From fbaeac9ecf23749b395ee81f5a82ff227366c6b4 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Fri, 30 Jul 2021 13:58:01 -0400 Subject: [PATCH] acl: remove authz == nil checks These case are already impossible conditions, because most of these functions already start with a check for ACLs being disabled. So the code path being removed could never be reached. The one other case (ConnectAuthorized) was already changed in a previous commit. This commit removes an impossible branch because authz == nil can never be true.
---
 agent/acl_endpoint.go | 2 --
 agent/connect_auth.go | 8 --------
 agent/consul/acl_endpoint.go | 8 --------
 3 files changed, 18 deletions(-)
diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index a796cb3d8..058ebbfe6 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -1156,8 +1156,6 @@ func (s *HTTPHandlers) ACLAuthorize(resp http.ResponseWriter, req *http.Request)
 authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(request.Token, nil, nil)
 if err != nil {
 return nil, err
- } else if authz == nil {
- return nil, fmt.Errorf("Failed to initialize authorizer")
 }
 
 responses, err = structs.CreateACLAuthorizationResponses(authz, request.Requests)
diff --git a/agent/connect_auth.go b/agent/connect_auth.go
index 610b21381..293ac7016 100644
--- a/agent/connect_auth.go
+++ b/agent/connect_auth.go
@@ -132,14 +132,6 @@ func (a *Agent) ConnectAuthorize(token string,
 return false, reason, &meta, nil
 }
 
- // No match, we need to determine the default behavior. We do this by
- // fetching the default intention behavior from the resolved authorizer. The
- // default behavior if ACLs are disabled is to allow connections to mimic the
- // behavior of Consul itself: everything is allowed if ACLs are disabled.
- if authz == nil {
- // ACLs not enabled at all, the default is allow all.
- return true, "ACLs disabled, access is allowed by default", &meta, nil
- }
 reason = "Default behavior configured by ACLs"
 return authz.IntentionDefaultAllow(nil) == acl.Allow, reason, &meta, nil
 }
diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index e08c23786..8800cb0ec 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -981,8 +981,6 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
 authz, err := a.srv.ResolveToken(args.Token)
 if err != nil {
 return err
- } else if authz == nil {
- return acl.ErrPermissionDenied
 }
 
 return a.srv.blockingQuery(&args.QueryOptions, &reply.QueryMeta,
@@ -1073,8 +1071,6 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
 authz, err := a.srv.ResolveToken(args.Token)
 if err != nil {
 return err
- } else if authz == nil {
- return acl.ErrPermissionDenied
 }
 
 return a.srv.blockingQuery(&args.QueryOptions, &reply.QueryMeta,
@@ -1507,8 +1503,6 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
 authz, err := a.srv.ResolveToken(args.Token)
 if err != nil {
 return err
- } else if authz == nil {
- return acl.ErrPermissionDenied
 }
 
 return a.srv.blockingQuery(&args.QueryOptions, &reply.QueryMeta,
@@ -2565,8 +2559,6 @@ func (a *ACL) Authorize(args *structs.RemoteACLAuthorizationRequest, reply *[]st
 authz, err := a.srv.ResolveToken(args.Token)
 if err != nil {
 return err
- } else if authz == nil {
- return fmt.Errorf("Failed to initialize authorizer")
 }
 
 responses, err := structs.CreateACLAuthorizationResponses(authz, args.Requests)