From: Abhishek Lekshmanan
Date: Mon, 27 Jul 2020 14:58:30 +0000 (+0200)
Subject: rgw: policy: reuse eval_principal to evaluate the policy principal
X-Git-Tag: v15.2.5~54^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F36636%2Fhead;p=ceph.git
rgw: policy: reuse eval_principal to evaluate the policy principal
Since the other edge case when no Principal or a NotPrincipal is supplied also must be accounted for, which is already done in eval_principal function. Also reraising the error as Effect::Pass in line with the previous output, though an Effect::Deny would also work here.
Fixes: https://tracker.ceph.com/issues/46078
Signed-off-by: Abhishek Lekshmanan
(cherry picked from commit 1843f2dca853f97c6c9b4196eaf27581705be0e2)
---
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index da0fa92b7010..31936c40472f 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -970,12 +970,9 @@ ostream& operator <<(ostream& m, const Condition& c) {
 Effect Statement::eval(const Environment& e, boost::optional ida, uint64_t act, const ARN& res) const {
- if (ida) {
- if (!princ.empty() && !ida->is_identity(princ)) {
- return Effect::Pass;
- } else if (!noprinc.empty() && ida->is_identity(noprinc)) {
- return Effect::Pass;
- }
+
+ if (eval_principal(e, ida) == Effect::Deny) {
+ return Effect::Pass;
 }
 if (!resource.empty()) {
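Review bot: The `Effect::Deny` to `Effect::Pass` translation in the new `if` at the top of `Statement::eval` should carry a comment, because here a Deny from `eval_principal` means "this statement does not apply to the caller", not an explicit deny. The commit message's aside that returning `Effect::Deny` "would also work" looks risky if the policy evaluator treats a statement-level Deny as final; that caller is outside this hunk, so confirm. A line such as `// Principal mismatch: statement does not apply, so Pass (not an explicit Deny that could override another statement's Allow)` above the `if` would keep a later cleanup from changing the result. The old code skipped the principal check when `ida` was empty, while the new path depends on how `eval_principal` handles an empty optional, which is not visible here; a unit test for a statement with neither Principal nor NotPrincipal, and for a call with no identity, would pin both cases. The body of `Statement::eval` continues past the end of the hunk.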