Merge pull request #25278 from ZVampirEM77/wip-deleteobject-policy

rgw: fix obj can still be deleted even if deleteobject policy is set
rgw: cleanup for RGWDeleteObj::verify_permission(

Reviewed-by: Pritha Srivastava <prsrivas@redhat.com>
Reviewed-by: Adam C. Emerson <aemerson@redhat.com>
Reviewed-by: Abhishek Lekshmanan <abhishek@suse.com>
Reviewed-by: Matt Benjamin <mbenjamin@redhat.com>

diff --cc src/rgw/rgw_op.cc
index 3b12fffa8b6b2d659ab9114a48cfe2b445efd724,37e45ec0374d7752c6f0d6407f68ebe9e6dcc5d2..d576107bc838644f908503ecb9025a662380ef95
--- 1/src/rgw/rgw_op.cc
--- 2/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@@ -4450,23 -4275,19 +4450,23 @@@ int RGWDeleteObj::verify_permission(
                                                rgw::IAM::s3DeleteObjectVersion,
                                                ARN(s->bucket, s->object.name));
      if (usr_policy_res == Effect::Deny) {
-       return false;
+       return -EACCES;
      }
 -    auto r = s->iam_policy->eval(s->env, *s->auth.identity,
 +
 +    rgw::IAM::Effect r = Effect::Pass;
 +    if (s->iam_policy) {
 +      r = s->iam_policy->eval(s->env, *s->auth.identity,
                                 s->object.instance.empty() ?
                                 rgw::IAM::s3DeleteObject :
                                 rgw::IAM::s3DeleteObjectVersion,
                                 ARN(s->bucket, s->object.name));
 +    }
      if (r == Effect::Allow)
-       return true;
+       return 0;
      else if (r == Effect::Deny)
-       return false;
+       return -EACCES;
      else if (usr_policy_res == Effect::Allow)
-       return true;
+       return 0;
    }
  
    if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {