Use auth context when evaluating service read permissions (#17207)

Co-authored-by: Blake Covarrubias <1812+blake@users.noreply.github.com>
2023-05-02 16:23:42 -04:00 · 2023-05-02 16:23:42 -04:00 · f5668b3621
parent 827be5ad6e
commit f5668b3621
1 changed files with 4 additions and 2 deletions
--- a/agent/proxycfg-glue/resolved_service_config.go
+++ b/agent/proxycfg-glue/resolved_service_config.go
@ -8,6 +8,7 @@ import (

 	"github.com/hashicorp/go-memdb"

+	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/cache"
 	cachetype "github.com/hashicorp/consul/agent/cache-types"
 	"github.com/hashicorp/consul/agent/configentry"
@ -41,12 +42,13 @@ func (s *serverResolvedServiceConfig) Notify(ctx context.Context, req *structs.S

 	return watch.ServerLocalNotify(ctx, correlationID, s.deps.GetStore,
 		func(ws memdb.WatchSet, store Store) (uint64, *structs.ServiceConfigResponse, error) {
-			authz, err := s.deps.ACLResolver.ResolveTokenAndDefaultMeta(req.Token, &req.EnterpriseMeta, nil)
+			var authzContext acl.AuthorizerContext
+			authz, err := s.deps.ACLResolver.ResolveTokenAndDefaultMeta(req.Token, &req.EnterpriseMeta, &authzContext)
 			if err != nil {
 				return 0, nil, err
 			}

-			if err := authz.ToAllowAuthorizer().ServiceReadAllowed(req.Name, nil); err != nil {
+			if err := authz.ToAllowAuthorizer().ServiceReadAllowed(req.Name, &authzContext); err != nil {
 				return 0, nil, err
 			}