From b6c5a5014811e2abbd823d54ff8135b749568680 Mon Sep 17 00:00:00 2001
From: Dreaded_X <tim@huizinga.dev>
Date: Tue, 23 Dec 2025 03:23:43 +0100
Subject: [PATCH] feat: Default access policy one factor if no rules

---
 src/resources/access_control_rule.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/resources/access_control_rule.rs b/src/resources/access_control_rule.rs
index cd25b7a..c31a6d8 100644
--- a/src/resources/access_control_rule.rs
+++ b/src/resources/access_control_rule.rs
@@ -49,6 +49,7 @@ struct AccessControl {
 
 #[derive(Serialize, Deserialize, Clone, Debug, Hash)]
 struct TopLevel {
+    default_policy: AccessPolicy,
     access_control: AccessControl,
 }
 
@@ -60,13 +61,19 @@ impl AccessControlRule {
         debug!("Updating acl");
         rules.sort_by_cached_key(|rule| rule.name_any());
 
-        let rules = rules
+        let rules: Vec<_> = rules
             .iter()
             .inspect(|rule| trace!(name = rule.name_any(), "Rule found"))
             .map(|rule| rule.spec.clone())
             .collect();
 
         let top = TopLevel {
+            // TODO: Make sure configurable?
+            default_policy: if rules.is_empty() {
+                AccessPolicy::OneFactor
+            } else {
+                AccessPolicy::Deny
+            },
             access_control: AccessControl { rules },
         };