From: Abhishek Lekshmanan Date: Thu, 29 Aug 2019 18:06:59 +0000 (+0200) Subject: rgw: initial implementation of a public policy tester X-Git-Tag: v15.1.1~555^2~25 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ff972d6956709ff8b5da5a34205af623d7af9542;p=ceph.git rgw: initial implementation of a public policy tester doesn't cover all the cases involving a nonprinc user yet Signed-off-by: Abhishek Lekshmanan
---
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index fdfa480f3e47a..c33db62149cb0 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -1431,5 +1431,36 @@ ostream& operator <<(ostream& m, const Policy& p) {
 return m << " }";
 }
+static const Environment iam_all_env = {
+ {"aws:SourceIp","1.1.1.1"},
+ {"aws:UserId","anonymous"},
+ {"s3:x-amz-server-side-encryption-aws-kms-key-id","secret"}
+};
+
+struct IsPublicStatement
+{
+ bool operator() (const Statement &s) const {
+ if (s.effect == Effect::Allow) {
+ for (const auto& p : s.princ) {
+ if (p.is_wildcard()) {
+ if (s.eval_conditions(iam_all_env) == Effect::Allow)
+ return true;
+ }
+ }
+ // no princ should not contain fixed values
+ return std::all_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) {
+ return !p.is_wildcard();
+ });
+ }
+ return false;
+ }
+};
+
+
+bool IsPublic(const Policy& p)
+{
+ return std::any_of(p.statements.begin(), p.statements.end(), IsPublicStatement());
 }
-}
+
+} // namespace IAM
+} // namespace rgw
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 21f8ead8e7229..a667a0192ac27 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -486,6 +486,8 @@ struct Policy {
 };
 std::ostream& operator <<(ostream& m, const Policy& p);
+bool IsPublic(const Policy& p);
+
 }
 }
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index c2f4a98d25536..a9fafb77f2d1a 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
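Review bot: `IsPublicStatement::operator()` reports every Allow statement with an empty `noprinc` as public, because `std::all_of` over an empty range is vacuously true; a statement whose only principal is a fixed user, or a wildcard statement whose conditions fail under `iam_all_env`, still falls through to that final `return` and yields true, which makes the condition check in the loop above it moot. Guarding the NotPrincipal branch on a non-empty list, `return !s.noprinc.empty() && std::all_of(s.noprinc.begin(), s.noprinc.end(), [](const rgw::auth::Principal& p) { return !p.is_wildcard(); });`, limits it to statements that actually use NotPrincipal. That branch also never calls `eval_conditions`, so a condition-restricted NotPrincipal grant would presumably still be flagged; applying the same `s.eval_conditions(iam_all_env) == Effect::Allow` test there would keep the two branches consistent. `iam_all_env` deserves a comment stating its role, e.g. `// Synthetic anonymous request with placeholder values, used only to probe whether a statement's conditions still allow a wildcard principal; IsPublic is therefore a heuristic, not an access decision.`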
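Review bot: The new `IsPublic` declaration in rgw_iam_policy.h carries no documentation, so a caller cannot tell from the signature that the result is a heuristic rather than a full access evaluation. A short Doxygen comment above it, `/// Heuristic public-access check: true if any Allow statement grants a wildcard principal (conditions probed against a synthetic anonymous environment) or excludes only fixed principals via NotPrincipal; may over-report as implemented in rgw_iam_policy.cc.`, would make the contract clear at the call site.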
@@ -8085,4 +8085,6 @@ void RGWGetBucketPolicyStatus::execute()
 }
 );
 ldout(s->cct,20) << __func__ << "ACL public status=" << isPublic << dendl;
+ if (s->iam_policy)
+ isPublic |= rgw::IAM::IsPublic(*s->iam_policy);
 }
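Review bot: The `ldout` line just above the new check logs only the ACL result, so at debug level 20 the combined `isPublic` value that this op presumably reports is no longer visible in the log once the policy contribution is OR-ed in. Logging the policy result after the new lines, `ldout(s->cct, 20) << __func__ << " policy public status=" << isPublic << dendl;`, keeps the reason a bucket is reported public traceable when auditing. `RGWGetBucketPolicyStatus::execute` starts outside the hunk.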