return allowed ? Effect::Allow : Effect::Pass;
}
-bool Policy::has_conditional(const string& conditional, bool partial) const {
- for (const auto&s: statements){
- if (std::any_of(s.conditions.begin(), s.conditions.end(),
- [&](const Condition& c) { return c.has_key(conditional, partial);}))
- return true;
- }
- return false;
-}
-
ostream& operator <<(ostream& m, const Policy& p) {
m << "{ Version: "
<< (p.version == Version::v2008_10_17 ? "2008-10-17" : "2012-10-17");
}
};
+ struct ci_starts_with {
+ bool operator()(const std::string& s1,
+ const std::string& s2) const {
+ return boost::istarts_with(s1, s2);
+ }
+ };
+
template<typename F>
static bool orrible(F&& f, const std::string& c,
const std::vector<std::string>& v) {
return false;
}
- bool has_key(const std::string& _key, bool partial=false) const {
- if (partial)
- return boost::algorithm::istarts_with(key, _key);
- else
- return boost::algorithm::iequals(key, _key);
+ template <typename F>
+ bool has_key_p(const std::string& _key, F p) const {
+ return p(key, _key);
}
};
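Review bot: `has_key_p` now hands the stored condition key to an arbitrary predicate, and `boost::istarts_with` is asymmetric, so the argument order on the `return p(key, _key);` line is the whole contract: the predicate receives the stored key first and the probe second, which is what makes `ci_starts_with` mean "stored key begins with the probe" rather than the reverse. Neither the struct nor the member says so; I'd add `// Case-insensitive test that s1 begins with s2 (argument order matters).` above `operator()` and `// Calls p(stored_key, _key): the predicate sees the condition's own key first.` above `has_key_p`. Taking `F p` by value is fine for these empty functors; `const F&` would be the usual choice if a stateful predicate is ever passed. The enclosing struct (presumably `Condition`, given the `Condition::` qualification elsewhere in the diff) starts before this hunk, and `orrible` between the two changes is unchanged context.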
boost::optional<const rgw::auth::Identity&> ida,
std::uint64_t action, const ARN& resource) const;
- bool has_conditional(const string& conditional, bool partial=false) const;
+ template <typename F>
+ bool has_conditional(const string& conditional, F p) const {
+ for (const auto&s: statements){
+ if (std::any_of(s.conditions.begin(), s.conditions.end(),
+ [&](const Condition& c) { return c.has_key_p(conditional, p);}))
+ return true;
+ }
+ return false;
+ }
+
+ bool has_conditional(const string& c) const {
+ return has_conditional(c, Condition::ci_equal_to());
+ }
+
+ bool has_partial_conditional(const string& c) const {
+ return has_conditional(c, Condition::ci_starts_with());
+ }
};
std::ostream& operator <<(ostream& m, const Policy& p);
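Review bot: `has_partial_conditional` is the trigger the request handlers use to decide whether to load object tags before evaluating the policy, yet nothing here says that the match is a case-insensitive prefix test with `c` as the prefix, nor that `has_conditional` is an exact case-insensitive match; a reader of the callers has to chase `ci_starts_with` to find out. I'd add `/// True if any statement has a condition whose key case-insensitively equals c.` above `has_conditional(const string& c)` and `/// True if any statement has a condition whose key begins (case-insensitively) with c.` above `has_partial_conditional`. The template overload could note that `p` is invoked as `p(condition_key, conditional)`, since that order is what both wrappers rely on. `Condition::ci_equal_to` is not defined in this hunk, so I am assuming it already exists alongside the added `ci_starts_with`. The enclosing class (`Policy`, by the `Policy::` qualification in the removed definition) starts before this hunk.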
} else {
action = rgw::IAM::s3GetObjectVersion;
}
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true))
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG))
rgw_iam_add_existing_objtags(store, s, obj, action);
}
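Review bot: The guard-plus-load sequence on the three lines ending here is repeated verbatim in four more hunks of this diff (the tagging and ACL ops), so the decision of which policies are probed for an existing-object-tag condition lives in five places; one helper would keep it in a single spot. That matters because only `s->iam_policy` is consulted — if any other policy source can carry a condition on such a key for this request, that request is evaluated without the tags loaded; I cannot see from here whether such a source exists, so it is worth confirming. The return of `rgw_iam_add_existing_objtags` is also not inspected; if loading the tags can fail, the policy is then evaluated with those keys absent, and whether that is fail-closed depends on how the evaluator treats a missing key. The parameter types below are left generic only because the concrete types of `store` and `s` are not visible in this hunk; the real helper should use the types the call site already has. The enclosing function starts before this hunk.
```cpp
// Loads the object's existing tags into the IAM environment when the bucket
// policy references a condition key beginning with S3_EXISTING_OBJTAG;
// otherwise does nothing.
template <typename Store, typename ReqState>
static void rgw_iam_add_objtags_if_referenced(Store* store, ReqState* s,
                                              std::uint64_t action) {
  if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)) {
    rgw_obj obj(s->bucket, s->object);
    rgw_iam_add_existing_objtags(store, s, obj, action);
  }
}
// … unchanged: action selection …
rgw_iam_add_objtags_if_referenced(store, s, action);
```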
rgw::IAM::s3GetObjectVersionTagging;
// TODO since we are parsing the bl now anyway, we probably change
// the send_response function to accept RGWObjTag instead of a bl
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
rgw_obj obj = rgw_obj(s->bucket, s->object);
rgw_iam_add_existing_objtags(store, s, obj, iam_action);
}
rgw::IAM::s3PutObjectTagging:
rgw::IAM::s3PutObjectVersionTagging;
- if(s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if(s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
auto obj = rgw_obj(s->bucket, s->object);
rgw_iam_add_existing_objtags(store, s, obj, iam_action);
}
rgw::IAM::s3DeleteObjectTagging:
rgw::IAM::s3DeleteObjectVersionTagging;
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
auto obj = rgw_obj(s->bucket, s->object);
rgw_iam_add_existing_objtags(store, s, obj, iam_action);
}
rgw::IAM::s3GetObjectAcl :
rgw::IAM::s3GetObjectVersionAcl;
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
rgw_obj obj = rgw_obj(s->bucket, s->object);
rgw_iam_add_existing_objtags(store, s, obj, iam_action);
}