if (!s->bucket_info.requester_pays)
return true;
- if (s->bucket_info.owner == s->user->user_id)
+ if (s->auth_identity->is_owner_of(s->bucket_info.owner))
return true;
const char *request_payer = s->info.env->get("HTTP_X_AMZ_REQUEST_PAYER");
if (!verify_requester_payer_permission(s))
return false;
- return bucket_acl->verify_permission(s->user->user_id, perm, perm);
+ return bucket_acl->verify_permission(*s->auth_identity, perm, perm);
}
bool verify_bucket_permission(struct req_state * const s, const int perm)
return true;
}
- if (!object_acl)
+ if (!object_acl) {
return false;
+ }
- bool ret = object_acl->verify_permission(s->user->user_id, s->perm_mask,
- perm);
- if (ret)
+ bool ret = object_acl->verify_permission(*s->auth_identity, s->perm_mask, perm);
+ if (ret) {
return true;
+ }
if (!s->cct->_conf->rgw_enforce_swift_acls)
return ret;
return false;
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
- return bucket_acl->verify_permission(s->user->user_id, swift_perm,
- swift_perm);
+ return bucket_acl->verify_permission(*s->auth_identity, swift_perm, swift_perm);
}
bool verify_object_permission(struct req_state *s, int perm)
string no_object;
rgw_obj no_obj(bucket, no_object);
ret = get_policy_from_attr(s->cct, store, s->obj_ctx, bucket_info, bucket_attrs, &bucket_policy, no_obj);
- if (ret < 0)
+ if (ret < 0) {
return ret;
+ }
+
rgw_user& owner = bucket_policy.get_owner().get_id();
if (!s->system_request && owner.compare(s->user->user_id) != 0 &&
- !bucket_policy.verify_permission(s->user->user_id, s->perm_mask,
- RGW_PERM_READ))
+ !bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
+ RGW_PERM_READ)) {
ret = -EACCES;
- else
+ } else {
ret = -ENOENT;
-
+ }
} else if (ret == -ENOENT) {
ret = -ERR_NO_SUCH_BUCKET;
}
{
obj = rgw_obj(s->bucket, s->object);
store->set_atomic(s->obj_ctx, obj);
- if (get_data)
+ if (get_data) {
store->set_prefetch_data(s->obj_ctx, obj);
+ }
- if (!verify_object_permission(s, RGW_PERM_READ))
+ if (!verify_object_permission(s, RGW_PERM_READ)) {
return -EACCES;
+ }
return 0;
}
int RGWGetUsage::verify_permission()
{
- if (!rgw_user_is_authenticated(*s->user))
+ if (s->auth_identity->is_anonymous()) {
return -EACCES;
+ }
+
return 0;
}
int RGWGetBucketVersioning::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWSetBucketVersioning::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWStatBucket::verify_permission()
{
- if (!verify_bucket_permission(s, RGW_PERM_READ))
+ if (!verify_bucket_permission(s, RGW_PERM_READ)) {
return -EACCES;
+ }
return 0;
}
int RGWListBucket::verify_permission()
{
- if (!verify_bucket_permission(s, RGW_PERM_READ))
+ if (!verify_bucket_permission(s, RGW_PERM_READ)) {
return -EACCES;
+ }
return 0;
}
int RGWGetBucketLogging::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWGetBucketLocation::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWCreateBucket::verify_permission()
{
- if (!rgw_user_is_authenticated(*(s->user)))
+ if (s->auth_identity->is_anonymous()) {
return -EACCES;
+ }
if (s->user->user_id.tenant != s->bucket_tenant) {
ldout(s->cct, 10)
int RGWDeleteBucket::verify_permission()
{
- if (!verify_bucket_permission(s, RGW_PERM_WRITE))
+ if (!verify_bucket_permission(s, RGW_PERM_WRITE)) {
return -EACCES;
+ }
return 0;
}
int RGWPutObj::verify_permission()
{
- if (!verify_bucket_permission(s, RGW_PERM_WRITE))
+ if (!verify_bucket_permission(s, RGW_PERM_WRITE)) {
return -EACCES;
+ }
return 0;
}
int RGWPutMetadataAccount::verify_permission()
{
- if (!rgw_user_is_authenticated(*(s->user))) {
+ if (s->auth_identity->is_anonymous()) {
return -EACCES;
}
int RGWDeleteObj::verify_permission()
{
- if (!verify_bucket_permission(s, RGW_PERM_WRITE))
+ if (!verify_bucket_permission(s, RGW_PERM_WRITE)) {
return -EACCES;
+ }
return 0;
}
/* check source object permissions */
op_ret = read_policy(store, s, src_bucket_info, src_attrs, &src_policy,
- src_bucket, src_object);
- if (op_ret < 0)
+ src_bucket, src_object);
+ if (op_ret < 0) {
return op_ret;
+ }
- if (!s->system_request && /* system request overrides permission checks */
- !src_policy.verify_permission(s->user->user_id, s->perm_mask,
- RGW_PERM_READ))
+ if (!s->system_request && /* admin request overrides permission checks */
+ !src_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) {
return -EACCES;
+ }
}
RGWAccessControlPolicy dest_bucket_policy(s->cct);
dest_attrs = src_attrs;
} else {
op_ret = store->get_bucket_info(obj_ctx, dest_tenant_name, dest_bucket_name,
- dest_bucket_info, NULL, &dest_attrs);
+ dest_bucket_info, nullptr, &dest_attrs);
if (op_ret < 0) {
if (op_ret == -ENOENT) {
op_ret = -ERR_NO_SUCH_BUCKET;
/* check dest bucket permissions */
op_ret = read_policy(store, s, dest_bucket_info, dest_attrs,
- &dest_bucket_policy, dest_bucket, no_obj);
- if (op_ret < 0)
+ &dest_bucket_policy, dest_bucket, no_obj);
+ if (op_ret < 0) {
return op_ret;
+ }
if (!s->system_request && /* system request overrides permission checks */
- !dest_bucket_policy.verify_permission(s->user->user_id, s->perm_mask,
- RGW_PERM_WRITE))
+ !dest_bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
+ RGW_PERM_WRITE)) {
return -EACCES;
+ }
op_ret = init_dest_policy();
- if (op_ret < 0)
+ if (op_ret < 0) {
return op_ret;
+ }
return 0;
}
int RGWGetCORS::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWPutCORS::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWDeleteCORS::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
int RGWSetRequestPayment::verify_permission()
{
- if (s->user->user_id.compare(s->bucket_owner.get_id()) != 0)
+ if (false == s->auth_identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
+ }
return 0;
}
projects / ceph.git / commitdiff