From: Pritha Srivastava <prsrivas@redhat.com>
Date: Tue, 20 Nov 2018 07:14:20 +0000 (+0530)
Subject: rgw: Correcting perm evaluation when a bucket policy is not attached, but a user... 
X-Git-Tag: v14.1.0~510^2~5
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8c80d301f10fbe9b9100d235ab601e305e86cf72;p=ceph.git

rgw: Correcting perm evaluation when a bucket policy is not attached, but a user policy is.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 788e78c6b5c8..a768897c090c 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -917,7 +917,14 @@ int RGWPutObjTags::verify_permission()
     auto obj = rgw_obj(s->bucket, s->object);
     rgw_iam_add_existing_objtags(store, s, obj, iam_action);
   }
-
+  if (! s->iam_user_policies.empty()) {
+    for (auto& user_policy : s->iam_user_policies) {
+      if (user_policy.has_partial_conditional(S3_EXISTING_OBJTAG)) {
+        rgw_obj obj = rgw_obj(s->bucket, s->object);
+        rgw_iam_add_existing_objtags(store, s, obj, iam_action);
+      }
+    }
+  }
   if (!verify_object_permission(this, s,iam_action))
     return -EACCES;
   return 0;
@@ -3188,11 +3195,14 @@ int RGWPutObj::verify_permission()
           else if (usr_policy_res == Effect::Allow)
             break;
         }
-	auto e = policy->eval(s->env, *s->auth.identity,
+  rgw::IAM::Effect e = Effect::Pass;
+  if (policy) {
+	  e = policy->eval(s->env, *s->auth.identity,
 			      cs_object.instance.empty() ?
 			      rgw::IAM::s3GetObject :
 			      rgw::IAM::s3GetObjectVersion,
 			      rgw::IAM::ARN(obj));
+  }
 	if (e == Effect::Deny) {
 	  return -EACCES; 
 	} else if (usr_policy_res == Effect::Pass && e == Effect::Pass &&
@@ -3246,9 +3256,12 @@ int RGWPutObj::verify_permission()
     if (usr_policy_res == Effect::Deny)
       return -EACCES;
 
-    auto e = s->iam_policy->eval(s->env, *s->auth.identity,
-				 rgw::IAM::s3PutObject,
-				 rgw_obj(s->bucket, s->object));
+    rgw::IAM::Effect e = Effect::Pass;
+    if (s->iam_policy) {
+      e = s->iam_policy->eval(s->env, *s->auth.identity,
+          rgw::IAM::s3PutObject,
+          rgw_obj(s->bucket, s->object));
+    }
     if (e == Effect::Allow) {
       return 0;
     } else if (e == Effect::Deny) {
@@ -3756,9 +3769,13 @@ void RGWPostObj::execute()
       op_ret = -EACCES;
       return;
     }
-    auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+
+    rgw::IAM::Effect e = Effect::Pass;
+    if (s->iam_policy) {
+      e = s->iam_policy->eval(s->env, *s->auth.identity,
 				 rgw::IAM::s3PutObject,
 				 rgw_obj(s->bucket, s->object));
+    }
     if (e == Effect::Deny) {
       op_ret = -EACCES;
       return;
@@ -4285,11 +4302,15 @@ int RGWDeleteObj::verify_permission()
     if (usr_policy_res == Effect::Deny) {
       return false;
     }
-    auto r = s->iam_policy->eval(s->env, *s->auth.identity,
+
+    rgw::IAM::Effect r = Effect::Pass;
+    if (s->iam_policy) {
+      r = s->iam_policy->eval(s->env, *s->auth.identity,
 				 s->object.instance.empty() ?
 				 rgw::IAM::s3DeleteObject :
 				 rgw::IAM::s3DeleteObjectVersion,
 				 ARN(s->bucket, s->object.name));
+    }
     if (r == Effect::Allow)
       return true;
     else if (r == Effect::Deny)
@@ -5294,9 +5315,13 @@ int RGWInitMultipart::verify_permission()
     if (usr_policy_res == Effect::Deny) {
       return -EACCES;
     }
-    auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+
+    rgw::IAM::Effect e = Effect::Pass;
+    if (s->iam_policy) {
+      e = s->iam_policy->eval(s->env, *s->auth.identity,
 				 rgw::IAM::s3PutObject,
 				 rgw_obj(s->bucket, s->object));
+    }
     if (e == Effect::Allow) {
       return 0;
     } else if (e == Effect::Deny) {
@@ -5423,9 +5448,13 @@ int RGWCompleteMultipart::verify_permission()
     if (usr_policy_res == Effect::Deny) {
       return -EACCES;
     }
-    auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+
+    rgw::IAM::Effect e = Effect::Pass;
+    if (s->iam_policy) {
+      e = s->iam_policy->eval(s->env, *s->auth.identity,
 				 rgw::IAM::s3PutObject,
 				 rgw_obj(s->bucket, s->object));
+    }
     if (e == Effect::Allow) {
       return 0;
     } else if (e == Effect::Deny) {
@@ -5753,9 +5782,12 @@ int RGWAbortMultipart::verify_permission()
       return -EACCES;
     }
 
-    auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+    rgw::IAM::Effect e = Effect::Pass;
+    if (s->iam_policy) {
+      e = s->iam_policy->eval(s->env, *s->auth.identity,
 				 rgw::IAM::s3AbortMultipartUpload,
 				 rgw_obj(s->bucket, s->object));
+    }
     if (e == Effect::Allow) {
       return 0;
     } else if (e == Effect::Deny) {
@@ -6001,12 +6033,16 @@ void RGWDeleteMultiObj::execute()
         send_partial_response(*iter, false, "", -EACCES);
         continue;
       }
-      auto e = s->iam_policy->eval(s->env,
+
+      rgw::IAM::Effect e = Effect::Pass;
+      if (s->iam_policy) {
+        e = s->iam_policy->eval(s->env,
 				   *s->auth.identity,
 				   iter->instance.empty() ?
 				   rgw::IAM::s3DeleteObject :
 				   rgw::IAM::s3DeleteObjectVersion,
 				   obj);
+      }
       if ((e == Effect::Deny) ||
 	  (usr_policy_res == Effect::Pass && e == Effect::Pass && !acl_allowed)) {
 	send_partial_response(*iter, false, "", -EACCES);