acl: fix default authorizer for down_policy
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done in https://github.com/hashicorp/consul/pull/10632.
parent
6bb7aef15c
commit
cd4e70b34c
|
@ -255,7 +255,11 @@ func ManageAll() Authorizer {
|
||||||
return manageAll
|
return manageAll
|
||||||
}
|
}
|
||||||
|
|
||||||
// RootAuthorizer returns a possible Authorizer if the ID matches a root policy
|
// RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
|
||||||
|
//
|
||||||
|
// TODO: rename this function. While the returned authorizer is used as a root
|
||||||
|
// authorizer in some cases, in others it is not. A more appropriate name might
|
||||||
|
// be NewAuthorizerFromPolicyName.
|
||||||
func RootAuthorizer(id string) Authorizer {
|
func RootAuthorizer(id string) Authorizer {
|
||||||
switch id {
|
switch id {
|
||||||
case "allow":
|
case "allow":
|
||||||
|
|
|
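Review bot: The rewritten doc comment on RootAuthorizer still says only that it "returns a possible Authorizer", which leaves the nil case implicit at the moment NewACLResolver starts depending on this function for the down policy. If the cases after `case "allow":` (they fall outside the hunk) return nil for an id that is not a builtin policy name, say so where callers will read it: `// RootAuthorizer returns the builtin Authorizer named by id, or nil if id is not a builtin policy name.` The new TODO about renaming could note the same nil contract, since that is what a caller of NewAuthorizerFromPolicyName would have to handle. The body of RootAuthorizer continues past the end of the hunk.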
@ -355,7 +355,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
|
||||||
case "deny":
|
case "deny":
|
||||||
down = acl.DenyAll()
|
down = acl.DenyAll()
|
||||||
case "async-cache", "extend-cache":
|
case "async-cache", "extend-cache":
|
||||||
// Leave the down policy as nil to signal this.
|
down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
|
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
|
||||||
}
|
}
|
||||||
|
|
|
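Review bot: The new `down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)` in the async-cache/extend-cache case can hand the resolver a nil authorizer again if RootAuthorizer returns nil for a value it does not recognize (its switch is in the other hunk and only the "allow" case is visible), which would reinstate the panic this commit is fixing instead of failing at construction. Unless ACLDefaultPolicy is already validated when the config is loaded, a guard after the switch, `if down == nil { return nil, fmt.Errorf("invalid ACL default policy %q", config.Config.ACLDefaultPolicy) }`, turns that misconfiguration into the same error the `default:` branch already returns for the down policy. The removed comment also says the nil was used as a signal, so confirm that nothing else in the resolver (outside this hunk) still tests `down == nil` to detect the cache modes. NewACLResolver begins and ends outside the hunk.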
@ -948,6 +948,27 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
||||||
require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("Extend-Cache with no cache entry defaults to default_policy", func(t *testing.T) {
|
||||||
|
delegate := &ACLResolverTestDelegate{
|
||||||
|
enabled: true,
|
||||||
|
datacenter: "dc1",
|
||||||
|
localPolicies: true,
|
||||||
|
localRoles: true,
|
||||||
|
}
|
||||||
|
delegate.tokenReadFn = func(*structs.ACLTokenGetRequest, *structs.ACLTokenResponse) error {
|
||||||
|
return ACLRemoteError{Err: fmt.Errorf("connection problem")}
|
||||||
|
}
|
||||||
|
|
||||||
|
r := newTestACLResolver(t, delegate, func(config *ACLResolverConfig) {
|
||||||
|
config.Config.ACLDownPolicy = "extend-cache"
|
||||||
|
})
|
||||||
|
|
||||||
|
_, authz, err := r.ResolveTokenToIdentityAndAuthorizer("not-found")
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.NotNil(t, authz)
|
||||||
|
require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
|
||||||
|
})
|
||||||
|
|
||||||
t.Run("Extend-Cache-Role", func(t *testing.T) {
|
t.Run("Extend-Cache-Role", func(t *testing.T) {
|
||||||
delegate := &ACLResolverTestDelegate{
|
delegate := &ACLResolverTestDelegate{
|
||||||
enabled: true,
|
enabled: true,
|
||||||
|
|
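Review bot: The new subtest named "...defaults to default_policy" never sets `config.Config.ACLDefaultPolicy`; its config callback sets only `ACLDownPolicy = "extend-cache"`, so the `acl.Deny` assertion depends on whatever default newTestACLResolver supplies (outside the hunk) and would silently test something else if that helper's default changed. Set it explicitly, `config.Config.ACLDefaultPolicy = "deny"`, and consider a sibling run with `"allow"` asserting `acl.Allow`, so the test shows the down policy tracking default_policy rather than coincidentally matching a deny default. The "async-cache" value takes the same new path in NewACLResolver but has no case here. TestACLResolver_DownPolicy continues outside the hunk on both sides.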