From a9caff0ff40ffd1954d9ff1ab3df0148d033b049 Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Tue, 23 Jul 2024 09:35:24 -0500
Subject: [PATCH] @adleong's feedback

---
 policy-controller/k8s/index/src/defaults.rs | 43 ++++++++++++-------
 .../k8s/index/src/inbound/index.rs | 4 +-
 2 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/policy-controller/k8s/index/src/defaults.rs b/policy-controller/k8s/index/src/defaults.rs
index 65d87502164cf..925905bff023e 100644
--- a/policy-controller/k8s/index/src/defaults.rs
+++ b/policy-controller/k8s/index/src/defaults.rs
@@ -85,15 +85,29 @@ impl DefaultPolicy {
 config: &ClusterInfo,
 ) -> HashMap {
 let mut authzs = HashMap::default();
- let (authenticated_only, cluster_only) = match self {
- DefaultPolicy::Allow {
- authenticated_only,
- cluster_only,
- } => (authenticated_only, cluster_only),
- DefaultPolicy::Deny => return authzs,
- DefaultPolicy::Audit => (false, false),
- };
+ let auth_ref = AuthorizationRef::Default(self.as_str());
+
+ if let DefaultPolicy::Allow {
+ authenticated_only,
+ cluster_only,
+ } = self
+ {
+ authzs.insert(
+ auth_ref,
+ Self::default_client_authz(config, authenticated_only, cluster_only),
+ );
+ } else if let DefaultPolicy::Audit = self {
+ authzs.insert(auth_ref, Self::default_client_authz(config, false, false));
+ }
+
+ authzs
+ }
+ fn default_client_authz(
+ config: &ClusterInfo,
+ authenticated_only: bool,
+ cluster_only: bool,
+ ) -> ClientAuthorization {
 let authentication = if authenticated_only {
 ClientAuthentication::TlsAuthenticated(vec![IdentityMatch::Suffix(vec![])])
 } else {
@@ -107,14 +121,11 @@ impl DefaultPolicy {
 "::/0".parse::().unwrap().into(),
 ]
 };
- authzs.insert(
- AuthorizationRef::Default(self.as_str()),
- ClientAuthorization {
- authentication,
- networks,
- },
- );
- authzs
+
+ ClientAuthorization {
+ authentication,
+ networks,
+ }
 }
 }
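Review bot: The `if let DefaultPolicy::Allow … else if let DefaultPolicy::Audit` chain in `default_authzs` gives up the exhaustiveness the removed `match` had: `Deny` is now handled only by falling off the end, and any variant added to `DefaultPolicy` later would silently produce an empty map instead of a compile error. That direction happens to fail closed, but an access-policy dispatch is exactly where I would want the compiler to force a decision per variant, so I would keep a `match` with an explicit `DefaultPolicy::Deny => {}` arm, as below. The `fn default_authzs(` signature and its receiver are outside this hunk, so whether `self` is taken by value is inferred from the by-value use of `authenticated_only`.
```rust
        let mut authzs = HashMap::default();
        let auth_ref = AuthorizationRef::Default(self.as_str());

        match self {
            DefaultPolicy::Allow {
                authenticated_only,
                cluster_only,
            } => {
                authzs.insert(
                    auth_ref,
                    Self::default_client_authz(config, authenticated_only, cluster_only),
                );
            }
            DefaultPolicy::Audit => {
                authzs.insert(auth_ref, Self::default_client_authz(config, false, false));
            }
            // Deny contributes no default authorization; listed explicitly so that a new
            // variant is a compile error rather than a silently empty map.
            DefaultPolicy::Deny => {}
        }

        authzs
        // … unchanged: default_client_authz …
```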
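Review bot: The new private helper `default_client_authz`, whose body ends in this hunk, has no doc comment even though its two boolean flags decide how permissive the generated authorization is, and the `Audit` caller passes `false, false` for both. I would add above its signature (in the previous hunk) `/// Builds the client authorization backing a default policy: `authenticated_only` admits only TLS-authenticated clients (any identity), otherwise unauthenticated clients are admitted too; `cluster_only` narrows the source networks, otherwise the unrestricted networks (including `::/0`) are used.` The `cluster_only` branch of `networks` lies outside this hunk, so the wording for that branch should be checked against it.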
diff --git a/policy-controller/k8s/index/src/inbound/index.rs b/policy-controller/k8s/index/src/inbound/index.rs
index 06d3022f91b40..811fe83bb6acf 100644
--- a/policy-controller/k8s/index/src/inbound/index.rs
+++ b/policy-controller/k8s/index/src/inbound/index.rs
@@ -1753,9 +1753,7 @@ impl PolicyIndex {
 authzs.insert(reference, authz);
 }
- if let Some(p @ DefaultPolicy::Allow { .. }) | Some(p @ DefaultPolicy::Audit) =
- server.access_policy
- {
+ if let Some(p) = server.access_policy {
 authzs.extend(p.default_authzs(&self.cluster_info));
 }
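Review bot: The call site no longer filters out `DefaultPolicy::Deny`, so it is now `default_authzs` alone that guarantees a denied server contributes no default authorization; that is a reasonable single point of truth, but the dependency is invisible here. A one-line comment would keep it visible to the next reader: `// Deny yields no entries; default_authzs handles each policy variant.` The enclosing method starts outside the hunk, so I cannot see how `server` is borrowed; moving `server.access_policy` out by value is unchanged from the removed pattern and presumably relies on `DefaultPolicy` being `Copy`.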