acl: move check for Intention.DestinationName into Authorizer

Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445

Move the check for the Intention.DestinationName into the Authorizer to remove the
need to check what kind of Authorizer is being used.

It sounds like this check is only for legacy ACLs, so is probably just a safeguard
.
This commit is contained in:
Daniel Nephin 2021-08-04 18:06:44 -04:00
parent 3dc113ada6
commit f6d5a85561
2 changed files with 3 additions and 9 deletions

View File

@ -524,6 +524,9 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) En
// IntentionWrite checks if writing (creating, updating, or deleting) of an // IntentionWrite checks if writing (creating, updating, or deleting) of an
// intention is allowed. // intention is allowed.
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision { func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
if prefix == "" {
return Deny
}
if prefix == "*" { if prefix == "*" {
return p.allAllowed(p.intentionRules, AccessWrite) return p.allAllowed(p.intentionRules, AccessWrite)
} }

View File

@ -322,16 +322,7 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
} }
func (ixn *Intention) CanWrite(authz acl.Authorizer) bool { func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
if authz == acl.ManageAll() {
return true
}
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
// TODO: this line seems to require checking 'authz == acl.ManageAll()' above
if ixn.DestinationName == "" {
return false
}
ixn.FillAuthzContext(&authzContext, true) ixn.FillAuthzContext(&authzContext, true)
return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow
} }