From cd4e70b34c898eae9d70158048fd348633dc7b31 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Thu, 23 Sep 2021 18:11:16 -0400
Subject: [PATCH] acl: fix default authorizer for down_policy

This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done in https://github.com/hashicorp/consul/pull/10632.
---
 acl/static_authorizer.go | 6 +++++-
 agent/consul/acl.go | 2 +-
 agent/consul/acl_test.go | 21 +++++++++++++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/acl/static_authorizer.go b/acl/static_authorizer.go
index 5074bc4b5f..f257d6b68a 100644
--- a/acl/static_authorizer.go
+++ b/acl/static_authorizer.go
@@ -255,7 +255,11 @@ func ManageAll() Authorizer {
 return manageAll
 }
 
-// RootAuthorizer returns a possible Authorizer if the ID matches a root policy
+// RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
+//
+// TODO: rename this function. While the returned authorizer is used as a root
+// authorizer in some cases, in others it is not. A more appropriate name might
+// be NewAuthorizerFromPolicyName.
 func RootAuthorizer(id string) Authorizer {
 switch id {
 case "allow":
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index b22e32c613..b84b100bf4 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -355,7 +355,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
 case "deny":
 down = acl.DenyAll()
 case "async-cache", "extend-cache":
- // Leave the down policy as nil to signal this.
+ down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)
 default:
 return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
 }
diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go
index e0a5500e01..b119f9c1ab 100644
--- a/agent/consul/acl_test.go
+++ b/agent/consul/acl_test.go
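Review bot: The reworded doc comment still leaves the part of RootAuthorizer's contract that matters most to callers unstated: what comes back when id is none of the recognized policy names. The switch's fallthrough is outside this hunk so I cannot confirm it, but the acl.go hunk in this same patch now feeds a configuration value straight into this function, so a caller needs to know whether a nil Authorizer is a possible result. If the default case does return nil, add to the comment: `// Any other id yields a nil Authorizer, which callers must check before use.` If it returns a deny-all instead, say that, since the current wording "a possible Authorizer" does not settle it either way.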
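Review bot: `down` can still end up nil after this change if RootAuthorizer does not recognize `config.Config.ACLDefaultPolicy`; its fallthrough case is outside this hunk so I cannot confirm what it returns, but the removed comment shows nil was the signal value here and the commit message says a nil authorizer now panics. The down policy decides what every request does when the ACL servers are unreachable, so a nil here turns a connectivity outage into a crash rather than a fail-closed or fail-open decision. Unless ACLDefaultPolicy is validated earlier in NewACLResolver (the function starts and ends outside the hunk), guard the assignment the same way the invalid down-policy case two lines below already does: `down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)` followed by `if down == nil { return nil, fmt.Errorf("invalid ACL default policy %q", config.Config.ACLDefaultPolicy) }`. That keeps a misconfiguration a startup error instead of a request-time panic.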
@@ -948,6 +948,27 @@ func TestACLResolver_DownPolicy(t *testing.T) {
 require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil))
 })
 
+ t.Run("Extend-Cache with no cache entry defaults to default_policy", func(t *testing.T) {
+ delegate := &ACLResolverTestDelegate{
+ enabled: true,
+ datacenter: "dc1",
+ localPolicies: true,
+ localRoles: true,
+ }
+ delegate.tokenReadFn = func(*structs.ACLTokenGetRequest, *structs.ACLTokenResponse) error {
+ return ACLRemoteError{Err: fmt.Errorf("connection problem")}
+ }
+
+ r := newTestACLResolver(t, delegate, func(config *ACLResolverConfig) {
+ config.Config.ACLDownPolicy = "extend-cache"
+ })
+
+ _, authz, err := r.ResolveTokenToIdentityAndAuthorizer("not-found")
+ require.NoError(t, err)
+ require.NotNil(t, authz)
+ require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
+ })
+
 t.Run("Extend-Cache-Role", func(t *testing.T) {
 delegate := &ACLResolverTestDelegate{
 enabled: true,
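Review bot: The new subtest's name says the result "defaults to default_policy", but the test never sets ACLDefaultPolicy and only asserts Deny, so it would pass equally well if the fix had hard-coded `acl.DenyAll()` for the extend-cache case; it does not show that the fallback actually tracks the configured default policy. Make the dependency explicit by setting `config.Config.ACLDefaultPolicy = "deny"` next to the down-policy line in the config callback, and add a sibling subtest that sets `"allow"` and asserts `require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))`, which is the case that would distinguish the two behaviors. Since this path is what governs fail-open versus fail-closed during an ACL outage, pinning both directions is worth the duplication. TestACLResolver_DownPolicy begins and ends outside this hunk.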