_verify != "SUCCESS" ) {
 return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
 }
diff --git a/backend/templates/access.conf b/backend/templates/access.conf
index 90121fb4..7d2d663d 100644
--- a/backend/templates/access.conf
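Review bot: The empty-list guards `{% if access_list.clients.size != 0 %}` in both Satisfy branches are only safe because access.conf in this same patch now always emits `default 0;` for the geo map, yet nothing in _access.conf records that dependency, so a later change that reintroduces a non-zero default would silently turn "Satisfy Any" back into an implicit allow. Suggest a comment above the first guard: `# Empty client list: skip the IP check entirely. The geo map in access.conf defaults to 0 (deny); it must never be treated as an implicit allow.` The guard also only tests `size != 0`; if the renderer can pass `clients` as undefined rather than an empty array, that comparison presumably still passes and the `if ( $access_list_… )` block is emitted anyway, so `{% if access_list.clients and access_list.clients.size != 0 %}` would be the more defensive form if that case can occur. The two `set $auth_basic off;` lines are whitespace-only re-indentation mixed into a behavioural fix. The enclosing `{% if access_list.satisfy_any == 1 %}` block is closed outside the hunk.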
+++ b/backend/templates/access.conf
@@ -1,10 +1,6 @@
 # Access List Clients for {{ access_list.id }} - {{ access_list.name }}
 geo $realip_remote_addr $access_list_{{ access_list.id }} {
-{% if access_list.client.size == 0 %}
- default 1;
-{% else %}
 default 0;
-{% endif %}
 {% for client in access_list.clients %}
 {% if client.directive == "allow" %}
 {{client.address}} 1;