acl: fix default authorizer for down_policy

This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632.
This commit is contained in:
Daniel Nephin 2021-09-23 18:11:16 -04:00
parent 6bb7aef15c
commit cd4e70b34c
3 changed files with 27 additions and 2 deletions

View File

@ -255,7 +255,11 @@ func ManageAll() Authorizer {
return manageAll return manageAll
} }
// RootAuthorizer returns a possible Authorizer if the ID matches a root policy // RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
//
// TODO: rename this function. While the returned authorizer is used as a root
// authorizer in some cases, in others it is not. A more appropriate name might
// be NewAuthorizerFromPolicyName.
func RootAuthorizer(id string) Authorizer { func RootAuthorizer(id string) Authorizer {
switch id { switch id {
case "allow": case "allow":

View File

@ -355,7 +355,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
case "deny": case "deny":
down = acl.DenyAll() down = acl.DenyAll()
case "async-cache", "extend-cache": case "async-cache", "extend-cache":
// Leave the down policy as nil to signal this. down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)
default: default:
return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy) return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
} }

View File

@ -948,6 +948,27 @@ func TestACLResolver_DownPolicy(t *testing.T) {
require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil)) require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil))
}) })
t.Run("Extend-Cache with no cache entry defaults to default_policy", func(t *testing.T) {
delegate := &ACLResolverTestDelegate{
enabled: true,
datacenter: "dc1",
localPolicies: true,
localRoles: true,
}
delegate.tokenReadFn = func(*structs.ACLTokenGetRequest, *structs.ACLTokenResponse) error {
return ACLRemoteError{Err: fmt.Errorf("connection problem")}
}
r := newTestACLResolver(t, delegate, func(config *ACLResolverConfig) {
config.Config.ACLDownPolicy = "extend-cache"
})
_, authz, err := r.ResolveTokenToIdentityAndAuthorizer("not-found")
require.NoError(t, err)
require.NotNil(t, authz)
require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
})
t.Run("Extend-Cache-Role", func(t *testing.T) { t.Run("Extend-Cache-Role", func(t *testing.T) {
delegate := &ACLResolverTestDelegate{ delegate := &ACLResolverTestDelegate{
enabled: true, enabled: true,