From 5b2e5882b43f3fdf9e32543e0e42568d76d6c040 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 4 Aug 2021 18:06:44 -0400
Subject: [PATCH] acl: move check for Intention.DestinationName into Authorizer

Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445

Move the check for the Intention.DestinationName into the Authorizer to remove the need to check what kind of Authorizer is being used. It sounds like this check is only for legacy ACLs, so is probably just a safeguard .
---
 acl/policy_authorizer.go | 3 +++
 agent/structs/intention.go | 9 ---------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/acl/policy_authorizer.go b/acl/policy_authorizer.go
index af52418c25..9985c8feb1 100644
--- a/acl/policy_authorizer.go
+++ b/acl/policy_authorizer.go
@@ -524,6 +524,9 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) En
 // IntentionWrite checks if writing (creating, updating, or deleting) of an
 // intention is allowed.
 func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
+	if prefix == "" {
+		return Deny
+	}
 	if prefix == "*" {
 		return p.allAllowed(p.intentionRules, AccessWrite)
 	}
diff --git a/agent/structs/intention.go b/agent/structs/intention.go
index 15c4017645..c2240c4149 100644
--- a/agent/structs/intention.go
+++ b/agent/structs/intention.go
@@ -322,16 +322,7 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
 }
 
 func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
-	if authz == acl.ManageAll() {
-		return true
-	}
 	var authzContext acl.AuthorizerContext
-
-	// TODO: this line seems to require checking 'authz == acl.ManageAll()' above
-	if ixn.DestinationName == "" {
-		return false
-	}
-
 	ixn.FillAuthzContext(&authzContext, true)
 	return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow
 }
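Review bot: The empty-prefix guard added at the top of IntentionWrite is undocumented, and the doc comment two lines above still reads as if the decision depends only on the intention rules; add a line such as `// An empty prefix (no destination name) is always denied, regardless of policy.` so the next reader does not treat it as dead code. The guard now lives in policyAuthorizer only, whereas the check removed from CanWrite in agent/structs/intention.go applied to every Authorizer except ManageAll, so any other Authorizer implementation in the acl package (AllowAll, chained or delegating authorizers, if present) will no longer reject an empty DestinationName on write; worth confirming that is intended or adding the same guard there. IntentionRead, named in the hunk header, has no matching guard, so reads and writes now treat an empty prefix differently. The body of IntentionWrite continues past the end of the hunk.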