From: Pritha Srivastava
Date: Mon, 1 Apr 2019 15:39:22 +0000 (+0530)
Subject: rgw: Evaluating bucket policies also while reading permissions for an object that...
X-Git-Tag: v12.2.13~115^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a752b21f549cc83745e35324387b85b3d039dfd2;p=ceph.git

rgw: Evaluating bucket policies also while reading permissions for an object that is non-existent.

Fixes http://tracker.ceph.com/issues/38638

Signed-off-by: Pritha Srivastava
(cherry picked from commit 5eb50b7d10da51db72f705807c87775562b79b63)

Conflicts:
src/rgw/rgw_op.cc
bucket_policy.verify_permission has slightly different arguments
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 7a02556d32b..cb795825978 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -376,13 +376,20 @@ static int read_obj_policy(RGWRados *store,
 if (ret < 0) {
 return ret;
 }
-
 const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
 if (bucket_owner.compare(s->user->user_id) != 0 &&
- ! s->auth.identity->is_admin_of(bucket_owner) &&
- ! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask,
- RGW_PERM_READ)) {
- ret = -EACCES;
+ ! s->auth.identity->is_admin_of(bucket_owner)) {
+ if (policy) {
+ auto r = policy->eval(s->env, *s->auth.identity, rgw::IAM::s3ListBucket, ARN(bucket));
+ if (r == Effect::Allow)
+ return -ENOENT;
+ if (r == Effect::Deny)
+ return -EACCES;
+ }
+ if (! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask, RGW_PERM_READ))
+ ret = -EACCES;
+ else
+ ret = -ENOENT;
 } else {
 ret = -ENOENT;
 }
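Review bot: The two `return` statements added inside `if (policy)` exit read_obj_policy directly, while every other branch of this block only sets `ret` and falls through; read_obj_policy begins and continues outside the hunk, so if anything after this if/else runs besides `return ret;`, the policy-derived result skips it. Writing `ret = -ENOENT;` and `ret = -EACCES;` in those two branches and guarding the ACL fallback with `else` keeps a single exit path and the same -ENOENT/-EACCES outcomes. The reason the missing-object answer differs between -ENOENT and -EACCES is not recorded anywhere in the block; a comment above `if (policy)` such as `// Object does not exist: report -ENOENT only to a caller allowed to list the bucket (policy Allow, or bucket ACL READ when the policy does not decide), otherwise -EACCES.` would make the intent reviewable. Note that a policy `Effect::Pass` (neither Allow nor Deny) silently falls through to the ACL check, which appears intended but is worth stating in that comment.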