rgw: adding mfa code validation when bucket versioning status is changed.

When the user changes bucket versioning status from Enabled->Suspended
and vice versa, MFA code needs to be validated, if MFA has been enabled
for the bucket.

Fixes tracker issue #42911

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit db89c4af159301710e1cc32dbd6298c1ec24b006)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 158848eb3dc456ee9ffd3af1ebeb3dd236d3ffe0..c0908d61d3fa836c6f8349e7b0764b60b5125bc6 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -2203,6 +2203,20 @@ void RGWSetBucketVersioning::execute()
     op_ret = -ERR_MFA_REQUIRED;
     return;
   }
+  //if mfa is enabled for bucket, make sure mfa code is validated in case versioned status gets changed
+  if (cur_mfa_status) {
+    bool req_versioning_status = false;
+    //if requested versioning status is not the same as the one set for the bucket, return error
+    if (versioning_status == VersioningEnabled) {
+      req_versioning_status = (s->bucket_info.flags & BUCKET_VERSIONS_SUSPENDED) != 0;
+    } else if (versioning_status == VersioningSuspended) {
+      req_versioning_status = (s->bucket_info.flags & BUCKET_VERSIONS_SUSPENDED) == 0;
+    }
+    if (req_versioning_status && !s->mfa_verified) {
+      op_ret = -ERR_MFA_REQUIRED;
+      return;
+    }
+  }
 
   if (!store->is_meta_master()) {
     op_ret = forward_request_to_master(s, NULL, store, in_data, nullptr);