acl: fix default authorizer for down_policy

This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done in https://github.com/hashicorp/consul/pull/10632.
2021-09-23 18:11:16 -04:00 · 2021-09-23 18:11:16 -04:00 · 30fe14eed3
parent a6a7069ecf
commit 30fe14eed3
3 changed files with 27 additions and 2 deletions
--- a/acl/static_authorizer.go
+++ b/acl/static_authorizer.go
@ -255,7 +255,11 @@ func ManageAll() Authorizer {
 	return manageAll
 }

-// RootAuthorizer returns a possible Authorizer if the ID matches a root policy
+// RootAuthorizer returns a possible Authorizer if the ID matches a root policy.
+//
+// TODO: rename this function. While the returned authorizer is used as a root
+// authorizer in some cases, in others it is not. A more appropriate name might
+// be NewAuthorizerFromPolicyName.
 func RootAuthorizer(id string) Authorizer {
 	switch id {
 	case "allow":
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@ -355,7 +355,7 @@ func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
 	case "deny":
 		down = acl.DenyAll()
 	case "async-cache", "extend-cache":
-		// Leave the down policy as nil to signal this.
+		down = acl.RootAuthorizer(config.Config.ACLDefaultPolicy)
 	default:
 		return nil, fmt.Errorf("invalid ACL down policy %q", config.Config.ACLDownPolicy)
 	}
--- a/agent/consul/acl_test.go
+++ b/agent/consul/acl_test.go
@ -948,6 +948,27 @@ func TestACLResolver_DownPolicy(t *testing.T) {
 		require.Equal(t, acl.Allow, authz2.NodeWrite("foo", nil))
 	})

+	t.Run("Extend-Cache with no cache entry defaults to default_policy", func(t *testing.T) {
+		delegate := &ACLResolverTestDelegate{
+			enabled:       true,
+			datacenter:    "dc1",
+			localPolicies: true,
+			localRoles:    true,
+		}
+		delegate.tokenReadFn = func(*structs.ACLTokenGetRequest, *structs.ACLTokenResponse) error {
+			return ACLRemoteError{Err: fmt.Errorf("connection problem")}
+		}
+
+		r := newTestACLResolver(t, delegate, func(config *ACLResolverConfig) {
+			config.Config.ACLDownPolicy = "extend-cache"
+		})
+
+		_, authz, err := r.ResolveTokenToIdentityAndAuthorizer("not-found")
+		require.NoError(t, err)
+		require.NotNil(t, authz)
+		require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
+	})
+
 	t.Run("Extend-Cache-Role", func(t *testing.T) {
 		delegate := &ACLResolverTestDelegate{
 			enabled:       true,