From: Seena Fallah
Date: Fri, 19 Jul 2024 17:29:32 +0000 (+0200)
Subject: rgw: donot allow NotPrincipal with Allow Effect
X-Git-Tag: v20.0.0~1422^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=fbb7c3df31e94eeed860e15d2cb563921f10aa9b;p=ceph.git

rgw: donot allow NotPrincipal with Allow Effect

NotPrincipal must be used with "Effect":"Deny". Using it with "Effect":"Allow" is not supported.
cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

Fixes: https://tracker.ceph.com/issues/67047
Signed-off-by: Seena Fallah
---

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index bef4b587a666..94d7d1bf29c5 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -701,11 +701,10 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
       return false;
     }
   } else if (w->kind == TokenKind::cond_key) {
-    auto& t = pp->policy.statements.back();
     if (l > 0 && *s == '$') {
       if (l >= 2 && *(s+1) == '{') {
         if (l > 0 && *(s+l-1) == '}') {
-          t.conditions.back().isruntime = true;
+          t->conditions.back().isruntime = true;
         } else {
           annotate(fmt::format("Invalid interpolation `{}`.",
                                std::string_view{s, l}));
@@ -717,7 +716,7 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
         return false;
       }
     }
-    t.conditions.back().vals.emplace_back(s, l);
+    t->conditions.back().vals.emplace_back(s, l);
 
     // Principals
 
@@ -756,6 +755,13 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
     return false;
   }
 
+  // NotPrincipal must be used with "Effect":"Deny". Using it with "Effect":"Allow" is not supported.
+  // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
+  if (t && t->effect == Effect::Allow && !t->noprinc.empty()) {
+    annotate("Allow with NotPrincipal is not allowed.");
+    return false;
+  }
+
   return true;
 }
 
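Review bot: The cond_key branch now dereferences the outer `t` (`t->conditions.back().isruntime = true;` here, and `t->conditions.back().vals.emplace_back(s, l);` in the second hunk) with no visible null check, while the guard the third hunk adds, `if (t && ...)`, treats `t` as nullable. If nothing earlier in do_string rejects a Condition value that arrives before any Statement has been opened, a malformed policy would dereference null here; a guard at the top of the branch such as `if (!t) { annotate("Condition outside of statement."); return false; }` would match the style of the check the last hunk adds. Whether such a guard already exists cannot be seen from the hunk, since do_string begins outside it. Either way, `conditions.back()` also presumes a condition has already been opened, so a parser test feeding Condition values before and without a Statement would settle both questions.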
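Review bot: The new Allow-with-NotPrincipal check sits at the end of do_string and therefore runs after every string token, so its behaviour for a statement that lists NotPrincipal before "Effect" depends on Statement's default effect, which is not visible here: with a Deny default the check simply fires once "Allow" is parsed, which looks like the intent, but with an Allow default such a statement would be rejected at its first NotPrincipal value even if it later says "Effect":"Deny". A short comment would let the next reader see why the check is not inside the NotPrincipal branch, e.g. `// Evaluated after every string token so it fires whichever of Effect and NotPrincipal appears first in the statement.` A unit test covering both key orders, Effect before and after NotPrincipal, would pin the intended behaviour down. do_string's body begins outside the hunk.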