return false;
}
} else if (w->kind == TokenKind::cond_key) {
- auto& t = pp->policy.statements.back();
if (l > 0 && *s == '$') {
if (l >= 2 && *(s+1) == '{') {
if (l > 0 && *(s+l-1) == '}') {
- t.conditions.back().isruntime = true;
+ t->conditions.back().isruntime = true;
} else {
annotate(fmt::format("Invalid interpolation `{}`.",
std::string_view{s, l}));
return false;
}
}
- t.conditions.back().vals.emplace_back(s, l);
+ t->conditions.back().vals.emplace_back(s, l);
// Principals
return false;
}
+ // NotPrincipal must be used with "Effect":"Deny". Using it with "Effect":"Allow" is not supported.
+ // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
+ if (t && t->effect == Effect::Allow && !t->noprinc.empty()) {
+ annotate("Allow with NotPrincipal is not allowed.");
+ return false;
+ }
+
return true;
}
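Review bot: The new NotPrincipal guard tests `t` for null before reading `t->effect`, but the `cond_key` branch changed earlier in this patch calls `t->conditions.back()` in two places with no such test. The declaration of `t` and the start of this function are outside the visible lines, so it is unclear which assumption holds. If `t` can be empty here, the `cond_key` branch should start with the same guard, for example `if (!t) { return false; }`; if it cannot, dropping `t &&` keeps the two sites consistent. The rejection also depends on both `effect` and `noprinc` being populated when this check runs, so a parser test should feed the statement with `NotPrincipal` before `Effect` and again with `Effect` before `NotPrincipal`. That would confirm an Allow statement with NotPrincipal is refused in either key order, and not accepted as a broader grant than the author intended.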