mirror of https://github.com/status-im/consul.git
agent: default deny on connect authorize endpoint
This commit is contained in:
parent
86a8ce45b9
commit
9a987d6452
|
@ -956,11 +956,15 @@ func (s *HTTPServer) AgentConnectAuthorize(resp http.ResponseWriter, req *http.R
|
|||
}
|
||||
}
|
||||
|
||||
// TODO(mitchellh): default behavior here for now is "deny" but we
|
||||
// should consider how this is determined.
|
||||
// If there was no matching intention, we always deny. Connect does
|
||||
// support a blacklist (default allow) mode, but this works by appending
|
||||
// */* => */* ALLOW intention to all Match requests. This means that
|
||||
// the above should've matched. Therefore, if we reached here, something
|
||||
// strange has happened and we should just deny the connection and err
|
||||
// on the side of safety.
|
||||
return &connectAuthorizeResp{
|
||||
Authorized: false,
|
||||
Reason: "No matching intention, using default behavior",
|
||||
Reason: "No matching intention, denying",
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue