rgw/iam: match_policy() treats MATCH_POLICY_ARN as case-sensitive

now that the ArnLike conditions are the only user of MATCH_POLICY_ARN,
change their case-sensitivity to comply with Amazon Resource Name (ARN)
condition operators[1]

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a7a63aa3ffef1db3788e90e25192a53ee323c69c)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 50752ec6fdbdcff36d9280164e682f8a2ef628bd..df006fe4fb3d9ab8f229acc25872de27d9426941 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -2156,7 +2156,7 @@ int rgw_parse_op_type_list(const string& str, uint32_t *perm)
 bool match_policy(const std::string& pattern, const std::string& input,
                   uint32_t flag)
 {
-  const uint32_t flag2 = flag & (MATCH_POLICY_ACTION|MATCH_POLICY_ARN) ?
+  const uint32_t flag2 = (flag & MATCH_POLICY_ACTION) ?
       MATCH_CASE_INSENSITIVE : 0;
 
   std::string_view::size_type last_pos_input = 0, last_pos_pattern = 0;

diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 5e0ac32d64d51ff1ec183a5d121369f5f3e17ffb..a79d20849da30a88b0252be8ca0e14b3d4e3ef74 100644 (file)
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -1275,7 +1275,7 @@ TEST(MatchPolicy, ARN)
 {
   constexpr auto flag = MATCH_POLICY_ARN;
   EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
-  EXPECT_TRUE(match_policy("a:b:c", "A:B:C", flag)); // case insensitive
+  EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
   EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
   EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
 }