From: Casey Bodley Date: Mon, 30 Jun 2025 21:50:26 +0000 (-0400) Subject: rgw: PublicAccessBlockConfiguration as raw struct X-Git-Tag: v21.0.1~135^2~15 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=553fd26f391ece88129ccbb25cad64ba47a8ad77;p=ceph.git rgw: PublicAccessBlockConfiguration as raw struct we really don't need encapsulation for this Signed-off-by: Casey Bodley --- diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 0a253877333..ac71f65db5f 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1375,7 +1375,7 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, // If RestrictPublicBuckets is enabled and the bucket policy allows public access, // deny the request if the requester is not in the bucket owner account - const bool restrict_public_buckets = s->public_access_block && s->public_access_block->restrict_public_buckets(); + const bool restrict_public_buckets = s->public_access_block && s->public_access_block->RestrictPublicBuckets; if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) { ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl; return false; @@ -1453,7 +1453,7 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm, ps->get_referer(), ps->public_access_block && - ps->public_access_block->ignore_public_acls())) { + ps->public_access_block->IgnorePublicAcls)) { ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl; if (granted_by_acl) { *granted_by_acl = true; 
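Review bot: In verify_bucket_permission_no_policy the final argument to `bucket_acl.verify_permission(...)` is an unlabelled positional bool, and judging by the field name it decides whether public ACL grants are honoured. The object variant in the `@@ -1630` hunk already labels its neighbouring argument with `/* http referrer */`. A matching label at both call sites, such as `ps->public_access_block->IgnorePublicAcls /* ignore public acls */)`, would make the enforcement input obvious to a reader auditing the ACL path. The function body starts and ends outside the hunk.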
@@ -1542,7 +1542,7 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b // If RestrictPublicBuckets is enabled and the bucket policy allows public access, // deny the request if the requester is not in the bucket owner account - const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->restrict_public_buckets(); + const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->RestrictPublicBuckets; if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) { ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl; return false; @@ -1630,7 +1630,7 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm, nullptr, /* http referrer */ ps->public_access_block && - ps->public_access_block->ignore_public_acls())) { + ps->public_access_block->IgnorePublicAcls)) { ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl; if (granted_by_acl) { *granted_by_acl = true; diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 40fd1365a48..0e09706c745 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -4324,7 +4324,7 @@ int RGWPutObj::init_processing(optional_yield y) { } /* copy_source */ // reject public canned acls - if (s->public_access_block && s->public_access_block->block_public_acls() && + if (s->public_access_block && s->public_access_block->BlockPublicAcls && (s->canned_acl == "public-read" || s->canned_acl == "public-read-write" || s->canned_acl == "authenticated-read")) { @@ -6746,7 +6746,7 @@ void RGWPutACLs::execute(optional_yield y) } if (s->public_access_block && - s->public_access_block->block_public_acls() && + s->public_access_block->BlockPublicAcls && new_policy.is_public(this)) { op_ret = -EACCES; return; 
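Review bot: The BlockPublicAcls test in RGWPutObj::init_processing compares `s->canned_acl` against three literal names, whereas RGWPutACLs::execute in the `@@ -6746` hunk asks the parsed policy through `new_policy.is_public(this)`. If an object ACL can reach this path in any form other than a canned name, the string comparison would not see it. Whether a later check covers that is not visible here, because the function continues outside the hunk. Either add a comment saying why canned names are sufficient at this point, for example `// explicit grants are checked against BlockPublicAcls in <placeholder: location>`, or test the built policy with `is_public` as RGWPutACLs does.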
@@ -9209,7 +9209,7 @@ void RGWPutBucketPolicy::execute(optional_yield y) s->cct->_conf.get_val("rgw_policy_reject_invalid_principals")); rgw::sal::Attrs attrs(s->bucket_attrs); if (s->public_access_block && - s->public_access_block->block_public_policy() && + s->public_access_block->BlockPublicPolicy && rgw::IAM::is_public(p)) { op_ret = -EACCES; return; diff --git a/src/rgw/rgw_public_access.cc b/src/rgw/rgw_public_access.cc index 6d86ad3516e..77c372f149c 100644 --- a/src/rgw/rgw_public_access.cc +++ b/src/rgw/rgw_public_access.cc @@ -26,10 +26,10 @@ std::ostream& operator<< (std::ostream& os, const PublicAccessBlockConfiguration oldState.copyfmt(os); os << std::boolalpha - << "BlockPublicAcls: " << access_conf.block_public_acls() << std::endl - << "IgnorePublicAcls: " << access_conf.ignore_public_acls() << std::endl - << "BlockPublicPolicy" << access_conf.block_public_policy() << std::endl - << "RestrictPublicBuckets" << access_conf.restrict_public_buckets() << std::endl; + << "BlockPublicAcls: " << access_conf.BlockPublicAcls << std::endl + << "IgnorePublicAcls: " << access_conf.IgnorePublicAcls << std::endl + << "BlockPublicPolicy" << access_conf.BlockPublicPolicy << std::endl + << "RestrictPublicBuckets" << access_conf.RestrictPublicBuckets << std::endl; os.copyfmt(oldState); return os; diff --git a/src/rgw/rgw_public_access.h b/src/rgw/rgw_public_access.h index 4bae36e732d..dc282ef3ad8 100644 --- a/src/rgw/rgw_public_access.h +++ b/src/rgw/rgw_public_access.h 
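Review bot: In the rgw_public_access.cc hunk, the labels for the last two fields in `operator<<` have no `: ` separator, so they print as `BlockPublicPolicytrue` and `RestrictPublicBucketsfalse` while the first two print as `BlockPublicAcls: true`. Since these lines are being rewritten anyway, use `<< "BlockPublicPolicy: " << access_conf.BlockPublicPolicy << std::endl` and `<< "RestrictPublicBuckets: " << access_conf.RestrictPublicBuckets << std::endl`. Anyone searching logs for the effective public-access settings with a `Name: value` pattern would otherwise miss half of them. Writing `'\n'` instead of `std::endl` would also avoid flushing the stream four times.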
@@ -19,29 +19,11 @@ class XMLObj; namespace ceph { class Formatter; } -class PublicAccessBlockConfiguration { - bool BlockPublicAcls; - bool IgnorePublicAcls; - bool BlockPublicPolicy; - bool RestrictPublicBuckets; - public: - PublicAccessBlockConfiguration(): - BlockPublicAcls(false), IgnorePublicAcls(false), - BlockPublicPolicy(false), RestrictPublicBuckets(false) - {} - - auto block_public_acls() const { - return BlockPublicAcls; - } - auto ignore_public_acls() const { - return IgnorePublicAcls; - } - auto block_public_policy() const { - return BlockPublicPolicy; - } - auto restrict_public_buckets() const { - return RestrictPublicBuckets; - } +struct PublicAccessBlockConfiguration { + bool BlockPublicAcls = false; + bool IgnorePublicAcls = false; + bool BlockPublicPolicy = false; + bool RestrictPublicBuckets = false; void encode(ceph::bufferlist& bl) const { ENCODE_START(1,1, bl);
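Review bot: The four flags are now the public interface of `PublicAccessBlockConfiguration`, but nothing in the struct says what each one gates or that the `false` defaults mean no restriction is applied. A short comment per field would do, for example `bool BlockPublicAcls = false; // reject requests that set a public ACL` and `bool RestrictPublicBuckets = false; // public bucket policy: owner-only access`, matching the checks in rgw_op.cc and rgw_common.cc in this commit. With the constructor removed the type may also accept positional brace initialisation, where four adjacent bools are easy to transpose. A one-line comment asking callers to assign fields by name would guard against that. The struct continues outside the hunk.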