rgw: Avoid segfault when OPA authz is enabled 46106/head
authorBenoît Knecht <bknecht@protonmail.ch>
Tue, 12 Apr 2022 09:51:10 +0000 (11:51 +0200)
committerBenoît Knecht <bknecht@protonmail.ch>
Tue, 31 Oct 2023 14:13:06 +0000 (15:13 +0100)
When `rgw_use_opa_authz=true`, radosgw would segfault on any request that
didn't target a specific object or bucket, because `s->object` or `s->bucket`
would be `nullptr` in that case, but that code path would try to dereference
them anyway.

This commit only adds the `object_name`, `subuser`, `user_info` and
`bucket_info` JSON objects if the corresponding `s->X` object is defined,
thereby avoiding segfaults in radosgw when Open Policy Agent authorization is
enabled.

Fixes: https://tracker.ceph.com/issues/55286
Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit ac71916cea04c8bac4baf58bcb9c63d8797f877e)

src/rgw/rgw_opa.cc

index 4e5770300267f5c95da203eea6416eefc0a0527a..2cbbbdbd52ccb3b7f22c8d4b0cff10605eb2e2da 100644 (file)
@@ -44,10 +44,18 @@ int rgw_opa_authorize(RGWOp *& op,
   jf.dump_string("decoded_uri", s->decoded_uri.c_str());
   jf.dump_string("params", s->info.request_params.c_str());
   jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
-  jf.dump_string("object_name", s->object->get_name().c_str());
-  jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
-  jf.dump_object("user_info", s->user->get_info());
-  jf.dump_object("bucket_info", s->bucket->get_info());
+  if (s->object) {
+    jf.dump_string("object_name", s->object->get_name().c_str());
+  }
+  if (s->auth.identity) {
+    jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
+  }
+  if (s->user) {
+    jf.dump_object("user_info", s->user->get_info());
+  }
+  if (s->bucket) {
+    jf.dump_object("bucket_info", s->bucket->get_info());
+  }
   jf.close_section();
   jf.close_section();
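Review bot: With the new guards, the document sent to OPA silently omits `object_name`, `subuser`, `user_info` or `bucket_info` whenever the matching pointer is null, and nothing in the hunk tells policy authors that these keys are now optional. In Rego a rule that references a missing key evaluates to undefined rather than false, so a deny rule keyed on `input.user_info` or `input.bucket_info` does not fire for such requests. Whether that fails open depends on the policy's default and on how the OPA response is interpreted later in `rgw_opa_authorize`, which continues outside this hunk. I would add a comment above the first guard, e.g. `// Optional keys: omitted when the request has no object/identity/user/bucket; OPA policies must not assume they exist.`, and state the same in the OPA integration documentation. A request that reaches this point with `s->auth.identity` unset presumably should not occur after authentication, so a debug log line in that branch would help operators notice it.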