From: Abhishek Lekshmanan
Date: Tue, 23 Jan 2018 15:27:48 +0000 (+0100)
Subject: rgw: policy: refactor has_conditional
X-Git-Tag: v13.0.2~246^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b2accc222f67a6e14085ca08d1d80e80f749054f;p=ceph.git
rgw: policy: refactor has_conditional
Basically created has_conditional and has_partial_conditional to check for exact/partial matches for conditionals and modified exisiting call sites. has_key is now a function template that passes on the test string to any given function as the second argument.
Signed-off-by: Abhishek Lekshmanan
---
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 8bfb19574e4..828399551cf 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -1554,15 +1554,6 @@ Effect Policy::eval(const Environment& e,
 return allowed ? Effect::Allow : Effect::Pass;
 }
-bool Policy::has_conditional(const string& conditional, bool partial) const {
- for (const auto&s: statements){
- if (std::any_of(s.conditions.begin(), s.conditions.end(),
- [&](const Condition& c) { return c.has_key(conditional, partial);}))
- return true;
- }
- return false;
-}
-
 ostream& operator <<(ostream& m, const Policy& p) {
 m << "{ Version: " << (p.version == Version::v2008_10_17 ? "2008-10-17" : "2012-10-17");
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 0ef6f8503fb..4bb06b1195f 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -363,6 +363,13 @@ struct Condition {
 }
 };
+ struct ci_starts_with {
+ bool operator()(const std::string& s1,
+ const std::string& s2) const {
+ return boost::istarts_with(s1, s2);
+ }
+ };
+
 template static bool orrible(F&& f, const std::string& c,
 const std::vector& v) {
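Review bot: `ci_starts_with::operator()` is asymmetric and nothing in the hunk records which argument is the prefix: `boost::istarts_with(s1, s2)` is true when `s1` begins with `s2`, so through the `p(key, _key)` call order that `has_key_p` uses in the next hunk, the stored condition key must begin with the probe string, not the reverse. A one-line comment on the struct would spare the next reader a trip to Boost's signature, e.g. `// true when s1 starts with s2, case-insensitively; Condition::has_key_p calls it as (stored key, probe)`. The sibling `ci_equal_to` referenced later in the patch is defined outside this hunk and presumably has the same shape; documenting both the same way keeps them interchangeable. The removed `.cc` code spelled the call `boost::algorithm::istarts_with`, while the new header code uses the unqualified `boost::istarts_with`, which resolves only through the using-declaration in Boost's string predicate header, so make sure that header is what `rgw_iam_policy.h` includes rather than something transitively pulled in. `struct Condition` begins before this hunk.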
@@ -395,11 +402,9 @@ struct Condition {
 return false;
 }
- bool has_key(const std::string& _key, bool partial=false) const {
- if (partial)
- return boost::algorithm::istarts_with(key, _key);
- else
- return boost::algorithm::iequals(key, _key);
+ template
+ bool has_key_p(const std::string& _key, F p) const {
+ return p(key, _key);
 }
 };
@@ -454,7 +459,23 @@ struct Policy {
 boost::optional ida,
 std::uint64_t action,
 const ARN& resource) const;
- bool has_conditional(const string& conditional, bool partial=false) const;
+ template
+ bool has_conditional(const string& conditional, F p) const {
+ for (const auto&s: statements){
+ if (std::any_of(s.conditions.begin(), s.conditions.end(),
+ [&](const Condition& c) { return c.has_key_p(conditional, p);}))
+ return true;
+ }
+ return false;
+ }
+
+ bool has_conditional(const string& c) const {
+ return has_conditional(c, Condition::ci_equal_to());
+ }
+
+ bool has_partial_conditional(const string& c) const {
+ return has_conditional(c, Condition::ci_starts_with());
+ }
 };
 std::ostream& operator <<(ostream& m, const Policy& p);
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index ccbfc1541be..ef246e7990c 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -743,7 +743,7 @@ int RGWGetObj::verify_permission()
 } else {
 action = rgw::IAM::s3GetObjectVersion;
 }
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true))
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG))
 rgw_iam_add_existing_objtags(store, s, obj, action);
 }
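Review bot: `has_key_p` documents neither the argument order it hands to `p` nor the contract `F` must satisfy; `return p(key, _key)` puts the stored key first and the caller's probe second, so a prefix comparator means "stored key begins with probe", which is the opposite of what a reader guessing from the parameter name `_key` may assume. Suggest a short comment above the template, e.g. `// Match this condition's key against _key via p(stored_key, probe); p is a case-insensitive comparator such as ci_equal_to or ci_starts_with.` Taking `F p` by value is fine for the empty comparator structs used here; `const F&` would also serve a stateful comparator without a copy. Any caller of the removed `has_key` outside this patch would now fail to compile, which looks intended but is worth a grep. `struct Condition` begins before this hunk.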
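Review bot: Moving `has_conditional` into the header makes `rgw_iam_policy.h` depend on `std::any_of`, but the patch adds no `#include <algorithm>`; if the header does not already include it (not visible from this hunk), the template now compiles only through whatever its includers happen to pull in, and the first translation unit that includes the header on its own will break. Either add the include or keep the loop free of `<algorithm>` with a plain range-for and early return. The two thin overloads would also benefit from a one-line doc each, e.g. `// exact, case-insensitive match on a condition key` on `has_conditional(const string&)` and `// prefix match: true if any condition key starts with c, as the S3_EXISTING_OBJTAG call sites in rgw_op.cc rely on` on `has_partial_conditional`. `struct Policy` begins before this hunk.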
@@ -781,7 +781,7 @@ int RGWGetObjTags::verify_permission()
 rgw::IAM::s3GetObjectVersionTagging;
 // TODO since we are parsing the bl now anyway, we probably change
 // the send_response function to accept RGWObjTag instead of a bl
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
 rgw_obj obj = rgw_obj(s->bucket, s->object);
 rgw_iam_add_existing_objtags(store, s, obj, iam_action);
 }
@@ -827,7 +827,7 @@ int RGWPutObjTags::verify_permission()
 rgw::IAM::s3PutObjectTagging:
 rgw::IAM::s3PutObjectVersionTagging;
- if(s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if(s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
 auto obj = rgw_obj(s->bucket, s->object);
 rgw_iam_add_existing_objtags(store, s, obj, iam_action);
 }
@@ -870,7 +870,7 @@ int RGWDeleteObjTags::verify_permission()
 rgw::IAM::s3DeleteObjectTagging:
 rgw::IAM::s3DeleteObjectVersionTagging;
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
 auto obj = rgw_obj(s->bucket, s->object);
 rgw_iam_add_existing_objtags(store, s, obj, iam_action);
 }
@@ -4685,7 +4685,7 @@ int RGWGetACLs::verify_permission()
 rgw::IAM::s3GetObjectAcl :
 rgw::IAM::s3GetObjectVersionAcl;
- if (s->iam_policy && s->iam_policy->has_conditional(S3_EXISTING_OBJTAG, true)){
+ if (s->iam_policy && s->iam_policy->has_partial_conditional(S3_EXISTING_OBJTAG)){
 rgw_obj obj = rgw_obj(s->bucket, s->object);
 rgw_iam_add_existing_objtags(store, s, obj, iam_action);
 }