From 4d857d117fb9ffeb76dad28836eb03907670d6cf Mon Sep 17 00:00:00 2001
From: Chris Piraino
Date: Mon, 13 Jul 2020 13:39:57 -0500
Subject: [PATCH] Set enterprise metadata after resolving the token (#8302)

The token can encode enterprise metadata information, and we must make sure we set that on the reply so that we can correct filter ACLs.
---
 agent/consul/catalog_endpoint.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/agent/consul/catalog_endpoint.go b/agent/consul/catalog_endpoint.go
index 301e00974c..04be323cb5 100644
--- a/agent/consul/catalog_endpoint.go
+++ b/agent/consul/catalog_endpoint.go
@@ -296,8 +296,6 @@ func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.I
 return err
 }
 
- reply.EnterpriseMeta = args.EnterpriseMeta
-
 authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
 if err != nil {
 return err
@@ -307,6 +305,10 @@ func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.I
 return err
 }
 
+ // Set reply enterprise metadata after resolving and validating the token so
+ // that we can properly infer metadata from the token.
+ reply.EnterpriseMeta = args.EnterpriseMeta
+
 return c.srv.blockingQuery(
 &args.QueryOptions,
 &reply.QueryMeta,
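Review bot: The new `reply.EnterpriseMeta = args.EnterpriseMeta` in the second hunk is only correct because it runs after `ResolveTokenAndDefaultMeta` has been handed `&args.EnterpriseMeta`, and the patch touches a single file with no test that pins this ordering. Since the commit message ties the reply metadata to ACL filtering, a later reorder would presumably fail silently as wrongly filtered results, so a regression test that calls ListServices with a token and no explicit metadata and checks the reply's metadata is worth adding. The comment could also name the dependency, e.g. `// Must stay after ResolveTokenAndDefaultMeta, which may fill args.EnterpriseMeta from the token; the reply copy is what ACL filtering sees.` Other handlers that copy `args.EnterpriseMeta` into the reply before resolving the token, if any exist in this file, would have the same problem and deserve the same check. ListServices starts and ends outside the hunk.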