mirror of https://github.com/status-im/consul.git
acl: fix default authorizer for down_policy
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done in https://github.com/hashicorp/consul/pull/10632.
This commit is contained in:
parent
6bb7aef15c
commit
cd4e70b34c
|
@ -255,7 +255,11 @@ func ManageAll() Authorizer {
|
|||
return manageAll
|
||||
}
|
||||
|
||||
// RootAuthorizer returns a possible Authorizer if the ID matches a root policy
|
||||
// RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
|
||||
//
|
||||
// TODO: rename this function. While the returned authorizer is used as a root
|
||||
// authorizer in some cases, in others it is not. A more appropriate name might
|
||||
// be NewAuthorizerFromPolicyName.
|
||||
func RootAuthorizer(id string) Authorizer {
|
||||
switch id {
|
||||
case "allow":
|
||||
|
|
|
@ -355,7 +355,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
|
|||
case "deny":
|
||||
down = acl.DenyAll()
|
||||
case "async-cache", "extend-cache":
|
||||
// Leave the down policy as nil to signal this.
|
||||
down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)
|
||||
default:
|
||||
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
|
||||
}
|
||||
|
|
|
@ -948,6 +948,27 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||
require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil))
|
||||
})
|
||||
|
||||
t.Run("Extend-Cache with no cache entry defaults to default_policy", func(t *testing.T) {
|
||||
delegate := &ACLResolverTestDelegate{
|
||||
enabled: true,
|
||||
datacenter: "dc1",
|
||||
localPolicies: true,
|
||||
localRoles: true,
|
||||
}
|
||||
delegate.tokenReadFn = func(*structs.ACLTokenGetRequest, *structs.ACLTokenResponse) error {
|
||||
return ACLRemoteError{Err: fmt.Errorf("connection problem")}
|
||||
}
|
||||
|
||||
r := newTestACLResolver(t, delegate, func(config *ACLResolverConfig) {
|
||||
config.Config.ACLDownPolicy = "extend-cache"
|
||||
})
|
||||
|
||||
_, authz, err := r.ResolveTokenToIdentityAndAuthorizer("not-found")
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, authz)
|
||||
require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
|
||||
})
|
||||
|
||||
t.Run("Extend-Cache-Role", func(t *testing.T) {
|
||||
delegate := &ACLResolverTestDelegate{
|
||||
enabled: true,
|
||||
|
|
Loading…
Reference in New Issue