// If RestrictPublicBuckets is enabled and the bucket policy allows public access,
// deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = s->public_access_block && s->public_access_block->RestrictPublicBuckets;
- if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
+ if (s->public_access_block.RestrictPublicBuckets &&
+ bucket_policy && rgw::IAM::is_public(*bucket_policy) &&
+ !s->identity->is_owner_of(s->bucket_info.owner)) {
ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
return false;
}
if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm,
ps->get_referer(),
- ps->public_access_block &&
- ps->public_access_block->IgnorePublicAcls)) {
+ ps->public_access_block.IgnorePublicAcls)) {
ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl;
if (granted_by_acl) {
*granted_by_acl = true;
// If RestrictPublicBuckets is enabled and the bucket policy allows public access,
// deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->RestrictPublicBuckets;
- if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) {
+ if (ps->public_access_block.RestrictPublicBuckets &&
+ bucket_policy && rgw::IAM::is_public(*bucket_policy) &&
+ !ps->identity->is_owner_of(ps->bucket_info.owner)) {
ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
return false;
}
if (ps->bucket_object_ownership != rgw::s3::ObjectOwnership::BucketOwnerEnforced &&
object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm,
nullptr, /* http referrer */
- ps->public_access_block &&
- ps->public_access_block->IgnorePublicAcls)) {
+ ps->public_access_block.IgnorePublicAcls)) {
ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl;
if (granted_by_acl) {
*granted_by_acl = true;
rgw::IAM::Environment env;
boost::optional<rgw::IAM::Policy> iam_policy;
- boost::optional<PublicAccessBlockConfiguration> public_access_block;
+ // PublicAccessBlock configuration that applies to this request
+ PublicAccessBlockConfiguration public_access_block;
rgw::s3::ObjectOwnership bucket_object_ownership = rgw::s3::ObjectOwnership::ObjectWriter;
std::vector<rgw::IAM::Policy> iam_identity_policies;
rgw::s3::ObjectOwnership bucket_object_ownership;
int perm_mask;
bool defer_to_bucket_acls;
- boost::optional<PublicAccessBlockConfiguration> public_access_block;
+ PublicAccessBlockConfiguration public_access_block;
perm_state_base(CephContext *_cct,
const rgw::IAM::Environment& _env,
rgw::s3::ObjectOwnership bucket_object_ownership,
int _perm_mask,
bool _defer_to_bucket_acls,
- boost::optional<PublicAccessBlockConfiguration> _public_access_block = boost::none) :
+ PublicAccessBlockConfiguration _public_access_block = {}) :
cct(_cct),
env(_env),
identity(_identity),
return ret;
}
-static boost::optional<PublicAccessBlockConfiguration>
+static PublicAccessBlockConfiguration
get_public_access_conf_from_attr(const map<string, bufferlist>& attrs)
{
+ PublicAccessBlockConfiguration configuration;
if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS);
aiter != attrs.end()) {
bufferlist::const_iterator iter{&aiter->second};
- PublicAccessBlockConfiguration access_conf;
try {
- access_conf.decode(iter);
- } catch (const buffer::error& e) {
- return boost::none;
+ configuration.decode(iter);
+ } catch (const buffer::error&) {
+ // reset to default
+ configuration = PublicAccessBlockConfiguration{};
}
- return access_conf;
}
- return boost::none;
+ return configuration;
}
static int read_bucket_policy(const DoutPrefixProvider *dpp,
} /* copy_source */
// reject public canned acls
- if (s->public_access_block && s->public_access_block->BlockPublicAcls &&
+ if (s->public_access_block.BlockPublicAcls &&
(s->canned_acl == "public-read" ||
s->canned_acl == "public-read-write" ||
s->canned_acl == "authenticated-read")) {
*_dout << dendl;
}
- if (s->public_access_block &&
- s->public_access_block->BlockPublicAcls &&
+ if (s->public_access_block.BlockPublicAcls &&
new_policy.is_public(this)) {
op_ret = -EACCES;
return;
s->cct, &s->bucket_tenant, data.to_str(),
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
rgw::sal::Attrs attrs(s->bucket_attrs);
- if (s->public_access_block &&
- s->public_access_block->BlockPublicPolicy &&
+ if (s->public_access_block.BlockPublicPolicy &&
rgw::IAM::is_public(p)) {
op_ret = -EACCES;
return;
projects / ceph.git / commitdiff