rgw/sns: ListTopics uses account root arn for policy evaluation 68429/head
authorCasey Bodley <cbodley@redhat.com>
Thu, 16 Apr 2026 16:49:43 +0000 (12:49 -0400)
committerCasey Bodley <cbodley@redhat.com>
Thu, 16 Apr 2026 18:14:21 +0000 (14:14 -0400)
when called by a non-root account user, permissions from identity policy
were not being applied correctly and always resulted in:
> evaluate_iam_policies: implicit deny from identity-based policy

passing a non-empty ARN argument to verify_user_permission() fixes this.
while other SNS APIs evaluate the policy against a specific topic's arn, ListTopics doesn't
operate on individual topics, so the account root user's arn is used as the resource arn instead

Fixes: https://tracker.ceph.com/issues/74595
Signed-off-by: Casey Bodley <cbodley@redhat.com>
src/rgw/rgw_rest_pubsub.cc

index fe4c949869f7e1f83a167acbfc7140caa06012a1..afefb18be21bb2d224ffcaee00d7907d8186e8b6 100644 (file)
@@ -6,6 +6,7 @@
 #include <optional>
 #include <regex>
 #include "include/function2.hpp"
+#include "rgw_account.h"
 #include "rgw_iam_policy.h"
 #include "rgw_rest_pubsub.h"
 #include "rgw_pubsub.h"
@@ -467,9 +468,13 @@ private:
 
 public:
   int verify_permission(optional_yield) override {
-    // check account permissions up front
-    if (s->auth.identity->get_account() &&
-        !verify_user_permission(this, s, {}, rgw::IAM::snsListTopics)) {
+    // account permissions are checked up front. for non-account users,
+    // execute() instead checks permissions against each topic
+    if (!s->auth.identity->get_account()) {
+      return 0;
+    }
+    const auto arn = rgw::account::root_arn(s->auth.identity->get_account()->id);
+    if (!verify_user_permission(this, s, arn, rgw::IAM::snsListTopics)) {
       return -ERR_AUTHORIZATION;
     }