From: Abhishek Lekshmanan Date: Thu, 12 Sep 2019 12:56:06 +0000 (+0200) Subject: rgw: enforce BlockPublicPolicy on put bucket policy X-Git-Tag: v15.1.1~555^2~18 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f692d042d112c98d10fa4eaa0955c56a9f93025a;p=ceph.git rgw: enforce BlockPublicPolicy on put bucket policy Signed-off-by: Abhishek Lekshmanan
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 1f3a8fea22a7..be4b6ef28225 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -7661,8 +7661,26 @@ void RGWPutBucketPolicy::execute()
 try {
 const Policy p(s->cct, s->bucket_tenant, data);
- op_ret = retry_raced_bucket_write(store->getRados(), s, [&p, this] {
- auto attrs = s->bucket_attrs;
+ auto attrs = s->bucket_attrs;
+ if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS);
+ aiter != attrs.end())
+ {
+ bufferlist::const_iterator iter{&aiter->second};
+ try {
+ rgw::IAM::PublicAccessConfiguration access_conf;
+ access_conf.decode(iter);
+ if (access_conf.block_public_policy() && rgw::IAM::IsPublic(p)) {
+ op_ret = -EACCES;
+ return;
+ }
+ } catch (const buffer::error& e) {
+ ldpp_dout(this, 0) << __func__ << "decode access conf failed" << dendl;
+ op_ret = -EIO;
+ return;
+ }
+ }
+
+ op_ret = retry_raced_bucket_write(store->getRados(), s, [&p, this, &attrs] {
 attrs[RGW_ATTR_IAM_POLICY].clear();
 attrs[RGW_ATTR_IAM_POLICY].append(p.text);
 op_ret = store->ctl()->bucket->set_bucket_instance_attrs(s->bucket_info, attrs,