rgw: adding code for policy evaluation for ops
authorPritha Srivastava <prsrivas@redhat.com>
Sat, 18 Apr 2020 17:08:47 +0000 (22:38 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Mon, 12 Oct 2020 15:41:08 +0000 (21:11 +0530)
like getbucketversioning, putbucketversioning etc

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 5f86459381ed9f3c5565d1b74fc064f11b55c275)

src/rgw/rgw_common.cc

index 618b9f9fdde59357d5b8b932251c23176bf68d87..f706901dccb0de8cc03e3b9d201a609f52bdd3b9 100644 (file)
@@ -1263,11 +1263,22 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state *
 int verify_bucket_owner_or_policy(struct req_state* const s,
                                  const uint64_t op)
 {
+  auto usr_policy_res = eval_user_policies(s->iam_user_policies, s->env, boost::none, op, ARN(s->bucket));
+  if (usr_policy_res == Effect::Deny) {
+    return -EACCES;
+  }
+
   auto e = eval_or_pass(s->iam_policy,
                        s->env, *s->auth.identity,
                        op, ARN(s->bucket));
+  if (e == Effect::Deny) {
+    return -EACCES;
+  }
+
   if (e == Effect::Allow ||
+      usr_policy_res == Effect::Allow ||
       (e == Effect::Pass &&
+       usr_policy_res == Effect::Pass &&
        s->auth.identity->is_owner_of(s->bucket_owner.get_id()))) {
     return 0;
   } else {
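Review bot: The precedence the new code establishes — an explicit Deny from either the user policies or the bucket policy wins, an Allow from either grants, and bucket ownership is only consulted when both evaluate to Pass — is authorization-critical but undocumented, so a header comment on verify_bucket_owner_or_policy along the lines of `// Explicit Deny from user or bucket policy wins; otherwise Allow from either grants; ownership is the fallback only when both Pass.` would keep the next change from silently reordering it. As a point of style, once the two Deny early-returns are in place both results can only be Allow or Pass, so the `e == Effect::Pass && usr_policy_res == Effect::Pass &&` guards in the final condition are redundant; keeping them is harmless, but if they stay as a deliberate defensive check that intent is worth one comment. The user-policy call passes `boost::none` for the identity while the bucket-policy call passes `*s->auth.identity`; that looks intentional, since the principal of a user policy is the user itself, but a short comment on the eval_user_policies line would make the asymmetry explicit. The else branch and the end of the function lie outside the hunk.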