rgw: initial implementation of a public policy tester
authorAbhishek Lekshmanan <abhishek@suse.com>
Thu, 29 Aug 2019 18:06:59 +0000 (20:06 +0200)
committerAbhishek Lekshmanan <abhishek@suse.com>
Mon, 3 Feb 2020 16:53:31 +0000 (17:53 +0100)
This does not yet cover all the cases involving a nonprinc user.

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
src/rgw/rgw_iam_policy.cc
src/rgw/rgw_iam_policy.h
src/rgw/rgw_op.cc

index fdfa480f3e47af202cf99ad1d9b3fa8c7160ffc7..c33db62149cb0ac57ab163157b205e6124f61f92 100644 (file)
@@ -1431,5 +1431,36 @@ ostream& operator <<(ostream& m, const Policy& p) {
   return m << " }";
 }
 
+static const Environment iam_all_env = {
+                                       {"aws:SourceIp","1.1.1.1"},
+                                       {"aws:UserId","anonymous"},
+                                       {"s3:x-amz-server-side-encryption-aws-kms-key-id","secret"}
+};
+
+struct IsPublicStatement
+{
+  bool operator() (const Statement &s) const {
+    if (s.effect == Effect::Allow) {
+      for (const auto& p : s.princ) {
+       if (p.is_wildcard()) {
+         if (s.eval_conditions(iam_all_env) == Effect::Allow)
+           return true;
+       }
+      }
+      // no princ should not contain fixed values
+      return std::all_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) {
+                                                               return !p.is_wildcard();
+                                                            });
+    }
+    return false;
+  }
+};
+
+
+bool IsPublic(const Policy& p)
+{
+  return std::any_of(p.statements.begin(), p.statements.end(), IsPublicStatement());
 }
-}
+
+} // namespace IAM
+} // namespace rgw
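Review bot: The fallback on the `std::all_of` line classifies an Allow statement as public whenever `s.noprinc` is empty, because `std::all_of` over an empty range is true, so a statement that only names specific principals (no wildcard, no NotPrincipal) is reported public — a false positive for the "public bucket" check in rgw_op.cc. The intent appears to be "a NotPrincipal list with only fixed values excludes a few users and therefore opens the statement to everyone else", which needs a non-empty list: `return !s.noprinc.empty() && std::all_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) { return !p.is_wildcard(); });`. That path also skips `eval_conditions`, unlike the wildcard-principal path above it, so a NotPrincipal statement gated on a condition that the sample environment would not satisfy is still counted; applying the same `s.eval_conditions(iam_all_env) == Effect::Allow` guard would keep the two paths consistent. A short comment on `iam_all_env` saying it is a fixed sample environment used to probe conditions, not a real request context, would help the next reader understand why the values are placeholders.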
index 21f8ead8e7229b01baa9236a1b1f0c35903ff79d..a667a0192ac274fa0c6447f28d7af9f92d2d88f0 100644 (file)
@@ -486,6 +486,8 @@ struct Policy {
 };
 
 std::ostream& operator <<(ostream& m, const Policy& p);
+bool IsPublic(const Policy& p);
+
 }
 }
 
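Review bot: The new `IsPublic` declaration has no documentation, and "public" is a heuristic rather than a full policy evaluation, which a caller in the header cannot tell. I would add above it: `/// Heuristic: true if any Allow statement grants access to a wildcard (anonymous) principal, evaluated against a fixed sample environment; not a full policy simulation.`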
index c2f4a98d255361c786117747dbba4549ae8328f8..a9fafb77f2d1a0ad28ea28b8aeee539fb2c8150d 100644 (file)
@@ -8085,4 +8085,6 @@ void RGWGetBucketPolicyStatus::execute()
                          }
                         );
   ldout(s->cct,20) << __func__ << "ACL public status=" << isPublic << dendl;
+  if (s->iam_policy)
+    isPublic |= rgw::IAM::IsPublic(*s->iam_policy);
 }
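Review bot: The debug line on the preceding ldout is emitted before the IAM policy result is OR'd into `isPublic`, so the logged "ACL public status" no longer reflects the value the method ends with, which makes the log misleading when diagnosing a bucket reported public. Adding a second trace after the new lines, `ldout(s->cct,20) << __func__ << " policy public status=" << isPublic << dendl;`, keeps the ACL-only and combined values both visible. The body of RGWGetBucketPolicyStatus::execute starts outside the hunk.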