rgw: Check bucket CORS operations in policy

author Adam C. Emerson <aemerson@redhat.com>

Wed, 27 Sep 2017 19:42:27 +0000 (15:42 -0400)

committer Abhishek Lekshmanan <abhishek@suse.com>

Fri, 20 Oct 2017 15:04:58 +0000 (17:04 +0200)
author Adam C. Emerson <aemerson@redhat.com>
Wed, 27 Sep 2017 19:42:27 +0000 (15:42 -0400)
committer Abhishek Lekshmanan <abhishek@suse.com>
Fri, 20 Oct 2017 15:04:58 +0000 (17:04 +0200)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc

index f7e5caf67f51dd45763bc8c3eec39391ab2ae005..1496bc523533069d93ab6ea17a093284c1c3bc6e 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -4921,11 +4921,16 @@ void RGWDeleteLC::execute()
  
  int RGWGetCORS::verify_permission()
  {
-  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
-    return -EACCES;
+  if (s->iam_policy) {
+    if (s->iam_policy->eval(s->env, *s->auth.identity,
+                           rgw::IAM::s3PutBucketCORS,
+                           ARN(s->bucket)) == Effect::Allow) {
+      return 0;
+    }
+  } else if (s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
+    return 0;
    }
-
-  return 0;
+  return -EACCES;
  }
  
  void RGWGetCORS::execute()
@@ -4943,11 +4948,16 @@ void RGWGetCORS::execute()
  
  int RGWPutCORS::verify_permission()
  {
-  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
-    return -EACCES;
+  if (s->iam_policy) {
+    if (s->iam_policy->eval(s->env, *s->auth.identity,
+                           rgw::IAM::s3PutBucketCORS,
+                           ARN(s->bucket)) == Effect::Allow) {
+      return 0;
+    }
+  } else if (s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
+    return 0;
    }
-
-  return 0;
+  return -EACCES;
  }
  
  void RGWPutCORS::execute()
author	Adam C. Emerson <aemerson@redhat.com>
	Wed, 27 Sep 2017 19:42:27 +0000 (15:42 -0400)
committer	Abhishek Lekshmanan <abhishek@suse.com>
	Fri, 20 Oct 2017 15:04:58 +0000 (17:04 +0200)