From: liubingrun <liubr1@chinatelecom.cn>
Date: Fri, 19 Sep 2025 16:53:48 +0000 (+0800)
Subject: rgw/iam: fix NotEquals conditions to use AND logic instead of OR
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=225241d6ae6fc43fd6515910a5450006006d4ce0;p=ceph-ci.git

rgw/iam: fix NotEquals conditions to use AND logic instead of OR

All NotEquals operators (String/Numeric/Date/IP/ARN) now correctly require
the reference value to differ from ALL condition values, not just ANY value.

Signed-off-by: liubingrun <liubr1@chinatelecom.cn>
---

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 786e03022e0..c4d3bc048b8 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -908,7 +908,7 @@ bool Condition::eval(const Environment& env) const {
     return multimap_any(std::equal_to<std::string>(), itr, isruntime? runtime_vals : vals);
 
   case TokenID::StringNotEquals:
-    return multimap_any(std::not_fn(std::equal_to<std::string>()),
+    return multimap_none(std::equal_to<std::string>(),
      itr, isruntime? runtime_vals : vals);
 
   case TokenID::ForAnyValueStringEqualsIgnoreCase:
@@ -916,14 +916,14 @@ bool Condition::eval(const Environment& env) const {
     return multimap_any(ci_equal_to(), itr, isruntime? runtime_vals : vals);
 
   case TokenID::StringNotEqualsIgnoreCase:
-    return multimap_any(std::not_fn(ci_equal_to()), itr, isruntime? runtime_vals : vals);
+    return multimap_none(ci_equal_to(), itr, isruntime? runtime_vals : vals);
 
   case TokenID::ForAnyValueStringLike:
   case TokenID::StringLike:
     return multimap_any(string_like(), itr, isruntime? runtime_vals : vals);
 
   case TokenID::StringNotLike:
-    return multimap_any(std::not_fn(string_like()), itr, isruntime? runtime_vals : vals);
+    return multimap_none(string_like(), itr, isruntime? runtime_vals : vals);
 
   case TokenID::ForAllValuesStringEquals:
     return multimap_all(std::equal_to<std::string>(), itr, isruntime? runtime_vals : vals);
@@ -939,7 +939,7 @@ bool Condition::eval(const Environment& env) const {
     return typed_any(std::equal_to<double>(), as_number, s, vals);
 
   case TokenID::NumericNotEquals:
-    return typed_any(std::not_fn(std::equal_to<double>()),
+    return typed_none(std::equal_to<double>(),
        as_number, s, vals);
 
 
@@ -962,7 +962,7 @@ bool Condition::eval(const Environment& env) const {
     return typed_any(std::equal_to<ceph::real_time>(), as_date, s, vals);
 
   case TokenID::DateNotEquals:
-    return typed_any(std::not_fn(std::equal_to<ceph::real_time>()),
+    return typed_none(std::equal_to<ceph::real_time>(),
        as_date, s, vals);
   case TokenID::DateLessThan:
     return typed_any(std::less<ceph::real_time>(), as_date, s, vals);
@@ -992,24 +992,8 @@ bool Condition::eval(const Environment& env) const {
     return typed_any(std::equal_to<MaskedIP>(), as_network, s, vals);
 
   case TokenID::NotIpAddress:
-    {
-      auto xc = as_network(s);
-      if (!xc) {
-	return false;
-      }
-
-      for (const string& d : vals) {
-	auto xd = as_network(d);
-	if (!xd) {
-	  continue;
-	}
-
-	if (xc == xd) {
-	  return false;
-	}
-      }
-      return true;
-    }
+    return typed_none(std::equal_to<MaskedIP>(),
+      as_network, s, vals);
 
     // Amazon Resource Names!
     // The ArnEquals and ArnLike condition operators behave identically.
@@ -1018,7 +1002,7 @@ bool Condition::eval(const Environment& env) const {
     return multimap_any(arn_like, itr, isruntime? runtime_vals : vals);
   case TokenID::ArnNotEquals:
   case TokenID::ArnNotLike:
-    return multimap_any(std::not_fn(arn_like), itr, isruntime? runtime_vals : vals);
+    return multimap_none(arn_like, itr, isruntime? runtime_vals : vals);
 
   default:
     return false;