acl: default tenancy with the no-auth ACL resolver (#19006)

When using the no-auth acl resolver (the case for most controllers and the get-envoy-boostrap-params endpoint), ResolveTokenAndDefaultMeta method only returns an acl resolver. However, the resource service relies on the ent meta to be filled in to do the tenancy defaulting and inheriting it from the token when one is present. So this change makes sure that the ent meta defaulting always happens in the ACL resolver.
1 year ago · d85fc535fb
1 changed files with 6 additions and 2 deletions
--- a/acl/resolver/danger.go
+++ b/acl/resolver/danger.go
@ -3,13 +3,17 @@

 package resolver

-import "github.com/hashicorp/consul/acl"
+import (
+	"github.com/hashicorp/consul/acl"
+	"github.com/hashicorp/consul/agent/structs"
+)

 // DANGER_NO_AUTH implements an ACL resolver short-circuit authorization in
 // cases where it is handled somewhere else or expressly not required.
 type DANGER_NO_AUTH struct{}

 // ResolveTokenAndDefaultMeta returns an authorizer with unfettered permissions.
-func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (Result, error) {
+func (DANGER_NO_AUTH) ResolveTokenAndDefaultMeta(_ string, entMeta *acl.EnterpriseMeta, _ *acl.AuthorizerContext) (Result, error) {
+	entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
 	return Result{Authorizer: acl.ManageAll()}, nil
 }