rgw: move PublicAccessConfiguration to req_state
authorAbhishek Lekshmanan <abhishek@suse.com>
Wed, 2 Oct 2019 09:57:36 +0000 (11:57 +0200)
committerAbhishek Lekshmanan <abhishek@suse.com>
Mon, 3 Feb 2020 16:53:33 +0000 (17:53 +0100)
This allows evaluation of more complex use cases, where IgnorePublicACLs and
similar settings are set and need to be evaluated for GET/HEAD requests as well.

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
src/rgw/rgw_common.h
src/rgw/rgw_op.cc

index c8a02ed54a5dd0c42c4b4d1d9f38ec05e22b01ab..3a1cac9c14117c6f39d9cfeb30a55f6b77e95554 100644 (file)
@@ -37,6 +37,7 @@
 #include "cls/user/cls_user_types.h"
 #include "cls/rgw/cls_rgw_types.h"
 #include "include/rados/librados.hpp"
+#include "rgw_public_access.h"
 
 namespace ceph {
   class Formatter;
@@ -1696,6 +1697,7 @@ struct req_state : DoutPrefixProvider {
 
   rgw::IAM::Environment env;
   boost::optional<rgw::IAM::Policy> iam_policy;
+  boost::optional<rgw::IAM::PublicAccessConfiguration> bucket_access_conf;
   vector<rgw::IAM::Policy> iam_user_policies;
 
   /* Is the request made by an user marked as a system one?
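Review bot: The new `bucket_access_conf` member in `req_state` has no comment saying where it is filled or what an empty optional means, although three enforcement checks in rgw_op.cc now read it. Going by the rgw_op.cc hunk, it is assigned in `rgw_build_bucket_policies()` only when `s->bucket_exists` is true. I would add `/* PublicAccessBlock settings decoded from bucket_attrs in rgw_build_bucket_policies(); left unset when the bucket does not exist */` above the member. The struct body continues outside the hunk.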
index b993f099e0cfac792fe61661f4824aa35f8a25e2..a284e2e823936b9dd7a64a0626145c0e67c92d7c 100644 (file)
@@ -700,6 +700,10 @@ int rgw_build_bucket_policies(rgw::sal::RGWRadosStore* store, struct req_state*
         return -EINVAL;
       }
     }
+
+    if(s->bucket_exists) {
+      s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+    }
   }
 
   /* handle user ACL only for those APIs which support it */
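Review bot: An empty `s->bucket_access_conf` now makes the public-access checks in `RGWPutObj::verify_permission`, `RGWPutACLs::execute` and `RGWPutBucketPolicy::execute` pass without blocking, because each one tests `s->bucket_access_conf && ...`. Those checks used to decode `s->bucket_attrs` themselves, so they now depend on this assignment having run for the request. The enclosing condition starts outside the hunk, so it cannot be confirmed here that every operation reaching those checks goes through this branch. If `get_public_access_conf_from_attr` can return an empty optional on a decode failure (not visible here), a log line for that case would keep a corrupt attribute from silently disabling the block. As a style point, `if(s->bucket_exists)` should read `if (s->bucket_exists)` to match the rest of the file.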
@@ -3634,8 +3638,7 @@ int RGWPutObj::verify_permission()
     }
   }
 
-  auto access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
-  if (access_conf && access_conf->block_public_acls()) {
+  if (s->bucket_access_conf && s->bucket_access_conf->block_public_acls()) {
     if (s->canned_acl.compare("public-read") ||
         s->canned_acl.compare("public-read-write") ||
         s->canned_acl.compare("authenticated-read"))
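Review bot: The canned-ACL test that follows the changed `if` in `RGWPutObj::verify_permission` uses `compare()`, which returns 0 on a match, so each term is true when the ACL differs from that name. The `||` chain is therefore true for every value of `s->canned_acl`, including an empty one (this assumes `canned_acl` is a `std::string`). With BlockPublicAcls set, the branch is taken for all uploads rather than only those asking for a public canned ACL; its body lies outside the hunk. The commit carries these lines over unchanged. The comparison should be equality, e.g. `if (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")`.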
@@ -5536,8 +5539,9 @@ void RGWPutACLs::execute()
     *_dout << dendl;
   }
 
-  if (auto access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
-      access_conf && access_conf->block_public_acls() && new_policy.IsPublic()) {
+  if (s->bucket_access_conf &&
+      s->bucket_access_conf->block_public_acls() &&
+      new_policy.IsPublic()) {
     op_ret = -EACCES;
     return;
   }
@@ -7692,11 +7696,11 @@ void RGWPutBucketPolicy::execute()
   try {
     const Policy p(s->cct, s->bucket_tenant, data);
     auto attrs = s->bucket_attrs;
-    if (auto access_conf = get_public_access_conf_from_attr(attrs);
-        access_conf && access_conf->block_public_policy() && rgw::IAM::IsPublic(p))
-    {
-        op_ret = -EACCES;
-        return;
+    if (s->bucket_access_conf &&
+        s->bucket_access_conf->block_public_policy() &&
+        rgw::IAM::IsPublic(p)) {
+      op_ret = -EACCES;
+      return;
     }
 
     op_ret = retry_raced_bucket_write(store->getRados(), s, [&p, this, &attrs] {