agent: default deny on connect authorize endpoint

Mitchell Hashimoto 2018-03-25 15:00:59 -10:00
parent 86a8ce45b9
commit 9a987d6452
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
1 changed files with 7 additions and 3 deletions


@ -956,11 +956,15 @@ func (s *HTTPServer) AgentConnectAuthorize(resp http.ResponseWriter, req *http.R
}
}
// TODO(mitchellh): default behavior here for now is "deny" but we
// should consider how this is determined.
// If there was no matching intention, we always deny. Connect does
// support a blacklist (default allow) mode, but this works by appending
// */* => */* ALLOW intention to all Match requests. This means that
// the above should've matched. Therefore, if we reached here, something
// strange has happened and we should just deny the connection and err
// on the side of safety.
return &connectAuthorizeResp{
Authorized: false,
Reason: "No matching intention, using default behavior",
Reason: "No matching intention, denying",
}, nil
}
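Review bot: The fallthrough return at the end of AgentConnectAuthorize is described by the new comment as a state that should never be reached, yet it fails closed silently. It returns `Authorized: false` with a nil error and nothing is logged, so an operator cannot tell this anomaly apart from an ordinary intention-based deny. Denying is the right default, but the path should also be observable, for example by adding a warning just before the return, assuming the agent's logger is reachable as `s.agent.logger` here: `s.agent.logger.Printf("[WARN] agent: connect authorize found no matching intention, denying")`. The comment's claim that default-allow mode always appends a `*/* => */*` ALLOW intention depends on the Match call, which is outside this hunk. A test that pins the deny result when Match returns no intentions would keep the fail-closed behaviour from regressing. The function body starts above the hunk, so the matching loop itself was not reviewed.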