acl: move check for Intention.DestinationName into Authorizer

Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445 Move the check for the Intention.DestinationName into the Authorizer to remove the need to check what kind of Authorizer is being used. It sounds like this check is only for legacy ACLs, so is probably just a safeguard .
3 years ago · 5b2e5882b4
2 changed files with 3 additions and 9 deletions
--- a/acl/policy_authorizer.go
+++ b/acl/policy_authorizer.go
@ -524,6 +524,9 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) En
 // IntentionWrite checks if writing (creating, updating, or deleting) of an
 // intention is allowed.
 func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
+	if prefix == "" {
+		return Deny
+	}
 	if prefix == "*" {
 		return p.allAllowed(p.intentionRules, AccessWrite)
 	}
--- a/agent/structs/intention.go
+++ b/agent/structs/intention.go
@ -322,16 +322,7 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
 }

 func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
-	if authz == acl.ManageAll() {
-		return true
-	}
 	var authzContext acl.AuthorizerContext
-
-	// TODO: this line seems to require checking 'authz == acl.ManageAll()' above
-	if ixn.DestinationName == "" {
-		return false
-	}
-
 	ixn.FillAuthzContext(&authzContext, true)
 	return authz.IntentionWrite(ixn.DestinationName, &authzContext) == acl.Allow
 }