From: Casey Bodley
Date: Mon, 30 Jun 2025 19:46:37 +0000 (-0400)
Subject: rgw/s3: rename req_state::bucket_access_conf to public_access_block
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=348034fededadb554b47973689a6cabe7e4f8af1;p=ceph-ci.git
rgw/s3: rename req_state::bucket_access_conf to public_access_block
the name reflects a PublicAccessBlock configuration that may either come from the bucket (s3 PutPublicAccessBlock) or the account (s3control)
Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 388da24ac87..418e4ef2aec 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1124,7 +1124,7 @@ struct perm_state_from_req_state : public perm_state_base {
 _s->bucket_object_ownership,
 _s->perm_mask,
 _s->defer_to_bucket_acls,
- _s->bucket_access_conf),
+ _s->public_access_block),
 s(_s) {}
 
 std::optional get_request_payer() const override {
@@ -1379,7 +1379,7 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
 
 // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
 // deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = s->bucket_access_conf && s->bucket_access_conf->restrict_public_buckets();
+ const bool restrict_public_buckets = s->public_access_block && s->public_access_block->restrict_public_buckets();
 if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
 ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
 return false;
@@ -1456,8 +1456,8 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
 
 if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm,
 ps->get_referer(),
- ps->bucket_access_conf &&
- ps->bucket_access_conf->ignore_public_acls())) {
+ ps->public_access_block &&
+ ps->public_access_block->ignore_public_acls())) {
 ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl;
 if (granted_by_acl) {
 *granted_by_acl = true;
@@ -1546,7 +1546,7 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
 
 // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
 // deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = ps->bucket_access_conf && ps->bucket_access_conf->restrict_public_buckets();
+ const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->restrict_public_buckets();
 if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) {
 ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
 return false;
@@ -1633,8 +1633,8 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
 if (ps->bucket_object_ownership != rgw::s3::ObjectOwnership::BucketOwnerEnforced &&
 object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm,
 nullptr, /* http referrer */
- ps->bucket_access_conf &&
- ps->bucket_access_conf->ignore_public_acls())) {
+ ps->public_access_block &&
+ ps->public_access_block->ignore_public_acls())) {
 ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl;
 if (granted_by_acl) {
 *granted_by_acl = true;
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 4f2b0160ea6..db2881dea63 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1401,7 +1401,7 @@ struct req_state : DoutPrefixProvider {
 rgw::IAM::Environment env;
 boost::optional iam_policy;
- boost::optional bucket_access_conf;
+ boost::optional public_access_block;
 rgw::s3::ObjectOwnership bucket_object_ownership = rgw::s3::ObjectOwnership::ObjectWriter;
 std::vector iam_identity_policies;
@@ -1720,7 +1720,7 @@ struct perm_state_base {
 rgw::s3::ObjectOwnership bucket_object_ownership;
 int perm_mask;
 bool defer_to_bucket_acls;
- boost::optional bucket_access_conf;
+ boost::optional public_access_block;
 
 perm_state_base(CephContext *_cct,
 const rgw::IAM::Environment& _env,
@@ -1729,7 +1729,7 @@ struct perm_state_base {
 rgw::s3::ObjectOwnership bucket_object_ownership,
 int _perm_mask,
 bool _defer_to_bucket_acls,
- boost::optional _bucket_access_conf = boost::none) :
+ boost::optional _public_access_block = boost::none) :
 cct(_cct),
 env(_env),
 identity(_identity),
@@ -1737,7 +1737,7 @@ struct perm_state_base {
 bucket_object_ownership(bucket_object_ownership),
 perm_mask(_perm_mask),
 defer_to_bucket_acls(_defer_to_bucket_acls),
- bucket_access_conf(_bucket_access_conf)
+ public_access_block(_public_access_block)
 {}
 
 virtual ~perm_state_base() {}
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 1c4502235a7..dc07dd712b3 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -616,7 +616,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
 return -EINVAL;
 }
 
- s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+ s->public_access_block = get_public_access_conf_from_attr(s->bucket_attrs);
 s->bucket_object_ownership = rgw::s3::get_object_ownership(s->bucket_attrs);
 }
 
@@ -4177,7 +4177,7 @@ int RGWPutObj::init_processing(optional_yield y) {
 } /* copy_source */
 
 // reject public canned acls
- if (s->bucket_access_conf && s->bucket_access_conf->block_public_acls() &&
+ if (s->public_access_block && s->public_access_block->block_public_acls() &&
 (s->canned_acl == "public-read" ||
 s->canned_acl == "public-read-write" ||
 s->canned_acl == "authenticated-read")) {
@@ -6409,8 +6409,8 @@ void RGWPutACLs::execute(optional_yield y)
 *_dout << dendl;
 }
 
- if (s->bucket_access_conf &&
- s->bucket_access_conf->block_public_acls() &&
+ if (s->public_access_block &&
+ s->public_access_block->block_public_acls() &&
 new_policy.is_public(this)) {
 op_ret = -EACCES;
 return;
@@ -8857,8 +8857,8 @@ void RGWPutBucketPolicy::execute(optional_yield y)
 s->cct, &s->bucket_tenant, data.to_str(),
 s->cct->_conf.get_val("rgw_policy_reject_invalid_principals"));
 rgw::sal::Attrs attrs(s->bucket_attrs);
- if (s->bucket_access_conf &&
- s->bucket_access_conf->block_public_policy() &&
+ if (s->public_access_block &&
+ s->public_access_block->block_public_policy() &&
 rgw::IAM::is_public(p)) {
 op_ret = -EACCES;
 return;