From 514d751c935214f37e4c2f0d98e1ae3b06e8bbcf Mon Sep 17 00:00:00 2001
From: Will Nicholson <5702746+wjnicholson@users.noreply.github.com>
Date: Thu, 8 Dec 2022 12:25:22 +0000
Subject: [PATCH 1/2] bug: Handle missing policy documents in event streams

Fixes https://github.com/hashicorp/nomad/issues/15493
---
 nomad/stream/event_broker.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/nomad/stream/event_broker.go b/nomad/stream/event_broker.go
index 8ecf33ebded..93a5e7e30eb 100644
--- a/nomad/stream/event_broker.go
+++ b/nomad/stream/event_broker.go
@@ -301,9 +301,14 @@ func aclObjFromSnapshotForTokenSecretID(
 for _, policyName := range aclToken.Policies {
 policy, err := aclSnapshot.ACLPolicyByName(nil, policyName)
- if err != nil || policy == nil {
+ if err != nil {
 return nil, nil, errors.New("error finding acl policy")
 }
+ if policy == nil {
+ // Ignore policies that don't exist, since they don't grant any
+ // more privilege.
+ continue
+ }
 aclPolicies = append(aclPolicies, policy)
 }
@@ -321,9 +326,14 @@ func aclObjFromSnapshotForTokenSecretID(
 for _, policyLink := range role.Policies {
 policy, err := aclSnapshot.ACLPolicyByName(nil, policyLink.Name)
- if err != nil || policy == nil {
+ if err != nil {
 return nil, nil, errors.New("error finding acl policy")
 }
+ if policy == nil {
+ // Ignore policies that don't exist, since they don't grant any
+ // more privilege.
+ continue
+ }
 aclPolicies = append(aclPolicies, policy)
 }
 }

From a74cb9c9ea83ec95f87ece7518a527a328ffe285 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Tue, 14 Feb 2023 09:29:45 -0500
Subject: [PATCH 2/2] add changelog entry

---
 .changelog/15495.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/15495.txt

diff --git a/.changelog/15495.txt b/.changelog/15495.txt
new file mode 100644
index 00000000000..77b38170ce8
--- /dev/null
+++ b/.changelog/15495.txt
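Review bot: The new `if policy == nil { continue }` branch in both hunks skips the dangling reference silently, so a token or role that points at a policy that no longer exists leaves no trace; the behaviour is correctly fail-closed (a missing policy contributes no capabilities), but if a logger is reachable from this function (none is visible in the hunk) a debug-level line naming the skipped policy would make stale references observable, e.g. add `// TODO(review): log the dangling policy name at debug level so operators can spot stale tokens/roles` above the `continue`. The same three-way handling (lookup error, missing policy, found policy) is now duplicated verbatim in the token-policy loop at @@ -301 and the role-policy loop at @@ -321; a small helper that takes the policy name and returns the policy, a found flag and an error would keep the two loops from drifting. Separately, the retained `errors.New("error finding acl policy")` still discards the underlying `err`, so a snapshot-read failure and any future lookup error remain indistinguishable to the caller. The enclosing function aclObjFromSnapshotForTokenSecretID starts and ends outside both hunks.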
@@ -0,0 +1,3 @@
+```release-note:bug
+event stream: Fixed a bug where undefined ACL policies on the request's ACL would result in incorrect authentication errors
+```