From f6d5a855611a8ba4d5a721fd0dc47ba147028608 Mon Sep 17 00:00:00 2001
From: Daniel Nephin <dnephin@hashicorp.com>
Date: Wed, 4 Aug 2021 18:06:44 -0400
Subject: [PATCH] acl: move check for Intention.DestinationName into Authorizer

Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445

Move the check for the Intention.DestinationName into the Authorizer to remove the
need to check what kind of Authorizer is being used.

It sounds like this check is only for legacy ACLs, so is probably just a safeguard
.
---
 acl/policy_authorizer.go   | 3 +++
 agent/structs/intention.go | 9 ---------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/acl/policy_authorizer.go b/acl/policy_authorizer.go
index af52418c2..9985c8feb 100644
--- a/acl/policy_authorizer.go
+++ b/acl/policy_authorizer.go
@@ -524,6 +524,9 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) En
 // IntentionWrite checks if writing (creating, updating, or deleting) of an
 // intention is allowed.
 func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
+	if prefix == "" {
+		return Deny
+	}
 	if prefix == "*" {
 		return p.allAllowed(p.intentionRules, AccessWrite)
 	}
diff --git a/agent/structs/intention.go b/agent/structs/intention.go
index 15c401764..c2240c414 100644
--- a/agent/structs/intention.go
+++ b/agent/structs/intention.go
@@ -322,16 +322,7 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
 }
 
 func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
-	if authz == acl.ManageAll() {
-		return true
-	}
 	var authzContext acl.AuthorizerContext
-
-	// TODO: this line seems to require checking 'authz == acl.ManageAll()' above
-	if ixn.DestinationName == "" {
-		return false
-	}
-
 	ixn.FillAuthzContext(&authzContext, true)
 	return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow
 }