eventstream: Handle missing policy documents in event streams (#15495)

Fixes https://github.com/hashicorp/nomad/issues/15493 Co-authored-by: Tim Gross <tgross@hashicorp.com>
2023-02-14 16:27:39 +00:00 · 2023-02-14 16:27:39 +00:00 · 4dc83757a6
parent 87b88fd83d
commit 4dc83757a6
2 changed files with 15 additions and 2 deletions
--- a/.changelog/15495.txt
+++ b/.changelog/15495.txt
@ -0,0 +1,3 @@
+```release-note:bug
+event stream: Fixed a bug where undefined ACL policies on the request's ACL would result in incorrect authentication errors
+```
--- a/nomad/stream/event_broker.go
+++ b/nomad/stream/event_broker.go
@ -295,9 +295,14 @@ func aclObjFromSnapshotForTokenSecretID(

 	for _, policyName := range aclToken.Policies {
 		policy, err := aclSnapshot.ACLPolicyByName(nil, policyName)
-		if err != nil || policy == nil {
+		if err != nil {
 			return nil, nil, errors.New("error finding acl policy")
 		}
+		if policy == nil {
+			// Ignore policies that don't exist, since they don't grant any
+			// more privilege.
+			continue
+		}
 		aclPolicies = append(aclPolicies, policy)
 	}

@ -315,9 +320,14 @@ func aclObjFromSnapshotForTokenSecretID(

 		for _, policyLink := range role.Policies {
 			policy, err := aclSnapshot.ACLPolicyByName(nil, policyLink.Name)
-			if err != nil || policy == nil {
+			if err != nil {
 				return nil, nil, errors.New("error finding acl policy")
 			}
+			if policy == nil {
+				// Ignore policies that don't exist, since they don't grant any
+				// more privilege.
+				continue
+			}
 			aclPolicies = append(aclPolicies, policy)
 		}
 	}