rgw: policy: reuse eval_principal to evaluate the policy principal 36636/head
authorAbhishek Lekshmanan <abhishek@suse.com>
Mon, 27 Jul 2020 14:58:30 +0000 (16:58 +0200)
committerNathan Cutler <ncutler@suse.com>
Fri, 14 Aug 2020 15:11:53 +0000 (17:11 +0200)
The other edge case, when no Principal or a NotPrincipal is supplied, must also
be accounted for; this is already done in the eval_principal function. The error
is also re-raised as Effect::Pass, in line with the previous output, though an
Effect::Deny would also work here.

Fixes: https://tracker.ceph.com/issues/46078
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
(cherry picked from commit 1843f2dca853f97c6c9b4196eaf27581705be0e2)

src/rgw/rgw_iam_policy.cc

index da0fa92b7010e725b08f29db7faac10db302e19d..31936c40472f2d3b4f06f6182b7be8dc6b33c642 100644 (file)
@@ -970,12 +970,9 @@ ostream& operator <<(ostream& m, const Condition& c) {
 Effect Statement::eval(const Environment& e,
                       boost::optional<const rgw::auth::Identity&> ida,
                       uint64_t act, const ARN& res) const {
-  if (ida) {
-    if (!princ.empty() && !ida->is_identity(princ)) {
-      return Effect::Pass;
-    } else if (!noprinc.empty() && ida->is_identity(noprinc)) {
-      return Effect::Pass;
-    }
+
+  if (eval_principal(e, ida) == Effect::Deny) {
+    return Effect::Pass;
   }
 
   if (!resource.empty()) {
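Review bot: The new check `if (eval_principal(e, ida) == Effect::Deny)` turns a principal mismatch into `Effect::Pass` with no comment explaining why, and the distinction matters for authorization: Pass means the statement does not apply to the caller, whereas a Deny returned from `Statement::eval` would presumably count as an explicit deny when the policy's statements are combined. I would add a comment above the check, for example `// Principal does not match: the statement is not applicable, so Pass rather than an explicit Deny.` The outcome when `ida` is `boost::none`, or when both `princ` and `noprinc` are empty, now depends entirely on `eval_principal`, whose body is not in this hunk. A unit test that evaluates a statement with neither Principal nor NotPrincipal against a concrete identity would pin the intended result. The body of `Statement::eval` continues past the end of the hunk.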