From 9a987d64523d5e428c774c73816d38f93caae638 Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto
Date: Sun, 25 Mar 2018 15:00:59 -1000
Subject: [PATCH] agent: default deny on connect authorize endpoint
---
 agent/agent_endpoint.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index cb4d06c59f..0f9ccb8529 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -956,11 +956,15 @@ func (s *HTTPServer) AgentConnectAuthorize(resp http.ResponseWriter, req *http.R
 }
 }
- // TODO(mitchellh): default behavior here for now is "deny" but we
- // should consider how this is determined.
+ // If there was no matching intention, we always deny. Connect does
+ // support a blacklist (default allow) mode, but this works by appending
+ // */* => */* ALLOW intention to all Match requests. This means that
+ // the above should've matched. Therefore, if we reached here, something
+ // strange has happened and we should just deny the connection and err
+ // on the side of safety.
 return &connectAuthorizeResp{
 Authorized: false,
- Reason: "No matching intention, using default behavior",
+ Reason: "No matching intention, denying",
 }, nil
 }
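Review bot: The new comment above the final `return` says that reaching it means "something strange has happened", but by the comment's own account that holds only in default-allow mode; when no wildcard intention is appended, this return looks like the ordinary no-match path. I would separate the two cases, e.g. `// No intention matched: deny. In default-allow mode Match appends */* => */* ALLOW, so reaching this point then is unexpected.` Because the unexpected case is a fail-closed deny that is otherwise silent, a log line or counter on this path would let operators tell a broken Match reply apart from a policy deny, and the patch (one file changed) adds no test pinning the deny for an empty match list. AgentConnectAuthorize begins above the hunk, so how the match loop can fall through is not visible here.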