rgw: honor PublicAccessBlockConfiguration for put object
authorAbhishek Lekshmanan <abhishek@suse.com>
Tue, 24 Sep 2019 14:40:41 +0000 (16:40 +0200)
committerAbhishek Lekshmanan <abhishek@suse.com>
Mon, 3 Feb 2020 16:53:33 +0000 (17:53 +0100)
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
src/rgw/rgw_op.cc

index 42682a6c637bca5e06702e13555b50f0a8cf8d4e..4a9560e98db11d0588c4ae673885fac2c08376b5 100644 (file)
@@ -86,6 +86,7 @@ using rgw::IAM::Effect;
 using rgw::IAM::Policy;
 
 using rgw::IAM::Policy;
+using rgw::IAM::PublicAccessConfiguration;
 
 static string mp_ns = RGW_OBJ_NS_MULTIPART;
 static string shadow_ns = RGW_OBJ_NS_SHADOW;
@@ -294,6 +295,24 @@ static boost::optional<Policy> get_iam_policy_from_attr(CephContext* cct,
   }
 }
 
+static boost::optional<PublicAccessConfiguration>
+get_public_access_conf_from_attr(const map<string, bufferlist>& attrs)
+{
+  if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS);
+      aiter != attrs.end())
+    {
+      bufferlist::const_iterator iter{&aiter->second};
+      PublicAccessConfiguration access_conf;
+      try {
+        access_conf.decode(iter);
+      } catch (const buffer::error& e) {
+        return boost::none;
+      }
+      return access_conf;
+    }
+  return boost::none;
+}
+
 vector<Policy> get_iam_user_policy_from_attr(CephContext* cct,
                         rgw::sal::RGWRadosStore* store,
                         map<string, bufferlist>& attrs,
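Review bot: In `get_public_access_conf_from_attr`, the `catch (const buffer::error& e)` branch returns `boost::none`, the same value returned when `RGW_ATTR_PUBLIC_ACCESS` is absent, so a caller cannot tell a corrupt configuration from no configuration and will apply no block at all (fail open). Consider taking `CephContext* cct` as `get_iam_policy_from_attr` does and logging before returning, e.g. `ldout(cct, 0) << "ERROR: couldn't decode public access configuration: " << e.what() << dendl;`, and decide explicitly whether callers should deny the request on a decode error. At minimum, add a comment above the function stating that decode errors are reported as `boost::none`. The braces of the new `if` block are also indented differently from the surrounding code.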
@@ -3615,6 +3634,14 @@ int RGWPutObj::verify_permission()
     }
   }
 
+  auto access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+  if (access_conf && access_conf->block_public_acls()) {
+    if (s->canned_acl.compare("public-read") ||
+        s->canned_acl.compare("public-read-write") ||
+        s->canned_acl.compare("authenticated-read"))
+      return -EACCES;
+  }
+
   auto op_ret = get_params();
   if (op_ret < 0) {
     ldpp_dout(this, 20) << "get_params() returned ret=" << op_ret << dendl;
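Review bot: The condition in the added `block_public_acls()` check is true for every request, because `std::string::compare` returns 0 on a match and non-zero otherwise, so the three `||`-ed calls can never all be zero; once the block is configured, every PutObject gets `-EACCES`, including one with a private or empty canned ACL. Compare for equality instead: `if (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")`. The check also looks only at `s->canned_acl` and runs before `get_params()`; whether ACLs supplied through explicit grant headers are covered, and whether `canned_acl` is already populated at this point, is not visible here and is worth confirming. The body of `RGWPutObj::verify_permission` starts and ends outside the hunk.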