acl: move check for Intention.DestinationName into Authorizer
Follow-up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445. Move the check for Intention.DestinationName into the Authorizer to remove the need to check what kind of Authorizer is being used. It sounds like this check is only needed for legacy ACLs, so it is probably just a safeguard.
This commit is contained in:
parent
3dc113ada6
commit
f6d5a85561
@ -524,6 +524,9 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) En
|
||||||
// IntentionWrite checks if writing (creating, updating, or deleting) of an
|
// IntentionWrite checks if writing (creating, updating, or deleting) of an
|
||||||
// intention is allowed.
|
// intention is allowed.
|
||||||
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||||
|
if prefix == "" {
|
||||||
|
return Deny
|
||||||
|
}
|
||||||
if prefix == "*" {
|
if prefix == "*" {
|
||||||
return p.allAllowed(p.intentionRules, AccessWrite)
|
return p.allAllowed(p.intentionRules, AccessWrite)
|
||||||
}
|
}
|
||||||
|
|
|
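Review bot: The new empty-prefix guard at `if prefix == "" { return Deny }` lives only in policyAuthorizer.IntentionWrite, while the second hunk drops the caller-side `if ixn.DestinationName == ""` check from Intention.CanWrite together with the `authz == acl.ManageAll()` early return, so CanWrite now returns whatever Authorizer it is handed says about an empty destination name. Any other acl.Authorizer implementation that does not itself deny an empty prefix (the page shows only policyAuthorizer; ManageAll is the one the removed early-return previously answered for) would now report Allow where the caller previously returned false — an inferred behaviour change worth confirming against the other implementations and pinning with a test that calls IntentionWrite("", nil) on each. The doc comment on IntentionWrite should state the new contract, e.g. `// An empty prefix (an intention with no destination name) is always denied.`. IntentionRead, which per the hunk header ends just above, is not visible here; if it lacks the same guard the read and write paths are asymmetric and that deserves a look.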
@ -322,16 +322,7 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
|
func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
|
||||||
if authz == acl.ManageAll() {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
|
|
||||||
// TODO: this line seems to require checking 'authz == acl.ManageAll()' above
|
|
||||||
if ixn.DestinationName == "" {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
ixn.FillAuthzContext(&authzContext, true)
|
ixn.FillAuthzContext(&authzContext, true)
|
||||||
return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow
|
return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow
|
||||||
}
|
}
|
||||||
|
|