rgw: Avoid segfault when OPA authz is enabled 46107/head
authorBenoît Knecht <bknecht@protonmail.ch>
Tue, 12 Apr 2022 09:51:10 +0000 (11:51 +0200)
committerBenoît Knecht <bknecht@protonmail.ch>
Mon, 2 May 2022 07:13:23 +0000 (09:13 +0200)
When `rgw_use_opa_authz=true`, radosgw would segfault on any request that
didn't target a specific object or bucket, because `s->object` or `s->bucket`
would be `nullptr` in that case, but that code path would try to dereference
them anyway.

This commit only adds the `object_name`, `subuser`, `user_info` and
`bucket_info` JSON objects if the corresponding `s->X` object is defined,
thereby avoiding segfaults in radosgw when Open Policy Agent authorization is
enabled.

Fixes: https://tracker.ceph.com/issues/55286
Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit ac71916cea04c8bac4baf58bcb9c63d8797f877e)

src/rgw/rgw_opa.cc

index 68f874a5d724e50f6c93aa817578d71f3fb13024..dfd3f4f8e1bd26060e449ed6ef0b3f0af5e752ac 100644 (file)
@@ -47,10 +47,18 @@ int rgw_opa_authorize(RGWOp *& op,
   jf.dump_string("decoded_uri", s->decoded_uri.c_str());
   jf.dump_string("params", s->info.request_params.c_str());
   jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
-  jf.dump_string("object_name", s->object->get_name().c_str());
-  jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
-  jf.dump_object("user_info", s->user->get_info());
-  jf.dump_object("bucket_info", s->bucket->get_info());
+  if (s->object) {
+    jf.dump_string("object_name", s->object->get_name().c_str());
+  }
+  if (s->auth.identity) {
+    jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
+  }
+  if (s->user) {
+    jf.dump_object("user_info", s->user->get_info());
+  }
+  if (s->bucket) {
+    jf.dump_object("bucket_info", s->bucket->get_info());
+  }
   jf.close_section();
   jf.close_section();
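Review bot: The new guards at `if (s->object)`, `if (s->auth.identity)`, `if (s->user)` and `if (s->bucket)` make `object_name`, `subuser`, `user_info` and `bucket_info` optional keys in the document sent to OPA, and nothing in the code says so. This matters for authorization because Rego treats a reference to a missing key as undefined rather than false, so a policy rule that tests one of these fields may stop matching on requests that carry no bucket or object instead of evaluating it as before. I would document the contract above the first guard, for example `// The fields below are omitted from the OPA input when unset (e.g. requests that target no bucket or object); policies must treat them as optional.`, and repeat it wherever the OPA input format is described for policy authors. The body of rgw_opa_authorize starts and ends outside this hunk, so whether a later step logs or rejects a request with no identity cannot be judged from here.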