From: Pritha Srivastava
Date: Fri, 18 Jun 2021 10:06:10 +0000 (+0530)
Subject: rgw/sts: code for returning an error when an IAM policy
X-Git-Tag: v17.1.0~815^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=be42b2cf04def671023b98c811e77e1e357eb38e;p=ceph.git

rgw/sts: code for returning an error when an IAM policy resource belongs to someone else's tenant.

While parsing the policy it discards the resource element, but then when an operation is evaluated, since the resource element is empty, it doesn't evaluate the resource at all and the policy ends up erroneously allowing actions on resources in other tenants.

Fixes: https://tracker.ceph.com/issues/51219
Signed-off-by: Pritha Srivastava
---

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index c6a63110e62a8..4a5595b22b3a4 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -562,10 +562,11 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
       a->account = pp->tenant;
       (w->id == TokenID::Resource ? t->resource : t->notresource)
         .emplace(std::move(*a));
-    }
-    else
+    } else {
       ldout(cct, 0) << "Supplied resource is discarded: " << string(s, l) << dendl;
+      return false;
+    }
   } else if (w->kind == TokenKind::cond_key) {
     auto& t = pp->policy.statements.back();
     if (l > 0 && *s == '$') {
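Review bot: the log line kept in the else branch no longer describes what happens: with `return false;` added, the resource is not "discarded", the whole policy is rejected at parse time, so the message should say so (for example "Resource belongs to another tenant, rejecting policy: ...") and, since it is emitted at level 0, it should be precise enough for an operator reading the log to act on. The condition that selects the if branch is outside the visible context, so please confirm that the new `return false;` fires only for a resource ARN whose account is a different tenant and not for any string that merely failed to parse; if the same branch covers both cases, the two should get distinct messages. Returning false from `do_string` also surfaces to the caller as a generic parse failure with no indication of which resource was at fault, so if this parser has a way to attach an error string for the API response (as it does for other malformed policy elements), set it here rather than relying on the daemon log alone. The `} else {` brace change matches the `} else if` that follows, which is fine.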