From: xiangxiang
Date: Fri, 17 Aug 2018 09:59:06 +0000 (+0800)
Subject: rgw: policy: fix NotPricipal, NotResource does not take effect
X-Git-Tag: v14.0.1~171^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=24d295237ef8de8f156e307fe451975b2292bc93;p=ceph.git
rgw: policy: fix NotPricipal, NotResource does not take effect
Signed-off-by: xiangxiang
---
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 8641d1109174..d45bc952dced 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -1280,20 +1280,28 @@ ostream& operator <<(ostream& m, const Condition& c) {
 Effect Statement::eval(const Environment& e, boost::optional ida, uint64_t act, const ARN& res) const {
- if (ida && (!ida->is_identity(princ) || ida->is_identity(noprinc))) {
- return Effect::Pass;
+ if (ida) {
+ if (!princ.empty() && !ida->is_identity(princ)) {
+ return Effect::Pass;
+ } else if (!noprinc.empty() && ida->is_identity(noprinc)) {
+ return Effect::Pass;
+ }
 }
-
- if (!std::any_of(resource.begin(), resource.end(),
- [&res](const ARN& pattern) {
- return pattern.match(res);
- }) ||
- (std::any_of(notresource.begin(), notresource.end(),
- [&res](const ARN& pattern) {
- return pattern.match(res);
- }))) {
- return Effect::Pass;
+ if (!resource.empty()) {
+ if (!std::any_of(resource.begin(), resource.end(),
+ [&res](const ARN& pattern) {
+ return pattern.match(res);
+ })) {
+ return Effect::Pass;
+ }
+ } else if (!notresource.empty()) {
+ if (std::any_of(notresource.begin(), notresource.end(),
+ [&res](const ARN& pattern) {
+ return pattern.match(res);
+ })) {
+ return Effect::Pass;
+ }
 }
 if (!(action[act] == 1) || (notaction[act] == 1)) {
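Review bot: When `resource` and `notresource` are both empty, neither branch of the new `if (!resource.empty()) … else if (!notresource.empty())` runs, so the statement now matches every ARN, whereas the old `!std::any_of(...)` over an empty set returned `Effect::Pass`. The `ida` block has the same shape when `princ` and `noprinc` are both empty. Unless the policy parser is guaranteed to reject such statements (not visible in this hunk), an Allow statement missing these elements would apply more broadly than before, so an explicit guard such as `if (resource.empty() && notresource.empty()) return Effect::Pass;` would keep evaluation default-deny. The outer `else if` also means `notresource` is never consulted once `resource` is non-empty, unlike the principal check where both sets are tested; a plain second `if`, or a comment stating that the two elements are mutually exclusive, would make that intent explicit. `Statement::eval` continues past the end of the hunk.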