rgw/s3: rename req_state::bucket_access_conf to public_access_block
authorCasey Bodley <cbodley@redhat.com>
Mon, 30 Jun 2025 19:46:37 +0000 (15:46 -0400)
committerCasey Bodley <cbodley@redhat.com>
Tue, 21 Oct 2025 15:42:23 +0000 (11:42 -0400)
the name reflects a PublicAccessBlock configuration that may come either
from the bucket (s3 PutPublicAccessBlock) or from the account (s3control)

Signed-off-by: Casey Bodley <cbodley@redhat.com>
src/rgw/rgw_common.cc
src/rgw/rgw_common.h
src/rgw/rgw_op.cc

index 388da24ac8735c40c8fccfa9b38fd2e47ebc6635..418e4ef2aec3d7da4b4d785a9bbb5a870f74cf80 100644 (file)
@@ -1124,7 +1124,7 @@ struct perm_state_from_req_state : public perm_state_base {
                      _s->bucket_object_ownership,
                      _s->perm_mask,
                      _s->defer_to_bucket_acls,
-                     _s->bucket_access_conf),
+                     _s->public_access_block),
       s(_s) {}
 
   std::optional<bool> get_request_payer() const override {
@@ -1379,7 +1379,7 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
 
   // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
   // deny the request if the requester is not in the bucket owner account
-  const bool restrict_public_buckets = s->bucket_access_conf && s->bucket_access_conf->restrict_public_buckets();
+  const bool restrict_public_buckets = s->public_access_block && s->public_access_block->restrict_public_buckets();
   if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
     ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
     return false;
@@ -1456,8 +1456,8 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
 
   if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm,
                                    ps->get_referer(),
-                                   ps->bucket_access_conf &&
-                                   ps->bucket_access_conf->ignore_public_acls())) {
+                                   ps->public_access_block &&
+                                   ps->public_access_block->ignore_public_acls())) {
     ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl;
     if (granted_by_acl) {
       *granted_by_acl = true;
@@ -1546,7 +1546,7 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
 
   // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
   // deny the request if the requester is not in the bucket owner account
-  const bool restrict_public_buckets = ps->bucket_access_conf && ps->bucket_access_conf->restrict_public_buckets();
+  const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->restrict_public_buckets();
   if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) {
     ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
     return false;
@@ -1633,8 +1633,8 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
   if (ps->bucket_object_ownership != rgw::s3::ObjectOwnership::BucketOwnerEnforced &&
       object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm,
                                    nullptr, /* http referrer */
-                                   ps->bucket_access_conf &&
-                                   ps->bucket_access_conf->ignore_public_acls())) {
+                                   ps->public_access_block &&
+                                   ps->public_access_block->ignore_public_acls())) {
     ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl;
     if (granted_by_acl) {
       *granted_by_acl = true;
index 4f2b0160ea660e4a495cad81e72db852567f158f..db2881dea63114b5c1945b8cd41c3d8c607cdcaa 100644 (file)
@@ -1401,7 +1401,7 @@ struct req_state : DoutPrefixProvider {
 
   rgw::IAM::Environment env;
   boost::optional<rgw::IAM::Policy> iam_policy;
-  boost::optional<PublicAccessBlockConfiguration> bucket_access_conf;
+  boost::optional<PublicAccessBlockConfiguration> public_access_block;
   rgw::s3::ObjectOwnership bucket_object_ownership = rgw::s3::ObjectOwnership::ObjectWriter;
   std::vector<rgw::IAM::Policy> iam_identity_policies;
 
@@ -1720,7 +1720,7 @@ struct perm_state_base {
   rgw::s3::ObjectOwnership bucket_object_ownership;
   int perm_mask;
   bool defer_to_bucket_acls;
-  boost::optional<PublicAccessBlockConfiguration> bucket_access_conf;
+  boost::optional<PublicAccessBlockConfiguration> public_access_block;
 
   perm_state_base(CephContext *_cct,
                   const rgw::IAM::Environment& _env,
@@ -1729,7 +1729,7 @@ struct perm_state_base {
                   rgw::s3::ObjectOwnership bucket_object_ownership,
                   int _perm_mask,
                   bool _defer_to_bucket_acls,
-                  boost::optional<PublicAccessBlockConfiguration> _bucket_access_conf = boost::none) :
+                  boost::optional<PublicAccessBlockConfiguration> _public_access_block = boost::none) :
                                                 cct(_cct),
                                                 env(_env),
                                                 identity(_identity),
@@ -1737,7 +1737,7 @@ struct perm_state_base {
                                                 bucket_object_ownership(bucket_object_ownership),
                                                 perm_mask(_perm_mask),
                                                 defer_to_bucket_acls(_defer_to_bucket_acls),
-                                                bucket_access_conf(_bucket_access_conf)
+                                                public_access_block(_public_access_block)
   {}
 
   virtual ~perm_state_base() {}
index 1c4502235a709db933e43c6a67aded1c5b13f7d2..dc07dd712b3df8821d15063dac1191a23e720a94 100644 (file)
@@ -616,7 +616,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
       return -EINVAL;
     }
 
-    s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+    s->public_access_block = get_public_access_conf_from_attr(s->bucket_attrs);
     s->bucket_object_ownership = rgw::s3::get_object_ownership(s->bucket_attrs);
   }
 
@@ -4177,7 +4177,7 @@ int RGWPutObj::init_processing(optional_yield y) {
   } /* copy_source */
 
   // reject public canned acls
-  if (s->bucket_access_conf && s->bucket_access_conf->block_public_acls() &&
+  if (s->public_access_block && s->public_access_block->block_public_acls() &&
       (s->canned_acl == "public-read" ||
        s->canned_acl == "public-read-write" ||
        s->canned_acl == "authenticated-read")) {
@@ -6409,8 +6409,8 @@ void RGWPutACLs::execute(optional_yield y)
     *_dout << dendl;
   }
 
-  if (s->bucket_access_conf &&
-      s->bucket_access_conf->block_public_acls() &&
+  if (s->public_access_block &&
+      s->public_access_block->block_public_acls() &&
       new_policy.is_public(this)) {
     op_ret = -EACCES;
     return;
@@ -8857,8 +8857,8 @@ void RGWPutBucketPolicy::execute(optional_yield y)
       s->cct, &s->bucket_tenant, data.to_str(),
       s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
     rgw::sal::Attrs attrs(s->bucket_attrs);
-    if (s->bucket_access_conf &&
-        s->bucket_access_conf->block_public_policy() &&
+    if (s->public_access_block &&
+        s->public_access_block->block_public_policy() &&
         rgw::IAM::is_public(p)) {
       op_ret = -EACCES;
       return;